Privilege Escalation Cheatsheet (Vulnhub)

This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience. Please share this with your connections and direct queries and feedback to Pavandeep Singh.

Follow us on

Table of Contents

• Abusing Sudo Rights
• SUID Bit
• Kernel Exploit
• Path Variable
• Enumeration
• MySQL
• Crontab
• Wildcard Injection
• Capabilities
• Writable /etc/passwd file
• Writable files or script as root
• Buffer Overflow
• Docker
• Chkrootkit
• Bruteforce
• Crack /etc/shadow
• NFS

Abusing Sudo Rights

No.	Machine Name	Files/Binaries
1.	Ted:1	apt-get
2.	KFIOFan : 1	awk
3.	21 LTR: Scene1	cat
4.	Skytower	cat
5.	Matrix : 1	cp
6.	Sputnik 1	ed
7.	Sunset	ed
8.	DC-2	git
9.	Kioptrix : Level 1.2	ht
10.	Matrix-3	manual
11.	symfonos : 2	MySQL
12.	Development	nano
13.	SP ike	nmap
14.	DC6	nmap
15.	Dina	perl
16.	Wakanda : 1	pip
17.	Violator	proftpd
18.	Torment	python
19.	Broken: Gallery	reboot/timedatectl
20.	DE-ICE:S1.120	script
21.	Fristileaks	script
22.	DerpNStink	script
23.	Digitalworld.local : JOY	script
24.	PumpkinFestival	script
25.	The Ether: Evil Science	script
26.	PumpkinRaising	strace
27.	Unknowndevice64 : 1	strace
28.	Holynix: v1	tar
29.	Breach 2.1	tcpdump
30.	Temple of Doom	tcpdump
31.	Web Developer : 1	tcpdump
32.	DC-4	teehee
33.	Serial: 1	vim
34.	Zico 2	zip

SUID Bit

No.	Machine Name	SUID Bit
1.	Kevgir	cp
2.	digitalworld.local - BRAVERY	cp
3.	Happycorp : 1	cp
4.	FourAndSix : 2	doas
5.	DC-1	find
6.	dpwwn:2	find
7.	MinU: v2	Micro Editor
8.	Toppo:1	python 2.7/mawk
9.	Mr. Robot	nmap
10.	Covfefe	script
11.	/dev/random : K2	script
12.	hackme1	script

Kernel Exploit

No.	Machine Name	Kernel	Exploit
1.	pWnOS -1.0	Linux Kernel 2.6.17 < 2.6.24.1	5092
2.	LAMPSecurity: CTF 5	Linux Kernel 2.4/2.6	9479
3.	Kioptrix : Level 1.1	CentOS 4.4/4.5 / Fedora Core 4/5/6 x86)	9542
4.	Hackademic-RTB1	RDS Protocol' Local Privilege Escalation	15285
5.	Hackademic-RTB2	RDS Protocol' Local Privilege Escalation	15285
6.	ch4inrulz : 1.0.1	RDS Protocol' Local Privilege Escalation	15285
7.	Kioprtix: 5	FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation	28718
8.	Simple	Apport/Abrt (Ubuntu / Fedora)	36746
9.	SecOS: 1	Ubuntu 12.04/14.04/14.10/15.04	37292
10.	Droopy	Ubuntu 12.04/14.04/14.10/15.04	37292
11.	VulnOS: 2.0	Ubuntu 12.04/14.04/14.10/15.04	37292
12.	Fartknocker	Ubuntu 12.04/14.04/14.10/15.04	37292
13.	Super Mario	Ubuntu 12.04/14.04/14.10/15.04	37292
14.	Golden Eye:1	Ubuntu 12.04/14.04/14.10/15.04	37292
15.	Typhoon : 1.02	Ubuntu 12.04/14.04/14.10/15.04	37292
16.	GrimTheRipper:1	Ubuntu 12.04/14.04/14.10/15.04	37292
17.	6days	Ubuntu 12.04/14.04/14.10/15.04	37292
18.	Lord of the Root	Ubuntu 14.04/15.10	39166
19.	Acid Reloaded	Ubuntu 14.04/15.10	39166
20.	Stapler	Ubuntu 16.04	39772
21.	Sidney	Ubuntu 16.04	39772
22.	DC-3	Ubuntu 16.04	39772
23.	Pluck	Dirty COW	40616
24.	Lampiao : 1	Dirty COW /proc/self/mem' Race Condition	40847
25.	WinterMute : 1	GNU Screen 4.5.0	41154
26.	DC-5	GNU Screen 4.5.0	41154
27.	BTRSys:dv 2.1	Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free	41458
28.	Nightmare	Ubuntu 14.04/16.04 (KASLR / SMEP)	43418
29.	Trollcave	Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)	44298

