HackPath
BBoooottccaammppNEWCCoouurrsseessRRooaaddmmaappPPrraaccttiicceePPrriicciinngg
>_
HACKPATH

COURSE.EXE

Privilege Escalation Linux

0%
FUNDAMENTALS
01Linux Post-Exploitation Enumeration
45m
02SUID & SGID
55m
SUDO ABUSE
03Sudo Abuse
52m
04Sudoers Misconfigurations
48m
SCHEDULED TASKS & SERVICES
05Cron Jobs
52m
06Vulnerable Services
50m
ADVANCED TECHNIQUES
07Linux Capabilities
48m
08Path Hijacking
52m
09Weak File Permissions
48m
KERNEL & WRAP-UP
10Kernel Exploits
55m
Lesson 01·1 / 10·45 min

Linux Post-Exploitation Enumeration

Lesson details coming soon.

/

Linux Post-Exploitation Enumeration

Enumeration is the first step after obtaining initial access. Before exploiting anything, you must understand the environment to identify privilege escalation vectors.

◆
Privilege escalation is usually found during enumeration: map the boundaries before you try anything.

System information

enumeration linux privesc
◆

User context

◆

Permissions and sensitive files

◆

Sudo and configurations

◆

Network and processes

◆

Environment variables and PATH

◆

Scheduled tasks

◆

Automatic enumeration tools

ToolDescriptionUsage
LinPEASComprehensive, color-coded, highly detailed enumerationcurl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinEnumLighter enumeration script./LinEnum.sh -t
linux-exploit-suggesterSuggests kernel exploits based on version./linux-exploit-suggester.sh
pspyMonitors processes without being root./pspy64
◆

Flashcards

FLASHCARDS · 1/2
CARD #0001
_□×
UNSEEN

Which Linux groups often allow privilege escalation?

◆
Exercises

Exercise 1 — Build a privilege escalation enumeration checklist

  1. On a Linux VM (TryHackMe "Linux PrivEsc" or HackTheBox), run id and sudo -l
  2. Find all SUID files: find / -perm -4000 -type f 2>/dev/null
  3. List all cron jobs: cat /etc/crontab + crontab -l
  4. Download and run LinPEAS — read the red (critical) sections
  5. Download pspy64 and observe root-launched processes for 5 minutes

◆
Open Questions

Question 1 — Why is enumeration the most important step in Linux privilege escalation?

◆

Next Lesson

With enumeration complete, the next lesson exploits the most common Linux privilege escalation vector: SUID and SGID binaries.

Next: SUID & SGID

Hands-on challenge

Practice what you learned — run it on your machine.

Do the challenge →

You're on a free lesson

Ready to go further?

Unlock all courses, exercises, real-world scenarios and flashcards — everything to build real skills.

Unlock full access →

No commitment · Cancel anytime

Sign in to track your progress.

Sign in to validate →

9 lessons locked in this course · 800+ students enrolled

$99/year — save 31% vs monthly

Unlock full access →
You type
# Operating system and version
uname -a
cat /etc/os-release
cat /etc/issue
lsb_release -a

# Architecture and kernel

uname -m # x86_64, aarch64...
uname -r # kernel version

# Uptime and load

uptime
w
You type
# Who am I?
id
whoami

# Group memberships (interesting: docker, lxd, disk, sudo, adm)

groups
id | grep -oP 'groups=\K.\*'

# System user accounts

cat /etc/passwd
cat /etc/passwd | grep -v nologin | grep -v false

# Command history

cat ~/.bash_history
cat ~/.zsh_history
history
You type
# SUID files (Set User ID)
find / -perm -4000 -type f 2>/dev/null

# SGID files (Set Group ID)

find / -perm -2000 -type f 2>/dev/null

# World-writable files

find / -writable -type f 2>/dev/null | grep -v proc

# Recently modified files

find / -mmin -60 -type f 2>/dev/null

# Capabilities

getcap -r / 2>/dev/null
You type
# List sudo privileges (without password)
sudo -l

# Sudoers file

cat /etc/sudoers 2>/dev/null
ls -la /etc/sudoers.d/
You type
# Network interfaces
ip a
ifconfig

# Locally open ports (internal services)

ss -tlnp
netstat -tlnp
ss -unlp # UDP

# Running processes (look for root-owned ones)

ps aux
ps aux | grep root

# Active network connections

ss -tnp
You type
# Environment variables
env
printenv
cat /proc/self/environ | tr '\0' '\n'

# Current PATH

echo $PATH

# Configuration files with credentials

find / -name '_.conf' -o -name '_.config' -o -name '\*.cfg' 2>/dev/null | head -20
grep -r 'password\|passwd\|secret\|key' /etc/ 2>/dev/null | grep -v Binary
You type
# Current user's cron
crontab -l

# System cron

cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/

# Monitor created processes (requires pspy)

./pspy64 # Detects processes launched by root