Privilege Escalation
Privilege Escalation
Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.
Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).
Vertical Privilege Escalation
Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).
Common Techniques
- Exploiting kernel or driver vulnerabilities
- Abusing misconfigured SUID/SGID binaries (Linux)
- Misusing weak or world-writable service files
- Leveraging unquoted service paths (Windows)
- DLL hijacking or service misconfiguration
- Stealing credentials from memory or config files
- Abusing scheduled tasks or cron jobs
- Exploiting insecure file permissions or ownership
- Leveraging token impersonation or privilege tokens (Windows)
- Dumping and cracking password hashes
Tools
- linPEAS (automated privilege escalation enumeration on Linux)
- winPEAS (automated privilege escalation enumeration on Windows)
- Seatbelt (Windows enumeration tool focused on privilege escalation)
- PowerUp (PowerShell tool for Windows privilege escalation)
- Watson (detects privilege escalation vectors on Windows)
- BeRoot (privilege escalation auditor for Linux, MacOS, and Windows)
- Linux Exploit Suggester (suggests kernel exploits)
- Windows Exploit Suggester (suggests local exploits for Windows)
- g0tmi1k's privesc checklist (manual enumeration and exploitation list)
Horizontal Privilege Escalation
Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.
Common Techniques
- Reading other users’ sensitive files due to improper permissions
- Accessing SSH keys, config files, or tokens
- Hijacking user sessions (e.g., TTY snooping or credential reuse)
- Exploiting insecure file-sharing configurations (e.g., SMB shares)
- Abuse of API tokens or database credentials found in cleartext
Tools
- pspy (monitors Linux processes to detect privilege-related activity)
- ls -la /home/ (manual check for exposed user data)
- ssh-agent hijacking scripts
- procmon (process monitor for live file and registry activity on Windows)
- mimikatz (extracts passwords, hashes, and tokens from memory)
Enumeration Checklists
Linux
- SUID/SGID binaries: `find / -perm -4000 2>/dev/null`
- Kernel version: `uname -a`
- Environment variables: `env`
- Running processes: `ps aux`
- Installed packages: `dpkg -l` or `rpm -qa`
- Writable directories: `find / -writable 2>/dev/null`
- Cron jobs: `cat /etc/crontab`
- User and group info: `/etc/passwd` and `/etc/group`
Windows
- Whoami and privileges: `whoami /priv`
- Local groups: `net localgroup administrators`
- Services: `sc query` or `Get-Service`
- Startup folders and registry: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
- Scheduled tasks: `schtasks /query`
- Installed programs: `wmic product get name`
- Environment: `set`
- File permissions: `icacls`, `accesschk`
Websites & References
- GTFOBins (trusted repo of SUID/privilege escalation via Linux binaries)
- LOLBAS (Living Off The Land Binaries and Scripts for Windows privilege escalation)
- hacktricks.xyz (comprehensive privilege escalation techniques for Linux and Windows)
- PEASS-ng GitHub (official PEAS suite repository)
- FuzzySecurity Windows Privesc Guide
- rebootuser's Linux privesc cheat sheet