Linux Privilege Escalation (Manual)

🛠️ Command

Find SUID/GUID Binaries

Find all files with the SUID or GUID bit set to identify potential escalation paths.

find / -perm -u=s -type f 2>/dev/null; find / -perm -g=s -type f 2>/dev/null

Check Sudo Permissions

List the allowed (and forbidden) commands for the current user.

sudo -l

Find Writable Files and Directories

Identify system files or directories that are world-writable.

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

Check for NFS Root Squashing

Determine if any NFS shares are exported with ‘no_root_squash’.

cat /etc/exports

Search for Credentials in Configuration Files

Grep for ‘password’ or ‘config’ in common directory paths.

grep -ri "password" {{directory}} 2>/dev/null; find {{directory}} -name "*config*" 2>/dev/null

Enumerate Cron Jobs

List all scheduled tasks for the system and the current user.

cat /etc/crontab; ls -la /etc/cron.*; crontab -l

📝 Description

A collection of manual enumeration techniques for identifying privilege escalation vectors on Linux systems.

Privilege escalation in Linux often relies on misconfigured binary permissions (SUID), overly permissive sudo rules, or insecure system configurations like cron jobs and NFS exports. This file consolidates the core manual checks taught in the PNPT curriculum to find paths to root access.

🔗 References

• https://gtfobins.github.io/
• https://github.com/rebootuser/LinEnum