About the developer

Ignitetechnologies
Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux commands. Privilege escalation is all about proper enumeration, and there are multiple ways to perform the same tasks. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Pavandeep Singh.

Table of Contents

Abusing Sudo Rights

| No. | Machine Name | Files/Binaries |
|-----|--------------|----------------|
| 1. | Ted:1 | apt-get |
| 2. | KFIOFan : 1 | awk |
| 3. | 21 LTR: Scene1 | cat |
| 4. | Skytower | cat |
| 5. | Matrix : 1 | cp |
| 6. | Sputnik 1 | ed |
| 7. | Sunset | ed |
| 8. | DC-2 | git |
| 9. | Kioptrix : Level 1.2 | ht |
| 10. | Matrix-3 | manual |
| 11. | symfonos : 2 | MySQL |
| 12. | Development | nano |
| 13. | SP ike | nmap |
| 14. | DC6 | nmap |
| 15. | Dina | perl |
| 16. | Wakanda : 1 | pip |
| 17. | Violator | proftpd |
| 18. | Broken: Gallery | reboot/timedatectl |
| 19. | DE-ICE:S1.120 | script |
| 20. | Fristileaks | script |
| 21. | DerpNStink | script |
| 22. | Digitalworld.local : JOY | script |
| 23. | PumpkinFestival | script |
| 24. | The Ether: Evil Science | script |
| 25. | HA:Rudra | script |
| 26. | djinn:1 | script |
| 27. | UA: Literally Vulnerable | script |
| 28. | PumpkinRaising | strace |
| 29. | Unknowndevice64 : 1 | strace |
| 30. | Holynix: v1 | tar |
| 31. | Breach 2.1 | tcpdump |
| 32. | Temple of Doom | tcpdump |
| 33. | Web Developer : 1 | tcpdump |
| 34. | DC-4 | teehee |
| 35. | Serial: 1 | vim |
| 36. | Zico 2 | zip |
| 37. | HA: Dhanush | zip |
| 38. | Sunset: Nightfall | cat |
| 39. | HA: Infinity Stones | ftp |
| 40. | Sunset-Sunrise | wine |
| 41. | Me and My Girlfriend:1 | php |
| 42. | Symfonos:5 | dpkg |
| 43. | Five86:2 | service |
| 44. | Tempus Fugit:1 | Different for every user |
| 45. | DevRandom CTF:1.1 | dpkg |
| 46. | Zion: 1.1 | cp |
| 47. | Seppuku:1 | script |
| 48. | GitRoot: 1 | git |
| 49. | Tre:1 | shutdown |
| 50. | BlackRose: 1 | script |
| 51. | So Simple:1 | script |
| 52. | CryptoBank:1 | All |
| 53. | Star Wars:1 | All |
| 54. | Mercury | script |
| 55. | Durian:1 | script |
| 56. | nyx:1 | gcc |
| 57. | Relevant:1 | node |
| 58. | Maskcrafter:1.1 | dpkg |
| 59. | Hogwarts:Bellatrix | vim |

SUID Bit

| No. | Machine Name | SUID Bit |
|-----|--------------|----------|
| 1. | Kevgir | cp |
| 2. | digitalworld.local - BRAVERY | cp |
| 3. | Happycorp : 1 | cp |
| 4. | FourAndSix : 2 | doas |
| 5. | DC-1 | find |
| 6. | dpwwn:2 | find |
| 7. | MinU: v2 | Micro Editor |
| 8. | Toppo:1 | python 2.7/mawk |
| 9. | Mr. Robot | nmap |
| 10. | Covfefe | script |
| 11. | /dev/random : K2 | script |
| 12. | hackme1 | script |
| 13. | Sunset: dawn | zsh |
| 14. | HA: Wordy | cp |
| 15. | bossplayersCTF 1 | find |
| 16. | In Plain Sight:1 | script |
| 17. | Five86:1 | script |
| 18. | Geisha:1 | base32 |
| 19. | Victim:1 | nohup |
| 20. | eLection: 1 | script |
| 21. | Photographer 1 | php7.2 |
| 22. | DMV :1 | script |
| 23. | ShellDredd #1 Hannah | cpulimit |
| 24. | KB-Vuln:3 | systemctl |
| 25. | Cybox:1 | register |

