> For the complete documentation index, see [llms.txt](https://angelica.gitbook.io/hacktricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://angelica.gitbook.io/hacktricks/linux-hardening/linux-privilege-escalation-checklist.md).

# Checklist - Linux Privilege Escalation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/files/pkCbnqa1piLi0fahSPUn" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

### [System Information](/hacktricks/linux-hardening/privilege-escalation.md#system-information)

* [ ] Get **OS information**
* [ ] Check the [**PATH**](/hacktricks/linux-hardening/privilege-escalation.md#path), any **writable folder**?
* [ ] Check [**env variables**](/hacktricks/linux-hardening/privilege-escalation.md#env-info), any sensitive detail?
* [ ] Search for [**kernel exploits**](/hacktricks/linux-hardening/privilege-escalation.md#kernel-exploits) **using scripts** (DirtyCow?)
* [ ] **Check** if the [**sudo version** is vulnerable](/hacktricks/linux-hardening/privilege-escalation.md#sudo-version)
* [ ] [**Dmesg** signature verification failed](/hacktricks/linux-hardening/privilege-escalation.md#dmesg-signature-verification-failed)
* [ ] More system enum ([date, system stats, cpu info, printers](/hacktricks/linux-hardening/privilege-escalation.md#more-system-enumeration))
* [ ] [Enumerate more defenses](/hacktricks/linux-hardening/privilege-escalation.md#enumerate-possible-defenses)

### [Drives](/hacktricks/linux-hardening/privilege-escalation.md#drives)

* [ ] **List mounted** drives
* [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?**

### [**Installed Software**](/hacktricks/linux-hardening/privilege-escalation.md#installed-software)

* [ ] **Check for**[ **useful software**](/hacktricks/linux-hardening/privilege-escalation.md#useful-software) **installed**
* [ ] **Check for** [**vulnerable software**](/hacktricks/linux-hardening/privilege-escalation.md#vulnerable-software-installed) **installed**

### [Processes](/hacktricks/linux-hardening/privilege-escalation.md#processes)

* [ ] Is any **unknown software running**?
* [ ] Is any software running with **more privileges than it should have**?
* [ ] Search for **exploits of running processes** (especially the version running).
* [ ] Can you **modify the binary** of any running process?
* [ ] **Monitor processes** and check if any interesting process is running frequently.
* [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?

### [Scheduled/Cron jobs?](/hacktricks/linux-hardening/privilege-escalation.md#scheduled-jobs)

* [ ] Is the [**PATH** ](/hacktricks/linux-hardening/privilege-escalation.md#cron-path)being modified by some cron and you can **write** in it?
* [ ] Any [**wildcard** ](/hacktricks/linux-hardening/privilege-escalation.md#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
* [ ] Some [**modifiable script** ](/hacktricks/linux-hardening/privilege-escalation.md#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
* [ ] Have you detected that some **script** could be or are being [**executed** very **frequently**](/hacktricks/linux-hardening/privilege-escalation.md#frequent-cron-jobs)? (every 1, 2 or 5 minutes)

### [Services](/hacktricks/linux-hardening/privilege-escalation.md#services)

* [ ] Any **writable .service** file?
* [ ] Any **writable binary** executed by a **service**?
* [ ] Any **writable folder in systemd PATH**?

### [Timers](/hacktricks/linux-hardening/privilege-escalation.md#timers)

* [ ] Any **writable timer**?

### [Sockets](/hacktricks/linux-hardening/privilege-escalation.md#sockets)

* [ ] Any **writable .socket** file?
* [ ] Can you **communicate with any socket**?
* [ ] **HTTP sockets** with interesting info?

### [D-Bus](/hacktricks/linux-hardening/privilege-escalation.md#d-bus)

* [ ] Can you **communicate with any D-Bus**?

### [Network](/hacktricks/linux-hardening/privilege-escalation.md#network)

* [ ] Enumerate the network to know where you are
* [ ] **Open ports you couldn't access before** getting a shell inside the machine?
* [ ] Can you **sniff traffic** using `tcpdump`?

