Linux Privilege Escalation
Sudo Rights
sudo -l
ls -salth /etc/sudoers
SUID & GUID Files
# find suid/guid
find / -type f -perm -04000 -ls 2>/dev/null
# find suid
find / -perm -u=s -type f 2>/dev/null
# find guid
find / -perm -g=s -type f 2>/dev/null
Capabilities
getcap -r / 2>/dev/null
Cron Jobs
crontab -u root -l
crontab -l
cat /etc/crontab
ls /etc/cron.*
grep CRON /var/log/syslog
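Added audit example for the cron checks above (not from these notes or any tool they link): it parses /etc/crontab-style entries and flags root jobs whose command file is group- or world-writable, the misconfiguration that turns a scheduled task into a privilege-escalation path. The fixture directory, script names and schedule lines are constructed samples.

```shell
# Audit /etc/crontab-style entries (m h dom mon dow USER COMMAND) and flag
# root-run jobs whose command file is group- or world-writable: such a file
# lets a low-privilege user change what root executes on the next run.
# Constructed example for these notes, not taken from any tool listed above.

# Succeed if the group or "other" write bit is set. Parses ls -l output,
# which is portable: column 6 is group-write and column 9 is other-write.
is_loose_writable() {
  perms=$(ls -ld -- "$1" 2>/dev/null | cut -c6,9)
  case "$perms" in *w*) return 0 ;; *) return 1 ;; esac
}

# Usage: audit_crontab FILE. Prints one line per risky entry; returns 1 if any.
audit_crontab() {
  found=0
  while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
    case "$f1" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
    if [ "${f1#@}" != "$f1" ]; then                        # @reboot / @daily form
      when=$f1; user=$f2; cmd=$f3
    else
      when="$f1 $f2 $f3 $f4 $f5"; user=$f6; cmd=$f7
    fi
    [ "$user" = root ] || continue
    case "$cmd" in /*) ;; *) continue ;; esac              # only absolute paths are checked
    if is_loose_writable "$cmd"; then
      printf 'LOOSE PERMS: root runs %s at "%s"\n' "$cmd" "$when"
      found=1
    fi
  done < "$1"
  return "$found"
}

# Build a throwaway fixture (constructed sample; nothing system-wide is touched)
# and print the path of the generated crontab. One script is 0777, one is 0755.
build_fixture() {
  d=$(mktemp -d) || return 1
  printf '#!/bin/sh\necho backup\n' > "$d/backup-loose.sh"; chmod 0777 "$d/backup-loose.sh"
  printf '#!/bin/sh\necho backup\n' > "$d/backup-safe.sh";  chmod 0755 "$d/backup-safe.sh"
  cat > "$d/crontab" <<EOF
PATH=/usr/bin:/bin
# m h dom mon dow user command
0 2 * * * root $d/backup-loose.sh --full
30 2 * * * root $d/backup-safe.sh
*/5 * * * * www-data $d/backup-loose.sh
@reboot root $d/backup-loose.sh
EOF
  echo "$d/crontab"
}
```

Run `audit_crontab /etc/crontab` (and the files under /etc/cron.d) on a real host; the two root entries pointing at the 0777 script are the ones reported by the fixture.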
Network Services
netstat -antup
netstat -tunlp
Mounted Filesystems
cat /etc/fstab
Root-owned Processes
ps aux | grep -i 'root' --color=auto
Kernel & OS Info
uname -a
cat /etc/*-release
cat /etc/issue
High-Value Locations to Check
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaR /home/ # Look for .ssh keys
ls -lsaht | grep -i '.conf' # Config files
Scripts & Tools
GTFOBins – Abuse legitimate binaries for priv-esc: https://gtfobins.github.io/
LinPeas: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester
Linux Smart Enumeration: https://github.com/diego-treitos/linux-smart-enumeration
Linux Priv Checker: https://github.com/linted/linuxprivchecker
Windows Privilege Escalation
Unquoted Service Paths
Look for services that start automatically and include spaces in their executable path without quotes:
wmic service get name,displayname,pathname,startmode 2>nul | findstr /i "Auto" | findstr /i /v "C:\\Windows\\" | findstr /i /v """
If writable by low-priv users, inject a malicious binary in the path.
Scheduled Tasks / Services
Use these commands to enumerate scheduled tasks and running services, then check the permissions on the files they execute:
schtasks /query /fo LIST /v
net start
Weak File or Folder Permissions
Check for misconfigured permissions on system binaries or config files:
accesschk.exe -uws "Everyone" C:\
Stored Credentials
Common places to find saved creds:
Registry keys
Group Policy Preferences
Configuration files
Tools: mimikatz, creddump, reg query, etc.
Windows Credential Manager
cmdkey /list
Check for stored credentials under each listed item.
SAM File
Location: C:\Windows\System32\config\SAM
Stores local user hashes
Requires SYSTEM-level access to read
Extract using mimikatz, pwdump, or samdump2
NTDS.dit (Domain Controllers)
Location: C:\Windows\NTDS\NTDS.dit
Contains Active Directory data (including password hashes)
Use tools like secretsdump.py to extract remotely.
User Directories
Look through:
C:\Users\[USERNAME]\Documents\
C:\Users\[USERNAME]\Desktop\
C:\Users\[USERNAME]\Downloads\
Look for saved passwords, private keys, cloud creds, and config files.
Pagefile.sys & Hiberfil.sys
Both can contain remnants of credentials in memory.
pagefile.sys: Virtual memory
hiberfil.sys: Hibernate state
Analyze with Volatility or carve with forensic tools.