Linux privilege escalation is one of the most important skills to learn if you are practicing Hack The Box, CTFs, ProLabs, internal pentesting, or real-world Linux post-exploitation.
Getting a shell is only the beginning. The real challenge often starts after that.
Once you land as a low-privileged user, you need to answer questions like:
- What can this user run?
- Are there sudo misconfigurations?
- Are there unusual SUID binaries?
- Are there writable root scripts?
- Are cron jobs running in the background?
- Are there passwords or SSH keys on the system?
- Is Docker misconfigured?
- Is there an NFS no_root_squash issue?
- Is the kernel vulnerable?
That is why Part 3 of my Practical Hacking Cheatsheet Series focuses on:
Linux Privilege Escalation Cheatsheet
This cheatsheet is designed as a clean, practical reference for common Linux privesc vectors seen in HTB machines, CTFs, ProLabs, and pentesting labs. It is not just a random list of commands. The goal is to help you follow a proper methodology after getting a shell and quickly identify realistic paths to root.
The full Linux Privilege Escalation Cheatsheet covers areas like:
- Quick wins after getting a shell
- sudo -l checks
- GTFOBins-based sudo abuse
- SUID and SGID binary discovery
- PATH hijacking
- Shared library injection
- Linux capabilities
- cron job abuse
- pspy monitoring
- wildcard injection
- kernel exploit checks
- DirtyCow, DirtyPipe, PwnKit and sudo-related exploits
- Docker escape checks
- Docker socket abuse
- privileged container abuse
- NFS no_root_squash
- writable systemd services and timers
- internal services on localhost
- password reuse
- SSH key discovery
- MySQL running as root
- screen and tmux session hijacking
- useful Linux enumeration commands
This part is especially useful when you already have a foothold and need a structured way to move from a normal user shell to root.
For example, it helps you answer questions such as:
- What should I check first after getting a Linux shell?
- How do I find SUID binaries?
- How do I abuse sudo permissions?
- How do I identify dangerous Linux capabilities?
- How do I find writable cron scripts?
- How do I monitor hidden root processes?
- How do I check if I am inside Docker?
- How do I exploit an exposed Docker socket?
- How do I test for NFS no_root_squash?
- When should I consider kernel exploits?
The main idea is simple: Linux privilege escalation is mostly careful enumeration. In many labs, the fastest route to root is not a kernel exploit. It is usually a misconfigured sudo rule, a writable script, a reused password, a leaked SSH key, a custom SUID binary, a Docker misconfiguration, or a root cron job running something you can modify.
Full Cheatsheet Series
This is the complete Practical Hacking Cheatsheet Series:
| Part | Cheatsheet | Focus |
|---|---|---|
| Part 1 | Active Directory | AD attack methodology and commands |
| Part 2 | Web Application | Web exploitation techniques and payloads |
| Part 3 | Linux Privesc | Linux privilege escalation vectors |
| Part 4 | Windows Privesc | Windows privilege escalation vectors |
| Part 5 | Reverse Shells | Reverse shell one-liners for all languages |
| Part 6 | File Transfers | Methods to transfer files between machines |
| Part 7 | Pivoting | SSH tunneling, Chisel, Ligolo, SOCKS |
| Part 8 | Password Attacks | Cracking, spraying, brute-forcing |
| Part 9 | Linux Enumeration | Post-exploitation Linux enumeration |
| Part 10 | Windows Enumeration | Post-exploitation Windows enumeration |
Each part is made to be practical, clean, and easy to use while solving machines or revising methodology.
Who This Is For
This cheatsheet series is made for:
- Hack The Box players
- CTF learners
- ProLab students
- Beginner and intermediate pentesters
- Linux security learners
- Privilege escalation beginners
- Cybersecurity students
- People preparing for practical exams
- Anyone building organized hacking notes
If you are practicing Linux machines, this cheatsheet gives you a reliable checklist for going from initial shell to root without randomly guessing commands.