Privilege Escalation
Privilege escalation is like a hotel guest using a stolen master key to access rooms they were never assigned. An attacker who has limited access to a system (like a regular user account) exploits a vulnerability to gain administrator or root access, giving them full control. It is usually the second step in an attack: first, gain a foothold (phishing, stolen credentials); then, escalate privileges to do real damage.
Privilege escalation is the exploitation of a vulnerability, misconfiguration, or design flaw to obtain elevated access rights beyond what was originally authorized.
Types:
- Vertical escalation: lower-privilege user gains higher-privilege access (user to root/admin). More dangerous.
- Horizontal escalation: user accesses resources of another user at the same privilege level (user A reads user B’s data).
Common vertical escalation vectors (Linux):
| Vector | Description |
|---|---|
| SUID binaries | Executables that run with the owner’s permissions (often root). Misconfigured SUID binaries can be abused. |
| sudo misconfigurations | Overly permissive sudoers rules (e.g., ALL=(ALL) NOPASSWD: /usr/bin/vim) |
| Kernel exploits | Exploit a vulnerability in the Linux kernel to gain root (e.g., DirtyPipe CVE-2022-0847) |
| Writable scripts run by root | Cron jobs or systemd services running root-owned scripts in world-writable directories |
| Weak file permissions | World-readable /etc/shadow, writable /etc/passwd |
| Docker group membership | Users in the docker group can mount the host filesystem and become root |
| Path hijacking | Placing a malicious binary in a PATH directory that is searched before the legitimate one |
Common vectors (Windows): unquoted service paths, DLL hijacking, token impersonation, AlwaysInstallElevated policy, credential dumping (Mimikatz).
Defense:
- Principle of least privilege
- Regular audits of SUID binaries and sudo rules
- Prompt kernel patching
- SELinux/AppArmor mandatory access controls
- Monitoring for unusual privilege use (SIEM alerting)
Privilege escalation enumeration (Linux)
```
# Find SUID binaries (potential escalation vectors)
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec   # CVE-2021-4034 (PwnKit)

# Check sudo permissions for current user
$ sudo -l
User mokey may run the following commands:
    (ALL) NOPASSWD: /usr/bin/apt-get
# Dangerous: apt-get can spawn a shell via pre-invoke

# Check for writable cron scripts
$ ls -la /etc/cron.d/ /etc/cron.daily/ /var/spool/cron/
# Any file writable by your user = escalation path

# Check for credentials in environment or config files
$ env | grep -i pass
$ find / -name "*.conf" -exec grep -l "password" {} \; 2>/dev/null

# Check Docker group membership
$ id
uid=1000(mokey) gid=1000(mokey) groups=1000(mokey),998(docker)
# docker group = trivial root escalation via host mount
```
Privilege escalation is a step in nearly every successful cyberattack. Attackers gain initial access through phishing or a web vulnerability, land with low-privilege access, then escalate to root/admin to install persistence, exfiltrate data, or deploy ransomware. Penetration testers routinely find privilege escalation paths through misconfigured sudo rules, SUID binaries, and Docker group membership. The PwnKit vulnerability (CVE-2021-4034) in polkit’s pkexec affected virtually every Linux distribution and provided trivial root escalation for over a decade before discovery. Defense starts with the principle of least privilege: users and services should have the minimum permissions necessary. Tools like LinPEAS and WinPEAS automate privilege escalation enumeration, and both attackers and defenders use them.
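The defense list above asks for regular audits of SUID binaries and sudo rules, and the enumeration commands show what those audits look for. The following POSIX sh script is an added example (not code from the original page or from any tool it names) that turns those manual checks into a repeatable audit of the four Linux vectors from the table: unexpected SUID binaries, risky sudoers grants, world-writable cron entries, and docker group members. Each function takes the path to inspect, so it runs against a constructed fixture (make_fixture, with sample data invented for the example) or against the real host paths. The allowlist file /etc/suid.allow, the AUDIT_RUN variable, and the "shell-capable" command list (limited to the vim and apt-get examples the page itself gives) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: a least-privilege audit in POSIX sh
# for the Linux vectors discussed above. Functions take paths as arguments so
# they can be run against a fixture or against the live host.

# SUID executables under ROOT that are not listed in ALLOW (one path per line,
# relative to ROOT, e.g. /usr/bin/sudo). Anything printed was not approved.
audit_suid() {
    root=${1%/}; allow=$2
    find "${root:-/}" -perm -4000 -type f 2>/dev/null | while read -r f; do
        rel=${f#"$root"}
        grep -qxF "$rel" "$allow" || printf '%s\n' "$rel"
    done
}

# Sudoers grants that deserve review: passwordless rules, an unrestricted ALL
# command list, or a command the page names as able to spawn a shell (vim,
# apt-get; this list is an assumption). Comment, blank and Defaults lines are
# skipped. Output format: "<reason>: <rule line>".
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Defaults/              { next }
        {
            reason = ""
            if ($0 ~ /NOPASSWD:/)                        reason = "NOPASSWD"
            else if ($0 ~ /[[:space:]]ALL[[:space:]]*$/) reason = "unrestricted ALL"
            else if ($0 ~ /\/(vim|apt-get)$/ || $0 ~ /\/(vim|apt-get)[[:space:],]/)
                                                         reason = "shell-capable command"
            if (reason != "") print reason ": " $0
        }
    ' "$1"
}

# Files and directories under DIR that any user can write. A root cron job or
# service that executes such a file is the "writable scripts run by root" vector.
audit_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) 2>/dev/null
}

# Members of the docker group in an /etc/group-format file; each one is
# effectively root on the host, as the table above notes.
audit_docker_group() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Constructed fixture (sample data invented for this example): a fake root with
# two SUID binaries (only passwd allowlisted), a sudoers file with one tight rule
# and three to flag, one world-writable cron script, and two docker group members.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/bin" "$fx/etc/cron.d"
    printf '#!/bin/sh\n' > "$fx/usr/bin/passwd"; chmod 4755 "$fx/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$fx/usr/bin/backup"; chmod 4755 "$fx/usr/bin/backup"
    printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$fx/suid.allow"
    cat > "$fx/etc/sudoers" <<'EOF'
# constructed sudoers, not from a real host
Defaults        env_reset
alice   ALL=(root) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
mokey   ALL=(ALL) NOPASSWD: /usr/bin/apt-get
bob     ALL=(root) /usr/bin/vim
EOF
    printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$fx/etc/cron.d/rotate"
    chmod 0777 "$fx/etc/cron.d/rotate"
    printf '#!/bin/sh\n' > "$fx/etc/cron.d/safe"
    chmod 0755 "$fx/etc/cron.d/safe"
    printf 'root:x:0:\ndocker:x:998:mokey,ci\nusers:x:100:\n' > "$fx/etc/group"
    printf '%s\n' "$fx"
}

# Full report: run_audit ROOT ALLOWLIST SUDOERS CRON_DIR GROUP_FILE
run_audit() {
    echo "== SUID binaries not on the allowlist ==";      audit_suid "$1" "$2"
    echo "== sudo rules to review ==";                    audit_sudoers "$3"
    echo "== world-writable cron entries ==";             audit_writable "$4"
    echo "== docker group members (root-equivalent) =="; audit_docker_group "$5"
}

# Against the live host (as root, since /etc/sudoers is mode 0440):
#   AUDIT_RUN=1 sh audit.sh
# /etc/suid.allow is an assumed, locally maintained allowlist.
if [ "${AUDIT_RUN:-}" = 1 ]; then
    run_audit / /etc/suid.allow /etc/sudoers /etc/cron.d /etc/group
fi
```

The allowlist approach matters more than the find command itself: a SUID listing is only useful if it is diffed against what the distribution is expected to ship, so new or modified SUID binaries stand out. Running the audit from a cron job and forwarding non-empty sections to the SIEM covers the "monitoring for unusual privilege use" item as well.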