Linux Privilege Escalation
Comprehensive guide to Linux privilege escalation techniques including sudo misconfigurations, cron job abuse, SUID/capabilities exploitation, and path hijacking for penetration testing.
Overview
Linux privilege escalation is the process of exploiting misconfigurations, vulnerabilities, or design weaknesses to gain elevated privileges on a Linux system. While Linux is generally considered secure by design, real-world deployments often contain exploitable weaknesses introduced through misconfiguration, legacy systems, or operational requirements.
Successful privilege escalation typically transforms a low-privileged shell into root access, enabling complete system compromise, credential harvesting, and lateral movement to other systems.
Linux Privilege Escalation in Practice
Linux privilege escalation is a critical phase of penetration testing:
- Sudo misconfigurations are among the most common and reliable escalation paths
- Cron jobs provide both escalation and persistence opportunities
- SUID binaries and capabilities offer quick wins when misconfigured
- Kernel exploits provide last-resort escalation on unpatched systems
Understanding these techniques is essential for comprehensive security assessments.
Privilege Escalation Techniques
Sudo Misconfigurations
Sudo configuration errors are among the most common escalation vectors:
- Sudo Misconfigurations - Exploiting dangerous sudoers entries
Misconfigurations include:
- NOPASSWD entries for dangerous commands
- Wildcards in sudo rules allowing argument injection
- Sudo rules permitting access to editors, interpreters, or file managers
- Environment variable preservation enabling library injection
Scheduled Task Abuse
Automated tasks often run with elevated privileges:
- Cron Job Abuse - Exploiting scheduled task misconfigurations
Attack vectors include:
- World-writable cron scripts executed as root
- Relative paths in cron jobs enabling PATH hijacking
- Wildcard injection in cron commands
- Writable cron directories for persistence
Path and Library Hijacking
Manipulating execution paths to inject malicious code:
- PATH Abuse - Hijacking command execution through PATH manipulation
- Shared Object Hijacking - Library injection through LD_PRELOAD and RPATH
- Python Library Hijacking - PYTHONPATH and module permission abuse
These techniques exploit:
- Relative paths in privileged scripts
- Writable directories in PATH
- Missing shared libraries
- Insecure library search paths
Capabilities and SUID
Linux permission mechanisms that bypass traditional access controls:
- Linux Capabilities - Exploiting capability-based privilege escalation
File capabilities and SUID binaries can grant:
- Network raw socket access for packet capture
- File system bypass for reading protected files
- Process debugging for memory manipulation
- DAC override for ignoring file permissions
Wildcard Exploitation
Command-line argument injection through filename manipulation:
- Wildcard Abuse - Exploiting wildcard expansion in shell commands
Vulnerable patterns include:
- tar * with checkpoint injection
- chown * and chmod * for permission manipulation
- rsync * for arbitrary file read/write
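The cron, PATH and wildcard weaknesses described above can be checked from the defender's side with a small crontab audit. The following is an added example, not code from this page or from the linked sub-articles; it parses /etc/crontab-format text and flags world-writable scripts run as root, world-writable directories in the cron PATH, unqualified command names and wildcard arguments, running against a constructed fixture (a temporary directory and script) rather than a live system, so its findings are heuristics.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five time fields, the user, then the command line.
CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def audit_crontab(text):
    """Return (line_number, finding) pairs for the contents of a system crontab."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if re.match(r"^\w+=", s):                      # environment assignment
            if s.startswith("PATH="):                  # cron resolves commands via this PATH
                for d in s[5:].strip('"').split(":"):
                    if os.path.isdir(d) and os.stat(d).st_mode & stat.S_IWOTH:
                        findings.append((n, f"world-writable directory {d} in cron PATH"))
            continue
        m = CRON_RE.match(s)
        if not m:
            findings.append((n, "unparsable entry"))
            continue
        user, argv = m.group("user"), m.group("cmd").split()
        if "/" not in argv[0]:                         # bare name, resolved through PATH
            findings.append((n, f"unqualified command '{argv[0]}' resolved through PATH"))
        if any("*" in a for a in argv[1:]):            # shell expands the glob into arguments
            findings.append((n, "wildcard argument (filename-based argument injection)"))
        if user == "root" and os.path.isfile(argv[0]) and os.stat(argv[0]).st_mode & stat.S_IWOTH:
            findings.append((n, f"{argv[0]} is world-writable and runs as root"))
    return findings

def demo():
    """Constructed fixture (not a real system): a crontab plus a world-writable script."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)                                 # writable directory that ends up in PATH
    script = os.path.join(d, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\ntar czf /backup/www.tgz /var/www\n")
    os.chmod(script, 0o777)                            # anyone can edit what root will run
    crontab = (
        f"PATH=/usr/local/sbin:{d}:/usr/bin:/bin\n"
        f"*/5 * * * * root {script}\n"
        "0 3 * * * root /bin/tar czf /backup/logs.tgz /var/log/*\n"
        "30 2 * * * www-data cleanup.sh --quiet\n"
    )
    return audit_crontab(crontab)
```

Each of the four constructed entries triggers exactly one finding; the same function can be pointed at the text of a real /etc/crontab or /etc/cron.d file during a hardening review.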
Group-Based Escalation
Membership in privileged groups often grants unexpected access:
- Privileged Groups - Exploiting dangerous group memberships
High-risk groups include:
- docker/lxd - Container escape to root
- disk - Raw disk access bypassing permissions
- adm - Access to sensitive log files
- sudo/wheel - Direct privilege escalation
Enumeration Methodology
Manual Enumeration
```bash
# System information
uname -a
cat /etc/os-release
# User context
id
whoami
groups
# Sudo permissions
sudo -l
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Capabilities
getcap -r / 2>/dev/null
# Writable files
find / -writable -type f 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# Running processes
ps auxww
```
Automated Tools
| Tool | Description |
|---|---|
| LinPEAS | Comprehensive privilege escalation scanner |
| LinEnum | Linux enumeration script |
| linux-exploit-suggester | Kernel exploit identification |
| pspy | Process monitoring without root |
Attack Prioritization
Quick Wins (Check First)
- sudo -l for dangerous sudo entries
- SUID/SGID binaries with known exploits
- File capabilities on common binaries
- World-writable scripts in cron jobs
Medium Effort
- PATH hijacking in privileged scripts
- Shared object hijacking
- Writable /etc/passwd or /etc/shadow
- NFS exports with root squashing disabled
Last Resort
- Kernel exploits (risky, may crash system)
- Race conditions in privileged processes
- Memory corruption in setuid binaries
System Service Exploitation
Exploiting system services that run with elevated privileges:
- Kernel Exploits - Kernel vulnerabilities for direct root access
- Logrotate Exploitation - Race conditions in log rotation
Defense Evasion
Avoiding Detection
- Minimize process creation and file writes
- Use built-in commands over external tools
- Clean bash history and log entries
- Time attacks during high-activity periods
Persistence Options
- SSH key injection
- Cron job backdoors
- Modified SUID binaries
- Systemd service installation
Related Resources
- Windows Privilege Escalation - Windows escalation techniques
- Container Escape - Docker and Kubernetes breakout
- Active Directory Attacks - Domain privilege escalation
- Impacket - Linux attack tools
References
- GTFOBins - Unix binaries for privilege escalation
- PayloadsAllTheThings - Linux PrivEsc
- HackTricks - Linux Privilege Escalation