You have a low-privileged shell on a Linux box. Walk me through how you'd escalate to root.
Short answer
Enumerate first: current privileges, sudo rights, SUID/SGID binaries, cron jobs, writable files in PATH, kernel version, and stored credentials. Then exploit the easiest reliable path — often a misconfigured sudo rule or a SUID GTFOBin — before reaching for a kernel exploit.
Privilege escalation is about turning a foothold into control. On Linux, the winning strategy is disciplined enumeration first, exploitation second — most boxes fall to a misconfiguration, not a 0-day.
Enumerate the environment
Start by understanding who you are and what's around you:
- Identity and sudo:
id,sudo -l. A single misconfigured sudo rule (especiallyNOPASSWD) is often the whole answer. - SUID/SGID binaries:
find / -perm -4000 -type f 2>/dev/null. A SUID binary that can spawn a shell or read arbitrary files is a direct route — GTFOBins catalogs exactly how to abuse common ones likefind,vim,nmap, orcp. - Scheduled tasks: cron jobs (
/etc/crontab, cron dirs) that run as root and reference a script you can write to. - Writable paths: files in root's PATH, world-writable scripts, weak file permissions on sensitive files.
- Credentials: config files, history files,
.sshkeys, database passwords reused for root. - Kernel and OS version:
uname -a— relevant if nothing else pans out.
Tools like LinPEAS or linux-smart-enumeration automate this sweep, but you should understand each check by hand.
Exploit the most reliable path
Once you have candidates, pick the most reliable, lowest-risk one. A sudo rule like (ALL) NOPASSWD: /usr/bin/tar lets you abuse tar's --checkpoint-action to run commands as root — clean and repeatable. A writable cron script gives root on the next tick.
Why kernel exploits are a last resort
Kernel exploits (Dirty COW, Dirty Pipe, etc.) can panic the box, are version-specific, and are noisy. In a real engagement, crashing a production server is a serious incident. So you reach for them only when misconfigurations don't pan out.
What interviewers look for
A methodology, not a memorized exploit. They want to hear "enumerate, then take the safest reliable win," with concrete examples (sudo -l, SUID + GTFOBins) and an awareness that kernel exploits carry real stability risk.
Likely follow-ups
- Why do you prefer a sudo or SUID misconfiguration over a kernel exploit?
- How would GTFOBins help once you find a SUID binary like find or vim?
- What does an entry like '(ALL) NOPASSWD: /usr/bin/tar' let you do?