Ethical Hacking Privilege Escalation

Gaining initial access to a system is rarely enough. Most intrusions begin with a low-privilege foothold — perhaps access to a regular user account or a restricted web shell. Privilege escalation is the process of moving from that limited access to a higher level of control, ultimately reaching administrator or root access. With full privileges, an attacker can read any file, create new accounts, install software, and persist on the system indefinitely.

Understanding privilege escalation is critical for ethical hackers because it demonstrates the true impact of an initial compromise. A low-privilege vulnerability becomes catastrophic when it can be chained with a privilege escalation technique to achieve full system control.

Two Types of Privilege Escalation

Vertical Privilege Escalation

Vertical escalation moves from a lower privilege level to a higher one. A standard user becomes an administrator. A web application user gains database administrator rights. This is the most common goal: acquiring root or SYSTEM privileges.

Horizontal Privilege Escalation

Horizontal escalation stays at the same privilege level but moves to a different account. Accessing another user's data by exploiting an IDOR vulnerability (Topic 9) is horizontal escalation. The attacker does not gain more permissions — they access resources belonging to a different user at the same privilege tier.

Privilege Escalation on Windows

Understanding Windows Privilege Levels

Windows has several key privilege contexts:

  • Standard User — Normal account with restricted access
  • Administrator — Elevated local admin rights
  • SYSTEM — The highest privilege level on a local machine; even above Administrator in many contexts
  • Domain Admin — Administrator over the entire Active Directory domain — controls all machines on the network

Unquoted Service Paths

Windows services run programs when the system starts. If a service's executable path contains spaces and is not enclosed in quotes, Windows cannot tell where the program name ends and any arguments begin, so it tries each space-delimited prefix of the path, in order, as a candidate executable. An attacker with write access to a directory earlier in the path can plant a malicious executable that Windows runs as SYSTEM when the service starts.

Example: A service path configured as C:\Program Files\Vulnerable App\service.exe without quotes causes Windows to look for C:\Program.exe first. If the attacker places a malicious Program.exe in C:\, it runs as SYSTEM when the service starts.
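As an added example (not code from the original page), the search order described above can be reproduced offline in Python to audit a service's ImagePath. The writable_dirs argument is a constructed stand-in for a real ACL check, and the sample services are made up.

```python
import re
import ntpath  # Windows path semantics even when run on Linux

def unquoted_path_candidates(image_path):
    """Return, in order, the wrong executables Windows would try for an
    unquoted ImagePath with spaces. An empty list means this check passes
    (the path is quoted, or the executable portion has no spaces)."""
    s = image_path.strip()
    if s.startswith('"'):
        return []                       # quoted: parsed unambiguously
    # Only the executable portion matters; service arguments after the
    # binary are not part of the search.
    m = re.match(r"(?i)(.*?\.exe)", s)
    exe = m.group(1) if m else s
    if " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])    # C:\Program, then C:\Program Files\Vulnerable
        if ntpath.sep in prefix:
            candidates.append(prefix + ".exe")
    return candidates

def audit_service(name, image_path, writable_dirs):
    """Pair each candidate with the directory a user would need write access
    to, keeping only directories the caller reports as writable.
    writable_dirs is a constructed stand-in for a real ACL check (e.g. icacls)."""
    findings = []
    for cand in unquoted_path_candidates(image_path):
        directory = ntpath.dirname(cand)
        if directory in writable_dirs:
            findings.append((name, cand, directory))
    return findings

# Constructed sample services, not taken from a real host.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\Vulnerable App\service.exe",
    "SafeSvc": r'"C:\Program Files\Safe App\service.exe"',
    "Svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, path in SAMPLE_SERVICES.items():
        print(svc, unquoted_path_candidates(path))
```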

Weak Service Permissions

If a standard user has the ability to modify a service's executable or change the service's configuration, they can replace the legitimate program with a malicious one. The next time the service starts — on reboot or when triggered — it runs the attacker's code with the service's privileges.

DLL Hijacking

Windows applications load Dynamic Link Libraries (DLLs) from a search path. If an attacker can place a malicious DLL in a directory that is searched before the legitimate DLL's location, their DLL loads instead. When a privileged application loads that DLL, the attacker's code runs with the application's privileges.

Token Impersonation

Windows uses access tokens to represent a user's privileges. Certain service accounts and processes hold highly privileged tokens. An attacker with the SeImpersonatePrivilege permission — commonly held by service accounts running web servers or databases — can use tools like Juicy Potato, Rogue Potato, or PrintSpoofer to impersonate the SYSTEM token and escalate to full system control.

AlwaysInstallElevated

If the AlwaysInstallElevated policy setting is enabled in both the computer and the user configuration, any user can run Windows Installer packages (.msi files) with elevated SYSTEM privileges. An attacker creates a malicious .msi file that adds their account to the administrators group and runs it to escalate.

Privilege Escalation on Linux

Understanding Linux Privilege Levels

Linux uses a simple but powerful privilege model:

  • Every process runs as a user with a UID (User ID).
  • UID 0 is root — the superuser with unrestricted access to everything.
  • Regular users have UIDs above 0 and are restricted to their own files and designated permissions.

SUID Binaries

SUID (Set User ID) is a special file permission. When a binary has the SUID bit set, it runs with the privileges of the file's owner — not the user who executes it. Files owned by root with SUID set run as root regardless of who runs them.

Many legitimate programs use SUID correctly — the passwd command needs root privileges to update /etc/shadow. But misconfigured SUID binaries create escalation opportunities. If a non-essential binary like a text editor, a scripting interpreter, or a file copy utility has the SUID bit set, an attacker runs it to spawn a root shell.

find / -perm -4000 -type f 2>/dev/null

This command finds all SUID binaries on the system. Checking the output against GTFOBins (gtfobins.github.io) — a curated list of Unix binaries with known privilege escalation techniques — quickly identifies exploitable entries.

Sudo Misconfigurations

The sudo command lets standard users run specific commands as root. The sudo configuration file (/etc/sudoers) defines what each user may run. A misconfigured sudoers entry can allow privilege escalation.

If a user can run a text editor as root: sudo vim /etc/hosts — they can open a shell from inside vim: :!/bin/bash. That shell inherits root's privileges. GTFOBins documents this technique for dozens of common programs.
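Added example, not part of the original page: Python helpers that review the output of the find command from the SUID section and a sudoers file for the kinds of GTFOBins-style entries discussed in both the SUID and sudo sections. The baseline, the shell-capable list and the sample inputs are constructed.

```python
import re

# Programs that hand the caller a shell or arbitrary file access when run
# with elevated rights. Constructed subset; GTFOBins is the full reference.
SHELL_CAPABLE = {"bash", "sh", "vim", "vi", "nano", "less", "more", "find",
                 "python", "python3", "perl", "awk", "env", "cp", "tar"}

# SUID binaries expected on a typical host. Constructed baseline; a real
# audit would derive it from the package manager or a golden image.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp"}

def audit_suid(find_output, expected=EXPECTED_SUID):
    """Take the text output of `find / -perm -4000 -type f` and return
    (path, can_spawn_shell) for every SUID binary not in the baseline."""
    findings = []
    for path in find_output.splitlines():
        path = path.strip()
        if path and path not in expected:
            findings.append((path, path.rsplit("/", 1)[-1] in SHELL_CAPABLE))
    return findings

# sudoers rule shape: user host = (runas) [TAG:] command[, command...]
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\([^)]*\)\s*)?(?P<spec>.+)$")
TAGS = re.compile(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):")

def audit_sudoers(sudoers_text):
    """Return (who, command, nopasswd) for rules granting ALL or a
    shell-capable program to a non-root principal."""
    risky = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or m.group("who") == "root":
            continue
        spec = m.group("spec")
        nopasswd = "NOPASSWD:" in spec
        for cmd in TAGS.sub("", spec).split(","):
            cmd = cmd.strip()
            name = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" or name in SHELL_CAPABLE:
                risky.append((m.group("who"), cmd, nopasswd))
    return risky

# Constructed sample input, not from a real system.
SAMPLE_FIND = "/usr/bin/passwd\n/usr/bin/sudo\n/usr/bin/python3\n/opt/backup/tool\n"
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/vim /etc/hosts, /usr/bin/systemctl restart nginx
%devs ALL=(ALL) ALL
alice ALL=(root) /usr/bin/apt update
"""
```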

Cron Jobs Running as Root

Cron jobs are scheduled tasks that run automatically at defined intervals. If a cron job running as root executes a script that a standard user can modify, the attacker edits the script to include a command that grants root access — a reverse shell, adding a new root user, or setting the SUID bit on /bin/bash.
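Added example, not from the original page: a Python check for root cron jobs whose script a non-root user could modify. The file metadata is a constructed stand-in for os.stat results so the code runs offline, and the crontab content is made up.

```python
import stat
from typing import NamedTuple

class FileInfo(NamedTuple):
    mode: int   # permission bits as in st_mode
    uid: int
    gid: int

# Constructed stand-in for os.stat() results so the example runs offline.
SAMPLE_FS = {
    "/opt/backup/backup.sh":    FileInfo(0o777, 0, 0),       # root-owned, world-writable
    "/usr/local/bin/rotate.sh": FileInfo(0o755, 0, 0),       # only root can write
    "/etc/cron.d/cleanup.sh":   FileInfo(0o775, 0, 27),      # group 27 can write
    "/home/dev/deploy.sh":      FileInfo(0o750, 1000, 1000), # owned by uid 1000
}

# Constructed /etc/crontab (system format: time fields, user, command).
SAMPLE_CRONTAB = """PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root /opt/backup/backup.sh --quiet
0 3 * * * root /usr/local/bin/rotate.sh
@daily root /etc/cron.d/cleanup.sh
30 1 * * * dev /home/dev/deploy.sh
"""

def writable_by(info, uid, gids):
    """Can a process with this uid and group set modify the file? Root is
    deliberately not special-cased: the question is what a non-root user can change."""
    if info.uid == uid and info.mode & stat.S_IWUSR:
        return True
    if info.gid in gids and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)

def audit_system_crontab(crontab_text, fs, uid, gids):
    """Return (line, script) for root jobs whose script (first token of the
    command) a user with uid/gids could modify. Interpreter wrappers such as
    `sh -c script` are not followed here."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value
        n = 2 if line[0] == "@" else 6    # @daily form has one time field
        fields = line.split(None, n)
        if len(fields) < n + 1 or fields[n - 1] != "root":
            continue
        script = fields[n].split()[0]
        info = fs.get(script)
        if info is not None and writable_by(info, uid, gids):
            findings.append((line, script))
    return findings
```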

Kernel Exploits

Operating system kernels contain vulnerabilities like any other software. A local privilege escalation kernel exploit allows a standard user to exploit a flaw in the kernel to gain root access. Famous examples include DirtyCow (CVE-2016-5195), which affected Linux kernels from 2007 to 2016.

Kernel exploits should be used carefully in penetration tests — they can crash the system. They represent the last resort when other escalation paths are not available.

Automated Privilege Escalation Enumeration

Manual enumeration for privilege escalation opportunities is time-consuming. Automated scripts scan the system and report potential escalation vectors quickly.

Tool                          | OS                   | What It Finds
------------------------------|----------------------|--------------------------------------------------------------------------
LinPEAS                       | Linux                | SUID binaries, sudo rules, cron jobs, writable paths, kernel version
WinPEAS                       | Windows              | Unquoted paths, weak service permissions, token privileges, registry keys
PowerUp                       | Windows (PowerShell) | Service misconfigurations, AlwaysInstallElevated, DLL hijacking paths
Linux Smart Enumeration (lse) | Linux                | Comprehensive system enumeration with color-coded severity output

Privilege Escalation Diagram: The Staircase Model

Think of a corporate office building with different access floors:

  • Ground floor (no access) — The attacker has no credentials yet.
  • Floor 1 (initial foothold) — A low-privilege web server account obtained via exploitation.
  • Floor 2 (user account) — Lateral movement to a standard employee account with credential access.
  • Floor 3 (local admin) — SUID exploitation or service misconfiguration grants local administrator rights.
  • Penthouse (Domain Admin / root) — Full control over the system and potentially the entire network.

Each floor has different locks. Privilege escalation techniques are the keys to each lock.

Key Points

  • Vertical escalation moves from low to high privilege; horizontal escalation accesses other accounts at the same level.
  • Windows escalation paths include unquoted service paths, weak service permissions, DLL hijacking, and token impersonation.
  • Linux escalation paths include SUID misconfigurations, sudo misconfiguration, writable cron jobs, and kernel exploits.
  • LinPEAS and WinPEAS automate the discovery of escalation opportunities on Linux and Windows respectively.
  • Kernel exploits provide a last-resort path to root or SYSTEM but risk system instability.
