HackCert
Advanced 9 min read January 19, 2025

Deep Dive into Linux Privilege Escalation

Exploring SUID abuse, capabilities, sudo misconfigurations, and kernel exploits used to win root on modern Linux systems.

Bilal Ahmed Khan
Red Team Operator
Overview

A user shell on a Linux box is the start of a chess game against a kernel that has accumulated 30 years of features, syscalls, and edge cases. The path from nobody or www-data to UID 0 rarely depends on a single exploit; it depends on a methodical reading of sudo -l, getcap -r /, find / -perm -4000, and /etc/cron.d. This deep dive covers the modern Linux escalation arsenal in 2026.

Core Concepts

Linux access control sits on three legs: the UID/GID model with traditional discretionary permissions, capabilities (POSIX.1e) that decompose root's powers into 41+ granular flags, and Linux Security Modules (SELinux, AppArmor) that overlay mandatory access control. Namespaces (mount, PID, user, network) add containerization isolation, and seccomp filters can block syscalls outright.

Privilege boundaries in Linux are surprisingly soft: a single misconfigured setcap cap_dac_read_search+ep /usr/bin/cat lets an attacker read /etc/shadow. Understanding which capabilities, SUID binaries, sudo rules, and writable cron jobs translate to root is the entire game.

The canonical enumeration toolkit:

  • linpeas.sh — automated, color-coded, comprehensive.
  • LinEnum, linux-smart-enumeration — alternative scanners.
  • pspy — observes process spawns without root, exposes cron and systemd timers.
  • GTFOBins — the curated database of binaries that can be abused to escape restricted shells, escalate, or read files.

SUID, SGID, and Capabilities

The set-user-ID bit makes a binary execute with the owner's UID. Root-owned SUID binaries are escalation gold:

find / -perm -4000 -type f 2>/dev/null

Modern attacks rarely involve exploiting buffer overflows in passwd or mount. Instead, GTFOBins documents how to abuse the intended functionality of dozens of standard binaries:

  • find . -exec /bin/sh -p \; -quit — if find is SUID, gives a root shell.
  • awk 'BEGIN {system("/bin/sh -p")}' — SUID awk.
  • vim.basic -c ':!/bin/sh -p' — SUID vim.
  • cp SUID with --no-preserve=mode to overwrite /etc/passwd.

Capabilities split root into pieces, but several pieces are equivalent to root:

  • cap_dac_read_search — read any file (shadow, SSH keys).
  • cap_setuid — change UID; python -c 'import os; os.setuid(0); os.system("sh")'.
  • cap_sys_admin — effectively root; mount filesystems, change namespaces.
  • cap_sys_ptrace — attach to any process, inject shellcode.
  • cap_chown, cap_fowner — overwrite key files' ownership/permissions.

getcap -r / 2>/dev/null
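An audit script for the two enumeration commands above from the defender's side, added here as an example and not code from the original article: it parses getcap -r / output in both libcap formats, flags root-equivalent capabilities that are effective or permitted, and compares the SUID list against an assumed baseline of legitimately SUID binaries. The baseline set and both sample outputs are constructed for illustration.

```python
import re

# Capabilities the article lists as root-equivalent: holding one in the
# effective (e) or permitted (p) set deserves the same scrutiny as SUID root.
ROOT_EQUIVALENT_CAPS = {"cap_dac_read_search", "cap_setuid", "cap_sys_admin",
                        "cap_sys_ptrace", "cap_chown", "cap_fowner"}
# Assumed baseline of SUID-root binaries a stock install legitimately ships.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/gpasswd"}
# Binaries the article cites from GTFOBins as giving a shell or file write when SUID.
GTFOBINS_SUID = {"find", "awk", "gawk", "vim", "vim.basic", "cp", "python3", "bash"}
# One capability clause: "cap_a,cap_b=ep" (libcap >= 2.41) or the older "cap_a,cap_b+ep".
CLAUSE_RE = re.compile(r"([a-z0-9_,]+)[=+]([eip]+)")

def parse_getcap_line(line):
    """Parse one `getcap -r /` line into (path, {cap: flags}) in either output format
    ('/usr/bin/ping cap_net_raw=ep' or '/usr/bin/ping = cap_net_raw+ep'); None if blank."""
    line = line.strip()
    if not line:
        return None
    path, _, rest = line.partition(" ")   # paths containing spaces are not handled
    caps = {}
    for names, flags in CLAUSE_RE.findall(rest.lstrip("= ")):
        for name in names.split(","):
            caps[name] = flags
    return path, caps

def audit_capabilities(getcap_output):
    """Return [(path, [risky caps])] for files holding a root-equivalent capability."""
    findings = []
    for parsed in map(parse_getcap_line, getcap_output.splitlines()):
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c, f in caps.items()
                       if c in ROOT_EQUIVALENT_CAPS and ("e" in f or "p" in f))
        if risky:
            findings.append((path, risky))
    return findings

def audit_suid(find_output):
    """Return [(path, reason)] for SUID binaries outside the baseline."""
    return [(p, "GTFOBins shell/write primitive" if p.rsplit("/", 1)[-1] in GTFOBINS_SUID
             else "not in baseline") for p in find_output.split() if p not in EXPECTED_SUID]

# Constructed sample output (not captured from a real host).
SAMPLE_GETCAP = ("/usr/bin/ping cap_net_raw=ep\n/usr/bin/cat cap_dac_read_search=ep\n"
                 "/usr/bin/python3.11 = cap_setuid+ep\n/usr/sbin/arping = cap_net_raw+p\n")
SAMPLE_SUID = "/usr/bin/passwd\n/usr/bin/sudo\n/opt/vendor/agent\n/usr/bin/find\n"
```

Pipe the real command output into audit_capabilities and audit_suid and diff the result against the previous run; a new entry is a change worth a ticket.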

Sudo Misconfigurations

sudo -l is the single most rewarding command on a fresh Linux foothold. Look for:

  • NOPASSWD entries for unusual binaries.
  • Wildcards in command paths (/usr/bin/cat /var/log/*) — append arguments to escape.
  • Editor escapes: sudoedit, vim, less, more, man, nano all permit shell escapes (GTFOBins).
  • LD_PRELOAD / LD_LIBRARY_PATH preserved in env_keep — write a shared object with _init(), preload it, root.
  • Sudo CVEs: Baron Samedit (CVE-2021-3156), a heap overflow in sudo exploitable without any sudo permissions; CVE-2023-22809, a sudoedit arbitrary file write via EDITOR=$EDITOR -- /etc/passwd.

# Baron Samedit check
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# Segfault → likely vulnerable
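A small sudoers linter for the checklist above, added as an example and not code from the original article: it flags env_keep entries that preserve LD_PRELOAD or LD_LIBRARY_PATH, NOPASSWD: ALL for non-root principals, GTFOBins editors and shells in command lists, and wildcards in command arguments, and reports a missing env_reset. The sudoers fragment is constructed; in practice feed it /etc/sudoers and the files under /etc/sudoers.d/.

```python
import re

# Binaries the article names (via GTFOBins) as allowing a shell escape when run under sudo.
SHELL_ESCAPE_BINS = {"sudoedit", "vim", "vim.basic", "vi", "less", "more", "man", "nano",
                     "awk", "find", "bash", "sh", "python3", "perl"}
# "user host=(runas) [TAG:] cmd, cmd"; the Runas part is optional.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")
LOADER_VARS = re.compile(r"LD_(?:PRELOAD|LIBRARY_PATH)")

def lint_sudoers(text):
    """Return [(line, reason)] for rules matching the article's sudo misconfiguration list."""
    findings, env_reset = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            env_reset |= "env_reset" in line and "!env_reset" not in line
            if "env_keep" in line and LOADER_VARS.search(line):
                findings.append((line, "env_keep preserves a dynamic-loader variable"))
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        spec = m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        for cmd in filter(None, (c.strip() for c in TAG_RE.sub("", spec).split(","))):
            exe = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" and nopasswd:
                findings.append((line, "NOPASSWD: ALL for a non-root principal"))
            elif exe in SHELL_ESCAPE_BINS:
                findings.append((line, f"{exe} permits a shell escape (GTFOBins)"))
            elif "*" in cmd:
                findings.append((line, "wildcard in command arguments"))
    if not env_reset:
        findings.append(("Defaults", "env_reset is not set"))
    return findings

# Constructed sudoers fragment (not from a real host) with one of each problem.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
www-data ALL=(root) NOPASSWD: /usr/bin/cat /var/log/*
backup ALL=(root) NOPASSWD: /usr/bin/vim /etc/backup.conf
"""
```

Commands whose arguments themselves contain commas are split incorrectly by this simple parser; the sudoers aliases (Cmnd_Alias) are not expanded either.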

Cron Jobs, Systemd Timers, and Writable Paths

Scheduled tasks run with the scheduler's privileges. cat /etc/crontab, ls /etc/cron.*, systemctl list-timers --all, and pspy64 reveal them. Common wins:

  • World-writable scripts invoked by root cron — append your payload.
  • Wildcards in tar/rsync/zip invoked by root — tar wildcard injection: file names such as --checkpoint=1 and --checkpoint-action=exec=sh in the target directory are expanded by the shell into tar options.
  • Relative PATH in a root-cron script — drop a malicious binary earlier in PATH.
  • Writable systemd unit files (/etc/systemd/system/*.service) — modify ExecStart=, then systemctl restart.
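An added example (not code from the original article) that audits root entries from /etc/crontab and /etc/cron.d for three of the problems listed above: world-writable scripts or parent directories, commands resolved through PATH instead of an absolute path, and shell globs handed to tar, rsync or zip. The two fixture scripts are constructed in a private temp directory for the demo; systemd unit files are not covered.

```python
import os
import re
import stat
import tempfile

# Archivers whose option parsing turns glob-expanded file names into flags
# (the tar --checkpoint-action class the article describes; rsync and zip have equivalents).
GLOB_TO_ARCHIVER = re.compile(r"\b(?:tar|rsync|zip)\b[^|;\n]*\s\*")
# "m h dom mon dow user command" or "@reboot user command", as in /etc/crontab and /etc/cron.d.
CRON_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")

def audit_cron_line(line):
    """Return a list of findings for one system crontab line that runs as root."""
    m = CRON_RE.match(line.strip())
    if not m or m.group("user") != "root":
        return []
    script = m.group("cmd").split()[0]
    if not os.path.isabs(script):
        return ["command is resolved through PATH rather than an absolute path"]
    try:
        mode = os.stat(script).st_mode
    except FileNotFoundError:
        return [f"{script} does not exist: if its directory is writable, whoever creates it runs as root"]
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{script} is world-writable")
    if os.stat(os.path.dirname(script)).st_mode & stat.S_IWOTH:
        findings.append(f"{os.path.dirname(script)} is world-writable (script can be replaced)")
    with open(script) as fh:
        for lineno, text in enumerate(fh, 1):
            if GLOB_TO_ARCHIVER.search(text):
                findings.append(f"{script}:{lineno} passes a shell glob to tar/rsync/zip")
    return findings

def build_demo():
    """Constructed fixture: two root cron scripts in a private temp dir (not real system files)."""
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "backup.sh"), os.path.join(root, "rotate.sh")
    with open(bad, "w") as fh:
        fh.write("#!/bin/sh\ncd /var/www/html\ntar czf /backup/www.tgz *\n")
    os.chmod(bad, 0o777)          # left world-writable, as a careless deploy might
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
    os.chmod(good, 0o755)
    return {"bad": f"0 2 * * * root {bad}", "good": f"0 3 * * * root {good}",
            "relative": "*/5 * * * * root cleanup.sh", "user": f"0 4 * * * www-data {bad}"}
```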

Kernel Exploits

When userland is locked down, the kernel surface remains. Modern wins:

  • Dirty Pipe (CVE-2022-0847) — splice-flag handling lets a low-priv user write to read-only files (overwrite /etc/passwd or hijack SUID binaries). Affects 5.8+ until 5.16.11.
  • Dirty COW (CVE-2016-5195) — classic race in COW handling, used by ransomware and rootkits for years.
  • GameOver(lay) (CVE-2023-2640 / 2023-32629) — Ubuntu OverlayFS LPE.
  • nf_tables (CVE-2024-1086) — use-after-free in netfilter, root via unprivileged user namespaces.
  • PwnKit (CVE-2021-4034) — polkit's pkexec argument-handling LPE; 12-year-old bug, present on default installs of every major distro.

# PwnKit one-liner check
ls -l $(which pkexec)   # SUID? Likely vulnerable on pre-2022 systems.

Container breakouts deserve their own line: Leaky Vessels (CVE-2024-21626) in runc, Dirty Pipe inside containers, and abuse of mounted Docker sockets all turn container root into host root.

Misconfigurations and Stored Credentials

  • NFS no_root_squash — mount the export, drop a SUID bash, execute on the target.
  • Writable /etc/passwd — append a line with a known password hash and UID 0.
  • Docker group membership: docker run -v /:/mnt -it alpine chroot /mnt sh = root.
  • LXD/LXC group — similar mount-host trick via an image.
  • SSH keys in /home/*/.ssh/, backup archives, or .bash_history.
  • Database credentials in wp-config.php, .env, application.yml files.
  • Hard-coded credentials in custom service binaries — strings is your friend.

Real-world Examples

Volt Typhoon (Chinese state actor) used Linux router and edge-device escalations via vendor-default SSH keys and weak sudo rules to maintain persistence in US critical infrastructure throughout 2023–2024. Looney Tunables (CVE-2023-4911), a glibc tunables overflow, gave attackers an LPE on virtually every Linux distro for months; Mandiant and CrowdStrike reported active exploitation by initial-access brokers feeding ransomware affiliates. The Kinsing cryptominer routinely escalates inside misconfigured Kubernetes pods via mounted Docker sockets and a writable /proc/sys/kernel/core_pattern.

Best Practices & Mitigation

  1. Patch promptly. Sudo, polkit, glibc, and kernel CVEs are the bread and butter of post-exploitation; an unpatched 60-day-old box is a guaranteed root.
  2. Minimize SUID surface. chmod u-s on binaries you do not need. Replace with capabilities only where strictly required.
  3. Lock down sudoers. No wildcards, no NOPASSWD for shells or editors, Defaults env_reset, and explicit Defaults secure_path.
  4. Disable unprivileged user namespaces (kernel.unprivileged_userns_clone=0) — closes a huge class of recent LPEs.
  5. Enable SELinux/AppArmor in enforcing mode and write profiles for custom services.
  6. Run containers rootless or with --security-opt no-new-privileges and a tight seccomp profile.
  7. Audit cron and systemd for writable scripts, relative paths, and wildcard misuse.
  8. Linux Audit (auditd) + Falco for runtime detection of execve from /tmp, mounts inside containers, capability changes, and unexpected SUID invocations.
  9. Use pam_faillock, fail2ban, and SSH key-only auth to prevent the foothold in the first place.

Key Takeaways

Linux privilege escalation rewards patience and pattern recognition. The kernel, sudo, capabilities, and scheduled tasks form a vast misconfiguration surface where a single oversight collapses the security model. The same linpeas.sh run that an attacker performs in 30 seconds will identify 80% of your escalation paths — run it yourself, on every server, and treat the findings with the same urgency as a CVE patch.
