100 ways to achieve privilege escalation in Linux

December 8, 2024

Tags

• PrivilegeEscalation

100 ways to achieve privilege escalation in Linux

Privilege escalation in a Linux environment can be achieved through a variety of methods, often depending on misconfigurations, vulnerabilities, or unintended behaviors in the system. Here’s a list of 100 potential ways to escalate privileges from a non-root user to a root user. These are categorized into common areas like misconfigurations, vulnerabilities, binaries, and kernel exploits.

---

1-20: Misconfigurations

1. World-writable files in sensitive directories like /etc/.
2. Misconfigured sudo privileges allowing execution of unintended binaries.
3. Misconfigured setuid binaries owned by root.
4. Writable /etc/passwd or /etc/shadow.
5. Writable /etc/sudoers or /etc/sudoers.d/.
6. Cron jobs running as root with writable scripts.
7. Writable /var/spool/cron/ directory.
8. Root-owned files with improper ACL permissions.
9. Sticky-bit misconfigurations on sensitive directories.
10. Writable scripts executed by services running as root.
11. SSH keys in /root/.ssh/ with world-readable permissions.
12. World-writable /var/log/ files.
13. Incorrect permissions on kernel module files.
14. Improper permissions on shared libraries.
15. Misconfigured capabilities (e.g., binaries with CAP_SYS_ADMIN).
16. NFS exports with no_root_squash enabled.
17. Improper mount options (exec in /tmp or /home).
18. User writable /dev devices.
19. Writable LD_PRELOAD directories.
20. docker group membership allowing root-level access.

---

21-40: Exploitable Binaries

1. Exploiting vi/vim through sudo with improper configurations.
2. Exploiting less when invoked with sudo.
3. Using awk to escalate privileges via sudo.
4. Using python to execute arbitrary code with sudo.
5. Exploiting tar with sudo for arbitrary file writes.
6. Using find with sudo to execute arbitrary commands.
7. Exploiting bash with sudo to open a root shell.
8. Using perl to execute code with sudo.
9. Exploiting rsync with root permissions.
10. Using cp to overwrite critical files with sudo.
11. Exploiting git when configured with root access.
12. Using scp to overwrite files via sudo.
13. Leveraging zip or unzip for privilege escalation.
14. Exploiting mysql to gain code execution.
15. Using vim temporary files to escalate privileges.
16. Exploiting journalctl with improper configurations.
17. Using env with sudo for privilege escalation.
18. Misusing screen if running with setuid or sudo.
19. Exploiting tmux session misconfigurations.
20. Using node.js or node in sudo context.

---

41-60: Kernel and Software Vulnerabilities

1. Exploiting Dirty COW (CVE-2016-5195).
2. Exploiting OverlayFS vulnerabilities (e.g., CVE-2021-3493).
3. Exploiting polkit vulnerabilities (e.g., CVE-2021-4034).
4. Exploiting vulnerable sudo versions (e.g., CVE-2019-14287).
5. Exploiting systemd vulnerabilities.
6. Exploiting ptrace to attach to a privileged process.
7. Exploiting vulnerable X11 configurations.
8. Exploiting SELinux bypass vulnerabilities.
9. Exploiting vulnerable kernel versions (e.g., buffer overflows).
10. Exploiting glibc vulnerabilities.
11. Exploiting snapd vulnerabilities.
12. Exploiting Apache misconfigurations or vulnerabilities.
13. Leveraging CVE-2018-14665 (Xorg exploit).
14. Exploiting SSH agent forwarding vulnerabilities.
15. Exploiting container breakout vulnerabilities.
16. Using overlay mount escape in containers.
17. Kernel module exploits like RDS (CVE-2010-3904).
18. Leveraging cron race conditions.
19. Exploiting chroot escapes.
20. Exploiting vulnerable applications with privilege escalation paths.

---

61-80: Abusing Services

1. Exploiting vulnerable web applications.
2. Manipulating database services (e.g., MySQL, PostgreSQL).
3. Exploiting openvpn misconfigurations.
4. Leveraging misconfigured rsync services.
5. Exploiting tftp or ftp with root files.
6. Exploiting vulnerable SMB shares.
7. Using NFS shares with weak permissions.
8. Abusing cups (printing service) vulnerabilities.
9. Exploiting email services running as root.
10. Abusing systemd service file misconfigurations.
11. Exploiting docker.sock for container breakout.
12. Manipulating kubernetes configurations for root access.
13. Exploiting vulnerable cron jobs for root users.
14. Misconfigurations in PHP or web server modules.
15. Exploiting weak database passwords for services running as root.
16. Exploiting vulnerable or exposed admin interfaces.
17. Abusing sudoedit for file overwrite attacks.
18. Manipulating journalctl for command injection.
19. Leveraging nmap with root capabilities.
20. Exploiting misconfigured rsyslog service.

---

81-100: Advanced Techniques

1. Kernel rootkits for privilege escalation.
2. Exploiting /proc pseudo-filesystem vulnerabilities.
3. Leveraging writable LD_LIBRARY_PATH for library injection.
4. Exploiting race conditions in system calls.
5. Using ptrace to hijack root processes.
6. Exploiting /etc/environment file manipulation.
7. Using pivot_root for privilege escalation.
8. Exploiting cgroups misconfigurations.
9. Leveraging dbus for privilege escalation.
10. Exploiting /run directory misconfigurations.
11. Manipulating PAM modules for root access.
12. Using fake binaries in PATH for privilege escalation.
13. Injecting malicious commands into .bashrc of root.
14. Exploiting writable /boot/ directory.
15. Abusing passwd command with setuid.
16. Exploiting init system configurations.
17. Leveraging misconfigured network services (e.g., DHCP).
18. Exploiting legacy or abandoned software.
19. Using symbolic links to overwrite sensitive files.
20. Exploiting user-to-root trust relationships (e.g., SSH keys).

---

Final Notes

• Always get permission before testing these techniques (penetration testing or ethical hacking).
• Many methods require specific preconditions like vulnerable software, misconfigurations, or inadequate permissions.
• Keeping your Linux system updated and configured properly can mitigate many of these risks.

Share Tweet LinkedIn Reddit