Privilege Escalation Cheatsheet (Vulnhub)
This cheatsheet is aimed at CTF players and beginners, to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux commands. Privilege escalation is all about proper enumeration, and there are multiple ways to perform the same tasks. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Pavandeep Singh.
Table of Contents
- Abusing Sudo Rights
- SUID Bit
- Kernel Exploit
- Path Variable
- Enumeration
- MySQL
- Crontab
- Wildcard Injection
- Capabilities
- Writable /etc/passwd file
- Writable files or script as root
- Buffer Overflow
- Docker
- Chkrootkit
- Bruteforce
- Crack /etc/shadow
- NFS
- Json
- Redis
- LXD
- All
- Exim
Abusing Sudo Rights

No. | Machine Name | Files/Binaries |
---|---|---|
1. | Ted:1 | apt-get |
2. | KFIOFan : 1 | awk |
3. | 21 LTR: Scene1 | cat |
4. | Skytower | cat |
5. | Matrix : 1 | cp |
6. | Sputnik 1 | ed |
7. | Sunset | ed |
8. | DC-2 | git |
9. | Kioptrix : Level 1.2 | ht |
10. | Matrix-3 | manual |
11. | symfonos : 2 | MySQL |
12. | Development | nano |
13. | SP ike | nmap |
14. | DC6 | nmap |
15. | Dina | perl |
16. | Wakanda : 1 | pip |
17. | Violator | proftpd |
18. | Torment | python |
19. | Broken: Gallery | reboot/timedatectl |
20. | DE-ICE:S1.120 | script |
21. | Fristileaks | script |
22. | DerpNStink | script |
23. | Digitalworld.local : JOY | script |
24. | PumpkinFestival | script |
25. | The Ether: Evil Science | script |
26. | PumpkinRaising | strace |
27. | Unknowndevice64 : 1 | strace |
28. | Holynix: v1 | tar |
29. | Breach 2.1 | tcpdump |
30. | Temple of Doom | tcpdump |
31. | Web Developer : 1 | tcpdump |
32. | DC-4 | teehee |
33. | Serial: 1 | vim |
34. | Zico 2 | zip |
35. | Sunset: Nightfall | cat |
36. | HA: Infinity Stones |
SUID Bit

No. | Machine Name | SUID Bit |
---|---|---|
1. | Kevgir | cp |
2. | digitalworld.local - BRAVERY | cp |
3. | Happycorp : 1 | cp |
4. | FourAndSix : 2 | doas |
5. | DC-1 | find |
6. | dpwwn:2 | find |
7. | MinU: v2 | Micro Editor |
8. | Toppo:1 | python 2.7/mawk |
9. | Mr. Robot | nmap |
10. | Covfefe | script |
11. | /dev/random : K2 | script |
12. | hackme1 | script |
13. | Sunset: dawn | zsh |
14. | HA: Wordy | cp |
Kernel Exploit

No. | Machine Name | Kernel | Exploit |
---|---|---|---|
1. | pWnOS -1.0 | Linux Kernel 2.6.17 < 2.6.24.1 | 5092 |
2. | LAMPSecurity: CTF 5 | Linux Kernel 2.4/2.6 | 9479 |
3. | Kioptrix : Level 1.1 | CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) | 9542 |
4. | Hackademic-RTB1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
5. | Hackademic-RTB2 | 'RDS Protocol' Local Privilege Escalation | 15285 |
6. | ch4inrulz : 1.0.1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
7. | Kioptrix: 5 | FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | 28718 |
8. | Simple | Apport/Abrt (Ubuntu / Fedora) | 36746 |
9. | SecOS: 1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
10. | Droopy | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
11. | VulnOS: 2.0 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
12. | Fartknocker | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
13. | Super Mario | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
14. | Golden Eye:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
15. | Typhoon : 1.02 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
16. | GrimTheRipper:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
17. | 6days | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
18. | Lord of the Root | Ubuntu 14.04/15.10 | 39166 |
19. | Acid Reloaded | Ubuntu 14.04/15.10 | 39166 |
20. | Stapler | Ubuntu 16.04 | 39772 |
21. | Sidney | Ubuntu 16.04 | 39772 |
22. | DC-3 | Ubuntu 16.04 | 39772 |
23. | Pluck | Dirty COW | 40616 |
24. | Lampiao : 1 | 'Dirty COW /proc/self/mem' Race Condition | 40847 |
25. | WinterMute : 1 | GNU Screen 4.5.0 | 41154 |
26. | DC-5 | GNU Screen 4.5.0 | 41154 |
27. | BTRSys:dv 2.1 | Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free | 41458 |
28. | Nightmare | Ubuntu 14.04/16.04 (KASLR / SMEP) | 43418 |
29. | Trollcave | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
30. | Prime: 1 | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
Path Variable

