Privilege escalation is a fundamental step in the cyber kill chain, often following initial access. Attackers seek to gain higher-level permissions, typically moving from a standard user to root or administrative privileges. This section introduces the concept and its importance in Linux security.

Privilege escalation refers to exploiting vulnerabilities, misconfigurations, or design flaws to gain unauthorized access to elevated permissions. In Linux, this usually means moving from a low-privileged user account to root or another privileged account. Privilege escalation is often necessary for attackers to:

• Access sensitive files and data
• Install persistent backdoors
• Disable security controls
• Move laterally within a network

For defenders, understanding these methods is crucial to hardening systems and detecting malicious activity.

Ethical hacking must always operate within legal and organizational boundaries. Unauthorized privilege escalation is illegal and unethical. Security professionals should only test systems with explicit permission and adhere to frameworks such as the Offensive Security Certified Professional (OSCP) code of conduct and SANS Institute’s ethical guidelines. For a step-by-step overview of ethical hacking, see our Ethical Hacking Guide 2025.

Privilege escalation in Linux can be categorized based on the direction and method of privilege gain. Understanding these types helps in identifying and mitigating attack vectors.

• Vertical privilege escalation: Gaining higher-level privileges, such as moving from a standard user to root.
• Horizontal privilege escalation: Gaining access to another user’s account with similar privileges, often to access different data or resources.

• Exploiting SUID/SGID binaries
• Abusing misconfigured sudo permissions
• Leveraging kernel vulnerabilities
• Manipulating environment variables
• Abusing weak file permissions
• Exploiting scheduled tasks (cron jobs)
• Harvesting passwords and credentials
• Targeting third-party applications and services

For a detailed mapping of privilege escalation techniques, refer to the MITRE ATT&CK Framework.

Effective privilege escalation begins with thorough reconnaissance. Attackers and ethical hackers alike gather detailed information about the target system to identify potential weaknesses.

Identifying user accounts and group memberships can reveal targets for privilege escalation. Common commands include:

cat /etc/passwd
cat /etc/group
id
whoami

Look for users with sudo privileges or membership in sensitive groups (e.g., wheel, adm).

Knowing the Linux distribution and kernel version helps in matching known exploits. Use:

uname -a
cat /etc/os-release
lsb_release -a

Compare the kernel version against CVE databases for known vulnerabilities.

SUID (Set User ID) and SGID (Set Group ID) binaries run with the privileges of the file owner or group. Attackers search for these binaries to find potential escalation paths:

find / -perm -4000 -type f 2>/dev/null   # SUID
find / -perm -2000 -type f 2>/dev/null   # SGID

Focus on unusual or custom binaries, as these are more likely to be misconfigured.

Misconfigurations in files, directories, or services are common privilege escalation vectors. Check for:

• World-writable files and directories
• Improper sudoers configuration (/etc/sudoers)
• Weak permissions on sensitive files (e.g., /etc/shadow)
• Exposed configuration files with credentials

Sudo allows users to run commands as other users, typically root. Misconfigurations or vulnerabilities in sudo can lead to full system compromise.

Improper entries in /etc/sudoers can allow privilege escalation. Examples include:

• Allowing a user to run any command as root without a password (ALL=(ALL) NOPASSWD: ALL)
• Permitting execution of dangerous binaries (e.g., vim, less, nano)

To check sudo privileges:

sudo -l

If you can run editors or scripting languages as root, you may be able to spawn a root shell.

Certain sudo versions have known vulnerabilities. For example, CVE-2021-3156 (Baron Samedit) allowed heap-based buffer overflows. Always check the installed sudo version:

sudo --version

Consult the official sudo advisories for the latest vulnerabilities and patches.

SUID and SGID binaries are a classic privilege escalation vector when misconfigured or vulnerable.

A file with the SUID bit set runs with the privileges of its owner, often root. Similarly, SGID runs with the group’s privileges. This is necessary for some system binaries but dangerous if applied to insecure programs.

Check SUID/SGID permissions with:

ls -l /path/to/binary

Look for an “s” in the user or group permission fields.

After identifying SUID/SGID binaries, check if any are known to be exploitable. For example, older versions of find, nmap, or custom scripts may allow command execution as root.

• Search GTFOBins for exploitation techniques.
• Test for shell escapes or unintended command execution.

Example: Exploiting SUID vim:

vim -c ':!sh'

If vim is SUID root, this spawns a root shell.

Improper file and directory permissions can allow attackers to modify or replace sensitive files, leading to privilege escalation.

Files or directories with world-writable permissions (-rw-rw-rw- or drwxrwxrwx) are dangerous. Attackers can replace or modify these files to execute malicious code with elevated privileges.

find / -writable -type f 2>/dev/null
find / -perm -2 -type d 2>/dev/null

If sensitive files like /etc/passwd or /etc/shadow are writable, attackers can add users or change passwords. For example:

echo 'attacker::0:0:root:/root:/bin/bash' >> /etc/passwd

This creates a root-level user with no password.

Exploiting Linux kernel vulnerabilities is a powerful privilege escalation method, often leading to full system compromise. Keeping abreast of the latest CVEs is essential.

In recent years, several high-profile kernel vulnerabilities have been exploited in the wild:

• CVE-2022-0847 (Dirty Pipe)
• CVE-2023-32233 (io_uring)
• CVE-2024-1086 (netfilter)

For a curated list of recent exploits, visit Rapid7 Linux Vulnerabilities.

