⬆️ Privilege Escalation for Pentesters

A practical Privilege Escalation cheat sheet and reference guide designed for CTF players, penetration testers, and cybersecurity learners to understand how attackers escalate privileges on compromised systems

🌐 Connect With Us

🔵 Telegram – Join Channel
⚫ Twitter/X – Follow Us
🟣 Discord – Join Server
💼 LinkedIn – Follow HackingArticles

🎓 Training Program

🚀 Join Our Cybersecurity Training Program

Hands-on training in Penetration Testing, Red Teaming, and Cybersecurity.

Table of Contents

• Abusing Sudo Rights
• SUID Bit
• Kernel Exploit
• Path Variable
• Enumeration
• MySQL
• Cronjob
• Wildcard Injection
• Capabilities
• Writable /etc/passwd file
• Writable files or script
• Buffer Overflow
• Docker
• Chkrootkit
• Bruteforce
• Crack /etc/shadow
• NFS
• Json
• Redis
• LXD
• All
• Exim
• Apache2 Writable

Abusing Sudo Rights ⤴

No.	Machine Name	Files/Binaries
1.	Ted:1	apt-get
2.	KFIOFan : 1	awk
3.	21 LTR: Scene1	cat
4.	Skytower	cat
5.	Matrix : 1	cp
6.	Sputnik 1	ed
7.	Sunset	ed
8.	DC-2	git
9.	Kioptrix : Level 1.2	ht
10.	Matrix-3	manual
11.	symfonos : 2	MySQL
12.	Development	nano
13.	SP ike	nmap
14.	DC6	nmap
15.	Dina	perl
16.	Wakanda : 1	pip
17.	Violator	proftpd
18.	Broken: Gallery	reboot/timedatectl
19.	DE-ICE:S1.120	script
20.	Fristileaks	script
21.	DerpNStink	script
22.	Digitalworld.local : JOY	script
23.	PumpkinFestival	script
24.	The Ether: Evil Science	script
25.	HA:Rudra	script
26.	djinn:1	script
27.	UA: Literally Vulnerable	script
28.	PumpkinRaising	strace
29.	Unknowndevice64 : 1	strace
30.	Holynix: v1	tar
31.	Breach 2.1	tcpdump
32.	Temple of Doom	tcpdump
33.	Web Developer : 1	tcpdump
34.	DC-4	teehee
35.	Serial: 1	vim
36.	Zico 2	zip
37.	HA: Dhanush	zip
38.	Sunset: Nightfall	cat
39.	HA: Infinity Stones	ftp
40.	Sunset-Sunrise	wine
41.	Me and My Girlfreind:1	php
42.	Symfonos:5	dpkg
43.	Five86:2	service
44.	Tempus Fugit:1	Diffrent for every user
45.	DevRandom CTF:1.1	dpkg
46.	Zion: 1.1	cp
47.	Seppuku:1	script
48.	GitRoot: 1	git
49.	Tre:1	shutdown
50.	BlackRose: 1	script
51.	So Simple:1	script
52.	CryptoBank:1	All
53.	Star Wars:1	All
54.	Mercury	script
55.	Durian:1	script
56.	nyx:1	gcc
57.	Relevant:1	node
58.	Maskcrafter:1.1	dpkg
59.	Hogwarts:Bellatrix	vim

SUID Bit ⤴

No.	Machine Name	SUID Bit
1.	Kevgir	cp
2.	digitalworld.local - BRAVERY	cp
3.	Happycorp : 1	cp
4.	FourAndSix : 2	doas
5.	DC-1	find
6.	dpwwn:2	find
7.	MinU: v2	Micro Editor
8.	Toppo:1	python 2.7/mawk
9.	Mr. Robot	nmap
10.	Covfefe	script
11.	/dev/random : K2	script
12.	hackme1	script
13.	Sunset: dawn	zsh
14.	HA: Wordy	cp
15.	bossplayersCTF 1	find
16.	In Plain Sight:1	script
17.	Five86:1	script
18.	Geisha:1	base32
19.	Victim:1	nohup
20.	eLection: 1	script
21.	Photographer 1	php7.2
22.	DMV :1	script
23.	ShellDredd #1 Hannah	cpulimit
24.	KB-Vuln:3	systemctl
25.	Cybox:1	register

