
Linux Privilege Escalation Checklist

A comprehensive checklist for Linux privilege escalation covering common vectors and enumeration techniques.



A systematic approach to Linux privilege escalation enumeration and exploitation.

Initial Enumeration

System Information

uname -a
cat /etc/os-release
hostname

User Information

id
whoami
groups
cat /etc/passwd

Network Information

ifconfig
ip addr
netstat -tulpn
ss -tulpn

SUID/SGID Binaries

Find SUID Binaries

find / -perm -4000 2>/dev/null
find / -perm -2000 2>/dev/null

Check GTFOBins

For each SUID binary, check GTFOBins for exploitation methods.

Capabilities

getcap -r / 2>/dev/null

Capabilities can grant specific privileges without full root access.

Cron Jobs

System Cron

cat /etc/crontab
ls -la /etc/cron.*

User Cron

crontab -l
ls -la /var/spool/cron

Writable Cron Scripts

Check if cron scripts are writable:

find /etc/cron* -type f -writable 2>/dev/null

World-Writable Files

find / -type f -perm -0002 -ls 2>/dev/null
find / -type d -perm -0002 -ls 2>/dev/null

Environment Variables

env
echo $PATH

Check for writable directories in PATH that could be exploited.

NFS Shares

showmount -e target_ip

If an NFS share is exported with no_root_squash, the server does not map a client's root user to the anonymous user, so the share can be exploited.

Kernel Exploits

Kernel Version

uname -r
cat /proc/version

Search for Exploits

searchsploit "kernel version"

Sudo Misconfiguration

Sudo Permissions

sudo -l

Look for:

  • Commands that can be run without password
  • Commands that allow shell escape
  • Wildcards in sudo rules
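
The first and third checks above can be scripted when reviewing sudo rules across many accounts. The following is an added example, not part of the original checklist: it reads `sudo -l` output on stdin and flags NOPASSWD rules, wildcard arguments and blanket ALL grants. The function names, output format and sample text are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag risky rules in `sudo -l` output read from stdin.
# Output columns (this script's own format): FLAG <tab> runas <tab> command
# Not covered: shell-escape detection (needs per-binary knowledge, e.g.
# GTFOBins), wrapped lines, and commands containing escaped commas.

audit_sudo_rules() {
  awk '
    # Rule lines are indented and begin with the "(runas)" specification.
    /^[ \t]+\(/ {
      line = $0;    sub(/^[ \t]+/, "", line)
      runas = line; sub(/\).*/, ")", runas)
      rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
      nopass = 0
      n = split(rest, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        # A tag such as NOPASSWD: applies to the commands after it
        # until the opposite tag (PASSWD:) resets it.
        while (match(c, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(c, 1, RLENGTH)
          if (tag ~ /^NOPASSWD:/)    nopass = 1
          else if (tag ~ /^PASSWD:/) nopass = 0
          c = substr(c, RLENGTH + 1)
        }
        if (nopass)     printf "NOPASSWD\t%s\t%s\n", runas, c
        if (c ~ /[*?]/) printf "WILDCARD\t%s\t%s\n", runas, c
        if (c == "ALL") printf "ALL_CMDS\t%s\t%s\n", runas, c
      }
    }
  '
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
    (root) /usr/bin/rsync -a /srv/backup/* /mnt/backup/
    (backup) NOPASSWD: /opt/scripts/*.sh, PASSWD: /usr/bin/tar
    (ALL : ALL) ALL
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a live host the same function can be fed directly: `sudo -l | audit_sudo_rules`.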

Password Files

cat /etc/shadow
find / -name "*.pem" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

Service Misconfigurations

Running Services

ps aux
systemctl list-units --type=service

Writable Service Files

find /etc/systemd/system -type f -writable 2>/dev/null

Automated Tools

While manual enumeration is important, automated tools can help:

./linpeas.sh
./lse.sh    # linux-smart-enumeration

Documentation

Document all findings:

  • SUID binaries found
  • Cron jobs discovered
  • Writable files identified
  • Potential exploit paths

This checklist should be used as a starting point, not a complete solution. Always adapt based on the specific environment.

Disclaimer

This content is for educational and ethical hacking purposes only. Only use these techniques on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.