Privilege Escalation Cheatsheet (Vulnhub)

This cheatsheet is aimed at CTF players and beginners to help them understand the fundamentals of privilege escalation with examples. It is not a cheatsheet for enumeration using Linux commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same task. We have performed and compiled this list based on our experience. Please share this with your connections and direct queries and feedback to Hacking Articles.

Table of Contents

- Abusing Sudo Rights
- SUID Bit
- Kernel Exploit
- Path Variable
- Enumeration
- MySQL
- Cronjob
- Wildcard Injection
- Capabilities
- Writable /etc/passwd file
- Writable files or script
- Buffer Overflow
- Docker
- Chkrootkit
- Bruteforce
- Crack /etc/shadow
- NFS
- Json
- Redis
- LXD
- All
- Exim
- Apache2 Writable

Abusing Sudo Rights

| No. | Machine Name | Files/Binaries |
|---|---|---|
| 1. | Ted:1 | apt-get |
| 2. | KFIOFan : 1 | awk |
| 3. | 21 LTR: Scene1 | cat |
| 4. | Skytower | cat |
| 5. | Matrix : 1 | cp |
| 6. | Sputnik 1 | ed |
| 7. | Sunset | ed |
| 8. | DC-2 | git |
| 9. | Kioptrix : Level 1.2 | ht |
| 10. | Matrix-3 | manual |
| 11. | symfonos : 2 | MySQL |
| 12. | Development | nano |
| 13. | SP ike | nmap |
| 14. | DC6 | nmap |
| 15. | Dina | perl |
| 16. | Wakanda : 1 | pip |
| 17. | Violator | proftpd |
| 18. | Broken: Gallery | reboot/timedatectl |
| 19. | DE-ICE:S1.120 | script |
| 20. | Fristileaks | script |
| 21. | DerpNStink | script |
| 22. | Digitalworld.local : JOY | script |
| 23. | PumpkinFestival | script |
| 24. | The Ether: Evil Science | script |
| 25. | HA:Rudra | script |
| 26. | djinn:1 | script |
| 27. | UA: Literally Vulnerable | script |
| 28. | PumpkinRaising | strace |
| 29. | Unknowndevice64 : 1 | strace |
| 30. | Holynix: v1 | tar |
| 31. | Breach 2.1 | tcpdump |
| 32. | Temple of Doom | tcpdump |
| 33. | Web Developer : 1 | tcpdump |
| 34. | DC-4 | teehee |
| 35. | Serial: 1 | vim |
| 36. | Zico 2 | zip |
| 37. | HA: Dhanush | zip |
| 38. | Sunset: Nightfall | cat |
| 39. | HA: Infinity Stones | ftp |
| 40. | Sunset-Sunrise | wine |
| 41. | Me and My Girlfriend:1 | php |
| 42. | Symfonos:5 | dpkg |
| 43. | Five86:2 | service |
| 44. | Tempus Fugit:1 | Different for every user |
| 45. | DevRandom CTF:1.1 | dpkg |
| 46. | Zion: 1.1 | cp |
| 47. | Seppuku:1 | script |
| 48. | GitRoot: 1 | git |
| 49. | Tre:1 | shutdown |
| 50. | BlackRose: 1 | script |
| 51. | So Simple:1 | script |
| 52. | CryptoBank:1 | All |
| 53. | Star Wars:1 | All |
| 54. | Mercury | script |
| 55. | Durian:1 | script |
| 56. | nyx:1 | gcc |
| 57. | Relevant:1 | node |
| 58. | Maskcrafter:1.1 | dpkg |
| 59. | Hogwarts:Bellatrix | vim |

SUID Bit

| No. | Machine Name | SUID Bit |
|---|---|---|
| 1. | Kevgir | cp |
| 2. | digitalworld.local - BRAVERY | cp |
| 3. | Happycorp : 1 | cp |
| 4. | FourAndSix : 2 | doas |
| 5. | DC-1 | find |
| 6. | dpwwn:2 | find |
| 7. | MinU: v2 | Micro Editor |
| 8. | Toppo:1 | python 2.7/mawk |
| 9. | Mr. Robot | nmap |
| 10. | Covfefe | script |
| 11. | /dev/random : K2 | script |
| 12. | hackme1 | script |
| 13. | Sunset: dawn | zsh |
| 14. | HA: Wordy | cp |
| 15. | bossplayersCTF 1 | find |
| 16. | In Plain Sight:1 | script |
| 17. | Five86:1 | script |
| 18. | Geisha:1 | base32 |
| 19. | Victim:1 | nohup |
| 20. | eLection: 1 | script |
| 21. | Photographer 1 | php7.2 |
| 22. | DMV :1 | script |
| 23. | ShellDredd #1 Hannah | cpulimit |
| 24. | KB-Vuln:3 | systemctl |
| 25. | Cybox:1 | register |

