Search K

Main NavigationTable of Contents

Appearance

Sidebar Navigation

Checklist - Linux Privilege Escalation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Best tool to look for Linux local privilege escalation vectors: LinPEAS

System Information

Get OS information
Check the PATH, any writable folder?
Check env variables, any sensitive detail?
Search for kernel exploits using scripts (DirtyCow?)
Check if the sudo version is vulnerable
Dmesg signature verification failed
More system enum (date, system stats, cpu info, printers)
Enumerate more defenses

Drives

List mounted drives
Any unmounted drive?
Any creds in fstab?

Installed Software

Check foruseful software installed
Check for vulnerable software installed

Processes

Is any unknown software running?
Is any software running with more privileges than it should have?
Search for exploits of running processes (especially the version running).
Can you modify the binary of any running process?
Monitor processes and check if any interesting process is running frequently.
Can you read some interesting process memory (where passwords could be saved)?

Scheduled/Cron jobs?

Is the PATHbeing modified by some cron and you can write in it?
Any wildcardin a cron job?
Some modifiable scriptis being executed or is inside modifiable folder?
Have you detected that some script could be or are being executed very frequently? (every 1, 2 or 5 minutes)

Services

Any writable .service file?
Any writable binary executed by a service?
Any writable folder in systemd PATH?

Timers

Any writable timer?

Sockets

Any writable .socket file?
Can you communicate with any socket?
HTTP sockets with interesting info?

D-Bus

Can you communicate with any D-Bus?

Network

Enumerate the network to know where you are
Open ports you couldn't access before getting a shell inside the machine?
Can you sniff traffic using tcpdump?

Users

Generic users/groups enumeration
Do you have a very big UID? Is the machine vulnerable?
Can you escalate privileges thanks to a group you belong to?
Clipboard data?
Password Policy?
Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writable PATH

If you have write privileges over some folder in PATH you may be able to escalate privileges

SUDO and SUID commands

Can you execute any command with sudo? Can you use it to READ, WRITE or EXECUTE anything as root? (GTFOBins)
Is any exploitable SUID binary? (GTFOBins)
Are sudo commands limited by path? can you bypass the restrictions?
Sudo/SUID binary without path indicated?
SUID binary specifying path? Bypass
LD_PRELOAD vuln
Lack of .so library in SUID binary from a writable folder?
SUDO tokens available? Can you create a SUDO token?
Can you read or modify sudoers files?
Can you modify /etc/ld.so.conf.d/?
OpenBSD DOAS command

Capabilities

Has any binary any unexpected capability?

ACLs

Has any file any unexpected ACL?

Open Shell sessions

screen
tmux

SSH

Debian OpenSSL Predictable PRNG - CVE-2008-0166
SSH Interesting configuration values

Interesting Files

Profile files - Read sensitive data? Write to privesc?
passwd/shadow files - Read sensitive data? Write to privesc?
Check commonly interesting folders for sensitive data
Weird Location/Owned files, you may have access to or alter executable files
Modified in last mins
Sqlite DB files
Hidden files
Script/Binaries in PATH
Web files (passwords?)
Backups?
Known files that contains passwords: Use Linpeas and LaZagne
Generic search

Writable Files

Modify python library to execute arbitrary commands?
Can you modify log files? Logtotten exploit
Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
Can you write in ini, int.d, systemd or rc.d files?

Other tricks

Can you abuse NFS to escalate privileges?
Do you need to escape from a restrictive shell?

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Last updated:

Pager

Next pageHackTricks

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

Checklist - Linux Privilege Escalation

Best tool to look for Linux local privilege escalation vectors: LinPEAS