/Privilege-Escalation


Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners, to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux commands. Privilege escalation is all about proper enumeration, and there are multiple ways to perform the same task. We have performed these escalations ourselves and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Pavandeep Singh.


Table of Contents

Abusing Sudo Rights

No. Machine Name Files/Binaries
1. Ted:1 apt-get
2. KFIOFan : 1 awk
3. 21 LTR: Scene1 cat
4. Skytower cat
5. Matrix : 1 cp
6. Sputnik 1 ed
7. Sunset ed
8. DC-2 git
9. Kioptrix : Level 1.2 ht
10. Matrix-3 manual
11. symfonos : 2 MySQL
12. Development nano
13. SP ike nmap
14. DC6 nmap
15. Dina perl
16. Wakanda : 1 pip
17. Violator proftpd
18. Broken: Gallery reboot/timedatectl
19. DE-ICE:S1.120 script
20. Fristileaks script
21. DerpNStink script
22. Digitalworld.local : JOY script
23. PumpkinFestival script
24. The Ether: Evil Science script
25. HA:Rudra script
26. djinn:1 script
27. UA: Literally Vulnerable script
28. PumpkinRaising strace
29. Unknowndevice64 : 1 strace
30. Holynix: v1 tar
31. Breach 2.1 tcpdump
32. Temple of Doom tcpdump
33. Web Developer : 1 tcpdump
34. DC-4 teehee
35. Serial: 1 vim
36. Zico 2 zip
37. HA: Dhanush zip
38. Sunset: Nightfall cat
39. HA: Infinity Stones ftp
40. Sunset-Sunrise wine
41. Me and My Girlfriend:1 php
42. Symfonos:5 dpkg
43. Five86:2 service
44. Tempus Fugit:1 Different for every user

SUID Bit

No. Machine Name SUID Bit
1. Kevgir cp
2. digitalworld.local - BRAVERY cp
3. Happycorp : 1 cp
4. FourAndSix : 2 doas
5. DC-1 find
6. dpwwn:2 find
7. MinU: v2 Micro Editor
8. Toppo:1 python 2.7/mawk
9. Mr. Robot nmap
10. Covfefe script
11. /dev/random : K2 script
12. hackme1 script
13. Sunset: dawn zsh
14. HA: Wordy cp
15. bossplayersCTF 1 find
16. In Plain Sight:1 script
17. Five86:1 script
18. Geisha:1 base32

Kernel Exploit

No. Machine Name Kernel Exploit
1. pWnOS -1.0 Linux Kernel 2.6.17 < 2.6.24.1 5092
2. LAMPSecurity: CTF 5 Linux Kernel 2.4/2.6 9479
3. Kioptrix : Level 1.1 CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) 9542
4. Hackademic-RTB1 'RDS Protocol' Local Privilege Escalation 15285
5. Hackademic-RTB2 'RDS Protocol' Local Privilege Escalation 15285
6. ch4inrulz : 1.0.1 'RDS Protocol' Local Privilege Escalation 15285
7. Kioptrix: 5 FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation 28718
8. Simple Apport/Abrt (Ubuntu / Fedora) 36746
9. SecOS: 1 Ubuntu 12.04/14.04/14.10/15.04 37292
10. Droopy Ubuntu 12.04/14.04/14.10/15.04 37292
11. VulnOS: 2.0 Ubuntu 12.04/14.04/14.10/15.04 37292
12. Fartknocker Ubuntu 12.04/14.04/14.10/15.04 37292
13. Super Mario Ubuntu 12.04/14.04/14.10/15.04 37292
14. Golden Eye:1 Ubuntu 12.04/14.04/14.10/15.04 37292
15. Typhoon : 1.02 Ubuntu 12.04/14.04/14.10/15.04 37292
16. GrimTheRipper:1 Ubuntu 12.04/14.04/14.10/15.04 37292
17. 6days Ubuntu 12.04/14.04/14.10/15.04 37292
18. Lord of the Root Ubuntu 14.04/15.10 39166
19. Acid Reloaded Ubuntu 14.04/15.10 39166
20. Stapler Ubuntu 16.04 39772
21. Sidney Ubuntu 16.04 39772
22. DC-3 Ubuntu 16.04 39772
23. Pluck Dirty COW 40616
24. Lampiao : 1 'Dirty COW /proc/self/mem' Race Condition 40847
25. WinterMute : 1 GNU Screen 4.5.0 41154
26. DC-5 GNU Screen 4.5.0 41154
27. BTRSys:dv 2.1 Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free 41458
28. Nightmare Ubuntu 14.04/16.04 (KASLR / SMEP) 43418
29. Trollcave Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) 44298
30. Prime: 1 Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) 44298
31. LAMPSecurity: CTF6 Linux Kernel 2.6 8478
32. My File Server:1 Dirty COW 40616
33. VulnUni 1.0.1 GUnet OpenEclass E-learning platform 1.7.3 48106

