Tools

• https://gtfobins.github.io/#cha
• linpeas
• pspy

Some Privilege Escalation Methods

<aside>

Wildcard Injection

Writable /etc/passwd

PATH Hijacking

doas

</aside>

Privileged Groups

<aside>

• LXC or LXD

Docker group

Disk group

• ADM </aside>

Binaries

<aside>

• Run strings & strace on suspicious binaries. This may reveal plaintext passwords, commands, other executables being called, potential Shared Object injection, etc. </aside>

Automated Enumeartion

linpeas.sh
lse.sh -l1
pspy64 -pf

Manual Enumeration

/var/www/html
/proc/self/cmdline
/opt
/tmp
/proc/[pid]/cmdline
/proc/sched_debug

Host information

hostname
/etc/os-release
uname -a
uname -sr

User information

whoami
id
cat /etc/passwd
cat /etc/shadow
cat /etc/group
/home/$USER
/home/$USER/.ssh
/home/$USER/.ssh/id_rsa
/home/$USER/.ssh/authorized_keys

Sudo