
Linux Privilege Escalation

Privilege Escalation cheatsheet — Post-exploitation privilege escalation techniques.

Overview

Linux Privilege Escalation is the process of elevating access permissions from a lower-privileged user to root on a Linux system. It is a critical post-exploitation phase that follows initial foothold acquisition.

Linux privesc techniques target misconfigured permissions, vulnerable services, kernel exploits, credential harvesting, and SUID/SGID binaries.

Category: Privilege Escalation (post-exploitation privilege escalation techniques).

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Linux Privilege Escalation:

find / -perm -4000 -type f 2>/dev/null          # list SUID binaries (check each against GTFOBins)
sudo -l                                          # show which commands this user may run via sudo
find / -writable -type f -user root 2>/dev/null  # root-owned files the current user can modify
cat /etc/crontab                                 # system-wide cron table
ls -la /etc/cron*                                # cron directories, ownership and permissions
uname -a                                         # kernel version (input for linux-exploit-suggester)
cat /etc/lsb-release                             # distribution and release
netstat -tlnp                                    # listening TCP services (legacy tool)
ss -tlnp                                         # listening TCP services (modern replacement)
ps aux                                           # running processes and the users they run as
getcap -r / 2>/dev/null                          # files with Linux capabilities set
cat ~/.bash_history                              # shell history that may contain credentials
cat /etc/shadow 2>/dev/null                      # readable only if permissions are misconfigured

Tools & Techniques

Recommended tools for Linux Privilege Escalation:

  • LinPEAS: automated Linux privilege escalation auditing
  • LinEnum: shell-based enumeration script
  • pspy: process monitor for cron job discovery
  • GTFOBins: SUID/SGID binary exploitation reference
  • linux-exploit-suggester: kernel exploit suggestion
  • Manual: check sudo -l, SUID binaries, cron jobs, capabilities

Prevention & Mitigation

Security recommendations to prevent Linux Privilege Escalation:

  • Apply the principle of least privilege for all services
  • Regularly audit SUID/SGID binaries and capabilities
  • Restrict sudo access with specific command allowlists
  • Keep the kernel and packages updated
  • Remove unused software and services
  • Secure cron scripts and directories with proper ownership
  • Use AppArmor/SELinux for mandatory access control
  • Monitor for privilege escalation attempts
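The two audit items above (SUID/SGID binaries and cron script ownership) can be turned into a repeatable baseline check. This is an added POSIX shell example, not part of the cheatsheet or any listed tool; the allowlist file path and the cron locations are assumptions to adjust per host.

```sh
#!/bin/sh
# Defender-side audit for two conditions the cheatsheet enumerates:
# SUID/SGID files that are not on a known-good baseline, and cron files
# that a low-privileged user could modify.

# find_unexpected_setuid ROOT ALLOWLIST_FILE
#   Prints every SUID or SGID regular file under ROOT whose absolute path
#   is not listed in ALLOWLIST_FILE (one path per line, generated from a
#   freshly installed reference host).
find_unexpected_setuid() {
  root="$1"; allow="$2"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | while IFS= read -r f; do
        grep -qxF "$f" "$allow" || printf '%s\n' "$f"
      done
}

# find_writable_cron PATH
#   Prints regular files under PATH writable by group or others. A user who
#   can edit such a script gets code run as the job owner, usually root.
find_writable_cron() {
  find "$1" -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# audit_host ALLOWLIST_FILE
#   Runs both checks against the live system; run as root so every path is
#   readable. Usage (placeholder path): audit_host /etc/suid-allowlist.txt
audit_host() {
  echo "== SUID/SGID files not in $1 =="
  find_unexpected_setuid / "$1"
  echo "== group/other-writable cron files =="
  for d in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
           /etc/cron.weekly /etc/cron.monthly; do
    [ -e "$d" ] && find_writable_cron "$d"
  done
}
```

Any path the first check prints is either a newly installed package (update the allowlist) or something to investigate; the second check should print nothing on a healthy host.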
