Kernel level exploits exist for a variety of Linux kernel versions. A very well-known example is Dirty COW and pwnkit (CVE-2016-5195)
**Searching Kernel Version
uname -a
cat /etc/lsb-release
Vulnerable Service
Many services may be found, which have flaws that can be leveraged to escalate privileges. An example is the popular terminal multiplexer Screen In simple words services with older version which already have a exploit https://github.com/hac01/exploit/blob/main/lpe/screen4.5.0_exploit.sh
Cron Job Abuse
Cron Jobs are set to run a particular Task at a particular interval of Times . For ex :- Running a script which backups a dir or entire OS after 3 days .
How u abuse this to get root ?? Sometimes sysadmins makes major misconfiguration . For ex:- there is a script which backups x dir and it runs as root but all global user can make changes in that dir .
There are two types of permission setuid and setgid .
Setuid permission let's to run a program as another user . Setuid bit appears with s.
Setgid is another special permission which let's us run a program as we are part of the same group which created them .
Finding setuid
Finding setgid
Sudo Rights Abuse
Sudo privs can be granted to a account allowing them to run certain command as root without the password of root user .
**Finding **
Path Abuse
privileged groups
Some groups have special rights over certain folder . for ex:- group called Adm has special root over /var/log u may not be able to get root but can definitely get sensitive information .
Other Technique
U can sniff the traffic using tcpdump (if installed) . Which may result in getting clear text password .
NFS root squashing
C code
now upload the compiled binary on nfs share with chmod u+s