To determine if a kernel exploit is applicable:

• Check kernel version with uname -r
• Search for matching CVEs on MITRE CVE or NIST NVD
• Use automated tools like Linux Exploit Suggester (see Section 13)

As an example, Dirty Pipe (CVE-2022-0847) allowed overwriting read-only files. A typical exploitation workflow:

1. Verify kernel version is vulnerable (5.8 <= version < 5.16.11)
2. Compile and run a public exploit (see GitHub PoC)
3. Overwrite /etc/passwd to add a root user

Note: Always test exploits in a controlled, authorized environment.

Manipulating environment variables such as PATH, LD_PRELOAD, and LD_LIBRARY_PATH can trick privileged processes into executing malicious code.

If a privileged script or binary calls another program without specifying the full path, attackers can place a malicious executable earlier in the PATH environment variable.

export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/sh' > /tmp/ls
chmod +x /tmp/ls

If a SUID binary or root cron job runs ls without a full path, it may execute the attacker’s version.

LD_PRELOAD allows users to load custom shared libraries before others. If a SUID binary is vulnerable, attackers can preload a malicious library to execute code as root.

echo 'void __attribute__((constructor)) init() { setuid(0); setgid(0); system("/bin/sh"); }' > shell.c
gcc -shared -fPIC -o shell.so shell.c
LD_PRELOAD=./shell.so ./vulnerable_suid_binary

Note: Many modern systems restrict LD_PRELOAD for SUID binaries, but misconfigurations persist.

Cron jobs run scheduled tasks, often as root or other privileged users. Weaknesses in their configuration can be exploited for privilege escalation.

Check for world-writable cron jobs or scripts:

ls -l /etc/cron* /var/spool/cron/crontabs

If a script executed by cron is writable, attackers can inject malicious commands.

Attackers may:

• Modify user crontabs to run malicious payloads
• Replace scripts called by root’s cron jobs
• Abuse @reboot tasks for persistence

For more on cron security, see CIS Linux Benchmarks.

Weak, reused, or exposed credentials are a perennial privilege escalation risk in Linux environments.

Attackers often attempt to brute-force or guess passwords for privileged accounts. Common techniques:

• Dictionary and brute-force attacks with tools like Hydra or John the Ripper
• Trying default or commonly used passwords

Enforce strong password policies and multi-factor authentication as recommended by NIST. For more on effective password policies, check out our guide to Password Policy Best Practices 2025.

Sensitive credentials are sometimes stored in configuration files, scripts, or environment variables. Common locations:

• /etc/shadow
• ~/.ssh/id_rsa and ~/.ssh/authorized_keys
• Application config files (e.g., wp-config.php, .env)

Automated searches can help:

grep -r "password" /etc/*

Never store plaintext credentials in accessible locations. If you need to test password strength, try our How Secure is this password? tool.

Vulnerabilities in third-party software and misconfigured services are frequent sources of privilege escalation.

• Web servers (e.g., Apache, Nginx)
• Database servers (e.g., MySQL, PostgreSQL)
• Content management systems (e.g., WordPress)
• Custom or legacy applications

Keep software up to date and monitor CISA’s Known Exploited Vulnerabilities Catalog.

Common misconfigurations include:

• Services running as root unnecessarily
• Exposed management interfaces
• Weak or default credentials
• Improper file permissions on service files

Refer to OWASP Top 10 for web application risks. For those interested in wordlist-based attacks against application logins, see our resource on Details about Wordlist Attacks.

Automated tools streamline the process of identifying privilege escalation vectors in Linux.

• LinPEAS: Comprehensive script for privilege escalation auditing. GitHub: LinPEAS
• Linux Exploit Suggester: Identifies potential kernel exploits based on system information. GitHub: Linux Exploit Suggester
• Les.sh: Another popular enumeration script. GitHub: Les.sh

These tools automate much of the reconnaissance and vulnerability matching process. For a comprehensive approach, you can also review our Password Cracking Guide 2025.

Advanced users may develop custom scripts tailored to specific environments or use frameworks like Metasploit for exploitation. Custom scripts can automate:

• Searching for writable files and directories
• Checking for vulnerable SUID/SGID binaries
• Parsing sudoers files for misconfigurations

For scripting inspiration, see Metasploit Unleashed.

Defending against privilege escalation Linux attacks requires a layered approach, combining hardening, monitoring, and regular audits.

• Apply the principle of least privilege (PoLP) for users and services
• Regularly update and patch the kernel and applications
• Restrict SUID/SGID binaries to only those absolutely necessary
• Harden sudoers configuration; avoid ALL=(ALL) NOPASSWD: ALL
• Enforce strong password policies and use MFA
• Audit file and directory permissions
• Disable or sandbox unnecessary services

Consult the CIS Linux Benchmarks and SANS Hardening Guides for detailed recommendations. For a deep dive on securely configuring brute-force defenses, see How to configure a Bruteforce Attack.

• Monitor logs for suspicious sudo or su activity
• Set up file integrity monitoring (e.g., AIDE, Tripwire)
• Use Security Information and Event Management (SIEM) solutions
• Alert on changes to SUID/SGID binaries
• Regularly review cron jobs and scheduled tasks

For advanced detection, refer to CrowdStrike’s Privilege Escalation Detection Guide.

Privilege escalation Linux remains a top concern for organizations in 2025, as attackers continually evolve their techniques. By understanding the latest methods, regularly auditing systems, and applying robust defense strategies, security professionals can significantly reduce the risk of privilege escalation attacks. Ethical hackers play a vital role in identifying and remediating these weaknesses before malicious actors can exploit them.

• MITRE ATT&CK: Exploitation for Privilege Escalation
• CIS Linux Benchmarks
• Sudo Security Advisories
• SANS Linux Hardening Guide
• Rapid7 Linux Vulnerabilities
• GTFOBins: Unix Binaries for Escalation
• LinPEAS Privilege Escalation Audit Script
• CrowdStrike: Privilege Escalation
• OWASP Top 10 Security Risks