Kernel Exploit

| No. | Machine Name | Kernel | Exploit |
|-----|--------------|--------|---------|
| 1. | pWnOS -1.0 | Linux Kernel 2.6.17 < 2.6.24.1 | 5092 |
| 2. | LAMPSecurity: CTF 5 | Linux Kernel 2.4/2.6 | 9479 |
| 3. | Kioptrix : Level 1.1 | CentOS 4.4/4.5 / Fedora Core 4/5/6 x86 | 9542 |
| 4. | Hackademic-RTB1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 5. | Hackademic-RTB2 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 6. | ch4inrulz : 1.0.1 | 'RDS Protocol' Local Privilege Escalation | 15285 |
| 7. | Kioptrix: 5 | FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | 28718 |
| 8. | Simple | Apport/Abrt (Ubuntu / Fedora) | 36746 |
| 9. | SecOS: 1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 10. | Droopy | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 11. | VulnOS: 2.0 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 12. | Fartknocker | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 13. | Super Mario | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 14. | Golden Eye:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 15. | Typhoon : 1.02 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 16. | GrimTheRipper:1 | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 17. | 6days | Ubuntu 12.04/14.04/14.10/15.04 | 37292 |
| 18. | Lord of the Root | Ubuntu 14.04/15.10 | 39166 |
| 19. | Acid Reloaded | Ubuntu 14.04/15.10 | 39166 |
| 20. | Stapler | Ubuntu 16.04 | 39772 |
| 21. | Sidney | Ubuntu 16.04 | 39772 |
| 22. | DC-3 | Ubuntu 16.04 | 39772 |
| 23. | Pluck | Dirty COW | 40616 |
| 24. | Lampiao : 1 | 'Dirty COW /proc/self/mem' Race Condition | 40847 |
| 25. | WinterMute : 1 | GNU Screen 4.5.0 | 41154 |
| 26. | DC-5 | GNU Screen 4.5.0 | 41154 |
| 27. | BTRSys:dv 2.1 | Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free | 41458 |
| 28. | Nightmare | Ubuntu 14.04/16.04 (KASLR / SMEP) | 43418 |
| 29. | Trollcave | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
| 30. | Prime: 1 | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) | 44298 |
| 31. | LAMPSecurity: CTF6 | Linux Kernel 2.6 | 8478 |
| 32. | My File Server:1 | Dirty COW | 40616 |
| 33. | VulnUni 1.0.1 | GUnet OpenEclass E-learning platform 1.7.3 | 48106 |
| 34. | Sumo: 1 | Dirty COW | 40839 |
| 35. | CyberSploit: 1 | Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' | 37292 |
| 36. | Loly: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) | 45010 |
| 37. | Tomato: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) | 45010 |

Path Variable

| No. | Machine Name | Files |
|-----|--------------|-------|
| 1. | PwnLab | cat |
| 2. | USV | cat |
| 3. | Zeus:1 | date |
| 4. | The Gemini inc | date |
| 5. | EW-Skuzzy | id |
| 6. | Nullbyte | ps |
| 7. | symfonos : 1 | curl |
| 8. | Silky-CTF: 0x01 | whoami |
| 9. | Beast 2 | whoami |
| 10. | HA:Arsenal Avengers | ifconfig |
| 11. | Inclusiveness:1 | whoami |
| 12. | MuzzyBox:1 | ls |
| 13. | TBBT:2 | sl |
| 14. | Sunset: Midnight | service |
| 15. | Healthcare:1 | fdisk |

Enumeration

| No. | Machine Name |
|-----|--------------|
| 1. | The Library:1 |
| 2. | The Library:2 |
| 3. | LAMPSecurity: CTF 4 |
| 4. | LAMPSecurity: CTF 7 |
| 5. | Xerxes: 1 |
| 6. | pWnOS -2.0 |
| 7. | DE-ICE:S1.130 |
| 8. | SickOS 1.1 |
| 9. | Tommyboy |
| 10. | VulnOS: 1 |
| 11. | Spyder Sec |
| 12. | Acid |
| 13. | Necromancer |
| 14. | Freshly |
| 15. | Fortress |
| 16. | Billu : B0x |
| 17. | Defence Space |
| 18. | Moria 1.1 |
| 19. | Analougepond |
| 20. | Lazysysadmin |
| 21. | Bulldog |
| 22. | BTRSys 1 |
| 23. | G0rmint |
| 24. | Blacklight : 1 |
| 25. | The blackmarket |
| 26. | Matrix 2 |
| 27. | Basic Pentesting : 2 |
| 28. | Depth |
| 29. | Bob: 1.0.1 |
| 30. | W34kn3ss 1 |
| 31. | Replay: 1 |
| 32. | Born2Root: 2 |
| 33. | CLAMP 1.0.1 |
| 34. | WestWild: 1.1 |
| 35. | 64base |
| 36. | C0m80 |
| 37. | Gibson |
| 38. | Quaoar |
| 39. | Hacker Fest: 2019 |
| 40. | EVM: 1 |
| 41. | EnuBox:Mattermost |
| 42. | 2much:1 |
| 43. | mhz_cxf:c1f |
| 44. | HA: Pandavas |
| 45. | GreenOptic:1 |
| 46. | Cewlkid:1 |
| 47. | PowerGrid:1.0.1 |
| 48. | Insanity:1 |
| 49. | Tempus Fugit:3 |
| 50. | HA: Forensics |
| 51. | HA: Vedas |
| 52. | HA: Sherlock |