Kernel Exploit ⤴

No.	Machine Name	Kernel	Exploit
1.	pWnOS -1.0	Linux Kernel 2.6.17 < 2.6.24.1	5092
2.	LAMPSecurity: CTF 5	Linux Kernel 2.4/2.6	9479
3.	Kioptrix : Level 1.1	CentOS 4.4/4.5 / Fedora Core 4/5/6 x86)	9542
4.	Hackademic-RTB1	RDS Protocol' Local Privilege Escalation	15285
5.	Hackademic-RTB2	RDS Protocol' Local Privilege Escalation	15285
6.	ch4inrulz : 1.0.1	RDS Protocol' Local Privilege Escalation	15285
7.	Kioprtix: 5	FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation	28718
8.	Simple	Apport/Abrt (Ubuntu / Fedora)	36746
9.	SecOS: 1	Ubuntu 12.04/14.04/14.10/15.04	37292
10.	Droopy	Ubuntu 12.04/14.04/14.10/15.04	37292
11.	VulnOS: 2.0	Ubuntu 12.04/14.04/14.10/15.04	37292
12.	Fartknocker	Ubuntu 12.04/14.04/14.10/15.04	37292
13.	Super Mario	Ubuntu 12.04/14.04/14.10/15.04	37292
14.	Golden Eye:1	Ubuntu 12.04/14.04/14.10/15.04	37292
15.	Typhoon : 1.02	Ubuntu 12.04/14.04/14.10/15.04	37292
16.	GrimTheRipper:1	Ubuntu 12.04/14.04/14.10/15.04	37292
17.	6days	Ubuntu 12.04/14.04/14.10/15.04	37292
18.	Lord of the Root	Ubuntu 14.04/15.10	39166
19.	Acid Reloaded	Ubuntu 14.04/15.10	39166
20.	Stapler	Ubuntu 16.04	39772
21.	Sidney	Ubuntu 16.04	39772
22.	DC-3	Ubuntu 16.04	39772
23.	Pluck	Dirty COW	40616
24.	Lampiao : 1	Dirty COW /proc/self/mem' Race Condition	40847
25.	WinterMute : 1	GNU Screen 4.5.0	41154
26.	DC-5	GNU Screen 4.5.0	41154
27.	BTRSys:dv 2.1	Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free	41458
28.	Nightmare	Ubuntu 14.04/16.04 (KASLR / SMEP)	43418
29.	Trollcave	Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)	44298
30.	Prime: 1	Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4)	44298
31.	LAMPSecurity: CTF6	Linux Kernel 2.6	8478
32.	My File Server:1	Dirty COW	40616
33.	VulnUni 1.0.1	GUnet OpenEclass E-learning platform 1.7.3	48106
34.	Sumo: 1	Dirty COW	40839
35.	CyberSploit: 1	Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs'	37292
36.	Loly: 1	Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)	45010
37.	Tomato: 1	Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)	45010

Path Variable ⤴

No.	Path Variable	Files
1.	PwnLab	cat
2.	USV	cat
3.	Zeus:1	date
4.	The Gemini inc	date
5.	EW-Skuzzy	id
6.	Nullbyte	ps
7.	symfonos : 1	curl
8.	Silky-CTF: 0x01	whoami
9.	Beast 2	whoami
10.	HA:Arsenal Avengers	ifconfig
11.	Inclusiveness:1	whoami
12.	MuzzyBox:1	ls
13.	TBBT:2	sl
14.	Sunset: Midnight	service
15.	Healthcare:1	fdisk

