Linux Privilege Escalation Methodology: A Repeatable Checklist
Cybersecurity
A field-tested order of operations for going from a low-privilege Linux shell to root, covering enumeration scripts, quick wins, and the boring kernel checks most operators skip.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 2, 2025 · 10 min read
Why a checklist beats vibes
Every operator has a favorite trick: sudo -l on a forgotten jump box, a writable cron, a kernel from 2017. The problem is consistency. Without a written order of operations you will skip the boring checks on the engagement where they actually matter.
Phase one, situational awareness
- id, groups, sudo -l -n to map current privileges without prompting for a password
- uname -a, cat /etc/os-release, lsb_release -a to fingerprint the kernel and distro
- hostnamectl and cat /proc/version for build tags that hint at kernel patches
- cat /etc/passwd and /etc/group, looking for unusual UIDs and admin groups
- ss -tulpen and ps -ef --forest for listening services and parent processes
Phase two, run the enumerators
LinPEAS is the default, but stack it with linux-smart-enumeration for a second view and LinEnum for legacy boxes. Drop the binaries via a writable tmpfs, run with -a for the verbose dump, and tee output to a file you can grep later.
- linpeas.sh -a, look for red and yellow flags first
- lse.sh -l2 for medium verbosity that surfaces sudo and SUID quickly
- pspy64 in a screen session to watch cron and systemd timers fire
- traitor for an automated exploit attempt once enumeration is done
Phase three, quick wins
- sudo -l output cross-referenced with GTFOBins for instant root
- SUID binary list compared against the GTFOBins SUID page
- Linux capabilities via getcap -r / 2>/dev/null, especially cap_setuid
- Writable files in /etc, /opt, and any application install directory
- Cron jobs from /etc/crontab, /etc/cron.d, and per-user crontabs
Phase four, kernel and exploits
Only after the cheap checks fail do you reach for kernel exploits. linux-exploit-suggester-2 maps your uname to candidate CVEs. Verify the kernel is actually vulnerable, not just within the version range, by checking the distro patch level with dpkg -l linux-image or rpm -qa kernel.
- CVE-2022-0847 Dirty Pipe for kernels 5.8 through 5.16.11 on writable file overlays
- CVE-2021-3493 OverlayFS on unpatched Ubuntu 20.04 and 21.04
- CVE-2023-32233 nf_tables use after free on kernels 5.x through 6.3.x
- CVE-2021-4034 PwnKit, almost universal on older Polkit installs
Phase five, persistence and cleanup
Once you have root, capture the proof (file hashes, screenshots, and command output), then either persist for the next phase of the engagement or clean up. Persistence belongs in a separate checklist; do not improvise it during the privesc phase.
Detection notes for blue teams
- auditd rules on execve of /usr/bin/sudo with parent shells that are not interactive
- Falco rules for new SUID binaries appearing in /tmp or /dev/shm
- Sysmon for Linux process create events with command lines matching linpeas patterns
- File integrity monitoring on /etc/sudoers.d and /etc/cron.d
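As an added illustration of the first detection note (this is not code from the original post or from BIPI): a small Python parser over constructed auditd SYSCALL records that flags sudo executions with no controlling tty or an unset login uid, the two signals that an execve watch on /usr/bin/sudo makes visible. The rule key sudo_exec and the sample log lines are assumptions.

```python
import re
from typing import Dict, List

# Constructed auditd SYSCALL records for illustration (not captured from a real
# host). They assume a rule such as
#   -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_exec
# so that every execve of sudo is logged under the key sudo_exec.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1709337600.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=SYSCALL msg=audit(1709337601.202:302): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2340 auid=4294967295 uid=33 gid=33 euid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=SYSCALL msg=audit(1709337602.303:303): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2350 auid=1000 uid=1000 gid=1000 euid=0 tty=(none) ses=3 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=PROCTITLE msg=audit(1709337601.202:302): proctitle=7375646F002D6E002F62696E2F7368
"""

UNSET_AUID = "4294967295"  # auid=-1: no login session behind the process
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one auditd record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_non_interactive_sudo(log_text: str) -> List[Dict[str, object]]:
    """Return sudo execve records whose calling context is not an interactive login."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("exe") != "/usr/bin/sudo":
            continue  # only execve of sudo is of interest here
        reasons = []
        if rec.get("tty") == "(none)":
            reasons.append("no controlling tty")
        if rec.get("auid") == UNSET_AUID:
            reasons.append("unset login uid (service or cron context)")
        if reasons:
            hits.append({"pid": rec["pid"], "ppid": rec["ppid"], "uid": rec["uid"],
                         "event": rec["msg"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_non_interactive_sudo(SAMPLE_AUDIT_LOG):
        print(f"ALERT pid={hit['pid']} ppid={hit['ppid']} uid={hit['uid']} "
              f"{hit['event']} -> {'; '.join(hit['reasons'])}")
```

On a real host, feed it the output of ausearch -k sudo_exec -i 0 (raw records) and pair each hit with the matching PROCTITLE record to see what sudo was asked to run.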
Methodology is a force multiplier. The same operator with a written checklist roots boxes faster than a more skilled one working from memory.
What to write down
Every BIPI engagement notebook has the same five phases as headers, with checkboxes underneath. By the time the retest comes around the checklist is the deliverable, not an afterthought.