cyber revision

Privilege escalation

Turning a foothold into full control: the Linux and Windows techniques, and the enumeration mindset that finds them.


Why it's almost always needed

Your initial foothold on a target is rarely privileged; you land as www-data, a low-rights service account, or a standard user. Privilege escalation is the step from that foothold to full control (root on Linux, SYSTEM/Administrator on Windows, Domain Admin in AD) and it is a stage in every engagement and the second half of nearly every boot2root box.

Two directions:

  • Vertical escalation: gaining higher privileges than you have (user → root). The usual goal.
  • Horizontal escalation: moving sideways to another account at the same level, to reach data or access that account has (and sometimes as a stepping stone to vertical).

The universal method is the same as everywhere else in this topic: enumerate relentlessly. Privilege escalation is overwhelmingly about finding the one misconfiguration or weakness the system administrator left, not about exotic exploits. Automated enumeration scripts (LinPEAS/WinPEAS, LinEnum, PowerUp) exist precisely to surface these, but you should understand what they're checking for.

Linux privilege escalation

The high-value checks, roughly in order of how often they pay off:

  • Sudo misconfigurations: sudo -l shows what you may run as root. A single program runnable as root can often be abused to spawn a root shell. GTFOBins is the reference catalogue of how to abuse legitimate binaries (e.g. sudo rights on find, vim, less or python → root shell).
  • SUID/SGID binaries: find / -perm -4000 -type f 2>/dev/null lists files that run as their owner. A SUID-root binary that can be coerced into running your commands (again, see GTFOBins) gives root.
  • Cron jobs: scheduled tasks running as root. If a script they run is writable by you, edit it and wait for it to fire. Check /etc/crontab and cron directories.
  • Writable sensitive files: a writable /etc/passwd (add a root-equivalent user) or /etc/shadow; writable service scripts or config.
  • Kernel exploits: an old kernel (uname -r) may be vulnerable to a known local exploit (e.g. Dirty COW historically). Effective but a last resort, since kernel exploits can crash the box, which is bad on a real engagement.
  • Credentials lying around: passwords in config files, scripts, .bash_history, environment variables, or reused from the web app's database. Always grep for them.
  • PATH and weak file permissions: if a root-run program calls another by relative name and you control the PATH, you can hijack it.
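The two most mechanical checks in the list above, writable root-run cron scripts and unexpected SUID-root binaries, are easy to turn into an audit that an administrator can run before an attacker does. The script below is an added example written for this page, not code from LinPEAS, LinEnum or any other tool it mentions. The crontab text, the stat results and the SUID baseline are constructed so that it runs offline; on a real host you would feed it the contents of /etc/crontab and the `live_stat` helper, and generate the baseline from a known-good image.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format (min hour dom mon dow user command).
# Not a real host's crontab; it exists so the audit can run offline.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/backup.sh >/dev/null 2>&1
0 3     * * *   root    /usr/local/bin/rotate-logs
30 2    * * *   www-data /var/www/cleanup.sh
"""

# Constructed stat results, path -> (owner uid, st_mode). A live audit gets these from os.stat().
SAMPLE_STAT = {
    "/opt/backup/backup.sh": (1000, 0o100777),    # root-run, but owned by uid 1000 and world-writable
    "/usr/local/bin/rotate-logs": (0, 0o100755),  # root-owned, only root can write: fine
    "/var/www/cleanup.sh": (33, 0o100775),        # group-writable, but the job runs as www-data, not root
    "/usr/bin/passwd": (0, 0o104755),             # SUID root, on the expected baseline
    "/usr/local/bin/helper": (0, 0o104755),       # SUID root, not on the baseline: investigate
}

# Hypothetical baseline of SUID-root files the distribution is expected to ship; a real one is
# generated from a known-good build of the same image.
SUID_BASELINE = {"/usr/bin/passwd"}


def parse_system_crontab(text):
    """Return (user, command) for each job line; skips comments, blank lines and VAR=value lines.
    @reboot/@daily shorthands have fewer fields and are skipped here."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def absolute_paths(command):
    """Every absolute path token in a cron command: the script itself and any files it is handed."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def writable_by_non_root(uid, mode):
    """True if someone other than root could change the file's contents."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron(crontab_text, stat_lookup):
    """Root-run cron targets that a non-root user could modify (the writable-cron-script condition).
    stat_lookup(path) returns (uid, mode), or None if the path does not exist."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            info = stat_lookup(path)
            if info is None:
                continue
            uid, mode = info
            if stat.S_ISREG(mode) and writable_by_non_root(uid, mode) and path not in findings:
                findings.append(path)
    return findings


def suid_outside_baseline(stat_items, baseline):
    """SUID-root regular files not on the expected list: what `find / -perm -4000 -type f`
    would show, minus the ones the distribution ships."""
    return sorted(
        path for path, (uid, mode) in stat_items
        if uid == 0 and stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in baseline
    )


def live_stat(path):
    """stat_lookup for a real host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_uid, st.st_mode)


if __name__ == "__main__":
    # Runs against the constructed sample; on a host, pass open("/etc/crontab").read() and live_stat.
    print("writable root cron targets:", audit_root_cron(SAMPLE_CRONTAB, SAMPLE_STAT.get))
    print("unexpected SUID-root files:", suid_outside_baseline(SAMPLE_STAT.items(), SUID_BASELINE))
```

The cron check deliberately treats a root-run script owned by a non-root user as a finding even when its mode bits look tight, because the owner can always chmod it back; the SUID check is only useful against a baseline, since a stock system legitimately ships dozens of SUID-root binaries and the interesting ones are the additions.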

Windows privilege escalation

Different system, same philosophy: find the misconfiguration.

  • Unquoted service paths: a service path with spaces and no quotes (C:\Program Files\My App\svc.exe) lets you drop a malicious Program.exe that Windows runs as the service account.
  • Weak service permissions: if you can modify a service's binary path or its executable, you can make it run your payload at its (often SYSTEM) privilege.
  • Always-elevated installs / token abuse: misconfigurations (AlwaysInstallElevated) and abusable privileges like SeImpersonatePrivilege (the "Potato" family of attacks → SYSTEM) are classic routes.
  • Stored credentials: saved credentials, unattended-install files (Unattend.xml), the registry, the Credential Manager, and (in AD) the memory/credential attacks from the Windows chapter (Mimikatz, Pass-the-Hash) for lateral and domain escalation.
  • Missing patches: unpatched local-privilege-escalation vulnerabilities.
  • DLL hijacking: placing a malicious DLL where a privileged program will load it.

WinPEAS and PowerUp automate hunting for most of these.
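The unquoted-service-path check is a pure string test over each service's ImagePath, so it is a good one to see written out. The following is an added example for this page, not code from WinPEAS or PowerUp. The service table is constructed; on a real host the same name and path pairs come from `Get-CimInstance Win32_Service | Select-Object Name, PathName` or the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, and the script reports the path as it should have been quoted.

```python
# Constructed service table, name -> ImagePath (what `sc qc <name>` prints as BINARY_PATH_NAME).
# These entries are invented for the example, not taken from a real host.
SAMPLE_SERVICES = {
    "MyAppSvc": r"C:\Program Files\My App\svc.exe",
    "UpdaterSvc": r"C:\Program Files (x86)\Vendor\Updater\upd.exe /run",
    "GoodQuoted": r'"C:\Program Files\Good Vendor\agent.exe" --service',
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "NoSpace": r"C:\Tools\svc.exe -k worker",
}


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments). A quoted path ends at the closing quote;
    an unquoted one is taken to end after the first '.exe' (other extensions: the whole string).
    Assumption: no directory name contains '.exe'."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end != -1:
            return p[1:end], p[end + 1:]
    idx = p.lower().find(".exe")
    if idx == -1:
        return p, ""
    return p[: idx + 4], p[idx + 4:]


def is_unquoted_with_spaces(image_path):
    """The unquoted-service-path condition: the executable part contains a space and is not quoted,
    so the service control manager has to guess where the path ends."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _args = split_image_path(p)
    return " " in exe


def quoted_fix(image_path):
    """The ImagePath as it should have been registered."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"{args}'


def audit_service_paths(services):
    """Map each service with an unquoted, space-containing path to its corrected ImagePath."""
    return {
        name: quoted_fix(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, fixed in audit_service_paths(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; should be {fixed}")
```

Remediation is to re-register the binary path with the quotes in place, for example `sc config MyAppSvc binPath= "\"C:\Program Files\My App\svc.exe\""` (the space after `binPath=` is required by sc), or to correct the ImagePath registry value directly, and then to confirm the directories on the path are not writable by standard users, which is the condition that turns the misconfiguration into an escalation.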

Lateral movement and pivoting

In larger environments, escalation interleaves with lateral movement (using access and harvested credentials on one machine to reach others) and pivoting, which means routing traffic through a compromised host to reach a network segment you couldn't otherwise touch. This is the ATT&CK flow (credential access → discovery → lateral movement) made concrete, and it's why network segmentation and least privilege are such effective defences: they break the chain between the foothold and the goal.

How defenders stop all this

Every technique above maps to a defence already covered, which is the satisfying part of ending here; privilege escalation is the offensive mirror of good system hardening:

  • Least privilege: fewer SUID binaries, minimal sudo rights, no unnecessary admin. The single biggest reducer of escalation paths.
  • Patch management: closes kernel and local-privilege-escalation exploits.
  • Secure configuration: quoted service paths, correct file/service permissions, no writable root-run scripts; benchmarks like the CIS Benchmarks codify these.
  • Credential hygiene: no passwords in scripts/configs; protect credentials in memory (Credential Guard, LAPS).
  • Segmentation and monitoring: contain lateral movement and detect the enumeration and abuse as it happens.

Quick recall

  • Initial access is rarely privileged; privilege escalation gets you to root/SYSTEM/Domain Admin. Vertical = higher; horizontal = sideways to another account.
  • Method = thorough enumeration (LinPEAS/WinPEAS); it's about finding a misconfiguration, not exotic exploits.
  • Linux: sudo -l + GTFOBins, SUID binaries (find / -perm -4000), writable cron jobs, writable sensitive files, kernel exploits (last resort), stray credentials, PATH hijacking.
  • Windows: unquoted service paths, weak service permissions, token-privilege abuse (SeImpersonate/"Potato"), stored creds, missing patches, DLL hijacking.
  • Lateral movement + pivoting extend a foothold across the network; defences are least privilege, patching, secure config (CIS Benchmarks), credential hygiene, segmentation and monitoring.