## https://sploitus.com/exploit?id=A91DA5A9-9F01-5898-AD64-4416D436FF4E
# Linux Privilege Escalation PoC Lab
> **Educational disclaimer:** This repository is intended **only** for authorized security training, CTF practice, and defensive research in **isolated lab environments** you own or have explicit permission to test. Misusing these techniques against systems without authorization is illegal and unethical. The author assumes no liability for misuse.
**Author:** Mostafa Tamime
---
## Overview
[Linux-privesc-PoC](https://github.com/anounymous68/Linux-privesc-PoC) is a modular hands-on lab for learning common Linux local privilege escalation vectors. Each directory is a self-contained scenario with:
| Component | Purpose |
|-----------|---------|
| `README.md` | Theory, prerequisites, reproduction, expected output |
| `setup.sh` | Creates the vulnerable condition (**run as root**) |
| `exploit.sh` | Demonstrates escalation (**run as low-privilege user**) |
## Lab modules
| Module | Vector | Directory |
|--------|--------|-----------|
| Enumeration | Recon with LinPEAS and manual commands | [`enumeration/`](enumeration/) |
| SUID/SGID | Misconfigured setuid binary | [`suid-sgid/`](suid-sgid/) |
| Sudo | NOPASSWD, `env_keep`, rule abuse | [`sudo-misconfig/`](sudo-misconfig/) |
| LD_PRELOAD | Shared library injection via sudo | [`ld-preload/`](ld-preload/) |
| Cron | Writable cron script / PATH hijack | [`cron-hijack/`](cron-hijack/) |
## Recommended lab setup
Use a disposable VM (Ubuntu 22.04/24.04 LTS or Debian 12) with snapshots enabled.
```bash
# Clone and enter the repo
git clone https://github.com/anounymous68/Linux-privesc-PoC.git
cd Linux-privesc-PoC
# Create a dedicated low-privilege lab user (as root)
useradd -m -s /bin/bash labuser
echo 'labuser:labpass' | chpasswd
# Run each module's setup as root, then exploit as labuser
sudo ./suid-sgid/setup.sh
su - labuser
./suid-sgid/exploit.sh
```
## Suggested learning path
1. **Enumeration** โ Run `manual_enum.sh` and review LinPEAS output before touching exploits.
2. **SUID/SGID** โ Classic binary misconfiguration.
3. **Sudo misconfiguration** โ Very common in real assessments.
4. **LD_PRELOAD** โ Understand `env_keep` and library loading.
5. **Cron hijack** โ Scheduled task and PATH weaknesses.
## Cleanup
Each `setup.sh` prints module-specific cleanup hints. Revert snapshots or rebuild the VM between sessions for a clean state.
## References
- [GTFOBins](https://gtfobins.github.io/)
- [HackTricks โ Linux Privilege Escalation](https://book.hacktricks.wiki/linux-hardening/privilege-escalation/index.html)
- [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
## License
MIT โ use responsibly in authorized lab environments only.