MySQL

| No | Machine Name |
|----|--------------|
| 1. | Kioptrix : Level 1.3 |
| 2. | Raven |
| 3. | Raven : 2 |

Cronjob

| No | Machine Name |
|----|--------------|
| 1. | Billy Madison |
| 2. | BSides Vancouver: 2018 |
| 3. | Jarbas : 1 |
| 4. | SP:Jerome |
| 5. | dpwwn: 1 |
| 6. | Sar |
| 7. | TBBT |
| 8. | Glasgow Smile: 1.1 |
| 9. | LemonSqueezy:1 |

Wildcard Injection

| No | Machine Name |
|----|--------------|
| 1. | Milnet |
| 2. | Pipe |

Capabilities

| No | Machine Name |
|----|--------------|
| 1. | Kuya : 1 |
| 2. | DomDom: 1 |
| 3. | HA: Naruto |
| 4. | Connect The Dots:1 |
| 5. | Katana |
| 6. | Presidential: 1 |

Writable /etc/passwd file

| No | Machine Name |
|----|--------------|
| 1. | Hackday Albania |
| 2. | Billu Box 2 |
| 3. | Bulldog 2 |
| 4. | AI: Web: 1 |
| 5. | Westwild: 2 |
| 6. | Misdirection 1 |
| 7. | HA: ISRO |
| 8. | Gears of War: EP#1 |
| 9. | DC:9 |
| 10. | Sahu |
| 11. | Sunset: Twilight |
| 12. | Chili:1 |

Writable files or script

| No | Machine Name |
|----|--------------|
| 1. | Skydog |
| 2. | Breach 1.0 |
| 3. | Bot Challenge: Dexter |
| 4. | Fowsniff : 1 |
| 5. | Mercy |
| 6. | Casino Royale |
| 7. | SP eric |
| 8. | PumpkinGarden |
| 9. | Tr0ll: 3 |
| 10. | Nezuko:1 |
| 11. | Symfonos:3 |
| 12. | Tr0ll 1 |
| 13. | DC:7 |
| 14. | View2aKill |
| 15. | CengBox:1 |
| 16. | Broken 2020: 1 |
| 17. | CengBox:2 |
| 18. | HA:Narak |

Buffer Overflow

| No | Machine Name |
|----|--------------|
| 1. | Tr0ll 2 |
| 2. | IMF |
| 3. | BSides London 2017 |
| 4. | PinkyPalace |
| 5. | ROP Primer |
| 6. | CTF KFIOFAN:2 |
| 7. | Kioptrix : Level 1 |
| 8. | Silky-CTF: 0x02 |

Docker

| No | Machine Name |
|----|--------------|
| 1. | Donkey Docker |
| 2. | Game of Thrones |
| 3. | HackinOS:1 |
| 4. | HA: Chakravyuh |
| 5. | Mumbai:1 |
| 6. | Sunset:dusk |
| 7. | Pwned:1 |

Chkrootkit

| No | Machine Name |
|----|--------------|
| 1. | SickOS 1.2 |
| 2. | Sedna |
| 3. | HA: Chanakya |
| 4. | Sunset: decoy |

Bruteforce

| No | Machine Name |
|----|--------------|
| 1. | Rickdiculouslyeasy |
| 2. | RootThis : 1 |
| 3. | LAMPSecurity: CTF 8 |
| 4. | Cyberry:1 |
| 5. | Born2root |

Crack /etc/shadow

| No | Machine Name |
|----|--------------|
| 1. | DE-ICE:S1.140 |
| 2. | Minotaur |
| 3. | Moonraker:1 |
| 4. | Basic Penetration |
| 5. | W1R3S.inc |

NFS

| No | Machine Name |
|----|--------------|
| 1. | Orcus |
| 2. | FourAndSix |

Json

| No | Machine Name | Json |
|----|--------------|------|
| 1. | MinU: 1 | Json Token |
| 2. | Symfonos:4 | Json Pickle |

Redis

| No | Machine Name |
|----|--------------|
| 1. | Gemini inc:2 |

LXD

| No | Machine Name |
|----|--------------|
| 1. | AI: Web: 2 |
| 2. | HA: Joker |
| 3. | CyNix:1 |

ALL

| No | Machine Name |
|----|--------------|
| 1. | Lin.Security |
| 2. | Escalate_Linux |
| 3. | Jigsaw:1 |

Exim

| No | Machine Name |
|----|--------------|
| 1. | DC:8 |

Apache2 Writable

| No | Machine Name |
|----|--------------|
| 1. | Torment |
| 2. | HA: Armour |
| 3. | HA: Natraj |
