Unique Priv-Esc Methods

I will be adding to this post occasionally, but the purpose of this post is to cover one-off privilege escalation methods found in the wild that are too specific to be covered in a dedicated post. If you find any unique methods please let me know in the contact form.

TMUX socket running as root

If the TMUX session is running as root, attach to the session and run any commands you’d like as root. You can run the history command as well to get more info about how the TMUX session was started.


Reading deleted files off mounted drive

In a HackTheBox machine called Mirai, you needed to mount a USB storage device and recover the contents using the strings command. The root flag was in the last location.


Heartbleed credential leak

You can use the Heartbleed bug to extract credentials from a server.


Wget with root privileges

Technically this technique could fall under my Abusing SUDO article, but I thought it was interesting so I put it here. Essentially, if you run sudo -l and you see that you can run wget with sudo privileges, you can do quite a few things since wget can get and send files:


Non-tty shell

This one is kinda vague and may be a little “CTF-like”, but the idea is that some non-TTY shells have escape sequences that you can find in the man page:


World writable /etc/passwd file

You will never find this on a server by default, because -rw-rw-rw- is not the default permission set for the /etc/passwd file, but you may find it in some labs and CTF boxes.


pip install with sudo

If we have sudo privileges to run pip install, after checking with sudo -l, we can create a file called setup.py and include our reverse shell below in it:


On our computer we have a netcat listener using nc -nvlp 1234. Now we run our pip install . command and we can get a root shell:
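From the defender's side, the wget and pip install cases above both come down to a sudo rule that should not exist. The following is an added example, not code from the original post: it scans text in the format printed by `sudo -l` and flags rules that allow wget or pip; the function names and the sample rules, user name and host name are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules that allow wget or pip to run via sudo.
# Reads text in the format printed by `sudo -l`; exits 1 if any rule is flagged.

flag_risky_sudo() {
    awk '
    function report(kind, cmd) { printf "%s\t%s\n", kind, cmd; found = 1 }
    # Rule lines look like: "    (root) NOPASSWD: /usr/bin/wget, /bin/ls"
    /^[ \t]*\(/ {
        rule = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rule)        # drop the "(runas)" prefix
        n = split(rule, cmds, /,[ \t]*/)               # one rule can list several commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            while (match(c, /^[A-Z_]+:[ \t]*/))        # drop tags such as NOPASSWD:
                c = substr(c, RLENGTH + 1)
            split(c, w, /[ \t]+/)
            base = w[1]; sub(/.*\//, "", base)         # compare the basename only
            if (base == "wget")
                report("wget", c)
            else if (base ~ /^pip[0-9.]*$/)
                report("pip", c)
            else if (base ~ /^python[0-9.]*$/ && w[2] == "-m" && w[3] == "pip")
                report("pip", c)
        }
    }
    END { exit found + 0 }
    '
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
    cat <<'EOF'
User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/wget
    (ALL : ALL) /usr/bin/pip install *
    (root) /usr/bin/systemctl status nginx, NOPASSWD: /usr/bin/pip3 install .
    (root) /usr/bin/python3 -m pip install *
    (root) /opt/wget-logs/rotate
EOF
}

sample_sudo_l | flag_risky_sudo || echo "review the flagged rules above"
```

On a live host the same function can be fed with `sudo -l -U <user> | flag_risky_sudo` for each account being reviewed.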



Steganography is the hiding of information within another file. There are many other resources out there on how to find hidden files within files and images.