Security · Topic 16 of 23 · Part III — Pentesting in depth

Privilege escalation (Linux & Windows)

Privilege escalation turns initial access into meaningful impact — from a low-privileged foothold, the question is whether an attacker can reach root, administrator, or domain admin.

Syllabus: Aligned to PTES §6 (Post-Exploitation), specifically the privilege-escalation portion.

From foothold to full control — recognizing the patterns

By the end of this topic you can:
  • Define privilege escalation and distinguish vertical from horizontal escalation.
  • Enumerate a foothold systematically to identify candidate escalation paths.
  • Recognize the common pattern classes — misconfigurations, weak ACLs, leaked credentials, dangerous capabilities, vulnerable software — and the techniques each enables.
  • Apply the same pattern-recognition approach across Linux and Windows.
  • Report privilege-escalation findings with root-cause framing, not just technique titles.

What privilege escalation is

Vertical escalation

Moving from a lower to a higher privilege level on the same system.

  • User → root (Linux)
  • User → Administrator / SYSTEM (Windows)
  • Ordinary user → domain admin (AD)
  • Application user → underlying service account

Horizontal escalation

Moving from one user to another at the same privilege level.

  • User A → User B (same tier)
  • Often a stepping stone toward someone with more rights
  • A pivot to an IT helpdesk admin account can exceed the value of vertical escalation on a sandboxed system

Modern context: Privilege is multidimensional. An attacker may be root on a host but have no Active Directory rights, or have cloud-IAM permissions but no shell. Escalation can move along any of these axes.

The post-foothold enumeration discipline

The first move after gaining any foothold is not to try an exploit — it is to enumerate the local environment.

  • Identity: current user, groups, capabilities, tokens, sudo rights, cloud role
  • Host: OS version, kernel / patch state, hostname, environment role
  • Execution: processes, services, scheduled tasks, listeners
  • Installed software: package versions, third-party apps, scripts
  • Filesystem: configs, secrets in env vars, world-readable files
  • Network: other hosts, internal services, cloud metadata endpoints
  • Credentials & tokens: env vars, config files, browser stores, agent forwarding, process memory

Pattern: Enumerate exhaustively → triage to a small set of high-probability paths → attempt the least disruptive first.

Tools vs. manual: Automated helpers (LinPEAS, WinPEAS) give speed. A careful manual pass catches what they miss. Use both.

Cross-platform escalation patterns

The same pattern classes appear on Linux and Windows. Learn the class; the specific technique follows.

  #   Pattern class                         Core idea
  1   Misconfigured privileged operation    A configured grant broader than the configurer realized
  2   Weak ACLs on privileged objects       Mutable state that influences privileged execution
  3   Leaked credentials / tokens           Secrets in places low-privilege contexts can read
  4   Dangerous capabilities / memberships  The identity already holds a key — recognize it
  5   Vulnerable privileged software        A privileged process has a bug; exploit the bug
  6   Trust / identity relationship abuse   Identity infrastructure can be walked from low to high
  7   Container / virtualization escape     The guest-to-host boundary is weaker than expected

Patterns 1 & 2 — Misconfiguration and weak ACLs

1 Misconfigured privileged operation

A configured grant that is broader than the configurer realized.

  • Linux: sudo rule allowing a command that GTFOBins lists as able to spawn a shell: vim, find, awk, tar, less, man, tee, …
  • Windows: SeImpersonatePrivilege on a service account enables "potato" attacks (PrintSpoofer, RoguePotato) → SYSTEM

2 Weak ACLs on privileged objects

A binary, service, task, config, or registry key runs with privilege but is writable by an unprivileged user.

  • Linux: SUID binary calls a helper via PATH lookup; privileged cron job executes a user-writable script
  • Windows: Unquoted service path — C:\Program Files\Foo Bar\service.exe without quotes causes Windows to try C:\Program.exe first
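The unquoted-service-path case is mechanical enough to audit automatically. The block below is an added example (not course material and not WinPEAS or PowerUp code): it models the lookup CreateProcess performs on an unquoted image path containing spaces, flags services whose intermediate candidates land in a directory low-privilege users can write to, and produces the corrected (quoted) value. The service names, paths and the writable-directory set are constructed; the `sc qc` line shape is the only real-world format it assumes.

```python
"""Audit Windows service image paths for the unquoted-path weakness (Pattern 2).

Added example, not part of the course. Service data and the user-writable
directory set are constructed; in practice they come from `sc qc` and icacls.
"""
import re

# Constructed excerpt in the shape of `sc qc <service>` output.
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: FooUpdater
        BINARY_PATH_NAME   : C:\Program Files\Foo Bar\service.exe -k netsvcs
SERVICE_NAME: Spooler
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
SERVICE_NAME: VendorAgent
        BINARY_PATH_NAME   : "C:\Program Files\Vendor Agent\agent.exe" --service
SERVICE_NAME: LegacyTool
        BINARY_PATH_NAME   : C:\Tools\Legacy Tool\bin\tool.exe
"""
# Constructed: directories an authenticated user can create files in.
# C:\ and C:\Program Files are normally not writable, so only C:\Tools is listed.
SAMPLE_USER_WRITABLE_DIRS = {r"C:\Tools"}


def parse_sc_output(text: str) -> dict[str, str]:
    """Map service name -> BINARY_PATH_NAME from sc qc style output."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif "BINARY_PATH_NAME" in line and current:
            # split at the first colon only: the value itself contains "C:"
            services[current] = line.split(":", 1)[1].strip()
    return services


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Executables Windows tries, in order, before the intended one.

    CreateProcess on an unquoted command line treats each space as a
    possible end of the program name and appends .exe to that prefix.
    """
    if image_path.startswith('"') or " " not in image_path:
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; remaining tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


def quote_image_path(image_path: str) -> str:
    """Remediation value: quote the executable portion, keep any arguments."""
    if image_path.startswith('"'):
        return image_path
    m = re.match(r"(.+?\.exe)(\s.*)?$", image_path, re.IGNORECASE)
    if not m:
        return image_path
    return f'"{m.group(1)}"{m.group(2) or ""}'


def audit_services(sc_output: str, user_writable_dirs: set[str]) -> list[dict]:
    """Flag services where a lookup candidate sits in a user-writable directory."""
    findings = []
    for name, path in parse_sc_output(sc_output).items():
        for candidate in unquoted_path_candidates(path):
            parent = candidate.rsplit("\\", 1)[0]
            if parent in user_writable_dirs:
                findings.append({
                    "service": name,
                    "candidate": candidate,
                    "title": (f"Service {name} runs from an unquoted path; {parent} is "
                              f"writable by unprivileged users, permitting code "
                              f"execution as the service account"),
                    "fix": quote_image_path(path),
                })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SC_OUTPUT, SAMPLE_USER_WRITABLE_DIRS):
        print(f["title"])
        print("  candidate :", f["candidate"])
        print("  fix       :", f["fix"])
```

Note that FooUpdater is unquoted but not flagged: its candidates resolve under C:\ and C:\Program Files, which are not in the writable set. Whether an unquoted path is a finding depends on the ACLs along it, which is why the audit takes the writable-directory set as input rather than assuming.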

Patterns 3 & 4 — Leaked credentials and dangerous capabilities

3 Leaked credentials / tokens

The privileged credential is accessible to a less-privileged context.

  • Linux: .env files, history files, ~/.aws/credentials, SSH keys with weak permissions, config files with database credentials
  • Windows: Unattend.xml, sysprep.xml, Winlogon autologon registry keys, Group Policy Preferences (cpassword), LSASS memory

4 Dangerous capabilities / memberships

The attacker's identity already holds a key — the task is recognizing it.

  • Linux: docker group (mount host FS → root); CAP_SYS_ADMIN on a binary
  • Windows: Backup Operators, Print Operators, DnsAdmins; SeBackupPrivilege (read any file including SAM)

Key insight: The docker group is functionally equivalent to root membership. Treating it as a normal group is the misconfiguration.

Patterns 5, 6 & 7 — Vulnerabilities, trust abuse, container escape

5 Vulnerable software

  • Linux: kernel CVEs (Dirty Pipe, Dirty COW); PwnKit / CVE-2021-4034 (pkexec)
  • Windows: kernel LPE chains; PrintNightmare lineage; LSASS / service-specific bugs

Kernel exploits can panic systems — use only when explicitly authorized.

6 Trust / identity abuse

  • Linux: SSH agent forwarding; Kerberos ticket cache files in /tmp
  • AD: Kerberoasting, AS-REP roasting, ACL abuse, unconstrained delegation, AD CS (ESC1–ESC15), NTLM relay, DCSync

7 Container escape

  • Docker: privileged mode, host mounts, dangerous capabilities, exposed Docker socket
  • Kubernetes pod escapes via mounts or capabilities
  • runc CVEs

Container-escape literacy is now first-tier for modern pentesting.

Linux specifics

Tooling

  • LinPEAS — comprehensive; colored output signals likelihood
  • LinEnum, linprivchecker — older, still useful alternatives
  • lse.sh / linux-smart-enumeration — lighter-touch option

Key manual checks

  • sudo -l reconciled with GTFOBins
  • SUID/SGID: find / -perm -4000 -type f 2>/dev/null
  • Capabilities: getcap -r / 2>/dev/null
  • Writable parents of binaries on PATH
  • Cron jobs — system and per-user; world-writable paths in cron execution
  • NFS exports — no_root_squash is a classic path

GTFOBins: gtfobins.github.io — catalogue of how each Unix utility can be abused. Operational reference; understanding the underlying pattern matters more than memorizing entries.

Kernel exploits: Often not the right answer in commercial pentests — they can panic the system. A misconfiguration finding carries the same report weight.
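The manual checks above produce raw output; the work is mapping each line to a pattern class and a root-cause title. The following is an added example (not course material and not LinPEAS code) that does that mapping over constructed samples of `sudo -l`, `id`, `getcap -r /` and /etc/crontab output. The shortlists of shell-escape utilities, root-equivalent groups and dangerous capabilities are assumptions that stand in for the full GTFOBins catalogue; a real audit would load the catalogue instead.

```python
"""Classify Linux enumeration output into the course's pattern classes.

Added example, not part of the course. Sample data is constructed and the
shortlists are assumptions approximating GTFOBins and the capability list.
"""
import re
from dataclasses import dataclass

# Assumption: subset of utilities GTFOBins documents as spawning a shell under sudo.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "find", "awk", "tar", "less", "man",
                         "tee", "python3", "perl"}
# The course names docker; lxd and disk are well-known equivalents (assumption).
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk"}
# File capabilities that acquire root or bypass discretionary access control.
DANGEROUS_CAPABILITIES = {"cap_sys_admin", "cap_setuid",
                          "cap_dac_override", "cap_dac_read_search"}


@dataclass(frozen=True)
class Finding:
    pattern: int    # pattern class number from the table above
    title: str      # root-cause title, not a technique name
    evidence: str   # the enumeration line that supports it


def audit_sudo(sudo_l: str) -> list[Finding]:
    """Pattern 1: a sudo rule whose target utility can break out to a shell."""
    findings = []
    for line in sudo_l.splitlines():
        m = re.match(r"\s*\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$", line)
        if not m:
            continue  # header lines such as "User dev may run ..."
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(1, f"Sudo configuration grants execution of "
                                f"{binary} as {m.group('runas')}, enabling shell breakout",
                                line.strip()))
    return findings


def audit_groups(id_output: str) -> list[Finding]:
    """Pattern 4: the identity already belongs to a root-equivalent group."""
    return [Finding(4, f"Membership of the {name} group is root-equivalent; "
                       f"an unprivileged user holds it", f"gid {gid} ({name})")
            for gid, name in re.findall(r"(\d+)\(([^)]+)\)", id_output)
            if name in ROOT_EQUIVALENT_GROUPS]


def audit_capabilities(getcap_output: str) -> list[Finding]:
    """Pattern 4: a file capability that bypasses or acquires root."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path = line.split()[0]
        held = set(re.findall(r"cap_[a-z_]+", line.lower()))  # both getcap formats
        for cap in sorted(held & DANGEROUS_CAPABILITIES):
            findings.append(Finding(4, f"{path} carries {cap}, which is root-equivalent "
                                       f"for any user able to execute it", line.strip()))
    return findings


def audit_cron(crontab: str, world_writable: set[str]) -> list[Finding]:
    """Pattern 2: a root cron job executes something unprivileged users can modify.

    Handles five-field /etc/crontab lines with a user column only (assumption).
    """
    findings = []
    for line in crontab.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#") or parts[5] != "root":
            continue
        for token in parts[6:]:
            parent = token.rsplit("/", 1)[0]
            if token.startswith("/") and (token in world_writable or parent in world_writable):
                findings.append(Finding(2, f"Privileged cron job executes {token}, "
                                           f"which unprivileged users can modify", line.strip()))
    return findings


# Constructed samples in the shape of the real commands' output.
SAMPLE_SUDO_L = ("User dev may run the following commands on web01:\n"
                 "    (root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl restart nginx\n")
SAMPLE_ID = "uid=1000(dev) gid=1000(dev) groups=1000(dev),999(docker)"
SAMPLE_GETCAP = ("/usr/bin/ping cap_net_raw=ep\n"
                 "/usr/local/bin/backup-helper cap_dac_read_search=ep\n")
SAMPLE_CRONTAB = ("# /etc/crontab (constructed)\n"
                  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n"
                  "17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly\n"
                  "*/5 * * * *  root  /opt/backup/backup.sh\n")
SAMPLE_WORLD_WRITABLE = {"/opt/backup"}  # constructed: as if find / -perm -2 -type d listed it


def audit_all() -> list[Finding]:
    return (audit_sudo(SAMPLE_SUDO_L) + audit_groups(SAMPLE_ID)
            + audit_capabilities(SAMPLE_GETCAP) + audit_cron(SAMPLE_CRONTAB, SAMPLE_WORLD_WRITABLE))


if __name__ == "__main__":
    for f in audit_all():
        print(f"[Pattern {f.pattern}] {f.title}\n    evidence: {f.evidence}")
```

The systemctl rule, the ping capability and the run-parts job all pass: the point of the classifier is that only the lines matching a pattern class become findings, each already titled by the cause the client can fix.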

Windows specifics

Tooling

  • WinPEAS — Windows counterpart to LinPEAS
  • PowerUp — PowerShell-based enumeration (PowerSploit)
  • Seatbelt — situational awareness collector (C#)
  • BloodHound + SharpHound — AD attack-path analysis

Key manual checks

  • whoami /priv, whoami /groups — token and privilege list
  • Service configs: unquoted paths, weak ACLs, modifiable binaries
  • Scheduled tasks running elevated; registry autorun entries
  • AlwaysInstallElevated registry setting
  • DLL hijacking — services loading DLLs from writable paths
  • Cached credentials: Credential Manager, DPAPI, browser stores, saved RDP credentials
  • Unattended install files left on disk; is LAPS deployed?

Active Directory escalation

AD is one of the most reliable escalation surfaces in real engagements — structural drift (ACL changes, legacy delegation, AD CS misconfigurations) accumulates faster than it is cleaned up.

  • Kerberoasting — request service tickets for SPN accounts; crack offline
  • AS-REP Roasting — request AS-REPs for pre-auth-disabled accounts; crack offline
  • ACL abuse — GenericWrite, GenericAll, WriteDACL, ForceChangePassword on higher-privileged objects
  • Unconstrained delegation — compromised host captures privileged Kerberos tickets
  • RBCD abuse — add a machine account to a target's msDS-AllowedToActOnBehalfOfOtherIdentity
  • AD CS (ESC1–ESC15) — certificate templates allowing privilege elevation (SpecterOps "Certified Pre-Owned")
  • DCSync / DCShadow — replicate domain credentials once sufficient rights exist

BloodHound: Encodes most AD attack paths as graph queries. "Shortest path from owned principals to Domain Admins." Modern AD pentesting is largely: run BloodHound, choose a path it surfaces, execute it.

Cloud escalation

In cloud-native environments, privilege escalation is largely an identity problem. The attack surface is IAM, not filesystem permissions.

Common paths

  • Over-permissive IAM roles — workload can do more than its function requires
  • Cross-service privilege chains — assume role A → assume role B → admin
  • IMDS abuse — read cloud credentials from a workload with metadata-service access
  • Service account key leakage — keys committed to repos or stored in configs

Tooling

  • Pacu — AWS post-exploitation framework
  • MicroBurst — Azure enumeration
  • GCPBucketBrute and similar for GCP

Mental model: Build the IAM graph; identify the escalation paths. The same discipline as BloodHound for AD — map the identity graph, walk the edges.
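The "map the identity graph, walk the edges" model from both the AD section (BloodHound's shortest-path query) and the cloud section above is a plain graph problem, and the defender's version of it adds one step: which edges, if removed, cut the path. The block below is an added example (not course material and not BloodHound or Pacu code) over a constructed identity graph. Principal and role names are hypothetical; the edge labels borrow real AWS action names and an AD right as illustration, with the meaning of each edge abstracted to "source can act as or reconfigure target".

```python
"""Walk an identity graph for escalation paths and the edges that cut them.

Added example, not part of the course. The graph below is constructed;
each edge (source, relationship, target) means source can act as or
reconfigure target. iam:PassRole is abstracted: in practice it escalates
only together with a right to launch a service that uses the passed role.
"""
from collections import deque

IAM_EDGES = [
    ("dev-user",       "sts:AssumeRole",       "ReadOnlyRole"),
    ("dev-user",       "sts:AssumeRole",       "DeployRole"),
    ("ci-runner",      "sts:AssumeRole",       "DeployRole"),
    ("DeployRole",     "iam:PassRole",         "LambdaExecRole"),
    ("LambdaExecRole", "iam:AttachRolePolicy", "AdminRole"),
    ("helpdesk-svc",   "GenericAll",           "DomainAdminsGroup"),  # AD-style edge
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the edge list of a shortest path, or None."""
    if start == goal:
        return []
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = (node, rel)
            if nxt == goal:
                path, cur = [], goal
                while parents[cur] is not None:
                    prev, prev_rel = parents[cur]
                    path.append((prev, prev_rel, cur))
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None


def paths_from_owned(graph, owned, goal):
    """BloodHound's question: shortest path from each owned principal to the goal."""
    return {p: shortest_path(graph, p, goal) for p in owned}


def single_edge_cuts(edges, start, goal):
    """Edges whose removal alone disconnects start from goal.

    These are the smallest remediation candidates: tighten that one trust
    policy or remove that one ACE and the whole path disappears.
    """
    if shortest_path(build_graph(edges), start, goal) is None:
        return []
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, goal) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    g = build_graph(IAM_EDGES)
    for owner, path in paths_from_owned(g, {"dev-user", "ci-runner"}, "AdminRole").items():
        print(owner, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in path) if path else "no path")
    for edge in single_edge_cuts(IAM_EDGES, "dev-user", "AdminRole"):
        print("cut candidate:", edge)
```

Both owned principals reach AdminRole through DeployRole, so the three edges on that chain are single-edge cuts; the unrelated helpdesk-svc edge and the dead-end ReadOnlyRole edge are not. On a real graph the cut set is usually far smaller than the path list, which is what makes the graph view useful for remediation and not only for attack planning.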

Reporting findings and professional discipline

Root cause > technique title

Weak finding title: "vsftpd 2.3.4 backdoor → wildcard tar → root"

Better finding title: "Privileged cron job executes wildcard expansion in writable directory, permitting arbitrary code execution as root"

Best: also name the control category that should have prevented it — this frames the remediation the client pays for.

Discipline during escalation

  • Avoid kernel exploits on production unless explicitly authorized and necessary
  • Do not escalate further than the report needs
  • Preserve evidence at every step — screenshot, command output, time-stamped
  • Be aware of EDR detection — LSASS reads, suspicious child processes, token manipulation are well-instrumented
  • Watch for system stability — kernel LPEs can destabilize hosts

Check — dangerous capability recognition

Scenario

A user is in the docker group on a Linux host. No SUID binaries are present. Is this a privilege-escalation finding? Why?

Answer

Yes. The docker group lets the user start containers and mount the host filesystem into a container, then read or write arbitrary files as root. This is Pattern 4 — dangerous capability already held. The docker group is functionally equivalent to root membership; treating it as a normal group is the misconfiguration. The absence of SUID binaries is irrelevant.

Check — writing an actionable finding title

Exercise

The previous version of this course named a finding "Privilege escalation using LinPEAS". Rewrite it as a finding title the client can act on without reading the body.

Example answer

Something like: "Privileged scheduled task executes script in user-writable directory, enabling local privilege escalation to root" — or, depending on the actual root cause: "Sudo configuration grants execution of find as root, enabling shell breakout." Name the cause the client can fix. LinPEAS is the discovery method, not the finding.

What you take home

  • Privilege escalation is where the most consequential findings live — it turns a foothold into real impact.
  • Enumerate before you exploit: identity, host, execution, filesystem, network, credentials, trust position.
  • Seven pattern classes cover the overwhelming majority of real escalation paths on any OS.
  • Linux and Windows differ in syntax and tooling; the underlying patterns are the same — learn the pattern, adapt the technique.
  • GTFOBins, LinPEAS, WinPEAS, and BloodHound are accelerators; understanding why each entry works makes them durable skills.
  • In AD and cloud environments, escalation is primarily an identity graph problem — map the paths, walk the edges.
  • Report the root cause the client can fix, not the tool that uncovered it.

Next: Topic 17 — Web application testing. How the OWASP attack surface connects to the pattern classes covered here.


Learn the pattern. Not just the technique.

Before next session: review the seven escalation pattern classes and find one real example of each in GTFOBins, LOLBAS, or BloodHound.