Awesome

Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles.

Follow us on

Abusing Sudo Rights
SUID Bit
Kernel Exploit
Path Variable
Enumeration
MySQL
Cronjob
Wildcard Injection
Capabilities
Writable /etc/passwd file
Writable files or script
Buffer Overflow
Docker
Chkrootkit
Bruteforce
Crack /etc/shadow
NFS
Json
Redis
LXD
All
Exim
Apache2 Writable

Abusing Sudo Rights ⤴

No.	Machine Name	Files/Binaries
1.	Ted:1	apt-get
2.	KFIOFan : 1	awk
3.	21 LTR: Scene1	cat
4.	Skytower	cat
5.	Matrix : 1	cp
6.	Sputnik 1	ed
7.	Sunset	ed
8.	DC-2	git
9.	Kioptrix : Level 1.2	ht
10.	Matrix-3	manual
11.	symfonos : 2	MySQL
12.	Development	nano
13.	SP ike	nmap
14.	DC6	nmap
15.	Dina	perl
16.	Wakanda : 1	pip
17.	Violator	proftpd
18.	Broken: Gallery	reboot/timedatectl
19.	DE-ICE:S1.120	script
20.	Fristileaks	script
21.	DerpNStink	script
22.	Digitalworld.local : JOY	script
23.	PumpkinFestival	script
24.	The Ether: Evil Science	script
25.	HA:Rudra	script
26.	djinn:1	script
27.	UA: Literally Vulnerable	script
28.	PumpkinRaising	strace
29.	Unknowndevice64 : 1	strace
30.	Holynix: v1	tar
31.	Breach 2.1	tcpdump
32.	Temple of Doom	tcpdump
33.	Web Developer : 1	tcpdump
34.	DC-4	teehee
35.	Serial: 1	vim
36.	Zico 2	zip
37.	HA: Dhanush	zip
38.	Sunset: Nightfall	cat
39.	HA: Infinity Stones	ftp
40.	Sunset-Sunrise	wine
41.	Me and My Girlfreind:1	php
42.	Symfonos:5	dpkg
43.	Five86:2	service
44.	Tempus Fugit:1	Diffrent for every user
45.	DevRandom CTF:1.1	dpkg
46.	Zion: 1.1	cp
47.	Seppuku:1	script
48.	GitRoot: 1	git
49.	Tre:1	shutdown
50.	BlackRose: 1	script
51.	So Simple:1	script
52.	CryptoBank:1	All
53.	Star Wars:1	All
54.	Mercury	script
55.	Durian:1	script
56.	nyx:1	gcc
57.	Relevant:1	node
58.	Maskcrafter:1.1	dpkg
59.	Hogwarts:Bellatrix	vim

SUID Bit ⤴

No.	Machine Name	SUID Bit
1.	Kevgir	cp
2.	digitalworld.local - BRAVERY	cp
3.	Happycorp : 1	cp
4.	FourAndSix : 2	doas
5.	DC-1	find
6.	dpwwn:2	find
7.	MinU: v2	Micro Editor
8.	Toppo:1	python 2.7/mawk
9.	Mr. Robot	nmap
10.	Covfefe	script
11.	/dev/random : K2	script
12.	hackme1	script
13.	Sunset: dawn	zsh
14.	HA: Wordy	cp
15.	bossplayersCTF 1	find
16.	In Plain Sight:1	script
17.	Five86:1	script
18.	Geisha:1	base32
19.	Victim:1	nohup
20.	eLection: 1	script
21.	Photographer 1	php7.2
22.	DMV :1	script
23.	ShellDredd #1 Hannah	cpulimit
24.	KB-Vuln:3	systemctl
25.	Cybox:1	register

