Dark Arts
  • index
  • BUY ME A BOOK
  • ๐Ÿช„Dark Magic
    • Pentesting
      • Industry Methodologies
    • Scopes of Testing
    • Reconnaissance
      • Passive
        • WHOIS
        • DNS
          • nslookup
          • dig
        • WAF
        • Subdomain
        • Google Dork
        • Misc. Techniques
        • Leaked Passwords
      • Active
        • Browser & Plugins
        • ping & traceroute
        • fping
        • telnet & netcat
        • DNS
          • Zone Transfer
          • DNS Amplification DDoS Attack Breakdown
        • Misc. Techniques
    • Vulnerability Assessment
    • Attack Types
  • ๐Ÿ•ท๏ธAragoogs Nest
    • Web Application Overview & Security
      • Security Testing
      • Common Threats & Risks
    • Web Application Architecture
      • Technologies
    • HTTP/S
      • Message
      • Request
      • Response
        • Status Code
    • Crawling/Spidering
  • ๐ŸงชPotions
    • Web Browsers
    • Computer Networking
      • Network Protocol
      • Packets
      • OSI Layer
        • Layer 3: Network
        • Layer 4: Transport
      • DNS
        • Primary-Secondary
        • Local Name Resolution
        • Domain Hierarchy
        • FQDN
        • Lookups
        • DNS Resolution
        • DNS Records
        • Security: Attack-Defense (Default)
  • ๐ŸŽ†Spells
    • ๐Ÿ“œLinux Scroll
    • ๐Ÿ“œWebShell Scroll
    • git
      • Attacks + Vulnerabilities
  • ๐Ÿ–ผ๏ธFlaws w/ Magical Frameworks
    • Windows
      • In a Nutshell
      • CVE-2019-0708: BlueKeep
      • CVE-2017-0144: EternalBlue: MS17-010
      • Attacking Services
        • MS IIS - WebDAV
        • SMB
        • HTTP File Server (HFS)
        • Apache Tomcat Web Server
        • RDP
        • WinRM
      • File System Vulnerabilities
      • Credential Dumping
        • Password Search in Windows Configuration Files
        • Mimikatz
        • Pass-the-Hash Attack
    • Linux
      • In a Nutshell
      • CVE-2014-6271: Shellshock
      • Attacking Services
        • FTP
        • SSH
        • SAMBA
        • SMTP
        • RSYNC
      • Dumping Hashes
  • ๐ŸŒผMarauder's Boost
    • Privilege Escalation
    • Windows PrivEsc
      • Windows Kernel Exploit
      • Bypassing UAC
      • Access Token Impersonation
    • Linux PrivEsc
      • Linux Kernel Exploit
      • Misconfigured Cron Jobs
      • Exploiting SUID Binaries
      • shells
      • File Permissions
  • โ˜ ๏ธDeath Eaters
    • Post Exploitation
      • Windows
      • Linux
  • ๐Ÿช„OLLIVANDERS
    • nmap
      • Host Discovery
      • Port Scan
      • Service & OS
      • NSE
      • Firewall/IDS Evasion
      • Scan Optimization
      • Misc. Methods
    • ffuf
    • Hydra
    • Metasploit Framework
      • Architecture
      • Must to Know
      • msfvenom
      • Auxiliary Modules
      • Service Enumeration
      • Vulnerability Scanning
      • Imports
      • Automating
    • Vulnerability Scanners
    • Wireshark
  • ๐Ÿš‚Platform 9(3/4)
    • Auth-Auth
      • Authentication
        • Password-based Authentication
        • Basic Authentication
        • Multi-factor Authentication
        • Access Token
        • Token-based Authentication
          • JWT
          • OAuth 2.0
    • Secure Headers
      • Content-Security-Policy (CSP)
    • Cryptography
      • Caesar Cipher
  • โ›ฒPort Pensieve
    • Enumeration
      • SMB & NetBIOS
      • SNMP
    • Wordlists
  • ๐Ÿ”†DUELS
    • Pivoting
    • SMB Relay Attack
  • ๐Ÿ—บ๏ธMarauder's Map
    • Web Application Pentesting
    • API Pentesting
      • GraphQL
        • Primer
    • Mobile Application Pentesting
  • ๐ŸŽงSIDE CHANNEL
    • Side Channel Analysis
    • Timing Side-Channel Attacks
      • Vulnerable Login
  • ๐ŸฅƒSky
    • Cloud Basics
    • Cloud Management
      • Shared Responsibility Model
    • Using Cloud Resources
      • Monitoring & Alerts
      • Identity & Access Management
      • Scalability & Availability
      • Solution Design
    • Cloud Providers
    • Cloud Security & Regulatory Compliance
      • Resource Protection
      • ICCA: Cloud Security & Regulatory Compliance
    • ICCA Preparation
      • Knowledge Tests
      • Lab
  • ๐Ÿ”ทObsidian
    • Pentest Engagement
      • Scoping
    • Pentest Ethics
      • Rules of Engagement
    • Auditing Fundamentals
      • Process/Lifecycle
      • Pentest & Security Auditing
      • GRC
      • Standards, Frameworks & Guidelines
      • From Audit to Pentest
  • ๐Ÿ“กTHREAT INTEL
    • Threat Intelligence
    • Tool Dump
  • ๐Ÿ“ฑAnything-Mobile-IoT
    • Firmware
    • Firmware Analysis
      • Example: CVE-2016-1555
    • Firmware Installation/Flashing
  • ๐ŸŽ‰Mischeif
    • Social Engineering
    • Phishing
      • GoPhish
    • Pretexting
Powered by GitBook
On this page
  1. Marauder's Boost
  2. Linux PrivEsc

shells

cat /etc/shells
# Displays the list of available login shells on the system.

cat /etc/shells | while read shell; do ls -l $shell 2>/dev/null; done
# Reads each shell listed in /etc/shells and checks its file permissions using ls -l. Errors (e.g., non-existing files) are redirected to /dev/null to avoid clutter.

find / -perm -4000 2>/dev/null
# Searches the entire filesystem (/) for SUID binaries (files with the set-user-ID bit enabled). Errors (e.g., permission denied) are suppressed by redirecting them to /dev/null.


find / -exec /bin/rbash -p \; -quit
# Searches the entire filesystem (/) and executes /bin/rbash (a restricted shell) with the -p flag, which prevents privilege reduction. The -quit ensures that the command stops after the first match is found and executed.

I started by listing all available login shells on the system using cat /etc/shells. Then, I iterated over each shell path and checked its permissions using ls -l, ensuring that errors were suppressed.

Next, I searched the system for SUID binaries using find / -perm -4000, which can help identify files that run with elevated privileges. Finally, I attempted to execute /bin/rbash with elevated privileges using find -exec, allowing me to see if a restricted shell could be invoked without privilege reduction.

PreviousExploiting SUID BinariesNextFile Permissions

Last updated 9 days ago

๐ŸŒผ