Linux Privilege Escalation: A Checklist
You popped a shell—nice. But you’re still the intern, and we want root. This is your privilege escalation checklist: a no-fluff terminal command guide to start poking around and climbing the ladder. Copy, paste, listen to the machine.
🧠 System Info
uname -a # Kernel version
cat /etc/issue # OS info
cat /etc/*-release # More distro details
echo $PATH | tr ":" "\n" # Break $PATH into readable lines
🚀 Network Info
ifconfig -a # IP addresses, interfaces
route -n # Routing table
cat /etc/resolv.conf # DNS resolver
arp -en # ARP table
netstat -auntp # Active TCP/UDP connections
cat /etc/NetworkManager/system-connections/* | grep -E "^id|^psk" # Dump WiFi PSKs
🕵️‍♂️ User Recon
id # Current user
w # Who else is logged in
lastlog | grep -v 'Never' # Who logged in before
for user in $(cut -d: -f1 /etc/passwd); do id $user; done # UIDs, GIDs
cut -d: -f1,3,4 /etc/passwd | grep ':0:0$' | cut -d: -f1 # Root users (UID 0 and GID 0; anchored so UID 100/GID 0 etc. don't match)
💪 Processes
ps auxwww # All processes
ps -u root # Root-owned processes
ps -u $USER # Your processes
🌐 File & Folder Permissions
cat /etc/shadow # Can you read this? You're basically root
find / -perm -1000 -type d 2>/dev/null # Sticky bit dirs
find / -perm -u=s -type f 2>/dev/null # SUID files
find / -perm -g=s -type f 2>/dev/null # SGID files
find / -perm -2 -type f 2>/dev/null # World-writable files
ls -al /etc/*.conf # Config files
grep 'pass' /etc/*.conf 2>/dev/null # Look for passwords
grep 'key' /etc/*.conf 2>/dev/null
grep 'secret' /etc/*.conf 2>/dev/null
ls -als /root/ # Can you access /root?
find / -name '*.*history*' 2>/dev/null # History files from other users (pattern quoted so the shell doesn't expand it first)
⏰ Cronjobs
cat /etc/crontab
ls -als /etc/cron.*
find /etc/cron* -type f -perm -o+w -exec ls -l {} \; # Writable jobs run as root?
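As an added example (not part of the original checklist), the POSIX shell audit below runs the same `-perm` tests used in the permissions and cron sections over a constructed scratch tree, so you can see exactly which bit each form matches before pointing it at a real host. The fixture file names and the class labels are the example's own.

```shell
#!/bin/sh
# Audit a tree for the permission classes the checklist looks for.
# Each finding is printed as "<CLASS> <path>", one per line.
audit_perms() {
  root="$1"
  # -perm -4000: SUID bit set (other bits may also be set)
  find "$root" -type f -perm -4000 2>/dev/null | sed 's|^|SUID |'
  # -perm -2000: SGID bit set
  find "$root" -type f -perm -2000 2>/dev/null | sed 's|^|SGID |'
  # -perm -0002: world-writable regular files (same test as "-perm -2")
  find "$root" -type f -perm -0002 2>/dev/null | sed 's|^|WW |'
  # -perm -1000: sticky bit on directories (what /tmp should look like)
  find "$root" -type d -perm -1000 2>/dev/null | sed 's|^|STICKY |'
}

# Constructed fixture: a throwaway tree with one entry per permission class,
# plus one normal file that must not be reported. Prints the tree's path.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/shared";  chmod 1777 "$d/shared"    # sticky, world-writable dir
  : > "$d/suid_bin";  chmod 4755 "$d/suid_bin"  # SUID
  : > "$d/sgid_bin";  chmod 2755 "$d/sgid_bin"  # SGID
  : > "$d/cron_job";  chmod 0666 "$d/cron_job"  # world-writable file
  : > "$d/normal";    chmod 0644 "$d/normal"    # should never appear
  printf '%s\n' "$d"
}

# count_class DIR CLASS -> number of findings of CLASS under DIR
count_class() {
  audit_perms "$1" | grep -c "^$2 "
}

# Stand-alone run: build the fixture, audit it, clean up.
if [ "${AUDIT_DEMO:-1}" = 1 ] && [ -z "${AUDIT_NO_MAIN:-}" ]; then
  fx=$(make_fixture)
  audit_perms "$fx"
  rm -rf "$fx"
fi
```

On a live system the root would be `/` and the interesting output is anything outside a known-good baseline, for example a SUID binary the distro did not ship or a world-writable file under `/etc/cron*`.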
🧰 Metasploit Modules (for the lazy and efficient)
post/linux/gather/enum_configs
post/linux/gather/enum_system
post/linux/gather/enum_network
post/linux/gather/enum_psk
post/linux/gather/hashdump
post/linux/gather/openvpn_credentials
post/linux/gather/phpmyadmin_credsteal
Don’t just run commands. Pay attention to what feels off—an old kernel, a lazy cron job, world-writable SUIDs. Priv esc isn’t about memorizing commands. It’s about knowing where to look.
If this helped, you’ll love the roadmap I put together outlining the courses, books and other resources you need to get started: everything from getting a low-priv shell to chaining it all the way to root. It’s hands-on, no-BS, and built for people who want to break stuff (ethically).