LINUX PRIVILEGE ESCALATION
POST-EXPLOITATION — ENUMERATION TO ROOT
MODULE 06 — SUID · SUDO · CRON · PATH HIJACK · KERNEL

OBJECTIVES

  • Enumerate current user and system info
  • Find SUID binaries
  • Check sudo permissions
  • Find writable cron script
  • Identify the escalation path
  • Escalate to root
  • Read the root flag
  • Submit the pentest report
PHASE 1 — ENUMERATION
MISSION BRIEF

HOST: 10.10.16.10 — Shell: www-data

SITUATION

The file upload exploit from the previous phase landed a shell as www-data on 10.10.16.10. This is a low-privilege service account. Your objective is to enumerate the system, identify a privilege escalation path, and escalate to root.

CURRENT ACCESS

Property  Value
User      www-data
UID       33
Shell     /bin/sh (via web shell)
Home      /var/www
Groups    www-data

METHODOLOGY

  • Start with basic enumeration — who are you, what OS, what kernel
  • Check sudo permissions — can www-data run anything as root?
  • Find SUID binaries — executables that run as their owner (often root)
  • Check cron jobs — scheduled tasks running as root with writable scripts
  • Look for writable files in sensitive locations
  • Consult GTFOBins for exploitation techniques
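
An added audit example (not part of the lab's own material) for the cron item above: it parses a system crontab, keeps the jobs that run as root, and reports any whose script or containing directory is world-writable. The function names and the demo crontab and scripts are constructed for illustration.

```sh
#!/bin/sh
# Added audit example: flag root cron jobs whose script is world-writable.

# Print the command path of every job that runs as root.
# System crontab fields: min hour dom mon dow user command...
root_cron_commands() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }       # VAR=value settings
        $1 ~ /^@/ { if ($2 == "root") print $3; next } # @reboot, @daily, ...
        NF >= 7 && $6 == "root" { print $7 }
    ' "$1"
}

# Succeed when the path (symlinks followed) has the world-writable bit set.
world_writable() {
    [ -n "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Report root cron commands whose file or parent directory is world-writable.
audit_crontab() {
    root_cron_commands "$1" | sort -u | while read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # absolute paths only
        [ -e "$cmd" ] || { echo "MISSING $cmd"; continue; }   # stale entry
        if world_writable "$cmd"; then
            echo "WRITABLE $cmd"
        elif world_writable "$(dirname "$cmd")"; then
            echo "WRITABLE-DIR $cmd"
        fi
    done
}

# Constructed demo data: one root job at mode 0755 and one at mode 0777.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/rotate.sh"; chmod 755 "$d/rotate.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 777 "$d/backup.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root $d/rotate.sh
*/5 * * * * root $d/backup.sh --full
0 3 * * * www-data $d/backup.sh
EOF
    audit_crontab "$d/crontab"
    rm -rf "$d"
}

demo
```

To audit a real host, call `audit_crontab /etc/crontab` instead of `demo`.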

GOAL

Achieve a root shell and read /root/flag.txt.

SHELL — www-data@webserver-01
www-data@webserver-01:/var/www/html/uploads$ # Shell obtained via web shell upload
# Type "help" for available commands
www-data@webserver-01:/var/www$
ENUMERATION CHECKLIST
SYSTEM INFO
Current user             whoami / id
OS and kernel version    uname -a
Hostname                 hostname
User accounts            cat /etc/passwd
Environment variables    env / printenv

PERMISSIONS
Sudo permissions         sudo -l
SUID binaries            find / -perm -4000 2>/dev/null
Group memberships        groups / id
File capabilities        getcap -r / 2>/dev/null

PROCESSES & CRON
Cron jobs                cat /etc/crontab
Running processes        ps aux
Network services         ss -tlnp / netstat -tlnp

FILES
World-writable files     find / -writable -type f 2>/dev/null
Home directories         ls -la /home /root 2>/dev/null
Config files with creds  find / -name "*.conf" 2>/dev/null
SUBMIT ROOT FLAG

Read /root/flag.txt after gaining root access and paste the flag below to complete the lab.