Skip to content

You have a low-privileged shell on a Linux box. Walk me through how you'd escalate to root.

Short answer

Enumerate first: current privileges, sudo rights, SUID/SGID binaries, cron jobs, writable files in PATH, kernel version, and stored credentials. Then exploit the easiest reliable path — often a misconfigured sudo rule or a SUID GTFOBin — before reaching for a kernel exploit.

Privilege escalation is about turning a foothold into control. On Linux, the winning strategy is disciplined enumeration first, exploitation second — most boxes fall to a misconfiguration, not a 0-day.

Enumerate the environment

Start by understanding who you are and what's around you:

  • Identity and sudo: id, sudo -l. A single misconfigured sudo rule (especially NOPASSWD) is often the whole answer.
  • SUID/SGID binaries: find / -perm -4000 -type f 2>/dev/null. A SUID binary that can spawn a shell or read arbitrary files is a direct route — GTFOBins catalogs exactly how to abuse common ones like find, vim, nmap, or cp.
  • Scheduled tasks: cron jobs (/etc/crontab, cron dirs) that run as root and reference a script you can write to.
  • Writable paths: files in root's PATH, world-writable scripts, weak file permissions on sensitive files.
  • Credentials: config files, history files, .ssh keys, database passwords reused for root.
  • Kernel and OS version: uname -a — relevant if nothing else pans out.

Tools like LinPEAS or linux-smart-enumeration automate this sweep, but you should understand each check by hand.

Exploit the most reliable path

Once you have candidates, pick the most reliable, lowest-risk one. A sudo rule like (ALL) NOPASSWD: /usr/bin/tar lets you abuse tar's --checkpoint-action to run commands as root — clean and repeatable. A writable cron script gives root on the next tick.

Why kernel exploits are a last resort

Kernel exploits (Dirty COW, Dirty Pipe, etc.) can panic the box, are version-specific, and are noisy. In a real engagement, crashing a production server is a serious incident. So you reach for them only when misconfigurations don't pan out.

What interviewers look for

A methodology, not a memorized exploit. They want to hear "enumerate, then take the safest reliable win," with concrete examples (sudo -l, SUID + GTFOBins) and an awareness that kernel exploits carry real stability risk.

Likely follow-ups

  • Why do you prefer a sudo or SUID misconfiguration over a kernel exploit?
  • How would GTFOBins help once you find a SUID binary like find or vim?
  • What does an entry like '(ALL) NOPASSWD: /usr/bin/tar' let you do?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.