Privilege Escalation Cheatsheet (Vulnhub)

This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples. It is not a cheatsheet for Enumeration using Linux Commands. Privilege escalation is all about proper enumeration. There are multiple ways to perform the same tasks. We have performed and compiled this list on our experience. Please share this with your connections and direct queries and feedback to Pavandeep Singh.

Table of Contents

• Abusing Sudo Rights
• SUID Bit
• Kernel Exploit
• Path Variable
• Enumeration
• MySQL
• Crontab
• Wildcard Injection
• Capabilities
• Apache2.conf writable
• Writable etc/passwd file
• Writable files or script as root
• Buffer Overflow
• Docker

Abusing Sudo Rights

1. Holynix: v1
2. DE-ICE:S1.120
3. 21 LTR: Scene1
4. Kioptrix : Level 1.2
5. Skytower
6. Fristileaks
7. Breach 2.1
8. Zico 2
9. RickdiculouslyEasy
10. Dina
11. Depth
12. The Ether: Evil Science
13. Basic penetration
14. DerpNStink
15. W1R3S.inc
16. Bob:1.0.1
17. The blackmarket
18. Violator
19. Basic Pentesting : 2
20. Temple of Doom
21. Wakanda : 1
22. Matrix : 1
23. KFIOFan : 1
24. W34n3ss 1
25. Replay : 1
26. Unknowndevice64 : 1
27. Web Developer : 1
28. SP ike
29. DC-2
30. DC6
31. Born2Root2
32. DC-4
33. Development
34. Sputnik 1
35. PumpkinRaising
36. Matrix-3
37. symfonos : 2
38. Digitalworld.local : JOY
39. PumpkinFestival
40. Sunset
41. Symfonos:3
42. Ted:1
43. CLAMP 1.0.1
44. Torment
45. WestWild: 1.1
46. Broken: Gallery

SUID Bit

1. Tr0ll 1
2. Mr. Robot
3. Covfefe
4. Toppo:1
5. /dev/random : K2
6. FourAndSix : 2
7. DC-1
8. HackinOS : 1
9. digitalworld.local - BRAVERY
10. Happycorp : 1
11. MinU: v2
12. hackme1
13. dpwwn:2
14. Kevgir

Kernel Exploit

1. LAMPSecurity: CTF 5
2. pWnOS -1.0
3. Hackademic-RTB1
4. Kioptrix : Level 1.1
5. Kioprtix: 5
6. SecOS: 1
7. Droopy
8. Stapler
9. Sidney
10. Simple
11. VulnOS: 2.0
12. Lord of the Root
13. Acid Reloaded
14. Pluck
15. Fartknocker
16. Nightmare
17. Super Mario
18. BTRSys:dv 2.1
19. Trollcave
20. Golden Eye:1
21. Lampiao : 1
22. WinterMute : 1
23. ch4inrulz : 1.0.1
24. Typhoon : 1.02
25. DC-3
26. DC-5
27. GrimTheRipper:1

Path Variable

1. PwnLab
2. Nullbyte
3. USV
4. The Gemini inc
5. Silky-CTF: 0x01
6. symfonos : 1
7. Beast 2
8. Zeus:1

Enumeration

1. The Library:1
2. The Library:2
3. LAMPSecurity: CTF 4
4. LAMPSecurity: CTF 7
5. LAMPSecurity: CTF 8
6. Xerxes: 1
7. pWnOS -2.0
8. DE-ICE:S1.130
9. DE-ICE:S1.140
10. Hackademic-RTB2
11. SickOS 1.1
12. Tommyboy
13. Minotaur
14. VulnOS: 1
15. Spyder Sec
16. Acid
17. Necromancer
18. Freshly
19. Fortress
20. Billu : B0x
21. Defence Space
22. Moria 1.1
23. Analougepond
24. Lazysysadmin
25. Bulldog
26. BTRSys 1
27. G0rmint
28. Blacklight : 1
29. RootThis : 1
30. Cyberry:1

MySQL

1. Kioptrix : Level 1.3
2. Raven
3. Raven : 2

Crontab

1. Billy Madison
2. Born2root
3. BSides Vancuver: 2018
4. Jarbas : 1
5. SP:Jerome

Wildcard Injection

1. Milnet
2. Pipe

Capabilities

1. Kuya : 1
2. DomDom: 1

Apache2.conf Writable

1. Torment

Writable etc/passwd file

1. Hackday Albania
2. Billu Box 2
3. Bulldog 2

Writable files or script as root

1. Skydog
2. Breach 1.0
3. Bot Challenge: Dexter
4. Fowsniff : 1
5. Mercy
6. Casino Royale
7. SP eric
8. PumpkinGarden
9. dpwwn: 1
10. Tr0ll: 3
11. Nezuko:1

Buffer Overflow

1. Tr0ll 2
2. IMF
3. BSides London 2017
4. PinkyPalace
5. ROP Primer
6. CTF KFIOFAN:2

Docker

1. Donkey Docker
2. Game of Thrones