Chapter 15 Key Takeaways
Linux Exploitation and Privilege Escalation
1. Enumeration Before Exploitation
Thorough enumeration is the foundation of successful Linux privilege escalation. Rushing to exploit without understanding the system leads to wasted time, missed vectors, and potential detection. Your enumeration checklist should cover: system information, users and groups, sudo permissions, SUID/SGID binaries, capabilities, cron jobs, network services, writable files, and container indicators.
2. Follow a Risk-Based Methodology
Always attempt the safest privilege escalation vectors first. The recommended order is: sudo misconfigurations, SUID/capabilities abuse, cron job/PATH hijacking, writable scripts, then kernel exploits as a last resort. Kernel exploits can crash systems and should only be used when other vectors are exhausted and the client has accepted the risk.
3. SUID, Capabilities, and Sudo Are Your Primary Targets
The most common privilege escalation paths on real-world Linux systems involve misconfigured SUID binaries, overly permissive Linux capabilities, or sudo entries that allow shell escapes. GTFOBins is your essential reference for mapping discoverable binaries to exploitation techniques.
4. Cron Jobs and PATH Hijacking Are Pervasive
Cron jobs that execute scripts as root with insufficient protections remain one of the most frequently exploited misconfigurations. Always check for writable scripts called by root cron jobs, writable directories in the system PATH, and wildcard injection opportunities.
5. Container Isolation Is Not Security Without Additional Controls
Containers (Docker, Kubernetes) provide process isolation, not security boundaries. Docker socket exposure, privileged containers, excessive Kubernetes RBAC, and missing Pod Security Policies routinely defeat container isolation. Always check for container indicators and escape vectors.
6. Automated Tools Accelerate But Do Not Replace Manual Analysis
LinPEAS, Linux Exploit Suggester, pspy, and other tools dramatically speed up enumeration, but they can produce false positives and miss custom misconfigurations. Use automated tools for broad coverage and manual analysis for depth. Always verify automated findings manually.
7. Kernel Exploits Are Powerful but Dangerous
Vulnerabilities like Dirty COW, Dirty Pipe, and PwnKit provide near-guaranteed root access on affected systems, but kernel exploits can cause system instability, kernel panics, and data corruption. Always check kernel version against exploit databases and consider the risk-reward tradeoff before deploying kernel exploits.
8. Understand the Defenses to Bypass Them
SELinux, AppArmor, and seccomp represent significant barriers to privilege escalation. Understanding how these mechanisms work allows you to assess whether your exploitation technique will succeed and helps you advise clients on effective hardening strategies.
9. Documentation and Cleanup Are Non-Negotiable
Every privilege escalation attempt must be documented, and every artifact (files created, configurations modified, persistence mechanisms installed) must be tracked for cleanup. In a professional engagement, incomplete cleanup can cause operational disruptions.
10. Defense Is the Reverse of Attack
Every offensive technique in this chapter maps directly to a defensive measure. For every SUID finding, recommend removal. For every writable cron script, recommend permission hardening. Your penetration test report should translate offensive findings into actionable defensive recommendations.
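As an added example (not code from the chapter), the following POSIX sh audit implements the cron and PATH checks behind takeaways 4 and 10 from the defender's side: it reads a system crontab and reports root jobs whose script is group- or world-writable, commands that cron resolves through its PATH, and PATH directories that are world-writable or missing. The function names and output format are my own; it assumes awk and GNU or BSD stat are available.

```shell
#!/bin/sh
# Added hardening audit, not code from the chapter: flags root cron entries whose
# target script is group- or world-writable, relative commands that cron resolves
# through its PATH, and PATH directories that are world-writable or missing.

# Octal permission bits of a path (e.g. 755, 4755); empty if stat fails (GNU, then BSD).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Audit a system crontab (min hour dom mon dow user command, or @reboot user
# command). Prints one line per finding and nothing when the file is clean.
audit_crontab() {
  awk '!/^[ \t]*#/ && NF > 0 && $1 !~ /^[A-Za-z_]+=/ {
         n = ($1 ~ /^@/) ? 2 : 6;        # @daily and friends use one schedule field
         if (NF > n) print $n, $(n+1)    # user and first token of the command
       }' "$1" |
  while read -r user target; do
    case $target in
      /*) ;;
      *)  printf 'RELATIVE %s resolved via cron PATH (run as %s)\n' "$target" "$user"
          continue ;;
    esac
    if [ ! -e "$target" ]; then
      printf 'MISSING %s (run as %s)\n' "$target" "$user"
      continue
    fi
    m=$(mode_of "$target")
    # 022 = group-write | other-write: anyone in that set can edit a root job
    if [ -n "$m" ] && [ $(( 0$m & 022 )) -ne 0 ]; then
      printf 'WRITABLE %s mode %s (run as %s)\n' "$target" "$m" "$user"
    fi
  done
}

# Audit a PATH-style string: a world-writable directory, or a missing one that
# can be created, lets an unprivileged user plant a binary a root job finds first.
audit_path() {
  printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
    [ -n "$dir" ] || continue
    if [ ! -d "$dir" ]; then printf 'MISSING %s\n' "$dir"; continue; fi
    m=$(mode_of "$dir")
    if [ -n "$m" ] && [ $(( 0$m & 002 )) -ne 0 ]; then
      printf 'WORLD-WRITABLE %s mode %s\n' "$dir" "$m"
    fi
  done
}
```

On a host, run `audit_crontab /etc/crontab` and `audit_path "$(sed -n 's/^PATH=//p' /etc/crontab)"`; files under /etc/cron.d use the same user-field format and can be passed to `audit_crontab` as well.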
Quick Reference: Linux Privilege Escalation Checklist
| Check | Command | Tool |
|---|---|---|
| Kernel version | uname -a | Linux Exploit Suggester |
| Sudo permissions | sudo -l | Manual |
| SUID binaries | find / -perm -4000 -type f 2>/dev/null | GTFOBins |
| Capabilities | getcap -r / 2>/dev/null | Manual |
| Cron jobs | cat /etc/crontab; ls /etc/cron* | pspy |
| Writable files | find / -writable -type f 2>/dev/null | LinPEAS |
| Container check | ls /.dockerenv; cat /proc/1/cgroup | Manual |
| Full enumeration | ./linpeas.sh | LinPEAS |