No. | Machine Name | Files |
---|---|---|
1. | PwnLab | cat |
2. | USV | cat |
3. | Zeus:1 | date |
4. | The Gemini inc | date |
5. | EW-Skuzzy | id |
6. | Nullbyte | ps |
7. | symfonos : 1 | curl |
8. | Silky-CTF: 0x01 | whoami |
9. | Beast 2 | whoami |
Enumeration

No. | Machine Name |
---|---|
1. | The Library:1 |
2. | The Library:2 |
3. | LAMPSecurity: CTF 4 |
4. | LAMPSecurity: CTF 7 |
5. | Xerxes: 1 |
6. | pWnOS -2.0 |
7. | DE-ICE:S1.130 |
9. | Tommyboy |
10. | VulnOS: 1 |
11. | Spyder Sec |
12. | Acid |
13. | Necromancer |
14. | Freshly |
15. | Fortress |
16. | Billu : B0x |
17. | Defence Space |
18. | Moria 1.1 |
19. | Analougepond |
20. | Lazysysadmin |
21. | Bulldog |
22. | BTRSys 1 |
23. | G0rmint |
24. | Blacklight : 1 |
25. | The blackmarket |
26. | Matrix 2 |
27. | Basic Pentesting : 2 |
28. | Depth |
29. | Bob: 1.0.1 |
30. | W34kn3ss 1 |
31. | Replay: 1 |
32. | Born2Root: 2 |
33. | CLAMP 1.0.1 |
34. | WestWild: 1.1 |
35. | 64base |
36. | C0m80 |
37. | Gibson |
38. | Quaoar |
MySQL

No. | Machine Name |
---|---|
1. | Kioptrix : Level 1.3 |
2. | Raven |
3. | Raven : 2 |
Crontab

No. | Machine Name |
---|---|
1. | Billy Madison |
2. | BSides Vancouver: 2018 |
3. | Jarbas : 1 |
4. | SP:Jerome |
5. | dpwwn: 1 |
Wildcard Injection

No. | Machine Name |
---|---|
1. | Milnet |
2. | Pipe |
Capabilities

No. | Machine Name |
---|---|
1. | Kuya : 1 |
2. | DomDom: 1 |
Writable /etc/passwd file

No. | Machine Name |
---|---|
1. | Hackday Albania |
2. | Billu Box 2 |
3. | Bulldog 2 |
4. | AI: Web: 1 |
5. | Westwild: 2 |
Writable files or script as root

No. | Machine Name |
---|---|
1. | Skydog |
2. | Breach 1.0 |
3. | Bot Challenge: Dexter |
4. | Fowsniff : 1 |
5. | Mercy |
6. | Casino Royale |
7. | SP eric |
8. | PumpkinGarden |
9. | Tr0ll: 3 |
10. | Nezuko:1 |
11. | Symfonos:3 |
12. | Tr0ll 1 |
13. | DC:7 |
Buffer Overflow

No. | Machine Name |
---|---|
1. | Tr0ll 2 |
2. | IMF |
3. | BSides London 2017 |
4. | PinkyPalace |
5. | ROP Primer |
6. | CTF KFIOFAN:2 |
7. | Kioptrix : Level 1 |
8. | Silky-CTF: 0x02 |
Docker

No. | Machine Name |
---|---|
1. | Donkey Docker |
2. | Game of Thrones |
3. | HackinOS : 1 |
Chkrootkit

No. | Machine Name |
---|---|
1. | SickOS 1.2 |
2. | Sedna |
Bruteforce

No. | Machine Name |
---|---|
1. | Rickdiculouslyeasy |
2. | RootThis : 1 |
3. | LAMPSecurity: CTF 8 |
4. | Cyberry:1 |
5. | Born2root |
Crack /etc/shadow

No. | Machine Name |
---|---|
1. | DE-ICE:S1.140 |
2. | Minotaur |
3. | Moonraker:1 |
4. | Basic Penetration |
5. | W1R3S.inc |
NFS

No. | Machine Name |
---|---|
1. | Orcus |
2. | FourAndSix |
Json

No. | Machine Name | Json |
---|---|---|
1. | MinU: 1 | Json Token |
2. | Symfonos:4 | Json Pickle |
Redis

No. | Machine Name |
---|---|
1. | Gemini inc:2 |
LXD

No. | Machine Name |
---|---|
1. | AI: Web: 2 |
All

No. | Machine Name |
---|---|
1. | Lin.Security |
2. | Escalate_Linux |
Exim

No. | Machine Name |
---|---|
1. | DC:8 |