Enumeration ⤴

No.	Machine Name
1.	The Library:1
2.	The Library:2
3.	LAMPSecurity: CTF 4
4.	LAMPSecurity: CTF 7
5.	Xerxes: 1
6.	pWnOS -2.0
7.	DE-ICE:S1.130
9.	Tommyboy
10.	VulnOS: 1
11.	Spyder Sec
12.	Acid
13.	Necromancer
14.	Freshly
15.	Fortress
16.	Billu : B0x
17.	Defence Space
18.	Moria 1.1
19.	Analougepond
20.	Lazysysadmin
21.	Bulldog
22.	BTRSys 1
23.	G0rmint
24.	Blacklight : 1
25.	The blackmarket
26.	Matrix 2
27.	Basic Pentesting : 2
28.	Depth
29.	Bob: 1.0.1
30.	W34kn3ss 1
31.	Replay: 1
32.	Born2Root: 2
33.	CLAMP 1.0.1
34.	WestWild: 1.1
35.	64base
36.	C0m80
37.	Gibson
38.	Quaoar
39.	Hacker Fest: 2019
40.	EVM: 1
41.	EnuBox:Mattermost
42.	2much:1
43.	mhz_cxf:c1f
44.	HA: Pandavas
45.	GreenOptic:1
46.	Cewlkid:1
47.	PowerGrid:1.0.1
48.	Insanity:1
49.	Tempus Fugit:3
50.	HA: Forensics
51.	HA: Vedas
52.	HA: Sherlock

MySQL ⤴

No	Machine Name
1.	Kioptrix : Level 1.3
2.	Raven
3.	Raven : 2

Cronjob ⤴

No	Machine Name
1.	Billy Madison
2.	BSides Vancuver: 2018
3.	Jarbas : 1
4.	SP:Jerome
5.	dpwwn: 1
6.	Sar
7.	TBBT
8.	Glasgow Smile: 1.1
9.	LemonSqueezy:1

Wildcard Injection ⤴

No	Machine Name
1.	Milnet
2.	Pipe

Capabilities ⤴

No	Machine Name
1.	Kuya : 1
2.	DomDom: 1
3.	HA: Naruto
4.	Connect The Dots:1
5.	Katana
6.	Presidential: 1

Writable /etc/passwd file ⤴

No	Machine Name
1.	Hackday Albania
2.	Billu Box 2
3.	Bulldog 2
4.	AI: Web: 1
5.	Westwild: 2
6.	Misdirection 1
7.	HA: ISRO
8.	Gears of War: EP#1
9.	DC:9
10.	Sahu
11.	Sunset: Twilight
12.	Chili:1

Writable files or script ⤴

No	Machine Name
1.	Skydog
2.	Breach 1.0
3.	Bot Challenge: Dexter
4.	Fowsniff : 1
5.	Mercy
6.	Casino Royale
7.	SP eric
8.	PumpkinGarden
9.	Tr0ll: 3
10.	Nezuko:1
11.	Symfonos:3
12.	Tr0ll 1
13.	DC:7
14.	View2aKill
15.	CengBox:1
16.	Broken 2020: 1
17.	CengBox:2
18.	HA:Narak

Buffer Overflow ⤴

No	Machine Name
1.	Tr0ll 2
2.	IMF
3.	BSides London 2017
4.	PinkyPalace
5.	ROP Primer
6.	CTF KFIOFAN:2
7.	Kioptrix : Level 1
8.	Silky-CTF: 0x02

Docker ⤴

No	Machine Name
1.	Donkey Docker
2.	Game of Thrones
3.	HackinOS:1
4.	HA: Chakravyuh
5.	Mumbai:1
6.	Sunset:dusk
7.	Pwned:1

Chkrootkit ⤴

No	Machine Name
1.	SickOS 1.2
2.	Sedna
3.	HA: Chanakya
4.	Sunset: decoy

Bruteforce ⤴

No	Machine Name
1.	Rickdiculouslyeasy
2.	RootThis : 1
3.	LAMPSecurity: CTF 8
4.	Cyberry:1
5.	Born2root

Crack /etc/shadow ⤴

No	Machine Name
1.	DE-ICE:S1.140
2.	Minotaur
3.	Moonraker:1
4.	Basic Penetration
5.	W1R3S.inc

NFS ⤴

No	Machine Name
1.	Orcus
2.	FourAndSix

Json ⤴

No	Machine Name	Json
1.	MinU: 1	Json Token
2.	Symfonos:4	Json Pickle

Redis ⤴

No	Machine Name
1.	Gemini inc:2

LXD ⤴

No	Machine Name
1.	AI: Web: 2
2.	HA: Joker
3.	CyNix:1

ALL ⤴

No	Machine Name
1.	Lin.Security
2.	Escalate_Linux
3.	Jigsaw:1

Exim⤴

No	Machine Name
1.	DC:8

Apache2 Writable ⤴

No	Machine Name
1.	Torment
2.	HA: Armour

|3.|HA: Natraj