
Cheatsheet LPE Linux (to be completed)

Linux LPE to-do list

List Users

cat /etc/passwd

Check Exploits for the Running Linux Kernel Version

uname -a # full kernel info
uname -r # just the version

Check Special Groups That May Allow Privileged Command Execution

groups

For example, if the user is a member of the docker group, it may be possible to mount part of the host's root filesystem into a Docker container: https://www.hackingarticles.in/docker-privilege-escalation/

docker run -it -v /root:/mnt alpine  # or another image

Check Environment Variables

printenv

Find Executables with sudo Privileges

sudo -l

https://gtfobins.github.io

If you are dealing with a custom script:

Check Running Services / Timers

  • Check ports exposed only on localhost:
./linpeas
ss -tlnp
ps aux # process listing
  • List active services and timers:
systemctl list-units --type=service --state=running
systemctl list-timers
  • Print detailed information about a specific service or timer (unit):
systemctl cat custom.service
  • Get the status of a service:
systemctl status apache2

Check Suspicious Files

  • Find files owned by the current user (excluding /run, /proc, etc.):
find / -user <USER> 2>/dev/null | grep -v '^/run\|^/proc\|^/sys'
  • Search in common directories:
/opt
/var
/tmp
/mail

(others?)

  • Search for files by name:
find / -iname '*<PATTERN>*' 2>/dev/null

Check Files with SUID Bit Set (Owned by Root) (Reported by linpeas)

Pay special attention to binary files on the system. Some may be vulnerable to Local Privilege Escalation (LPE) exploits!
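
The same SUID/SGID check can be run as a repeatable audit that compares what is on disk against a known-good baseline and flags set-id files that group or other can modify. This is an added example, not part of the original cheatsheet; the function names and the baseline file format (one absolute path per line) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): audit SUID/SGID files.
# Function names and the baseline-file format are assumptions of this sketch.

# list_setid DIR [OWNER]
# Print regular files under DIR that have the SUID or SGID bit set and are
# owned by OWNER (user name or numeric UID; default 0 = root).
# -xdev keeps find on the filesystem that DIR lives on.
list_setid() {
    find "$1" -xdev -type f -user "${2:-0}" \
        \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_setid DIR BASELINE [OWNER]
# Print set-id files that are NOT listed in BASELINE (one absolute path per
# line). Exit status 0 means at least one unexpected file was found.
unexpected_setid() {
    list_setid "$1" "${3:-0}" | grep -Fxv -f "$2"
}

# writable_setid DIR [OWNER]
# Print set-id files that group or other can write to: anyone with that
# write access can replace code that runs with the owner's privileges.
writable_setid() {
    find "$1" -xdev -type f -user "${2:-0}" \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Usage: ./setid_audit.sh DIR BASELINE_FILE
if [ "$#" -ge 2 ]; then
    echo "== set-id files missing from baseline =="
    unexpected_setid "$1" "$2"
    echo "== set-id files writable by group/other =="
    writable_setid "$1"
fi
```

A baseline can be produced by running `list_setid /` on a freshly installed, trusted image and saving the output.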

Capabilities (Reported by linpeas)

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities

Non-Exhaustive List of Additional Checks

  • Check if dangerous binaries have the SUID/SGID attribute (linpeas)
  • List files not owned by me but where I have write permissions
  • Check if critical packages (sudo, polkit, etc.) are outdated