Kernel Exploit ⤴

No.	Machine Name	Kernel	Exploit
1.	pWnOS -1.0	Linux Kernel 2.6.17 < 2.6.24.1	5092
2.	LAMPSecurity: CTF 5	Linux Kernel 2.4/2.6	9479
3.	Kioptrix : Level 1.1	CentOS 4.4/4.5 / Fedora Core 4/5/6 x86)	9542
4.	Hackademic-RTB1	RDS Protocol' Local Privilege Escalation	15285
5.	Hackademic-RTB2	RDS Protocol' Local Privilege Escalation	15285
6.	ch4inrulz : 1.0.1	RDS Protocol' Local Privilege Escalation	15285
7.	Kioprtix: 5	FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation	28718
8.	Simple	Apport/Abrt (Ubuntu / Fedora)	36746
9.	SecOS: 1	Ubuntu 12.04/14.04/14.10/15.04	37292
10.	Droopy	Ubuntu 12.04/14.04/14.10/15.04	37292
11.	VulnOS: 2.0	Ubuntu 12.04/14.04/14.10/15.04	37292
12.	Fartknocker	Ubuntu 12.04/14.04/14.10/15.04	37292
13.	Super Mario	Ubuntu 12.04/14.04/14.10/15.04	37292
14.	Golden Eye:1	Ubuntu 12.04/14.04/14.10/15.04	37292
15.	Typhoon : 1.02	Ubuntu 12.04/14.04/14.10/15.04	37292
16.	GrimTheRipper:1	Ubuntu 12.04/14.04/14.10/15.04	37292
17.	6days	Ubuntu 12.04/14.04/14.10/15.04	37292
18.	Lord of the Root	Ubuntu 14.04/15.10	39166
19.	Acid Reloaded	Ubuntu 14.04/15.10	39166
20.	Stapler	Ubuntu 16.04	39772
21.	Sidney	Ubuntu 16.04	39772
22.	DC-3	Ubuntu 16.04	39772
23.	Pluck	Dirty COW	40616
24.	Lampiao : 1	Dirty COW /proc/self/mem' Race Condition	40847
25.	WinterMute : 1	GNU Screen 4.5.0	41154
26.	DC-5	GNU Screen 4.5.0	41154
27.	BTRSys:dv 2.1	Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free	41458
28.	Nightmare	Ubuntu 14.04/16.04 (KASLR / SMEP)	43418
29.	Trollcave	Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)	44298
30.	Prime: 1	Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)	44298
31.	LAMPSecurity: CTF6	Linux Kernel 2.6	8478
32.	My File Server:1	Dirty COW	40616
33.	VulnUni 1.0.1	GUnet OpenEclass E-learning platform 1.7.3	48106
34.	Sumo: 1	Dirty COW	40839
35.	CyberSploit: 1	Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs'	37292
36.	Loly: 1	Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)	45010
37.	Tomato: 1	Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)	45010

Path Variable ⤴

No.	Path Variable	Files
1.	PwnLab	cat
2.	USV	cat
3.	Zeus:1	date
4.	The Gemini inc	date
5.	EW-Skuzzy	id
6.	Nullbyte	ps
7.	symfonos : 1	curl
8.	Silky-CTF: 0x01	whoami
9.	Beast 2	whoami
10.	HA:Arsenal Avengers	ifconfig
11.	Inclusiveness:1	whoami
12.	MuzzyBox:1	ls
13.	TBBT:2	sl
14.	Sunset: Midnight	service
15.	Healthcare:1	fdisk

Enumeration ⤴

No.	Machine Name
1.	The Library:1
2.	The Library:2
3.	LAMPSecurity: CTF 4
4.	LAMPSecurity: CTF 7
5.	Xerxes: 1
6.	pWnOS -2.0
7.	DE-ICE:S1.130
9.	Tommyboy
10.	VulnOS: 1
11.	Spyder Sec
12.	Acid
13.	Necromancer
14.	Freshly
15.	Fortress
16.	Billu : B0x
17.	Defence Space
18.	Moria 1.1
19.	Analougepond
20.	Lazysysadmin
21.	Bulldog
22.	BTRSys 1
23.	G0rmint
24.	Blacklight : 1
25.	The blackmarket
26.	Matrix 2
27.	Basic Pentesting : 2
28.	Depth
29.	Bob: 1.0.1
30.	W34kn3ss 1
31.	Replay: 1
32.	Born2Root: 2
33.	CLAMP 1.0.1
34.	WestWild: 1.1
35.	64base
36.	C0m80
37.	Gibson
38.	Quaoar
39.	Hacker Fest: 2019
40.	EVM: 1
41.	EnuBox:Mattermost
42.	2much:1
43.	mhz_cxf:c1f
44.	HA: Pandavas
45.	GreenOptic:1
46.	Cewlkid:1
47.	PowerGrid:1.0.1
48.	Insanity:1
49.	Tempus Fugit:3
50.	HA: Forensics
51.	HA: Vedas
52.	HA: Sherlock

