Skip to content

You have a low-priv shell on a Linux box. How do you escalate?

Short answer

Enumerate systematically: check sudo -l, SUID/SGID binaries, cron jobs, the kernel and OS version, writable files in privileged paths, capabilities, and stored credentials. Tools like LinPEAS automate the sweep, but you still verify each finding against GTFOBins or a known technique.

Getting a shell is half the job; the OSCP wants root. Linux privesc is overwhelmingly about finding a misconfiguration, not a memory bug, so the work is structured enumeration.

What to enumerate

Walk the high-value checks in order:

  • sudo -l — any command you can run as root, even one, is often a direct win via GTFOBins.
  • SUID/SGID binariesfind / -perm -4000 2>/dev/null. A SUID binary that can spawn a shell or read arbitrary files (per GTFOBins) escalates instantly.
  • Cron jobs — root-owned cron scripts you can write to, or that call a writable/relative-path binary, let you inject commands that run as root.
  • Kernel and OS version — note them for a possible exploit, but treat that as a last resort.
  • Capabilities, writable paths, PATH abuse, and credentialsgetcap, world-writable scripts in privileged locations, and passwords sitting in config files, history, or backups.

Automate, then verify

LinPEAS (or linux-smart-enumeration) runs all of these and colour-codes likely wins, which saves enormous time. But the tool only points; you still confirm each finding — look the SUID binary up on GTFOBins, read the cron script, test the sudo entry.

Why kernel exploits come last

Kernel exploits can panic the box, are version-fragile, and on the exam crashing the target costs you. A clean misconfiguration (sudo, SUID, cron) is faster, more reliable, and shows better tradecraft.

What interviewers look for

A named checklist — sudo, SUID, cron, capabilities, writable files — plus knowing LinPEAS automates it and GTFOBins turns a binary into a shell. Reaching for a kernel exploit first is the answer that flags inexperience.

Likely follow-ups

  • How does GTFOBins help once you find an interesting SUID binary?
  • Why is a kernel exploit usually your last resort, not your first?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.