You are here: interactive or semi-interactive shell as some user, on Windows or Linux.

First make the shell usable, then re-enumerate as this user — your new vantage point sees things your earlier scans couldn’t.


▶️ Next moves (in order)

  1. Stabilize the shell. Upgrade to a proper TTY before anything else. → Shell_Stabilization · Shell_Interactive_Spawning
  2. Situational awareness. whoami /priv + /groups, host info, other users, installed software, network position. Run automated enum. → Windows: Windows_PrivEsc_Enumeration · Linux: Linux_PrivEsc_Enumeration / Linux_PrivEsc_Methodology

Windows privesc routes:

  3. Token privileges (SeImpersonate, SeDebug, etc.) → Windows_PrivEsc_Token_Privileges
  4. Weak service / file permissions, unquoted paths → Windows_PrivEsc_Weak_Permissions
  5. Privileged group membership → Windows_PrivEsc_Group_Privileges
  6. Credential hunting (files, registry, browsers, DPAPI, Credential Manager) → Windows_PrivEsc_Credential_Hunting · Credential_Hunting_Windows · Windows_Credential_Manager
  7. UAC bypass when admin-but-not-elevated → Windows_PrivEsc_UAC_Bypass

Linux privesc routes:

  8. sudo -l, SUID/SGID, capabilities → Linux_PrivEsc_Permissions_Sudo · Linux_PrivEsc_Groups_Capabilities
    • A tightly constrained rule (locked regex, fixed flags/dir) that isn’t on GTFOBins may still be exploitable by attacking the file format the allowed binary processes — a patch tool that follows symlinks writes files as the target; an old parser (XXE) reads them. → Attack_Patterns
  9. Cron / services / writable scripts → Linux_PrivEsc_Services_Cron
  10. Kernel / language vectors → Linux_PrivEsc_Kernel_Python
  11. Shared libs, wildcards, NFS, logrotate → Linux_PrivEsc_Shared_Libs_Wildcard_Shell · Linux_PrivEsc_Misc_NFS_Logrotate
  12. Credential hunting → Credential_Hunting_Linux
    • Hunting isn’t only passive looting — once you’re root on a shared/multi-user host you can actively capture future cleartext logins (other users, sudo, automated bots) by hooking pam_exec/expose_authtok into /etc/pam.d/common-auth. → Linux_Auth_Process

Either OS:

  13. Domain-joined host? Feed BloodHound and pivot to AD thinking. → Stuck_In_AD
  14. New network visibility? This host may bridge subnets. → Need_To_Pivot


⚠️ Common stalls

  • Never re-enumerated as the new user — privesc clue was in their files/history.
  • Ignored whoami /priv (Windows escalations hide there).
  • Skipped automated enum (winPEAS/linPEAS/Seatbelt) out of impatience.
  • Forgot to loot shell history, configs, and saved credentials.
  • Assumed root = host root — check /.dockerenv / cgroups; container root means loot app config and reach internal services, not kernel privesc.
  • Dismissed a constrained sudo/SUID rule as “locked down” because it wasn’t a flag-escape — the exploitable surface was the file it processes, not the command line.

⏱️ Stop condition

You’ve run automated enum, checked /priv + groups, walked the OS-specific routes, and looted the user’s files and history. If no vector surfaced, escalation may simply not be on this host — stop hand-searching. Re-enumerate once as the user for anything new, then change altitude: feed BloodHound and think domain (Stuck_In_AD), or use the host as a vantage point (Need_To_Pivot). Local root/SYSTEM is not always required to progress — don’t make it a prerequisite when it isn’t one.

🔀 Route on