🛡️ Methodology Checklist

Global — run once per host

Per user — re-run after every shell / pivot


🎯 Operational Context

Use when: A Linux shell is obtained and you need a complete, ordered escalation procedure — not a single technique. This note is the entry point; each checklist item links to the detailed note that covers it.

Think Dumber First: Two checks before anything else: sudo -l and find / -perm -4000 -type f 2>/dev/null. They cover the highest-yield paths in seconds. Then run LinPEAS and read the red/yellow highlighted output. Only reach for known-CVE exploits when the misconfiguration paths are exhausted: PwnKit (pkexec, CVE-2021-4034) is a userland bug and is reliable but leaves traces, while kernel exploits (DirtyCow, DirtyPipe) are noisier still and can panic the box.

Skip when: Already root.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
| --- | --- |
| (Procedure/index note) | See the linked notes and Master_PrivEsc_Commands for the actual commands |

🔬 Deep Dive & Workflow

Global vs Per-User

Split the procedure in two. Global facts (distro, kernel, capabilities, NFS exports, sudo version, running processes, listening ports) describe the host — enumerate them once. Per-user facts (groups, sudo -l, env, home-directory keys/history/hidden files) change with every identity you land as — re-run the per-user block after each lateral move or credential reuse, because a new user often unlocks a path the previous one couldn’t see.

Ordering — highest yield first

1. sudo -l                → GTFOBins → instant root if NOPASSWD exists   [[Linux_PrivEsc_Permissions_Sudo]]
2. id / groups            → docker, lxd, disk, adm, shadow groups        [[Linux_PrivEsc_Groups_Capabilities]]
3. SUID/SGID + getcap     → GTFOBins for each binary / capability        [[Linux_PrivEsc_Groups_Capabilities]]
4. Credentials            → env, configs, history, SSH keys, web roots   [[Linux_PrivEsc_Enumeration]]
5. Cron / processes       → writable scripts, pspy, tmux hijack          [[Linux_PrivEsc_Services_Cron]]
6. Host misconfigs        → NFS no_root_squash, LogRotate, writable libs  [[Linux_PrivEsc_Misc_NFS_Logrotate]] / [[Linux_PrivEsc_Shared_Libs_Wildcard_Shell]]
7. Known-CVE binaries     → sudo (CVE-2021-3156, CVE-2023-22809), PwnKit (CVE-2021-4034)  [[Linux_PrivEsc_Permissions_Sudo]] / [[Linux_PrivEsc_Kernel_Python]]
8. Kernel exploits        → DirtyCow, DirtyPipe (LAST RESORT)             [[Linux_PrivEsc_Kernel_Python]]
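The first three steps of this ordering, and the global/per-user split described above, as a single triage script. This is an added example, not the field manual's own tooling or Master_PrivEsc_Commands: the parsers take captured command output on stdin so they can be tested offline, and the live collection functions only run when the script is invoked with --live. The STOCK_SUID baseline is an assumption (a stock Debian/Ubuntu install) and must be adjusted per distro.

```shell
#!/bin/bash
# Added example (not the field manual's own tooling): a triage pass that follows
# the ordering above. Parsing is split from collection so each check can be fed
# captured output; the live functions only run with --live.

# Assumption: SUID binaries present on a stock Debian/Ubuntu install. Anything
# SUID outside this list is "non-standard" and goes to GTFOBins by hand.
STOCK_SUID='/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/bin/fusermount3
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign'

# Groups the Groups_Capabilities note treats as escalation paths.
INTERESTING_GROUPS='sudo wheel docker lxd lxc disk adm shadow'

# Step 1: print NOPASSWD rules from `sudo -l` output on stdin, one per line.
nopasswd_rules() {
    grep 'NOPASSWD' | sed 's/^[[:space:]]*//'
}

# Step 2: given the output of `id -Gn`, print the groups worth a GTFOBins lookup.
interesting_groups() {
    local g
    for g in $1; do
        case " $INTERESTING_GROUPS " in
            *" $g "*) echo "$g" ;;
        esac
    done
}

# Step 3a: read SUID/SGID paths on stdin, print those not in the stock baseline.
nonstandard_suid() {
    local p
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$STOCK_SUID" | grep -qxF -- "$p" || echo "$p"
    done
}

# Step 3b: read `getcap -r /` output on stdin, print lines carrying a capability
# GTFOBins lists as escalatable (cap_setuid on python, cap_dac_read_search on
# tar, cap_sys_admin, ...). Matches both `path cap_x=ep` and `path = cap_x+ep`.
dangerous_caps() {
    grep -E 'cap_(setuid|setgid|sys_admin|sys_ptrace|sys_module|dac_read_search|dac_override|chown|fowner)' || true
}

# Global pass: host facts, run once per box.
global_pass() {
    echo "[*] kernel: $(uname -r)  sudo: $(sudo -V 2>/dev/null | head -n1)"
    echo "[*] non-standard SUID/SGID binaries:"
    find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | nonstandard_suid
    echo "[*] dangerous file capabilities:"
    getcap -r / 2>/dev/null | dangerous_caps
}

# Per-user pass: re-run after every new shell or pivot.
per_user_pass() {
    local rules
    echo "[*] running as: $(id)"
    echo "[*] interesting groups: $(interesting_groups "$(id -Gn)" | tr '\n' ' ')"
    echo "[*] NOPASSWD sudo rules (-n fails instead of prompting):"
    if rules="$(sudo -n -l 2>/dev/null)"; then
        printf '%s\n' "$rules" | nopasswd_rules
    else
        echo "    sudo -l needs a password (or sudo is absent); compare the version above with CVE-2021-3156 / CVE-2023-22809"
    fi
}

if [ "${1:-}" = "--live" ]; then
    global_pass
    per_user_pass
fi
```

On a target, run it once with --live, then re-run only per_user_pass after each pivot. The parsers also work on output copied off the box, for example piping a saved getcap listing into dangerous_caps, which keeps the noisy find and getcap sweeps to one pass per host.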

Coverage notes

Every procedure item now resolves to a note with real content:


🛠️ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
| --- | --- | --- |
| Nothing obvious after global pass | Host hardened | Re-run the per-user block as every reachable user; one identity often unlocks a path |
| sudo -l needs a password | Interactive sudo (no NOPASSWD rule, password unknown) | Still check the sudo version (sudo -V) for Baron Samedit (CVE-2021-3156, heap overflow in sudoers parsing, needs no sudo rule) and the sudoedit bypass (CVE-2023-22809, needs an existing sudoedit rule for the user) → [[Linux_PrivEsc_Permissions_Sudo]] |
| Found SUID binary, no known exploit | Non-standard binary | Check GTFOBins for every SUID/SGID/capability binary, not just well-known ones; for a custom binary, look for relative paths and unsafe calls (strings, ltrace) before moving on |
| Kernel exploit panics the box | Unstable PoC | Treat kernel exploits as last resort; exhaust misconfig paths first, match the PoC to the exact kernel build, and rehearse on a matching VM where possible |

📝 Reporting Trigger

Finding Title: Local Privilege Escalation to root via Host/User Misconfiguration
Impact: A low-privileged user can escalate to root through misconfigured sudo rules, excessive SUID/capabilities, writable cron/service paths, insecure NFS exports, or unpatched local-privesc CVEs.
Root Cause: Host not hardened to CIS Linux Benchmark; unpatched packages (sudo, polkit, kernel); excessive privileges granted without review.
Recommendation: Patch sudo/polkit/kernel; remove unnecessary SUID/SGID bits and capabilities; audit sudo rules and cron jobs; set root_squash on NFS exports; apply CIS hardening.


This note is the hub — it links to everything in the field manual on Linux privilege escalation.

Techniques (per vector)

Quick reference & commands

Credentials feeding escalation