# Privileges Escalation

### Kernel Exploits

```
   1) uname -a
   2) /proc/version
   3) /etc/issue
      1- Look for an exploit for the kernel
      2- Compile and run the code
```

### Sudo

```
   1) sudo -l
      1- look for files you can execute as root. use gtfobins
   2) LD_PRELOAD
      1- if env-keep is set can generate and execute custom lib when running command
         1> compile code as shared object (.so) 
         2> run command with sudo pointing LD_PRELOAD to you .so file
```

### SUID

```
   1) find / -type f -perm -04000 -ls 2>/dev/null 
   2) find / -perm -u=s -type f 2>/dev/null
      1- find SUID enabled files
      2- use gtfobins to find out how to exploit them
```

### Cron Jobs

```
   1) cat /etc/crontab
      1- look for jobs being run as a user with higher privs than you
      2- see if you can write to the file being executed
      3- If the job dosent specify full path, will use PATH listed in crontab. If can write to any dir in the PATH, can hijack the Cron Job
```

### PATH

```
   1) echo $PATH
   2) Can you write to and Dirs in $PATH?
   3) Can you modify your path?
   4) Is there a script you can run that will be effected by this?
      1- if you can modify PATH you can ad d/tmp to beggining and hijack and binary being run with higher privs than you have
```

### Capabilities

```
  1) getcap -r / 2>
      1- recursively get capabilities for every file starting from /
```

### NFS

```
   1) cat /etc/exports
      1- must have “no_root_squash” enabled on a share
         1>  showmount -e 10.10.135.31
         2> mkdir /tmp/mnt 
         3> mount -o rw IP:SHARE /tmp/mnt
         4> make and compile and an exploit
         5> Add the SUID bit
         6> transfer file to mounted share
         7> Execute as user on target
```

### Mind Map 

<figure><img src="https://3842310249-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUP340Y0oTQWYWNx6lIXd%2Fuploads%2FbGZgOZpVPjDr62i8pzFU%2Fdownload.png?alt=media&#x26;token=323f74a5-4e25-4dfb-a4c6-0ae528e758df" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jackmeister.gitbook.io/jackmeister-playbook/network-pentest/linux/privileges-escalation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.