Kernel Exploit

| No. | Machine Name | Kernel Exploit |
|---|---|---|
| 1. | pWnOS -1.0 | Linux Kernel 2.6.17 < 2.6.24.1 5092 |
| 2. | LAMPSecurity: CTF 5 | Linux Kernel 2.4/2.6 9479 |
| 3. | Kioptrix : Level 1.1 | CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) 9542 |
| 4. | Hackademic-RTB1 | RDS Protocol' Local Privilege Escalation 15285 |
| 5. | Hackademic-RTB2 | RDS Protocol' Local Privilege Escalation 15285 |
| 6. | ch4inrulz : 1.0.1 | RDS Protocol' Local Privilege Escalation 15285 |
| 7. | Kioptrix: 5 | FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation 28718 |
| 8. | Simple | Apport/Abrt (Ubuntu / Fedora) 36746 |
| 9. | SecOS: 1 | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 10. | Droopy | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 11. | VulnOS: 2.0 | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 12. | Fartknocker | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 13. | Super Mario | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 14. | Golden Eye:1 | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 15. | Typhoon : 1.02 | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 16. | GrimTheRipper:1 | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 17. | 6days | Ubuntu 12.04/14.04/14.10/15.04 37292 |
| 18. | Lord of the Root | Ubuntu 14.04/15.10 39166 |
| 19. | Acid Reloaded | Ubuntu 14.04/15.10 39166 |
| 20. | Stapler | Ubuntu 16.04 39772 |
| 21. | Sidney | Ubuntu 16.04 39772 |
| 22. | DC-3 | Ubuntu 16.04 39772 |
| 23. | Pluck | Dirty COW 40616 |
| 24. | Lampiao : 1 | Dirty COW /proc/self/mem' Race Condition 40847 |
| 25. | WinterMute : 1 | GNU Screen 4.5.0 41154 |
| 26. | DC-5 | GNU Screen 4.5.0 41154 |
| 27. | BTRSys:dv 2.1 | Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free 41458 |
| 28. | Nightmare | Ubuntu 14.04/16.04 (KASLR / SMEP) 43418 |
| 29. | Trollcave | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) 44298 |
| 30. | Prime: 1 | Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) 44298 |
| 31. | LAMPSecurity: CTF6 | Linux Kernel 2.6 8478 |
| 32. | My File Server:1 | Dirty COW 40616 |
| 33. | VulnUni 1.0.1 | GUnet OpenEclass E-learning platform 1.7.3 48106 |
| 34. | Sumo: 1 | Dirty COW 40839 |
| 35. | CyberSploit: 1 | Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' 37292 |
| 36. | Loly: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) 45010 |
| 37. | Tomato: 1 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) 45010 |

Path Variable

| No. | Machine Name | Files |
|---|---|---|
| 1. | PwnLab | cat |
| 2. | USV | cat |
| 3. | Zeus:1 | date |
| 4. | The Gemini inc | date |
| 5. | EW-Skuzzy | id |
| 6. | Nullbyte | ps |
| 7. | symfonos : 1 | curl |
| 8. | Silky-CTF: 0x01 | whoami |
| 9. | Beast 2 | whoami |
| 10. | HA:Arsenal Avengers | ifconfig |
| 11. | Inclusiveness:1 | whoami |
| 12. | MuzzyBox:1 | ls |
| 13. | TBBT:2 | sl |
| 14. | Sunset: Midnight | service |
| 15. | Healthcare:1 | fdisk |

Enumeration

| No. | Machine Name |
|---|---|
| 1. | The Library:1 |
| 2. | The Library:2 |
| 3. | LAMPSecurity: CTF 4 |
| 4. | LAMPSecurity: CTF 7 |
| 5. | Xerxes: 1 |
| 6. | pWnOS -2.0 |
| 7. | DE-ICE:S1.130 |
| 9. | Tommyboy |
| 10. | VulnOS: 1 |
| 11. | Spyder Sec |
| 12. | Acid |
| 13. | Necromancer |
| 14. | Freshly |
| 15. | Fortress |
| 16. | Billu : B0x |
| 17. | Defence Space |
| 18. | Moria 1.1 |
| 19. | Analougepond |
| 20. | Lazysysadmin |
| 21. | Bulldog |
| 22. | BTRSys 1 |
| 23. | G0rmint |
| 24. | Blacklight : 1 |
| 25. | The blackmarket |
| 26. | Matrix 2 |
| 27. | Basic Pentesting : 2 |
| 28. | Depth |
| 29. | Bob: 1.0.1 |
| 30. | W34kn3ss 1 |
| 31. | Replay: 1 |
| 32. | Born2Root: 2 |
| 33. | CLAMP 1.0.1 |
| 34. | WestWild: 1.1 |
| 35. | 64base |
| 36. | C0m80 |
| 37. | Gibson |
| 38. | Quaoar |
| 39. | Hacker Fest: 2019 |
| 40. | EVM: 1 |
| 41. | EnuBox:Mattermost |
| 42. | 2much:1 |
| 43. | mhz_cxf:c1f |
| 44. | HA: Pandavas |
| 45. | GreenOptic:1 |
| 46. | Cewlkid:1 |
| 47. | PowerGrid:1.0.1 |
| 48. | Insanity:1 |
| 49. | Tempus Fugit:3 |
| 50. | HA: Forensics |
| 51. | HA: Vedas |
| 52. | HA: Sherlock |