Path Variable

No. Machine Name Path Variable Files
1. PwnLab cat
2. USV cat
3. Zeus:1 date
4. The Gemini inc date
5. EW-Skuzzy id
6. Nullbyte ps
7. symfonos : 1 curl
8. Silky-CTF: 0x01 whoami
9. Beast 2 whoami
10. HA:Arsenal Avengers ifconfig
11. Inclusiveness:1 whoami
12. MuzzyBox:1 ls
13. TBBT:2 sl

Enumeration

No. Machine Name
1. The Library:1
2. The Library:2
3. LAMPSecurity: CTF 4
4. LAMPSecurity: CTF 7
5. Xerxes: 1
6. pWnOS -2.0
7. DE-ICE:S1.130
9. Tommyboy
10. VulnOS: 1
11. Spyder Sec
12. Acid
13. Necromancer
14. Freshly
15. Fortress
16. Billu : B0x
17. Defence Space
18. Moria 1.1
19. Analougepond
20. Lazysysadmin
21. Bulldog
22. BTRSys 1
23. G0rmint
24. Blacklight : 1
25. The blackmarket
26. Matrix 2
27. Basic Pentesting : 2
28. Depth
29. Bob: 1.0.1
30. W34kn3ss 1
31. Replay: 1
32. Born2Root: 2
33. CLAMP 1.0.1
34. WestWild: 1.1
35. 64base
36. C0m80
37. Gibson
38. Quaoar
39. Hacker Fest: 2019
40. EVM: 1
41. EnuBox:Mattermost
42. 2much:1
43. mhz_cxf:c1f

MySQL

No Machine Name
1. Kioptrix : Level 1.3
2. Raven
3. Raven : 2

Crontab

No Machine Name
1. Billy Madison
2. BSides Vancouver: 2018
3. Jarbas : 1
4. SP:Jerome
5. dpwwn: 1
6. Sar
7. TBBT

Wildcard Injection

No Machine Name
1. Milnet
2. Pipe

Capabilities

No Machine Name
1. Kuya : 1
2. DomDom: 1
3. HA: Naruto
4. Connect The Dots:1
5. Katana

Writable /etc/passwd file

No Machine Name
1. Hackday Albania
2. Billu Box 2
3. Bulldog 2
4. AI: Web: 1
5. Westwild: 2
6. Misdirection 1
7. HA: ISRO
8. Gears of War: EP#1
9. DC:9
10. Sahu

Writable files or script as root

No Machine Name
1. Skydog
2. Breach 1.0
3. Bot Challenge: Dexter
4. Fowsniff : 1
5. Mercy
6. Casino Royale
7. SP eric
8. PumpkinGarden
9. Tr0ll: 3
10. Nezuko:1
11. Symfonos:3
12. Tr0ll 1
13. DC:7
14. View2aKill
15. CengBox:1

Buffer Overflow

No Machine Name
1. Tr0ll 2
2. IMF
3. BSides London 2017
4. PinkyPalace
5. ROP Primer
6. CTF KFIOFAN:2
7. Kioptrix : Level 1
8. Silky-CTF: 0x02

Docker

No Machine Name
1. Donkey Docker
2. Game of Thrones
3. HackinOS : 1
4. HA: Chakravyuh
5. Mumbai:1
6. Sunset: dusk

Chkrootkit

No Machine Name
1. SickOS 1.2
2. Sedna
3. HA: Chanakya

Bruteforce

No Machine Name
1. Rickdiculouslyeasy
2. RootThis : 1
3. LAMPSecurity: CTF 8
4. Cyberry:1
5. Born2root

Crack /etc/shadow

No Machine Name
1. DE-ICE:S1.140
2. Minotaur
3. Moonraker:1
4. Basic Penetration
5. W1R3S.inc

NFS

No Machine Name
1. Orcus
2. FourAndSix

Json

No Machine Name Json
1. MinU: 1 Json Token
2. Symfonos:4 Json Pickle

Redis

No Machine Name
1. Gemini inc:2

LXD

No Machine Name
1. AI: Web: 2
2. HA: Joker
3. CyNix:1

ALL

No Machine Name
1. Lin.Security
2. Escalate_Linux
3. Jigsaw:1

Exim

No Machine Name
1. DC:8

Apache2 Writable

No Machine Name
1. Torment
2. HA: Armour