Checklist - Linux Privilege Escalation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Best tool to look for Linux local privilege escalation vectors: LinPEAS

System Information

Get OS information
Check the PATH, any writable folder?
Check env variables, any sensitive detail?
Search for kernel exploits using scripts (DirtyCow?)
Check if the sudo version is vulnerable
Dmesg signature verification failed
More system enum (date, system stats, cpu info, printers)
Enumerate more defenses

Drives

List mounted drives
Any unmounted drive?
Any creds in fstab?

Installed Software

Check for useful software installed
Check for vulnerable software installed

Processes

Is any unknown software running?
Is any software running with more privileges than it should have?
Search for exploits of running processes (especially the version running).
Can you modify the binary of any running process?
Monitor processes and check if any interesting process is running frequently.
Can you read some interesting process memory (where passwords could be saved)?

Scheduled/Cron jobs?

Is the PATH being modified by some cron and you can write in it?
Any wildcard in a cron job?
Some modifiable script is being executed or is inside modifiable folder?
Have you detected that some script could be or are being executed very frequently? (every 1, 2 or 5 minutes)

Services

Any writable .service file?
Any writable binary executed by a service?
Any writable folder in systemd PATH?

Timers

Any writable timer?

Sockets

Any writable .socket file?
Can you communicate with any socket?
HTTP sockets with interesting info?

D-Bus

Can you communicate with any D-Bus?

Network

Enumerate the network to know where you are
Open ports you couldn't access before getting a shell inside the machine?
Can you sniff traffic using tcpdump?

Users

Generic users/groups enumeration
Do you have a very big UID? Is the machine vulnerable?
Can you escalate privileges thanks to a group you belong to?
Clipboard data?
Password Policy?
Try to use every known password that you have discovered previously to login with each possible user. Try to login also without a password.

Writable PATH

If you have write privileges over some folder in PATH you may be able to escalate privileges

SUDO and SUID commands

Capabilities

Has any binary any unexpected capability?

ACLs

Has any file any unexpected ACL?

Open Shell sessions

screen
tmux

SSH

Interesting Files

Writable Files

Modify python library to execute arbitrary commands?
Can you modify log files? Logtotten exploit
Can you modify /etc/sysconfig/network-scripts/? Centos/Redhat exploit
Can you write in ini, int.d, systemd or rc.d files?

Other tricks

Can you abuse NFS to escalate privileges?
Do you need to escape from a restrictive shell?