Share
## https://sploitus.com/exploit?id=A91DA5A9-9F01-5898-AD64-4416D436FF4E
# Linux Privilege Escalation PoC Lab

> **Educational disclaimer:** This repository is intended **only** for authorized security training, CTF practice, and defensive research in **isolated lab environments** you own or have explicit permission to test. Misusing these techniques against systems without authorization is illegal and unethical. The author assumes no liability for misuse.

**Author:** Mostafa Tamime

---

## Overview

[Linux-privesc-PoC](https://github.com/anounymous68/Linux-privesc-PoC) is a modular hands-on lab for learning common Linux local privilege escalation vectors. Each directory is a self-contained scenario with:

| Component | Purpose |
|-----------|---------|
| `README.md` | Theory, prerequisites, reproduction, expected output |
| `setup.sh` | Creates the vulnerable condition (**run as root**) |
| `exploit.sh` | Demonstrates escalation (**run as low-privilege user**) |

## Lab modules

| Module | Vector | Directory |
|--------|--------|-----------|
| Enumeration | Recon with LinPEAS and manual commands | [`enumeration/`](enumeration/) |
| SUID/SGID | Misconfigured setuid binary | [`suid-sgid/`](suid-sgid/) |
| Sudo | NOPASSWD, `env_keep`, rule abuse | [`sudo-misconfig/`](sudo-misconfig/) |
| LD_PRELOAD | Shared library injection via sudo | [`ld-preload/`](ld-preload/) |
| Cron | Writable cron script / PATH hijack | [`cron-hijack/`](cron-hijack/) |

## Recommended lab setup

Use a disposable VM (Ubuntu 22.04/24.04 LTS or Debian 12) with snapshots enabled.

```bash
# Clone and enter the repo
git clone https://github.com/anounymous68/Linux-privesc-PoC.git
cd Linux-privesc-PoC

# Create a dedicated low-privilege lab user (as root)
useradd -m -s /bin/bash labuser
echo 'labuser:labpass' | chpasswd

# Run each module's setup as root, then exploit as labuser
sudo ./suid-sgid/setup.sh
su - labuser
./suid-sgid/exploit.sh
```

## Suggested learning path

1. **Enumeration** โ€” Run `manual_enum.sh` and review LinPEAS output before touching exploits.
2. **SUID/SGID** โ€” Classic binary misconfiguration.
3. **Sudo misconfiguration** โ€” Very common in real assessments.
4. **LD_PRELOAD** โ€” Understand `env_keep` and library loading.
5. **Cron hijack** โ€” Scheduled task and PATH weaknesses.

## Cleanup

Each `setup.sh` prints module-specific cleanup hints. Revert snapshots or rebuild the VM between sessions for a clean state.

## References

- [GTFOBins](https://gtfobins.github.io/)
- [HackTricks โ€” Linux Privilege Escalation](https://book.hacktricks.wiki/linux-hardening/privilege-escalation/index.html)
- [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)

## License

MIT โ€” use responsibly in authorized lab environments only.