MySQL

| No. | Machine Name |
|---|---|
| 1. | Kioptrix : Level 1.3 |
| 2. | Raven |
| 3. | Raven : 2 |

Cronjob

| No. | Machine Name |
|---|---|
| 1. | Billy Madison |
| 2. | BSides Vancouver: 2018 |
| 3. | Jarbas : 1 |
| 4. | SP:Jerome |
| 5. | dpwwn: 1 |
| 6. | Sar |
| 7. | TBBT |
| 8. | Glasgow Smile: 1.1 |
| 9. | LemonSqueezy:1 |

Wildcard Injection

| No. | Machine Name |
|---|---|
| 1. | Milnet |
| 2. | Pipe |

Capabilities

| No. | Machine Name |
|---|---|
| 1. | Kuya : 1 |
| 2. | DomDom: 1 |
| 3. | HA: Naruto |
| 4. | Connect The Dots:1 |
| 5. | Katana |
| 6. | Presidential: 1 |

Writable /etc/passwd file

| No. | Machine Name |
|---|---|
| 1. | Hackday Albania |
| 2. | Billu Box 2 |
| 3. | Bulldog 2 |
| 4. | AI: Web: 1 |
| 5. | Westwild: 2 |
| 6. | Misdirection 1 |
| 7. | HA: ISRO |
| 8. | Gears of War: EP#1 |
| 9. | DC:9 |
| 10. | Sahu |
| 11. | Sunset: Twilight |
| 12. | Chili:1 |

Writable files or script

| No. | Machine Name |
|---|---|
| 1. | Skydog |
| 2. | Breach 1.0 |
| 3. | Bot Challenge: Dexter |
| 4. | Fowsniff : 1 |
| 5. | Mercy |
| 6. | Casino Royale |
| 7. | SP eric |
| 8. | PumpkinGarden |
| 9. | Tr0ll: 3 |
| 10. | Nezuko:1 |
| 11. | Symfonos:3 |
| 12. | Tr0ll 1 |
| 13. | DC:7 |
| 14. | View2aKill |
| 15. | CengBox:1 |
| 16. | Broken 2020: 1 |
| 17. | CengBox:2 |
| 18. | HA:Narak |

Buffer Overflow

| No. | Machine Name |
|---|---|
| 1. | Tr0ll 2 |
| 2. | IMF |
| 3. | BSides London 2017 |
| 4. | PinkyPalace |
| 5. | ROP Primer |
| 6. | CTF KFIOFAN:2 |
| 7. | Kioptrix : Level 1 |
| 8. | Silky-CTF: 0x02 |

Docker

| No. | Machine Name |
|---|---|
| 1. | Donkey Docker |
| 2. | Game of Thrones |
| 3. | HackinOS:1 |
| 4. | HA: Chakravyuh |
| 5. | Mumbai:1 |
| 6. | Sunset:dusk |
| 7. | Pwned:1 |

Chkrootkit

| No. | Machine Name |
|---|---|
| 1. | SickOS 1.2 |
| 2. | Sedna |
| 3. | HA: Chanakya |
| 4. | Sunset: decoy |

Bruteforce

| No. | Machine Name |
|---|---|
| 1. | Rickdiculouslyeasy |
| 2. | RootThis : 1 |
| 3. | LAMPSecurity: CTF 8 |
| 4. | Cyberry:1 |
| 5. | Born2root |

Crack /etc/shadow

| No. | Machine Name |
|---|---|
| 1. | DE-ICE:S1.140 |
| 2. | Minotaur |
| 3. | Moonraker:1 |
| 4. | Basic Penetration |
| 5. | W1R3S.inc |

NFS

| No. | Machine Name |
|---|---|
| 1. | Orcus |
| 2. | FourAndSix |

Json

| No. | Machine Name | Json |
|---|---|---|
| 1. | MinU: 1 | Json Token |
| 2. | Symfonos:4 | Json Pickle |

Redis

| No. | Machine Name |
|---|---|
| 1. | Gemini inc:2 |

LXD

| No. | Machine Name |
|---|---|
| 1. | AI: Web: 2 |
| 2. | HA: Joker |
| 3. | CyNix:1 |

All

| No. | Machine Name |
|---|---|
| 1. | Lin.Security |
| 2. | Escalate_Linux |
| 3. | Jigsaw:1 |

Exim

| No. | Machine Name |
|---|---|
| 1. | DC:8 |

Apache2 Writable

| No. | Machine Name |
|---|---|
| 1. | Torment |
| 2. | HA: Armour |
| 3. | HA: Natraj |