Path Variable

No.	Path Variable	Files
1.	PwnLab	cat
2.	USV	cat
3.	Zeus:1	date
4.	The Gemini inc	date
5.	EW-Skuzzy	id
6.	Nullbyte	ps
7.	symfonos : 1	curl
8.	Silky-CTF: 0x01	whoami
9.	Beast 2	whoami

Enumeration

No.	Machine Name
1.	The Library:1
2.	The Library:2
3.	LAMPSecurity: CTF 4
4.	LAMPSecurity: CTF 7
5.	Xerxes: 1
6.	pWnOS -2.0
7.	DE-ICE:S1.130
9.	Tommyboy
10.	VulnOS: 1
11.	Spyder Sec
12.	Acid
13.	Necromancer
14.	Freshly
15.	Fortress
16.	Billu : B0x
17.	Defence Space
18.	Moria 1.1
19.	Analougepond
20.	Lazysysadmin
21.	Bulldog
22.	BTRSys 1
23.	G0rmint
24.	Blacklight : 1
25.	The blackmarket
26.	Matrix 2
27.	Basic Pentesting : 2
28.	Depth
29.	Bob: 1.0.1
30.	W34kn3ss 1
31.	Replay: 1
32.	Born2Root: 2
33.	CLAMP 1.0.1
34.	WestWild: 1.1
35.	64base
36.	C0m80
37.	Gibson

MySQL

No	Machine Name
1.	Kioptrix : Level 1.3
2.	Raven
3.	Raven : 2

Crontab

No	Machine Name
1.	Billy Madison
2.	BSides Vancuver: 2018
3.	Jarbas : 1
4.	SP:Jerome
5.	dpwwn: 1

Wildcard Injection

No	Machine Name
1.	Milnet
2.	Pipe

Capabilities

No	Machine Name
1.	Kuya : 1
2.	DomDom: 1

Writable etc/passwd file

No	Machine Name
1.	Hackday Albania
2.	Billu Box 2
3.	Bulldog 2
4.	AI: Web: 1
5.	Westwild: 2

Writable files or script as root

No	Machine Name
1.	Skydog
2.	Breach 1.0
3.	Bot Challenge: Dexter
4.	Fowsniff : 1
5.	Mercy
6.	Casino Royale
7.	SP eric
8.	PumpkinGarden
9.	Tr0ll: 3
10.	Nezuko:1
11.	Symfonos:3
12.	AI: Web: 1
13.	Tr0ll 1

Buffer Overflow

No	Machine Name
1.	Tr0ll 2
2.	IMF
3.	BSides London 2017
4.	PinkyPalace
5.	ROP Primer
6.	CTF KFIOFAN:2
7.	Kioptrix : Level 1
8.	Quaoar

Docker

No	Machine Name
1.	Donkey Docker
2.	Game of Thrones
3.	HackinOS : 1

Chkrootkit

No	Machine Name
1.	SickOS 1.2
2.	Sedna

Bruteforce

No	Machine Name
1.	Rickdiculouslyeasy
2.	RootThis : 1
3.	LAMPSecurity: CTF 8
4.	Cyberry:1
5.	Born2root

Crack /etc/shadow

No	Machine Name
1.	DE-ICE:S1.140
2.	Minotaur
3.	Moonraker:1
4.	Basic Penetration
5.	W1R3S.inc

NFS

No	Machine Name
1.	Orcus
2.	FourAndSix