Root escalation — getting from “regular user” to “root” or SYSTEM — is how most breaches turn catastrophic. A foothold becomes domain compromise via privilege escalation. This module covers the technique classes, the defences, and what a practitioner should be able to recognise on both the offensive and defensive sides.

The privesc landscape

Privilege escalation falls into five broad buckets:

Kernel exploits — memory-corruption or logic bugs in the OS kernel grant root
Misconfigurations — setuid binaries, writable sudoers, cron jobs running as root
Weak credentials — reused passwords, password in memory, SSH key theft
Service exploitation — privileged services with exploitable bugs (systemd, polkit, cron)
Stored credentials — AWS keys on disk, tokens in env, credentials in shell history

Classic Linux privesc patterns

SUID binaries

Any binary with setuid root permission runs as root when executed by any user. Legitimate: passwd, sudo, ping. Dangerous: custom scripts, old packages.

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Many SUID binaries have GTFOBins entries — documented escalation
# e.g. find, vim, less can all pop shells if SUID
# See gtfobins.github.io

Sudo misconfigurations

Check what you can sudo:

sudo -l

# Common escalation patterns:
# (ALL) NOPASSWD: /usr/bin/vim  — sudo vim → :!/bin/bash
# (ALL) NOPASSWD: /usr/bin/find — sudo find . -exec /bin/sh \;
# (ALL) NOPASSWD: ALL            — trivial: sudo su -

Writable critical files

/etc/passwd or /etc/shadow writable by user — add root entry, set password
/etc/sudoers writable — add own NOPASSWD line
/etc/cron.d/* writable — schedule root-executed script
Service unit files writable — modify ExecStart to run malicious

Kernel exploits

Historical high-impact kernel CVEs:

Dirty Pipe (CVE-2022-0847) — kernel 5.8 to 5.16; rewrite arbitrary read-only files
Dirty CoW (CVE-2016-5195) — race condition in copy-on-write; overwrite read-only memory
PwnKit (CVE-2021-4034) — polkit/pkexec; near-universal Linux LPE
Stack Clash (CVE-2017-1000364) — glibc/kernel stack boundary smash

Run linpeas or LinEnum for automated privesc reconnaissance. Run kernel-checker type tools. Patch kernels promptly — most kernel CVEs have rapidly-developed public exploits.

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

6 more sections locked below

Module 5 · Privilege Escalation Defence 🔒

The privesc landscape

Classic Linux privesc patterns

SUID binaries

Sudo misconfigurations

Writable critical files

Kernel exploits

Continue reading with Pro tier (₹4,999/year)

Other modules in this track

Module 1 · Linux Hardening Fundamentals <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 7 · Threat Hunting Workflow <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 6 · Memory Forensics <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>