BIPI

Linux Privilege Escalation: A Pentester's Checklist

Cybersecurity

A field-tested walkthrough of Linux post-exploitation paths: sudo misconfig, SUID abuse, capabilities, cron, Docker group, NFS, and PATH hijacking. Plus the hardening that actually closes them.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 22, 2025 · 8 min read

#linux #privilege-escalation #pentest

Once a foothold lands on a Linux host, root is rarely a single exploit away. More often it is a series of misconfigurations that any decent enumeration script will surface in 30 seconds. This playbook is what we run on engagements as a low-privilege user trying to reach uid=0.

Methodology

Drop linPEAS or LinEnum into /tmp via a shell upload or curl, set executable, and pipe output to a file. Read it like a checklist. linux-exploit-suggester maps the running kernel against public exploits but treat kernel CVEs as last resort, not first.

  • sudo -l: any NOPASSWD entries, any binaries listed on GTFOBins (vim, less, awk, find, env, python, perl, ruby, tar, zip).
  • find / -perm -4000 -type f 2>/dev/null: SUID binaries. Cross-reference with GTFOBins for known escalation paths.
  • getcap -r / 2>/dev/null: Linux capabilities like cap_setuid+ep on python or perl give instant root.
  • id and groups: docker group means container escape to root. lxd group means image-mount escape. disk group reads /dev/sda directly.
  • cat /etc/crontab and ls -la /etc/cron.*: writable scripts running as root, or wildcard injection in tar/rsync arguments.
  • mount | grep nfs: NFS exports with no_root_squash plus a uid=0 file server-side equals root.
  • echo $PATH: a writable directory before /usr/bin lets you hijack a binary called by a SUID script.

Sudo and SUID, the 80 percent of findings

Most real engagements never need a kernel exploit. The two go-to wins: a sudo entry like (root) NOPASSWD: /usr/bin/find, which becomes sudo find . -exec /bin/sh \; -quit, or a custom SUID binary calling a relative path that you can poison via PATH. Always check whether sudoers uses env_reset and secure_path. If LD_PRELOAD is preserved with env_keep, ship a malicious shared object.

Cron, capabilities, and Docker

Cron jobs running as root that source a script in /opt or /tmp are silent gifts. Edit the script, wait one minute, get a shell. Capabilities like cap_dac_read_search let you read /etc/shadow without being root. Membership in the docker group is full root: docker run -v /:/mnt --rm -it alpine chroot /mnt sh. lxc/lxd is the same idea with a crafted Alpine image.

Detection

Write auditd rules for execve of unusual SUID binaries, especially when the caller is a non-interactive shell. EDR should alert on chained patterns: a low-privilege process spawning find or vim with -exec, or python with os.setuid. Watch for newly created files in /tmp with the SUID bit, and for /etc/sudoers.d edits outside change windows.

Remediation

  1. Audit /etc/sudoers and sudoers.d quarterly. Remove NOPASSWD on shell-capable binaries listed on GTFOBins. Force secure_path and env_reset.
  2. Inventory SUID binaries with a baseline. Diff weekly. Strip the SUID bit from anything not required (find / -perm -4000 diffed against a known-good list).
  3. Patch kernels on a 30-day cadence. Where impossible, apply kpatch or livepatch. Disable user namespaces if you do not need rootless containers.
  4. Restrict the docker group to admins only. Prefer rootless Docker or Podman for developer workstations.
  5. Set noexec,nosuid,nodev on /tmp, /var/tmp, /dev/shm via fstab.
  6. Deploy auditd with rules for execve of suid binaries, sudo invocations, and writes to cron directories. Forward to your SIEM.
  7. For NFS, replace no_root_squash with all_squash and an anon uid. Move sensitive shares to Kerberos-authenticated NFSv4.
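Remediation step 2 in working form, as an added example that is not part of the original post: a stable inventory of set-id binaries and a diff against a known-good baseline that exits non-zero when something new appears, so a weekly cron or CI job can page on it. The -printf format assumes GNU findutils, and the baseline file paths are assumptions.

```shell
#!/bin/sh
# Added example: SUID/SGID baseline and drift check (not the post's own tooling).
set -eu

# Enumerate SUID (4000) and SGID (2000) regular files as "path mode owner".
# Output is sorted by full line so it is diff- and comm-stable between runs.
# Pass a directory other than / to scope the scan; -xdev stays on one filesystem.
# Assumes GNU find for -printf.
suid_inventory() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%p %m %u\n' 2>/dev/null | sort
}

# Lines present in the current inventory but absent from the baseline.
# A changed mode or owner on a known binary also shows up, because the
# whole line is compared. Both files must be sorted (suid_inventory does that).
new_setid_binaries() {
    baseline="$1"; current="$2"
    comm -13 "$baseline" "$current"
}

# Returns 0 when the host matches its baseline, 1 when new set-id files exist.
check_setid_drift() {
    baseline="$1"; current="$2"
    drift="$(new_setid_binaries "$baseline" "$current")"
    if [ -n "$drift" ]; then
        printf 'NEW SET-ID BINARIES:\n%s\n' "$drift"
        return 1
    fi
    return 0
}

# Usage (paths are assumptions): record a baseline once on a clean host, then
# compare on a schedule. Review and either strip the bit or update the baseline.
#   suid_inventory / > /var/lib/setid-baseline.txt
#   suid_inventory / > /tmp/setid-now.txt
#   check_setid_drift /var/lib/setid-baseline.txt /tmp/setid-now.txt
```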