MySQL ⤴

No	Machine Name
1.	Kioptrix : Level 1.3
2.	Raven
3.	Raven : 2

Cronjob ⤴

No	Machine Name
1.	Billy Madison
2.	BSides Vancuver: 2018
3.	Jarbas : 1
4.	SP:Jerome
5.	dpwwn: 1
6.	Sar
7.	TBBT
8.	Glasgow Smile: 1.1
9.	LemonSqueezy:1

Wildcard Injection ⤴

No	Machine Name
1.	Milnet
2.	Pipe

Capabilities ⤴

No	Machine Name
1.	Kuya : 1
2.	DomDom: 1
3.	HA: Naruto
4.	Connect The Dots:1
5.	Katana
6.	Presidential: 1
<a name="etc"></a>

Writable /etc/passwd file ⤴

No	Machine Name
1.	Hackday Albania
2.	Billu Box 2
3.	Bulldog 2
4.	AI: Web: 1
5.	Westwild: 2
6.	Misdirection 1
7.	HA: ISRO
8.	Gears of War: EP#1
9.	DC:9
10.	Sahu
11.	Sunset: Twilight
12.	Chili:1

Writable files or script ⤴

No	Machine Name
1.	Skydog
2.	Breach 1.0
3.	Bot Challenge: Dexter
4.	Fowsniff : 1
5.	Mercy
6.	Casino Royale
7.	SP eric
8.	PumpkinGarden
9.	Tr0ll: 3
10.	Nezuko:1
11.	Symfonos:3
12.	Tr0ll 1
13.	DC:7
14.	View2aKill
15.	CengBox:1
16.	Broken 2020: 1
17.	CengBox:2
18.	HA:Narak

Buffer Overflow ⤴

No	Machine Name
1.	Tr0ll 2
2.	IMF
3.	BSides London 2017
4.	PinkyPalace
5.	ROP Primer
6.	CTF KFIOFAN:2
7.	Kioptrix : Level 1
8.	Silky-CTF: 0x02

Docker ⤴

No	Machine Name
1.	Donkey Docker
2.	Game of Thrones
3.	HackinOS:1
4.	HA: Chakravyuh
5.	Mumbai:1
6.	Sunset:dusk
7.	Pwned:1

Chkrootkit ⤴

No	Machine Name
1.	SickOS 1.2
2.	Sedna
3.	HA: Chanakya
4.	Sunset: decoy

Bruteforce ⤴

No	Machine Name
1.	Rickdiculouslyeasy
2.	RootThis : 1
3.	LAMPSecurity: CTF 8
4.	Cyberry:1
5.	Born2root

Crack /etc/shadow ⤴

No	Machine Name
1.	DE-ICE:S1.140
2.	Minotaur
3.	Moonraker:1
4.	Basic Penetration
5.	W1R3S.inc

NFS ⤴

No	Machine Name
1.	Orcus
2.	FourAndSix

Json ⤴

No	Machine Name	Json
1.	MinU: 1	Json Token
2.	Symfonos:4	Json Pickle

Redis ⤴

No	Machine Name
1.	Gemini inc:2

LXD ⤴

No	Machine Name
1.	AI: Web: 2
2.	HA: Joker
3.	CyNix:1

ALL ⤴

No	Machine Name
1.	Lin.Security
2.	Escalate_Linux
3.	Jigsaw:1

Exim⤴

No	Machine Name
1.	DC:8

Apache2 Writable ⤴

No	Machine Name
1.	Torment
2.	HA: Armour
3.	HA: Natraj