Privilege Escalation Methods Kit

Comprehensive techniques for escalating privileges from low-privileged access to root/administrator on both Linux and Windows systems. This skill covers systematic enumeration, exploitation of misconfigurations, kernel exploits, service abuse, and environment-specific escalation paths for authorized penetration testing.

When to Use This Skill

Choose Privilege Escalation Methods Kit when you need to:

• Systematically enumerate and exploit privilege escalation vectors on compromised systems
• Perform post-exploitation escalation during authorized penetration tests
• Understand cross-platform escalation techniques (Linux and Windows)
• Build automated privilege escalation assessment scripts

Consider alternatives when:

• You need Linux-specific deep dive (use Linux Privilege Complete)
• You need Active Directory escalation (use AD Attacks Toolkit)
• You need cloud-specific escalation (use AWS/Cloud Penetration Testing)

Quick Start

Copy
import subprocess
import os
import platform
from dataclasses import dataclass
from typing import List

@dataclass
class EscalationVector:
    name: str
    platform: str  # linux, windows, both
    risk: str      # high, medium, low
    description: str
    check_command: str
    exploit_hint: str

class PrivEscEnumerator:
    """Enumerate privilege escalation vectors on the current system."""

    def __init__(self):
        self.os_type = 'windows' if platform.system() == 'Windows' else 'linux'
        self.findings = []

    def run_check(self, command):
        try:
            result = subprocess.run(
                command, shell=True, capture_output=True,
                text=True, timeout=30
            )
            return result.stdout.strip()
        except Exception:
            return ""

    def enumerate_linux(self):
        checks = [
            ("Sudo permissions", "sudo -l 2>/dev/null"),
            ("SUID binaries", "find / -perm -4000 -type f 2>/dev/null"),
            ("World-writable files", "find /etc -writable -type f 2>/dev/null"),
            ("Cron jobs", "cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d/ 2>/dev/null"),
            ("Kernel version", "uname -a"),
            ("Running as root processes", "ps aux | grep '^root' | head -20"),
            ("Docker group", "id | grep docker"),
            ("Capabilities", "getcap -r / 2>/dev/null"),
            ("SSH keys", "find / -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"),
            ("Passwords in files", "grep -rl 'password' /home /var/www /opt 2>/dev/null | head -10"),
        ]

        for name, cmd in checks:
            output = self.run_check(cmd)
            if output:
                self.findings.append({
                    'check': name,
                    'output': output[:500],
                    'platform': 'linux'
                })

    def enumerate_windows(self):
        checks = [
            ("Current privileges", "whoami /priv"),
            ("Local admins", "net localgroup administrators"),
            ("Unquoted service paths", 'wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\\Windows\\\\"'),
            ("Scheduled tasks", "schtasks /query /fo LIST /v | findstr /i 'TaskName\\|Run As'"),
            ("AlwaysInstallElevated", "reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated 2>nul"),
            ("Stored credentials", "cmdkey /list"),
            ("Running services", "sc query state= all | findstr SERVICE_NAME"),
        ]

        for name, cmd in checks:
            output = self.run_check(cmd)
            if output:
                self.findings.append({
                    'check': name,
                    'output': output[:500],
                    'platform': 'windows'
                })

    def report(self):
        print(f"=== Privilege Escalation Enumeration ({self.os_type}) ===")
        print(f"Found {len(self.findings)} potential vectors:\n")
        for f in self.findings:
            print(f"[{f['check']}]")
            print(f"  {f['output'][:200]}")
            print()

# enumerator = PrivEscEnumerator()
# if enumerator.os_type == 'linux':
#     enumerator.enumerate_linux()
# else:
#     enumerator.enumerate_windows()
# enumerator.report()

Core Concepts

Cross-Platform Escalation Matrix

Vector	Linux	Windows
Misconfigured permissions	SUID/SGID, writable scripts	Weak service permissions, writable PATH dirs
Credential harvesting	.bash_history, config files	SAM dump, cached credentials, DPAPI
Service exploitation	Writable cron jobs, systemd units	Unquoted service paths, DLL hijacking
Kernel exploits	Dirty Pipe, Dirty COW	PrintNightmare, EternalBlue
Token/capability abuse	Linux capabilities, LD_PRELOAD	SeImpersonate, SeDebug privileges
Container escape	Docker socket, privileged containers	Hyper-V, WSL escape
Scheduled tasks	Cron jobs with writable scripts	Scheduled tasks with weak ACLs

Configuration

Parameter	Description	Default
platform	Target OS (linux, windows, auto)	"auto"
enumeration_depth	Scan thoroughness (quick, standard, deep)	"standard"
check_kernel	Check for kernel exploit applicability	true
harvest_creds	Search for credentials in files	true
check_containers	Check for container escape vectors	true
timeout	Command execution timeout (seconds)	30
output_format	Report format (text, json, html)	"text"
exploit_suggest	Suggest specific exploits for findings	true

Best Practices

1. Enumerate before exploiting — thoroughness over speed — Run comprehensive enumeration scripts (LinPEAS, WinPEAS) before attempting any exploits. Many testers miss easy wins by jumping to kernel exploits when a misconfigured sudo rule grants instant root. Enumeration reveals the path of least resistance.

2. Check for stored credentials first — it's the easiest path — Search history files, configuration files, environment variables, and backup files before attempting technical exploits. Passwords in .bash_history, database connection strings in web configs, and SSH keys in home directories are common and reliable.

3. Understand the difference between confirmed and potential vectors — A SUID binary existing is a potential vector; being able to exploit it for a shell is a confirmed vector. Only report confirmed escalation paths in pentest reports, with reproduction steps.

4. Test kernel exploits in a lab environment first — Kernel exploits can crash the target system. Match the exact kernel version, distribution, and architecture. Use linux-exploit-suggester or windows-exploit-suggester to identify applicable exploits. Never run unverified kernel exploits on production systems.

5. Document the complete escalation chain — A privilege escalation finding should include: starting access level, each step taken, final access level achieved, and the specific misconfiguration that enabled each step. This helps the client understand the attack path and prioritize remediation.

Common Issues

Enumeration script output is overwhelming — Focus on the colored/highlighted sections of LinPEAS/WinPEAS output. Red and yellow highlights indicate high-probability vectors. Pipe output to a file and search for specific patterns: grep -i 'sudo\|suid\|password\|writable'.

Exploit compiled on attacker machine fails on target — Architecture mismatch (x86 vs x64), missing libraries, or different kernel headers. Cross-compile with the target's architecture: gcc -m32 for 32-bit, ensure libc compatibility. For Python-based exploits, check the Python version on the target.

Escalation vector exists but is blocked by security controls — AppArmor, SELinux, and Windows Defender Application Control may prevent exploitation even when misconfigurations exist. Check security controls with getenforce (SELinux), aa-status (AppArmor), or Get-MpPreference (Windows Defender) and note whether they block the vector.