Privilege Escalation


I’m probably not qualified enough to do a post on this subject; however, it is my favourite thing about attacking a vulnerable CTF-style machine, and more often than not it’s the shell part I have trouble with.

I’m not an expert on the method of privilege escalation, but hopefully I can put to bed some ideas that some people may have about it. Based on my experience, obviously.

When you start out, you are told to visit a few sites to learn about priv esc. I’ll list them below.

That’s it! – That is all you get told to review.

So what’s the deal?

From my experience of being a sysadmin for 11 years and passing OSCP (recently), there is no stick-in-the-mud method for privilege escalation. It comes in several forms.

  • Old Linux Kernel exploit
  • Old SMB Windows exploits for remote admin access
  • Vulnerable bit of software running as root
  • Some PowerShell Windows exploits (few)

To enumerate as much as you can, you’ll want to run something against your target to shave off a bit of time punching in a load of commands. The below script is quite useful for that.

It’s extremely useful to just glean as much info out of a box locally once you get access. It’s not perfect but it’ll give you a quick glance at what you’re dealing with.

Lately I’ve found a great deal of success where users of the system create files. Remember, a human user will make mistakes when creating files, folders and jobs on a server. I’m a sysadmin, and I’ve made loads of mistakes too. Check home directories for interesting files created by admins for users.

Linux:

  • /home/
  • /tmp
  • ls -al /etc/cron* (system cron jobs and the scripts they run)

Pay extremely close attention to the permissions of files. All of this is going to be worthless to you if you skip learning about permissions.

Windows:

  • C:/Users/ (check the folders for files)
  • schtasks /query /fo LIST /v (shows the list of scheduled tasks, including the command each one runs and the account it runs as)
  • Accesschk.exe to check for files/services with Authenticated Users write permissions

But why?

Ok, so in order for a standard user to escalate their privileges on a target system, sometimes we need to do some digging into processes running as root/admin. If we can get a process that runs as root to execute our command instead of the intended one, that command runs as root too.

Think outside of the box here. Say you have found a Windows batch file that just checks whether a service is up and running and reports back to the admin in a console prompt on the screen. You’ve checked the permissions and you can edit the file with your limited access. The scheduled task runs every 20 minutes. That means you have at most 20 minutes to figure out a way to edit the file and have it run your command with the privileges of the account the task runs under.
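The Linux version of that mistake is a root cron job pointing at a script that non-owners can edit. The audit below is an added example, not code from the original post: it parses /etc/crontab-style entries and reports jobs whose script is group/other-writable or sits in a world-writable directory. The crontab text and the two scripts are constructed in a temp directory so it runs anywhere.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Return (run_as_user, executable) pairs from /etc/crontab-style text.
    Skips comments, blank lines and VAR=value lines; handles @daily-style
    shortcuts (one time field) as well as the usual five time fields."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        tokens = line.split()
        n = 1 if tokens[0].startswith("@") else 5   # number of time fields
        if len(tokens) >= n + 2:
            jobs.append((tokens[n], tokens[n + 1]))  # user, first word of command
    return jobs

def audit_cron_jobs(text):
    """Flag jobs whose script can be modified or replaced by a non-owner:
    the file is group/other-writable, or its directory is world-writable
    without the sticky bit (so the file can be renamed away and replaced)."""
    findings = []
    for user, path in parse_system_crontab(text):
        if not os.path.isabs(path) or not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        dmode = os.stat(os.path.dirname(path)).st_mode
        reasons = []
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("script writable by group/other")
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            reasons.append("directory world-writable without sticky bit")
        if reasons:
            findings.append((user, path, reasons))
    return findings

def demo():
    """Constructed sample: a root job running a world-writable check script
    every 20 minutes, beside a correctly permissioned daily backup script."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "check_service.sh"), os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(bad, 0o777)   # the admin's mistake: anyone on the box can edit it
    os.chmod(good, 0o755)
    crontab = ("PATH=/usr/bin:/bin\n# m h dom mon dow user command\n"
               f"*/20 * * * * root {bad}\n@daily root {good}\n")
    return audit_cron_jobs(crontab)

if __name__ == "__main__":
    for user, path, reasons in demo():
        print(f"[{user}] {path}: " + "; ".join(reasons))
```

The same check applied to /etc/crontab and the files under /etc/cron.d is a quick way for a sysadmin to catch this before someone else does.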

Get inventive

The above links merely show you where to get the information you need. Sometimes you might find admin creds in a file, or see creds in .bash_history (but not always). Even if you find a file that you can edit, can you do anything with it?

The first thing I type when I get into a Linux system is:

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

What that does is search from the root of the filesystem ‘/’ for all files where the SUID bit is set. Those files run with the privileges of their owner rather than the user who launched them, so when root owns them they run as root. I won’t be able to edit them most of the time; however, sometimes they can lead to other files that you can edit.

For instance, if it’s an executable file on Linux, you can run ‘strings’ on it to see whether it reads, writes or calls any other files on the system.


A neat trick I learned lately was finding root user creds for MySQL on the system in a file I ran strings on. I logged in locally to MySQL as root and executed a bash command from MySQL that ran a simple file to give back a shell. Because I was the root user it gave me a root shell. Amazing trick learned on the Pentest Ltd Securi-tay 2017 CTF.


Like I said, I’m no expert, but one thing I know is to pay close attention to the files that human users create. Focus in on that and you’ll likely find something to play with. Even for sysadmins, file and folder permissions can be a nightmare and extremely dangerous if they are not set correctly.

It’s worth going over the above links in detail and having a play around with testing things on your own too. It’s not difficult to set something up to be vulnerable to attack. Privilege escalation isn’t an exact science, and if you’re looking to write down step-by-step guides on how it’s done you’re going to be chasing unicorns.

Learn how to look out for files that look out of place. Learn permissions like the back of your hand and use the find command in Linux to quickly sift through the files you need. In Windows, you can use a meterpreter shell to get the same view of permissions you’re used to in Linux if Accesschk.exe isn’t an option; however, Accesschk.exe will always give you a ton of information.