Hack That Shit
Privilege Escalation Techniques on Linux Systems

Privilege Escalation Techniques on Linux Systems

by

⚠️ Safety & Ethics

This article explains where privilege escalation opportunities commonly exist and how to detect and fix them. The goal is defensive learning and safe lab practice only. Do not attempt any of these techniques on systems you do not own or have explicit authorization to test. Misuse is illegal.

🧠 What is Privilege Escalation (Privesc)?

Privilege escalation means moving from a lower-privileged account (e.g., alice) to a higher-privileged one (usually root). Attackers do this to gain full control of a system after an initial foothold. As defenders or learners, your job is to understand common vectors so you can find them in lab boxes and eliminate them in production.

🔍 Common Privesc Vectors (What to look for)

Below are frequent patterns that lead to privilege escalation. For each pattern I’ll explain why it matters, how to detect it safely in a lab, and how to mitigate it.

1 — Misconfigured sudo (Too-permissive rules)

Why: Overly broad sudo entries (e.g., ALL or NOPASSWD) let users run powerful commands as root.
Detect (lab): Inspect /etc/sudoers and /etc/sudoers.d/* using visudo or safe reads. sudo -l shows allowed commands for your account.
Mitigate: Apply least-privilege: allow only specific binaries, avoid NOPASSWD, and use groups to manage privileges.

2 — SUID / SGID Binaries with Bad Permissions

Why: SUID programs run with the file owner’s privileges. A vulnerable or writable SUID binary can be abused.
Detect (lab): List SUID/SGID binaries (find / -perm -4000 -type f 2>/dev/null) and research their purpose.
Mitigate: Remove SUID from unneeded binaries, ensure SUID files are owned by root and not writable by others, and keep packages updated.

3 — World-Writable Files & Directories

Why: Files or directories writable by everyone (777) enable attackers to drop or modify scripts/configs used by higher-privilege processes.
Detect (lab): Find writable paths (find / -writable -type d 2>/dev/null).
Mitigate: Remove world-write permissions, set correct owner/group, and use umask/ACLs to control access.

4 — Insecure Cron Jobs & Scheduled Tasks

Why: Cron jobs that run as root but use writable scripts or temporary files can be hijacked.
Detect (lab): Inspect crontabs for root and system cron directories (/etc/cron.*, /var/spool/cron). Look for jobs calling scripts in writable directories.
Mitigate: Ensure cron-run scripts are owned by root, stored in non-writable locations, and use absolute paths.

5 — PATH and Binary Hijacking

Why: If scripts run with elevated privileges call binaries without absolute paths (e.g., python instead of /usr/bin/python), an attacker can place a malicious binary earlier in PATH.
Detect (lab): Search for root-run scripts that invoke programs without full paths.
Mitigate: Use absolute paths in privileged scripts, sanitize PATH, and run scripts with restricted environments.

6 — Misconfigured Services & Daemons

Why: Services running as root or with excessive rights expand the attack surface. Web apps or local services with writable configs are risky.
Detect (lab): List services (systemctl list-units --type=service) and check running user for each. Review configuration file permissions.
Mitigate: Run services as dedicated unprivileged users, restrict config file permissions, and apply capability drops where possible.

7 — Docker / Container Misconfigurations

Why: Membership in docker or lxd groups can let that user control containers and potentially escape to host. Containers with mounted host volumes expose host files.
Detect (lab): Check group membership (groups) and inspect running containers and mounts.
Mitigate: Avoid adding non-trusted users to docker group, follow container security best practices, and use namespaces/SElinux/AppArmor.

8 — Sensitive Files with Weak Permissions

Why: Files like backups, config files, or private keys readable by low-privileged users leak secrets.
Detect (lab): Audit /etc, home directories, and backup locations for files readable by others.
Mitigate: Enforce correct ownership and permissions (e.g., private keys 600), and store secrets in vaults.

9 — Kernel Vulnerabilities & Outdated Packages

Why: Unpatched kernel or privileged binaries may contain exploits that yield root.
Detect (lab): Check kernel version and compare against advisories (in lab/research only). Tools like uname -r show kernel version.
Mitigate: Keep kernels and packages updated, use vendor security patches, and restrict access to exploit-prone interfaces.

🛠️ Safe Detection Commands & Auditing (Lab Use Only)

Use these only on systems you control or are explicitly authorized to test. They are meant for auditing and defense:

  • List SUID/SGID files:

 
find / -perm -4000 -o -perm -2000 -type f 2>/dev/null

  • Find world-writable files/directories:

 
find / -perm -o+w -type d 2>/dev/null

  • Show sudo privileges for current user:

 
sudo -l

  • List cron jobs for root and system:

 
ls -la /etc/cron.* /var/spool/cron*

For comprehensive lab scans use vetted audit tools (see next section).

🧰 Tools for Auditing & Hardening (Use responsibly)

  • Lynis — security auditing and compliance scanner (defensive).

  • AIDE / Tripwire — file integrity monitoring.

  • auditd — kernel-level auditing to track system events.

  • LinPEAS / Unix-privesc-check — community tools for lab enumeration (use only in controlled environments).

Use these tools to build detection rules and baseline behavior — and always review what each tool reports rather than blindly trusting outputs.

🛡️ Remediation Checklist (Defender’s To-Do)

  • Audit and tighten /etc/sudoers and /etc/sudoers.d/*. Remove NOPASSWD unless necessary.

  • Remove unnecessary SUID/SGID bits and lock down SUID binaries.

  • Fix world-writable files and restrict directory permissions.

  • Harden cron jobs: use secure directories, absolute paths, and root-owned scripts.

  • Use absolute paths in privileged scripts; restrict PATH and environment exposure for services.

  • Run services as dedicated unprivileged users and minimize capabilities.

  • Avoid granting docker group membership to untrusted users.

  • Keep kernels and packages patched; subscribe to vendor advisories.

  • Implement file integrity monitoring and alerting for permission changes.

🧪 Lab Exercises (Snapshot your VM first)

Perform these only in your lab VM:

  1. Inventory high-risk items

    • Run the SUID/SGID and world-writable searches above. Research each result to understand why it exists.

  2. Harden a cron job

    • Create a harmless cron job in /etc/cron.daily that runs a root-owned script placed in /usr/local/bin (owned by root, 750), and verify permissions.

  3. Audit sudoers safely

    • Use visudo -c to check for syntax issues; create a narrow sudoers.d file allowing a single safe command to a test user.

  4. Container group research

    • Add a throwaway VM user to docker in a lab and observe what docker access allows — document risks and mitigations.

  5. Implement monitoring

    • Install auditd or AIDE and configure a rule to watch for changes in /etc/sudoers and /usr/bin.

Always revert to a clean snapshot after each exercise.

🧠 How This Fits in the Series

Privilege escalation is the bridge between having a foothold and owning a machine. In later posts we’ll cover post-exploitation techniques, safe lab walkthroughs, and how to write automation to speed up your auditing (Bash scripting incoming in Part 7).

🎯 Coming Up Next

Part 7: Bash Scripting Basics for Hackers — Automate discovery, checks, and safe lab tasks so you can repeat audits and speed up hardening.

💬 Got Questions?

Drop them in the comments or join our community on Discord for exclusive hacking tips and resources.

Don’t worry — mastery comes with practice.
Just open your terminal and hack your brain into CLI mode daily.

Let’s keep building. 💻⚔️

Leave a comment

Table of Contents

Index