> For the complete documentation index, see [llms.txt](https://jackmeister.gitbook.io/jackmeister-playbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jackmeister.gitbook.io/jackmeister-playbook/network-pentest/linux/privileges-escalation.md).

# Privileges Escalation

### Kernel Exploits

```
   1) uname -a
   2) /proc/version
   3) /etc/issue
      1- Look for an exploit for the kernel
      2- Compile and run the code
```

### Sudo

```
   1) sudo -l
      1- look for files you can execute as root. use gtfobins
   2) LD_PRELOAD
      1- if env-keep is set can generate and execute custom lib when running command
         1> compile code as shared object (.so) 
         2> run command with sudo pointing LD_PRELOAD to you .so file
```

### SUID

```
   1) find / -type f -perm -04000 -ls 2>/dev/null 
   2) find / -perm -u=s -type f 2>/dev/null
      1- find SUID enabled files
      2- use gtfobins to find out how to exploit them
```

### Cron Jobs

```
   1) cat /etc/crontab
      1- look for jobs being run as a user with higher privs than you
      2- see if you can write to the file being executed
      3- If the job dosent specify full path, will use PATH listed in crontab. If can write to any dir in the PATH, can hijack the Cron Job
```

### PATH

```
   1) echo $PATH
   2) Can you write to and Dirs in $PATH?
   3) Can you modify your path?
   4) Is there a script you can run that will be effected by this?
      1- if you can modify PATH you can ad d/tmp to beggining and hijack and binary being run with higher privs than you have
```

### Capabilities

```
  1) getcap -r / 2>
      1- recursively get capabilities for every file starting from /
```

### NFS

```
   1) cat /etc/exports
      1- must have “no_root_squash” enabled on a share
         1>  showmount -e 10.10.135.31
         2> mkdir /tmp/mnt 
         3> mount -o rw IP:SHARE /tmp/mnt
         4> make and compile and an exploit
         5> Add the SUID bit
         6> transfer file to mounted share
         7> Execute as user on target
```

### Mind Map&#x20;

<figure><img src="/files/Txbq6QCOxTCS79y1v51L" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://jackmeister.gitbook.io/jackmeister-playbook/network-pentest/linux/privileges-escalation.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