### [Users](/hacktricks/linux-hardening/privilege-escalation.md#users)

* [ ] Generic users/groups **enumeration**
* [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
* [ ] Can you [**escalate privileges thanks to a group**](/hacktricks/linux-hardening/privilege-escalation/interesting-groups-linux-pe.md) you belong to?
* [ ] **Clipboard** data?
* [ ] Password Policy?
* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password.

### [Writable PATH](/hacktricks/linux-hardening/privilege-escalation.md#writable-path-abuses)

* [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges

### [SUDO and SUID commands](/hacktricks/linux-hardening/privilege-escalation.md#sudo-and-suid)

* [ ] Can you execute **any command with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Is any **exploitable SUID binary**? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](/hacktricks/linux-hardening/privilege-escalation.md#sudo-execution-bypassing-paths)?
* [ ] [**Sudo/SUID binary without path indicated**](/hacktricks/linux-hardening/privilege-escalation.md#sudo-command-suid-binary-without-command-path)?
* [ ] [**SUID binary specifying path**](/hacktricks/linux-hardening/privilege-escalation.md#suid-binary-with-command-path)? Bypass
* [ ] [**LD\_PRELOAD vuln**](/hacktricks/linux-hardening/privilege-escalation.md#ld_preload)
* [ ] [**Lack of .so library in SUID binary**](/hacktricks/linux-hardening/privilege-escalation.md#suid-binary-so-injection) from a writable folder?
* [ ] [**SUDO tokens available**](/hacktricks/linux-hardening/privilege-escalation.md#reusing-sudo-tokens)? [**Can you create a SUDO token**](/hacktricks/linux-hardening/privilege-escalation.md#var-run-sudo-ts-less-than-username-greater-than)?
* [ ] Can you [**read or modify sudoers files**](/hacktricks/linux-hardening/privilege-escalation.md#etc-sudoers-etc-sudoers-d)?
* [ ] Can you [**modify /etc/ld.so.conf.d/**](/hacktricks/linux-hardening/privilege-escalation.md#etc-ld-so-conf-d)?
* [ ] [**OpenBSD DOAS**](/hacktricks/linux-hardening/privilege-escalation.md#doas) command

### [Capabilities](/hacktricks/linux-hardening/privilege-escalation.md#capabilities)

* [ ] Has any binary any **unexpected capability**?

### [ACLs](/hacktricks/linux-hardening/privilege-escalation.md#acls)

* [ ] Has any file any **unexpected ACL**?

### [Open Shell sessions](/hacktricks/linux-hardening/privilege-escalation.md#open-shell-sessions)

* [ ] **screen**
* [ ] **tmux**

### [SSH](/hacktricks/linux-hardening/privilege-escalation.md#ssh)

* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](/hacktricks/linux-hardening/privilege-escalation.md#debian-openssl-predictable-prng-cve-2008-0166)
* [ ] [**SSH Interesting configuration values**](/hacktricks/linux-hardening/privilege-escalation.md#ssh-interesting-configuration-values)

### [Interesting Files](/hacktricks/linux-hardening/privilege-escalation.md#interesting-files)

* [ ] **Profile files** - Read sensitive data? Write to privesc?
* [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
* [ ] **Check commonly interesting folders** for sensitive data
* [ ] **Weird Location/Owned files,** you may have access to or alter executable files
* [ ] **Modified** in last mins
* [ ] **Sqlite DB files**
* [ ] **Hidden files**
* [ ] **Script/Binaries in PATH**
* [ ] **Web files** (passwords?)
* [ ] **Backups**?
* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
* [ ] **Generic search**

### [**Writable Files**](/hacktricks/linux-hardening/privilege-escalation.md#writable-files)

* [ ] **Modify python library** to execute arbitrary commands?
* [ ] Can you **modify log files**? **Logtotten** exploit
* [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
* [ ] Can you [**write in ini, int.d, systemd or rc.d files**](/hacktricks/linux-hardening/privilege-escalation.md#init-init-d-systemd-and-rc-d)?

### [**Other tricks**](/hacktricks/linux-hardening/privilege-escalation.md#other-tricks)

* [ ] Can you [**abuse NFS to escalate privileges**](/hacktricks/linux-hardening/privilege-escalation.md#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](/hacktricks/linux-hardening/privilege-escalation.md#escaping-from-restricted-shells)?

<figure><img src="/files/pkCbnqa1piLi0fahSPUn" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
