SUID / SGID Executables - Shared Object Injection Enumeration We are going to exploit a vulnerable suid/sgid executable to escalate our privileges to root. Let’s find all the SUID/SGID executable...

SUID / SGID Executables - Known Exploits Enumeration We are going to exploit a vulnerable suid/sgid executable to escalate our privileges to root. Let’s find all the SUID/SGID executables on the ...

SUID / SGID Executables - Environment Variables Enumeration We are going to exploit a vulnerable suid/sgid executable to escalate our privileges to root. Let’s find all the SUID/SGID executables ...

SUDO - LD_PRELOAD LD_PRELOAD is a function that allows any program to use shared libraries. If the env_keep option is enabled, we can generate a shared library which will be loaded and executed be...

Shell Escape Sequences The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular users some flexibility o...

Writable /etc/shadow The /etc/shadow file contains user password hashes and is usually readable only by the root user. Enumeration We are going to exploit a misconfigured /etc/shadow file to esc...

Readable /etc/shadow The /etc/shadow file contains user password hashes and is usually readable only by the root user. Enumeration We are going to exploit a misconfigured /etc/shadow file to esc...

/etc/passwd The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user. Enumeration We are going to exploit a misconfigured /...

Capabilities System administrators can use capabilities to increase the privilege level of a process or binary. Capabilities help manage privileges at a more granular level. For example, if the SO...

Cron Jobs - Wildcards Enumeration We are going to exploit Wildcards * to escalate our privileges to root. Let’s check the content of a crontab /etc/crontab As you can see, tar is set to run w...