08 - Privilege Escalation
#Overview
Privilege escalation is the process of elevating your access from a low-privileged user to a higher-privileged one -- ideally root on Linux or SYSTEM / Domain Admin on Windows. A foothold without privilege escalation is usually a dead end: most sensitive data, critical infrastructure, and lateral movement opportunities require elevated access.
The path from low-privileged user to administrator is rarely a single step; it is typically a chain of misconfigurations, excessive permissions, and vulnerable software. The core principle is: enumerate first, exploit second.
#Linux vs Windows Methodology
While the goal is the same, the approach differs significantly between operating systems:
#Linux Privilege Escalation
```text
Foothold (low-privileged user)
        |
        v
Automated Enumeration (linpeas, linenum)
        |
        v
Manual Review: Kernel exploits, SUID/SGID, sudo -l, cron jobs, PATH, capabilities
        |
        v
Exploit most viable path
        |
        v
Root / Higher-privileged user
```
#Windows Privilege Escalation
```text
Foothold (low-privileged user)
        |
        v
Automated Enumeration (winpeas, Seatbelt, PowerUp)
        |
        v
Manual Review: service permissions, unquoted paths, AlwaysInstallElevated, UAC bypass
        |
        v
Check for AD context (BloodHound, domain user?)
        |
        v
Exploit most viable path
        |
        v
SYSTEM / Administrator / Domain escalation
```
#Common Privilege Escalation Vectors
#Linux
| Vector | Description | Enumeration check |
|---|---|---|
| Kernel Exploits | DirtyCow, DirtyPipe, overlayfs (PwnKit is a polkit/pkexec bug rather than a kernel one, but is triaged the same way: version first, then CVE lookup) | uname -a, cat /etc/os-release, then kernel and distro version lookup |
| SUID/SGID Binaries | Binaries with the setuid/setgid bit whose behaviour gives a shell or arbitrary file read/write (find, vim, bash, less); cross-reference each hit against GTFOBins | find / -perm -4000 -type f 2>/dev/null (SGID: -perm -2000) |
| Sudo Misconfigurations | Rules that let the user run a binary with a shell escape as root, NOPASSWD entries, env_keep with LD_PRELOAD or LD_LIBRARY_PATH, or an old sudo with a known CVE | sudo -l, sudo -V |
| Cron Jobs | Scripts run by root that the user can write to, or that call binaries by relative name | cat /etc/crontab, ls -la /etc/cron.d /etc/cron.*, then check the permissions of every referenced script |
| Capabilities | Dangerous file capabilities (cap_setuid, cap_dac_read_search, cap_sys_ptrace, cap_sys_admin) on binaries the user can execute | getcap -r / 2>/dev/null |
| PATH Hijacking | A writable directory that appears in PATH before the directory holding a binary that a root process calls by relative name | echo $PATH, test -w on each entry |
| Docker / LXC | Membership in the docker or lxd group, or a privileged container, is effectively root on the host | id, docker ps, ls -la /var/run/docker.sock |
| Wildcard Injection | A root cron job or script that runs tar/chown/chmod/rsync with a wildcard in a directory the user can write to, so crafted file names become options (for tar: --checkpoint=1 and --checkpoint-action=exec=...) | Look for * in cron and script commands, then check whether the target directory is writable |
| NFS no_root_squash | Exports with no_root_squash let root on a client create root-owned SUID files that the server trusts | cat /etc/exports locally, showmount -e <host> remotely |
| Library Hijacking | A SUID binary that loads a library from a writable directory on the loader search path (ld.so.conf.d, RPATH) or tries to load a missing one; LD_LIBRARY_PATH itself is ignored for SUID binaries | readelf -d or objdump -p on SUID binaries (ldd may execute an untrusted binary), then check ownership of the directories it searches |
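The checks in the table are usually typed one at a time. The script below is an added example, not part of these notes or of linpeas, that strings the manual Linux checks together and reduces their output to the lines worth following up: SUID binaries on a short abusable list, dangerous capabilities, root cron jobs that call a relative binary, contain a wildcard, or run a writable script, writable PATH entries and the Docker socket. The abusable-binary and dangerous-capability lists are assumptions drawn from commonly cited GTFOBins entries, not an exhaustive reference, and the script name is hypothetical.

```shell
#!/bin/sh
# privesc_triage.sh: manual Linux privilege-escalation triage (added example).
# The two lists below are assumptions based on commonly abused binaries and
# capabilities (GTFOBins-style); extend them for the target.

# SUID binaries that commonly allow a shell escape or arbitrary file read/write.
ABUSABLE_SUID="bash sh dash find vim vi nano less more awk python python3 perl env cp mv tee tar nmap"

# File capabilities that typically lead straight to root (setuid, read any file,
# ptrace root processes, mount/ioctl tricks, load kernel modules).
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# flag_suid: stdin = one path per line (the output of find / -perm -4000 -type f);
# prints the paths whose basename is on ABUSABLE_SUID.
flag_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=${path##*/}
    case " $ABUSABLE_SUID " in
      *" $name "*) printf '%s\n' "$path" ;;
    esac
  done
  return 0
}

# flag_caps: stdin = getcap -r / output (either "/path cap_x=ep" or the older
# "/path = cap_x+ep" form); prints the lines naming a dangerous capability.
flag_caps() {
  while IFS= read -r line; do
    lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
    for cap in $DANGEROUS_CAPS; do
      case "$lc" in
        *"$cap"*) printf '%s\n' "$line"; break ;;
      esac
    done
  done
  return 0
}

# cron_commands: stdin = system crontab text (/etc/crontab, /etc/cron.d/*), whose
# rows are "m h dom mon dow user command" or "@reboot user command".
# Prints "user<TAB>command", skipping blank lines, comments and VAR=value lines.
cron_commands() {
  set -f                              # rows contain '*'; do not glob-expand them
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|[A-Za-z_]*=*) continue ;;
    esac
    set -- $line                      # unquoted on purpose: split the row into fields
    case "$1" in
      @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;
      *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;
    esac
    printf '%s\t%s\n' "$user" "$*"
  done
  set +f
  return 0
}

# flag_cron: stdin = cron_commands output. Prints the root jobs worth a look:
#   - the command is a relative name, so cron's PATH decides what runs (PATH hijack)
#   - the command contains a shell wildcard (wildcard injection, e.g. a file named
#     --checkpoint-action=exec=... in the directory tar is pointed at)
#   - the script it runs exists and is writable by the current user
flag_cron() {
  tab=$(printf '\t')
  while IFS="$tab" read -r user cmd; do
    [ "$user" = root ] || continue
    first=${cmd%% *}
    reason=""
    case "$first" in
      /*) if [ -f "$first" ] && [ -w "$first" ]; then reason="script writable"; fi ;;
      *)  reason="relative binary (PATH hijack)" ;;
    esac
    case "$cmd" in
      *\**) reason="${reason:+$reason, }wildcard in command" ;;
    esac
    if [ -n "$reason" ]; then
      printf '%s\t%s\n' "$reason" "$cmd"
    fi
  done
  return 0
}

# Live run: sh privesc_triage.sh --live  (gated behind a flag so the functions can
# be sourced, or fed saved output from a target, without walking the filesystem).
if [ "${1:-}" = "--live" ]; then
  echo "[*] kernel: $(uname -r)"
  echo "[*] sudo rules (non-interactive):"
  sudo -n -l 2>/dev/null || echo "    sudo -l needs a password or is unavailable; run it by hand"
  echo "[*] abusable SUID binaries:"
  find / -perm -4000 -type f 2>/dev/null | flag_suid
  echo "[*] dangerous capabilities:"
  getcap -r / 2>/dev/null | flag_caps
  echo "[*] suspicious root cron jobs:"
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_commands | flag_cron
  echo "[*] writable PATH directories:"
  (IFS=:; for d in $PATH; do [ -w "$d" ] && echo "    $d"; done)
  if [ -S /var/run/docker.sock ]; then
    echo "[*] docker socket present:"; ls -la /var/run/docker.sock
  fi
fi
```

Because every filter reads stdin, the same functions work offline against output you have already pulled off the box (`getcap -r /` saved to a file, a copied /etc/crontab), which is how the flagged-cron logic is easiest to sanity-check before trusting it on a live target. Nothing here exploits anything; it only tells you which rows of the table deserve the manual follow-up.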
#Windows
| Vector | Description | Enumeration check |
|---|---|---|
| Service Permissions | Services running as SYSTEM whose configuration (binary path, start type) the user can change, or whose binary or containing directory is writable | accesschk.exe -uwcqv *, sc qc <service>, icacls on the binary path, PowerUp |
| Unquoted Service Paths | A path with spaces and no quotes is resolved piecewise (C:\Program Files\Some App\svc.exe also tries C:\Program.exe and C:\Program Files\Some.exe); exploitable when one of those intermediate locations is writable | wmic service get name,pathname,startmode, then filter out quoted paths and anything under C:\Windows |
| AlwaysInstallElevated | When the value is 1 under both HKLM and HKCU, any user can install an MSI as SYSTEM | reg query HKLM\...\AlwaysInstallElevated and the same value under HKCU |
| Token Impersonation | SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for IIS, MSSQL and other service accounts), abused with the Potato family to obtain a SYSTEM token | whoami /priv |
| UAC Bypass | Only relevant when the user is already in the local Administrators group but running at Medium integrity; a bypass yields the high-integrity token without a prompt | whoami /groups (Mandatory Label line), net localgroup administrators |
| Stored Credentials | Cached credentials, LSA secrets, AutoLogon passwords, saved cmdkey/RDP entries | cmdkey /list, reg query HKLM\...\Winlogon |
| Kernel / Unpatched Components | Missing patches in the kernel or privileged components (MS16-032, MS16-135, Print Spooler) | systeminfo, wmic qfe, then Windows Exploit Suggester or Watson |
| DLL Hijacking | A privileged process that loads a DLL which is missing, or is found first in a writable directory on its search order | ProcMon (local, look for NAME NOT FOUND on DLL loads), manual search-order analysis |
| Scheduled Tasks | Tasks running as SYSTEM whose action binary or script is writable | schtasks /query /fo LIST /v, icacls on each action path |
| WSL / Hyper-V | Root inside a WSL distro runs under the launching Windows user's token, so it is not a Windows escalation by itself, but the distro filesystem often holds credentials and scripts; membership in the Hyper-V Administrators group gives control over local VMs and their disks | wsl -l -v, whoami /groups |
#What's in This Section
| File | Covers |
|---|---|
| Linux | |
| linux-enumeration.md | Automated (linpeas, linenum, lse.sh) and manual enumeration, kernel version check, SUID/SGID discovery, sudo -l analysis, cron inspection, capabilities, PATH review, root-owned files writable by the current user |
| linux-exploits.md | Kernel exploit compilation and execution (DirtyCow, DirtyPipe, PwnKit), SUID binary abuse (GTFOBins cross-reference), LD_PRELOAD exploitation, Python library hijacking, wildcard injection, NFS exploitation, Docker breakout |
| linux-common-misconfigs.md | Sudo rule abuse patterns, cron misconfigurations, writable /etc/passwd and /etc/shadow, world-readable or writable SSH key material, writable systemd service files, polkit vulnerabilities |
| Windows | |
| windows-enumeration.md | winpeas, Seatbelt, PowerUp, JAWS, manual commands for service enumeration, privilege analysis (whoami /priv), patch enumeration, credential discovery, application enumeration |
| windows-service-attacks.md | Service binary hijacking, service configuration modification, unquoted service paths, service permission abuse, DLL hijacking via service |
| windows-token-impersonation.md | SeImpersonate privilege abuse (Juicy/Rogue/PrintSpoofer/EfsPotato), named pipe impersonation, Potato family overview and evolution |
| windows-uac-bypass.md | UAC mechanism overview, fodhelper bypass, eventvwr bypass, computerdefaults bypass, SilentCleanup task, UAC bypass via DLL hijacking |
| windows-kernel-exploits.md | Windows Exploit Suggester (wes.py), Watson, Sherlock, kernel exploit compilation and execution, CVE-2021-36934 (HiveNightmare), CVE-2021-1675 (PrintNightmare), driver exploitation |
| windows-credential-theft.md | LSASS dumping (mimikatz, procdump, comsvcs.dll), SAM/SYSTEM/SECURITY extraction, DPAPI decryption, browser credential extraction, RDP connection harvesting, AutoLogon credentials |
#Cross-References
- 07-post-exploitation -- Complete post-exploitation steps before attempting privilege escalation
- 09-lateral-movement -- If domain credentials are found, pivot to lateral movement instead of local escalation