You have a low-priv shell on a Linux box. How do you escalate?
Short answer
Enumerate systematically: check sudo -l, SUID/SGID binaries, cron jobs, the kernel and OS version, writable files in privileged paths, capabilities, and stored credentials. Tools like LinPEAS automate the sweep, but you still verify each finding against GTFOBins or a known technique.
Getting a shell is half the job; the OSCP wants root. Linux privesc is overwhelmingly about finding a misconfiguration, not a memory bug, so the work is structured enumeration.
What to enumerate
Walk the high-value checks in order:
sudo -l— any command you can run as root, even one, is often a direct win via GTFOBins.- SUID/SGID binaries —
find / -perm -4000 2>/dev/null. A SUID binary that can spawn a shell or read arbitrary files (per GTFOBins) escalates instantly. - Cron jobs — root-owned cron scripts you can write to, or that call a writable/relative-path binary, let you inject commands that run as root.
- Kernel and OS version — note them for a possible exploit, but treat that as a last resort.
- Capabilities, writable paths, PATH abuse, and credentials —
getcap, world-writable scripts in privileged locations, and passwords sitting in config files, history, or backups.
Automate, then verify
LinPEAS (or linux-smart-enumeration) runs all of these and colour-codes likely wins, which saves enormous time. But the tool only points; you still confirm each finding — look the SUID binary up on GTFOBins, read the cron script, test the sudo entry.
Why kernel exploits come last
Kernel exploits can panic the box, are version-fragile, and on the exam crashing the target costs you. A clean misconfiguration (sudo, SUID, cron) is faster, more reliable, and shows better tradecraft.
What interviewers look for
A named checklist — sudo, SUID, cron, capabilities, writable files — plus knowing LinPEAS automates it and GTFOBins turns a binary into a shell. Reaching for a kernel exploit first is the answer that flags inexperience.
Likely follow-ups
- How does GTFOBins help once you find an interesting SUID binary?
- Why is a kernel exploit usually your last resort, not your first?