Awesome Privilege Escalation

A curated list of awesome privilege escalation

Table of Contents

Linux

Escape restricted shells

SUDO and SUID

Capabilities

Tools

  • AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically.
  • BeRoot: BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. exploits.
  • exploit-suggester: This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try. is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable
  • kernelpop: kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation.
  • LES: LES: Linux privilege escalation auditing tool
  • LinEnum: Scripted local Linux enumeration & privilege escalation checks
  • LinPEAS: Linux Privilege Escalation Awesome Script
  • Linux Exploit Suggester 2: Next-generation exploit suggester based on Linux_Exploit_Suggester
  • Linux_Exploit_Suggester: Linux Exploit Suggester; based on operating system release number.
  • linux-kernel-exploits
  • Linuxprivchecker.py: This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.
  • Linux Privilege Escalation Check Script: Originally forked from the linuxprivchecker.py (Mike Czumak), this script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable exploits.
  • linux-smart-enumeration: Linux enumeration tools for pentesting and CTFs
  • linux-soft-exploit-suggester: linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation.
  • PrivEsc: A collection of Windows, Linux and MySQL privilege escalation scripts and exploits.
  • pspy: unprivileged Linux process snooping
  • traitor: Automatically exploit low-hanging fruit to pop a root shell. Linux privilege escalation made easy!
  • unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
  • Unix-Privilege-Escalation-Exploits-Pack: Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc.
  • uptux: Specialized privilege escalation checks for Linux systems.

Find CVEs

  • active-cve-check: Checks a list of packages against the "active" (not yet patched) CVE's as listed in the Ubuntu CVE Tracker.
  • Arch-Audit: A tool to check vulnerable packages in Arch Linux.
  • cve-check-tool: Original Automated CVE Checking Tool.
  • LPVS: Linux Package Vulnerability Scanner for CentOS and Ubuntu.

Chkrootkit

NFS

Presentations

Windows

DLL Hijacking

Potato

Unquoted services with spaces

Groups.xml

PrintNightmare

Tools

  • JAWS - Just Another Windows (Enum) Script: JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
  • juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
  • Potato: Potato Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012.
  • PowerSploit: PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
  • PrivescCheck: Enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation, by itm4n.
  • RemotePotato0: Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin by antonioCoco.
  • RoguePotato: Another Windows Local Privilege Escalation from Service Account to System by splinter_code/antonioCoco
  • RottenPotato: RottenPotato local privilege escalation from service account to SYSTEM. (No longer maintained)
  • RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Seatbelt: Project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • SessionGopher: SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools.
  • Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. (Deprecated)
  • SweetPotato: Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019 by CCob
  • Tater: Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.
  • Watson: Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
  • WindowsEnum: A Powershell Privilege Escalation Enumeration Script.
  • Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. By AonCyberLabs
  • Windows Exploit Suggester - Next Generation (WES-NG): WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported. By bitsadmin
  • windows-privesc-check: Standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
  • winPEAS: Windows Privilege Escalation Awesome Scripts
  • WinPwnage: UAC bypass, Elevate, Persistence and Execution methods. The goal of this repo is to study the Windows penetration techniques.

Presentations

Linux and Windows

Docker

Tools

  • BOtB: BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.
  • CDK: CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency.
  • Deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
  • Dokcer-escape-tool: This tool will help identify if you're in a Docker container and try some quick escape techniques to help assess the security of your containers.
  • PrivilegedDockerEscape: A bash script to create an interactive shell from a privileged docker container to the container host

Presentations

Cloud

AWS

Tools

  • Pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. By RhinoSecurityLabs.

GCP

Tools

  • GCPBucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated. By RhinoSecurity.