Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles.

<img src="https://github.com/Ignitetechnologies/Mindmap/blob/main/Vulnhub/%20Vulnhub%20Privs%20Cheatsheet%20UHD.png" alt="cheatsheet" border="0">

<a name="sudo"></a>

Abusing Sudo Rights

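| No. | Machine Name | Files/Binaries |
|-----|--------------|----------------|
| 1. | Ted:1 | apt-get |
| 2. | KFIOFan : 1 | awk |
| 3. | 21 LTR: Scene1 | cat |
| 4. | Skytower | cat |
| 5. | Matrix : 1 | cp |
| 6. | Sputnik 1 | ed |
| 7. | Sunset | ed |
| 8. | DC-2 | git |
| 9. | Kioptrix : Level 1.2 | ht |
| 10. | Matrix-3 | manual |
| 11. | symfonos : 2 | MySQL |
| 12. | Development | nano |
| 13. | SP ike | nmap |
| 14. | DC6 | nmap |
| 15. | Dina | perl |
| 16. | Wakanda : 1 | pip |
| 17. | Violator | proftpd |
| 18. | Broken: Gallery | reboot/timedatectl |
| 19. | DE-ICE:S1.120 | script |
| 20. | Fristileaks | script |
| 21. | DerpNStink | script |
| 22. | Digitalworld.local : JOY | script |
| 23. | PumpkinFestival | script |
| 24. | The Ether: Evil Science | script |
| 25. | HA:Rudra | script |
| 26. | djinn:1 | script |
| 27. | UA: Literally Vulnerable | script |
| 28. | PumpkinRaising | strace |
| 29. | Unknowndevice64 : 1 | strace |
| 30. | Holynix: v1 | tar |
| 31. | Breach 2.1 | tcpdump |
| 32. | Temple of Doom | tcpdump |
| 33. | Web Developer : 1 | tcpdump |
| 34. | DC-4 | teehee |
| 35. | Serial: 1 | vim |
| 36. | Zico 2 | zip |
| 37. | HA: Dhanush | zip |
| 38. | Sunset: Nightfall | cat |
| 39. | HA: Infinity Stones | ftp |
| 40. | Sunset-Sunrise | wine |
| 41. | Me and My Girlfriend:1 | php |
| 42. | Symfonos:5 | dpkg |
| 43. | Five86:2 | service |
| 44. | Tempus Fugit:1 | Different for every user |
| 45. | DevRandom CTF:1.1 | dpkg |
| 46. | Zion: 1.1 | cp |
| 47. | Seppuku:1 | script |
| 48. | GitRoot: 1 | git |
| 49. | Tre:1 | shutdown |
| 50. | BlackRose: 1 | script |
| 51. | So Simple:1 | script |
| 52. | CryptoBank:1 | All |
| 53. | Star Wars:1 | All |
| 54. | Mercury | script |
| 55. | Durian:1 | script |
| 56. | nyx:1 | gcc |
| 57. | Relevant:1 | node |
| 58. | Maskcrafter:1.1 | dpkg |
| 59. | Hogwarts:Bellatrix | vim |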

<a name="suid"></a>

SUID Bit

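| No. | Machine Name | SUID Bit |
|-----|--------------|----------|
| 1. | Kevgir | cp |
| 2. | digitalworld.local - BRAVERY | cp |
| 3. | Happycorp : 1 | cp |
| 4. | FourAndSix : 2 | doas |
| 5. | DC-1 | find |
| 6. | dpwwn:2 | find |
| 7. | MinU: v2 | Micro Editor |
| 8. | Toppo:1 | python 2.7/mawk |
| 9. | Mr. Robot | nmap |
| 10. | Covfefe | script |
| 11. | /dev/random : K2 | script |
| 12. | hackme1 | script |
| 13. | Sunset: dawn | zsh |
| 14. | HA: Wordy | cp |
| 15. | bossplayersCTF 1 | find |
| 16. | In Plain Sight:1 | script |
| 17. | Five86:1 | script |
| 18. | Geisha:1 | base32 |
| 19. | Victim:1 | nohup |
| 20. | eLection: 1 | script |
| 21. | Photographer 1 | php7.2 |
| 22. | DMV :1 | script |
| 23. | ShellDredd #1 Hannah | cpulimit |
| 24. | KB-Vuln:3 | systemctl |
| 25. | Cybox:1 | register |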

<a name="kernel"></a>

Kernel Exploit

| No. | Machine Name | Kernel | Exploit |
|-----|--------------|--------|---------|
| 1. | pWnOS -1.0 | Linux Kernel 2.6.17 < 2.6.24.1 | 5092 |
| 2. | LAMPSecurity: CTF 5 | Linux Kernel 2.4/2.6 | 9479 |
| 3. | Kioptrix : Level 1.1 | (CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) | 9542 |
| 4. | Hackademic-RTB1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 5. | Hackademic-RTB2 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 6. | ch4inrulz : 1.0.1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 7. | Kioptrix: 5 | FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | 28718 |
| 8. | Simple | Apport/Abrt (Ubuntu / Fedora) | 36746 |
| 9. | SecOS: 1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 10. | Droopy | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 11. | VulnOS: 2.0 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 12. | Fartknocker | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 13. | Super Mario | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 14. | Golden Eye:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 15. | Typhoon : 1.02 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 16. | GrimTheRipper:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 17. | 6days | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 18. | Lord of the Root | Ubuntu 14.04/15.10 | 39166 |
| 19. | Acid Reloaded | Ubuntu 14.04/15.10 | 39166 |
| 20. | Stapler | Ubuntu 16.04 | 39772 |
| 21. | Sidney | Ubuntu 16.04 | 39772 |
| 22. | DC-3 | Ubuntu 16.04 | 39772 |
| 23. | Pluck | Dirty COW | 40616 |
| 24. | Lampiao : 1 | Dirty COW '/proc/self/mem' Race Condition | 40847 |
| 25. | WinterMute : 1 | GNU Screen 4.5.0 | 41154 |
| 26. | DC-5 | GNU Screen 4.5.0 | 41154 |
| 27. | BTRSys:dv 2.1 | Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free | 41458 |
| 28. | Nightmare | Ubuntu 14.04/16.04 (KASLR / SMEP) | 43418 |
| 29. | Trollcave | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
| 30. | Prime: 1 | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
| 31. | LAMPSecurity: CTF6 | Linux Kernel 2.6 | 8478 |
| 32. | My File Server:1 | Dirty COW | 40616 |
| 33. | VulnUni 1.0.1 | GUnet OpenEclass E-learning platform 1.7.3 | 48106 |
| 34. | Sumo: 1 | Dirty COW | 40839 |
| 35. | CyberSploit: 1 | Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' | 37292 |
| 36. | Loly: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) | 45010 |
| 37. | Tomato: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) | 45010 |

<a name="path"></a>

Path Variable

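| No. | Machine Name | Files |
|-----|--------------|-------|
| 1. | PwnLab | cat |
| 2. | USV | cat |
| 3. | Zeus:1 | date |
| 4. | The Gemini inc | date |
| 5. | EW-Skuzzy | id |
| 6. | Nullbyte | ps |
| 7. | symfonos : 1 | curl |
| 8. | Silky-CTF: 0x01 | whoami |
| 9. | Beast 2 | whoami |
| 10. | HA:Arsenal Avengers | ifconfig |
| 11. | Inclusiveness:1 | whoami |
| 12. | MuzzyBox:1 | ls |
| 13. | TBBT:2 | sl |
| 14. | Sunset: Midnight | service |
| 15. | Healthcare:1 | fdisk |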

<a name="enum"></a>

Enumeration

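| No. | Machine Name |
|-----|--------------|
| 1. | The Library:1 |
| 2. | The Library:2 |
| 3. | LAMPSecurity: CTF 4 |
| 4. | LAMPSecurity: CTF 7 |
| 5. | Xerxes: 1 |
| 6. | pWnOS -2.0 |
| 7. | DE-ICE:S1.130 |
| 9. | Tommyboy |
| 10. | VulnOS: 1 |
| 11. | Spyder Sec |
| 12. | Acid |
| 13. | Necromancer |
| 14. | Freshly |
| 15. | Fortress |
| 16. | Billu : B0x |
| 17. | Defence Space |
| 18. | Moria 1.1 |
| 19. | Analougepond |
| 20. | Lazysysadmin |
| 21. | Bulldog |
| 22. | BTRSys 1 |
| 23. | G0rmint |
| 24. | Blacklight : 1 |
| 25. | The blackmarket |
| 26. | Matrix 2 |
| 27. | Basic Pentesting : 2 |
| 28. | Depth |
| 29. | Bob: 1.0.1 |
| 30. | W34kn3ss 1 |
| 31. | Replay: 1 |
| 32. | Born2Root: 2 |
| 33. | CLAMP 1.0.1 |
| 34. | WestWild: 1.1 |
| 35. | 64base |
| 36. | C0m80 |
| 37. | Gibson |
| 38. | Quaoar |
| 39. | Hacker Fest: 2019 |
| 40. | EVM: 1 |
| 41. | EnuBox:Mattermost |
| 42. | 2much:1 |
| 43. | mhz_cxf:c1f |
| 44. | HA: Pandavas |
| 45. | GreenOptic:1 |
| 46. | Cewlkid:1 |
| 47. | PowerGrid:1.0.1 |
| 48. | Insanity:1 |
| 49. | Tempus Fugit:3 |
| 50. | HA: Forensics |
| 51. | HA: Vedas |
| 52. | HA: Sherlock |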

<a name="mysql"></a>

MySQL

| No. | Machine Name |
|-----|--------------|
| 1. | Kioptrix : Level 1.3 |
| 2. | Raven |
| 3. | Raven : 2 |

<a name="cronjob"></a>

Cronjob

| No. | Machine Name |
|-----|--------------|
| 1. | Billy Madison |
| 2. | BSides Vancouver: 2018 |
| 3. | Jarbas : 1 |
| 4. | SP:Jerome |
| 5. | dpwwn: 1 |
| 6. | Sar |
| 7. | TBBT |
| 8. | Glasgow Smile: 1.1 |
| 9. | LemonSqueezy:1 |

<a name="wild"></a>

Wildcard Injection

| No. | Machine Name |
|-----|--------------|
| 1. | Milnet |
| 2. | Pipe |

<a name="capabilities"></a>

Capabilities

| No. | Machine Name |
|-----|--------------|
| 1. | Kuya : 1 |
| 2. | DomDom: 1 |
| 3. | HA: Naruto |
| 4. | Connect The Dots:1 |
| 5. | Katana |
| 6. | Presidential: 1 |

<a name="etc"></a>

Writable /etc/passwd file

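| No. | Machine Name |
|-----|--------------|
| 1. | Hackday Albania |
| 2. | Billu Box 2 |
| 3. | Bulldog 2 |
| 4. | AI: Web: 1 |
| 5. | Westwild: 2 |
| 6. | Misdirection 1 |
| 7. | HA: ISRO |
| 8. | Gears of War: EP#1 |
| 9. | DC:9 |
| 10. | Sahu |
| 11. | Sunset: Twilight |
| 12. | Chili:1 |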

<a name="root"></a>

Writable files or script

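| No. | Machine Name |
|-----|--------------|
| 1. | Skydog |
| 2. | Breach 1.0 |
| 3. | Bot Challenge: Dexter |
| 4. | Fowsniff : 1 |
| 5. | Mercy |
| 6. | Casino Royale |
| 7. | SP eric |
| 8. | PumpkinGarden |
| 9. | Tr0ll: 3 |
| 10. | Nezuko:1 |
| 11. | Symfonos:3 |
| 12. | Tr0ll 1 |
| 13. | DC:7 |
| 14. | View2aKill |
| 15. | CengBox:1 |
| 16. | Broken 2020: 1 |
| 17. | CengBox:2 |
| 18. | HA:Narak |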

<a name="buffer"></a>

Buffer Overflow

| No. | Machine Name |
|-----|--------------|
| 1. | Tr0ll 2 |
| 2. | IMF |
| 3. | BSides London 2017 |
| 4. | PinkyPalace |
| 5. | ROP Primer |
| 6. | CTF KFIOFAN:2 |
| 7. | Kioptrix : Level 1 |
| 8. | Silky-CTF: 0x02 |

<a name="docker"></a>

Docker

| No. | Machine Name |
|-----|--------------|
| 1. | Donkey Docker |
| 2. | Game of Thrones |
| 3. | HackinOS:1 |
| 4. | HA: Chakravyuh |
| 5. | Mumbai:1 |
| 6. | Sunset:dusk |
| 7. | Pwned:1 |

<a name="chkrootkit"></a>

Chkrootkit

| No. | Machine Name |
|-----|--------------|
| 1. | SickOS 1.2 |
| 2. | Sedna |
| 3. | HA: Chanakya |
| 4. | Sunset: decoy |

<a name="bruteforce"></a>

Bruteforce

| No. | Machine Name |
|-----|--------------|
| 1. | Rickdiculouslyeasy |
| 2. | RootThis : 1 |
| 3. | LAMPSecurity: CTF 8 |
| 4. | Cyberry:1 |
| 5. | Born2root |

<a name="shadow"></a>

Crack /etc/shadow

| No. | Machine Name |
|-----|--------------|
| 1. | DE-ICE:S1.140 |
| 2. | Minotaur |
| 3. | Moonraker:1 |
| 4. | Basic Penetration |
| 5. | W1R3S.inc |

<a name="nfs"></a>

NFS

| No. | Machine Name |
|-----|--------------|
| 1. | Orcus |
| 2. | FourAndSix |

<a name="json"></a>

Json

| No. | Machine Name | Json |
|-----|--------------|------|
| 1. | MinU: 1 | Json Token |
| 2. | Symfonos:4 | Json Pickle |

<a name="redis"></a>

Redis

| No. | Machine Name |
|-----|--------------|
| 1. | Gemini inc:2 |

<a name="lxd"></a>

LXD

| No. | Machine Name |
|-----|--------------|
| 1. | AI: Web: 2 |
| 2. | HA: Joker |
| 3. | CyNix:1 |

<a name="all"></a>

ALL

| No. | Machine Name |
|-----|--------------|
| 1. | Lin.Security |
| 2. | Escalate_Linux |
| 3. | Jigsaw:1 |

<a name="Exim"></a>

Exim

| No. | Machine Name |
|-----|--------------|
| 1. | DC:8 |

<a name="apache2"></a>

Apache2 Writable

| No. | Machine Name |
|-----|--------------|
| 1. | Torment |
| 2. | HA: Armour |
| 3. | HA: Natraj |