This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Privilege Escalation Fundamentals

Why Do We Need This?

Picture this: You've successfully infiltrated a system, but you're stuck with the digital equivalent of a janitor's key card when you really need the CEO's access. That's where privilege escalation comes in - it's your promotion from intern to manager in the world of system compromise.

Real-World Scenarios Where This Matters:

  • Web Application Pentests: Gained shell access through RCE but only as www-data user

  • Phishing Campaigns: Compromised employee workstation but need admin rights for lateral movement

  • Physical Assessments: Plugged in a USB device and got a user shell, but need SYSTEM to dump cached credentials and pivot into the domain

  • Red Team Operations: Initial foothold achieved but objective requires administrative control

  • CTF/Lab Environments: Learning fundamental escalation techniques before real-world application

Understanding Privilege Escalation

The Big Picture

What It Is: Escalating from the low-privilege access you land with to administrative (root or SYSTEM) access on the target system.

The Journey: You start as "just some user" and end up as "master of the digital universe" (at least on that one system). Think of it as climbing the corporate ladder, except instead of years of brown-nosing, you use technical exploitation.

Why It's Critical: Most initial compromises give you limited access. Without privilege escalation, you're like a burglar who broke into a house but can only access the guest bathroom.


The Privilege Escalation Methodology

Phase 1: Current Situation Assessment

Understanding your starting point is crucial - you can't plan a route if you don't know where you are.

Key Activities:

  1. Identity Check: Determine current user account and its attributes

  2. Privilege Assessment: Catalog available permissions and restrictions

  3. System Overview: Identify operating system, version, and architecture

  4. Environment Analysis: Understand the security controls and monitoring in play (AV/EDR agents, auditd or Sysmon, SELinux/AppArmor, log forwarding), because they decide how noisy you can afford to be

Phase 2: Information Gathering

Systematic enumeration forms the foundation of successful privilege escalation.

Critical Areas to Investigate:

  • Running services and their configurations

  • File and folder permissions across the system

  • Installed software and patch levels

  • User accounts and their privileges

  • Network services and internal connections

  • Scheduled tasks and automated processes
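Phases 1 and 2 boil down to a handful of commands. The script below is an added example, not code from the original page: a small POSIX shell enumeration script that covers both phases on Linux (identity and groups, OS and kernel, SUID binaries, world-writable files, cron entries, listening sockets, sudo rules). Every helper takes its root directory or file as an argument so it can be aimed at a test tree; the script name enum.sh and the default paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): minimal Linux enumeration for
# Phase 1 (who am I, what is this box) and Phase 2 (what runs here and what
# can I touch). Helpers take a path argument so they can be aimed at a test
# tree; the script name enum.sh and the default paths are assumptions.

# Phase 1, step 1: identity. Group membership (docker, lxd, disk, sudo, adm)
# is often the whole story, so print it alongside the uid.
current_identity() {
    printf 'user=%s uid=%s groups=%s\n' "$(id -un)" "$(id -u)" "$(id -Gn | tr ' ' ',')"
}

# Returns 0 when the effective uid is already root.
is_root() { [ "$(id -u)" -eq 0 ]; }

# Phase 1, step 3: OS release. Reads an os-release style file (default
# /etc/os-release) and prints PRETTY_NAME without its quotes.
os_pretty_name() {
    file=${1:-/etc/os-release}
    [ -r "$file" ] || { echo unknown; return 1; }
    grep '^PRETTY_NAME=' "$file" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# Kernel version and architecture decide which kernel exploits even apply.
kernel_and_arch() { printf '%s %s\n' "$(uname -r)" "$(uname -m)"; }

# Phase 2: SUID binaries below a root (default /), one per line, sorted so
# the list can be diffed against a baseline later.
suid_files() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Phase 2: world-writable regular files, the raw material for "weak file
# permissions on important files".
world_writable_files() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Phase 2: live cron entries from the system crontab and cron.d drop-ins,
# comments and blank lines removed, each prefixed with its source file.
cron_entries() {
    base=${1:-/etc}
    for f in "$base/crontab" "$base"/cron.d/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
    done
}

# Phase 2: listening sockets; ss is preferred, netstat is the fallback.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then ss -tulnp 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then netstat -tulnp 2>/dev/null
    else echo "neither ss nor netstat available"; fi
}

# Phase 2: sudo rules for the current user. -n never prompts, so this is
# safe to run unattended; "sudo not installed" is itself worth noting.
sudo_rules() {
    command -v sudo >/dev/null 2>&1 || { echo "sudo not installed"; return 0; }
    sudo -n -l 2>&1
}

main() {
    echo "== Phase 1: context =="; current_identity
    is_root && echo "already root, nothing to escalate"
    echo "os: $(os_pretty_name)"; echo "kernel/arch: $(kernel_and_arch)"
    echo "== Phase 2: SUID binaries =="; suid_files /
    echo "== Phase 2: world-writable files under /etc =="; world_writable_files /etc
    echo "== Phase 2: cron =="; cron_entries /etc
    echo "== Phase 2: listening sockets =="; listening_sockets
    echo "== Phase 2: sudo rules =="; sudo_rules
}

# Run the sweep only when executed as enum.sh, not when sourced for testing.
case "$0" in *enum.sh) main ;; esac
```

Run it as the foothold user and keep the output: the sorted SUID and world-writable lists are exactly what Phase 3 diffs against, and the group list often points straight at the win (a docker or lxd group is root in all but name).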

Phase 3: Weakness Identification

Raw enumeration data becomes actionable intelligence through careful analysis.

Common Goldmines:

  • Services running with excessive privileges

  • SUID/SGID binaries outside the distribution's standard set, or standard ones with a known abuse path

  • Weak file permissions on important files

  • Stored credentials in configuration files

  • Outdated software with known exploits
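Here is what Phase 3 looks like once you stop reading raw output and start diffing it. The following is an added example, not code from the original page: three checks that turn enumeration data into findings, namely SUID binaries missing from a baseline list, cron jobs whose script the current user can overwrite or plant, and config files that embed a credential. The baseline contents, crontab lines, file patterns and the credential regex are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): turning Phase 2 output into
# Phase 3 findings. The baseline list, crontab contents, file patterns and
# the credential regex are illustrative assumptions.

# SUID binaries present on the host but absent from a known-good baseline.
# Both arguments are files with one absolute path per line.
unexpected_suid() {           # $1 = observed list, $2 = baseline list
    a=$(mktemp); b=$(mktemp)
    sort -u "$1" > "$a"; sort -u "$2" > "$b"
    comm -23 "$a" "$b"        # lines only in the observed list
    rm -f "$a" "$b"
}

# Cron jobs whose command the current user can tamper with. Reads system
# crontab format (min hour dom mon dow user command...), takes the first
# word of the command as the script, and reports it when the script is
# writable, or missing from a directory that is writable (drop-in attack).
# Note: run as root every path is writable, so check id -u first.
writable_cron_targets() {     # $@ = crontab files in system format
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r _min _hr _dom _mon _dow user cmd; do
            target=${cmd%% *}                              # first word only
            case "$target" in /*) ;; *) continue ;; esac   # skip VAR=value lines
            if [ -w "$target" ]; then
                echo "$f: $user runs writable script $target"
            elif [ ! -e "$target" ] && [ -w "$(dirname "$target")" ]; then
                echo "$f: $user runs missing script $target in a writable directory"
            fi
        done
    done
}

# Config-looking files that carry a credential: a key such as password,
# secret, token or api_key followed by = or : and a non-empty value.
credential_hits() {           # $1 = directory to scan
    find "$1" -type f \( -name '*.conf' -o -name '*.ini' -o -name '*.env' \
         -o -name '*.yml' -o -name '*.yaml' -o -name '*.xml' -o -name '*.properties' \) \
         -exec grep -EHin \
         '(password|passwd|secret|token|api[_-]?key)[[:space:]]*[=:][[:space:]]*[^[:space:]]' {} + \
         2>/dev/null
}
```

The baseline for unexpected_suid should come from a clean install of the same distribution and version; without one, the comparison flags every vendor binary and you are back to reading raw output. The credential grep is deliberately loose: expect false positives, and treat every hit as a lead to verify, not a finding.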

Phase 4: Attack Vector Selection

Choose your approach based on multiple factors to maximize success probability.

Decision Factors:

  • Success probability vs effort required

  • Stealth level needed for the engagement

  • Risk of system instability or detection

  • Your skill level and available tools

Phase 5: Exploitation and Verification

Execute the chosen attack and confirm successful privilege escalation.

Execution Steps:

  1. Execute chosen attack vector

  2. Verify new privilege level

  3. Test administrative capabilities

  4. Document the successful method

  5. Consider persistence if needed
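Step 2 deserves more than a whoami. The script below is an added example, not code from the original page: it reports real and effective uids separately, because a SUID binary or a sudo rule can hand you euid 0 while the ruid stays yours, and privilege-dropping shells (bash started without -p) will quietly throw that away; it then proves the privilege with a root-only action instead of trusting the prompt. The default shadow path, the script name verify.sh and the output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): verify an escalation rather
# than trusting the prompt. Reports ruid and euid separately and proves
# root with a concrete read. Default shadow path and the script name
# verify.sh are assumptions.

privilege_state() {
    printf 'ruid=%s euid=%s rgid=%s egid=%s\n' "$(id -ru)" "$(id -u)" "$(id -rg)" "$(id -g)"
}

# 0 when the effective uid is root.
effective_root() { [ "$(id -u)" -eq 0 ]; }

# 0 when the real uid is root too, i.e. a full root shell rather than an
# euid-0 process that privilege-dropping programs will demote.
real_root() { [ "$(id -ru)" -eq 0 ]; }

# A concrete capability test: /etc/shadow is readable only by root (or the
# shadow group). Pass a path to test against a constructed file.
can_read_shadow() { [ -r "${1:-/etc/shadow}" ]; }

verify_escalation() {
    privilege_state
    if ! effective_root; then echo "not escalated"; return 1; fi
    if ! real_root; then
        echo "euid 0 but ruid $(id -ru): start the shell with bash -p or it will drop privileges"
    fi
    if can_read_shadow; then echo "verified: can read /etc/shadow"; return 0; fi
    echo "euid 0 but cannot read /etc/shadow (sandbox, container or LSM?)"; return 1
}

# Run the check only when executed as verify.sh, not when sourced for testing.
case "$0" in *verify.sh) verify_escalation ;; esac
```

Document whatever this prints together with the exact command that got you there (step 4): a reproducible "ruid=1000 euid=0" plus the SUID binary or sudo rule responsible is a finding, a screenshot of a # prompt is not.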


Common Attack Vectors (The Greatest Hits)

The Easy Wins

Service Misconfigurations: Services running as root or SYSTEM whose binary, configuration or working directory a low-privileged user can modify

File Permission Issues: Important files that regular users can modify

Stored Credentials: Passwords hiding in plain sight in config files

The Technical Challenges

Kernel Exploits: Attacking the operating system itself (high risk, high reward: a failed exploit can crash the host, so match the exploit to the exact kernel version before running it)

Token Manipulation: Impersonating or duplicating the access token of a higher-privileged process on Windows; rights such as SeImpersonatePrivilege are the usual entry point

Application Vulnerabilities: Exploiting specific software weaknesses

Platform Differences

Linux Systems: Often focus on SUID binaries, sudo misconfigurations, and cron job abuse

Windows Systems: Typically involve service permissions, registry abuse, and token impersonation


Automated vs Manual: The Eternal Debate

The Automated Approach (The Speed Demon)

Pros: Fast, comprehensive, catches obvious issues

Cons: Noisy (thousands of file and process reads in seconds), known tool signatures are flagged by AV/EDR, generates false positives

Best For: Initial reconnaissance, time-pressured assessments

The Manual Approach (The Ninja)

Pros: Stealthy, thorough understanding, finds unique issues

Cons: Slow, requires expertise, might miss obvious things

Best For: Stealth operations, learning, complex environments

The Hybrid Method (The Best of Both Worlds)

Strategy: Use automated tools for the baseline, then go manual for the interesting stuff

Reality Check: This is what most professionals actually do in real engagements


Target Systems and Use Cases

System Type          | Common Scenarios                   | Primary Techniques
---------------------|------------------------------------|------------------------------------------------------
Linux Servers        | Web apps, databases, file servers  | SUID abuse, service exploits, sudo misconfig
Windows Workstations | Employee machines, kiosks          | Service permissions, registry abuse, scheduled tasks
Windows Servers      | Domain controllers, app servers    | Service exploits, token manipulation, kernel exploits
Embedded Systems     | IoT devices, industrial systems    | Default credentials, firmware exploits, service abuse


Success Framework: How to Know You're Winning

Enumeration Completeness Checklist

  • Current user context fully understood

  • System architecture and patch level identified

  • All running services and their configs enumerated

  • File permission weaknesses mapped

  • Network services and configurations discovered

  • Multiple potential attack vectors identified

Escalation Success Indicators

  • Administrative/root access achieved

  • New privileges verified and tested

  • Method documented for reproducibility

  • System stability maintained

  • Operational security preserved


The Bottom Line

Privilege escalation is like solving a puzzle where the pieces are scattered across the entire system. Some pieces are obvious (like that SUID binary sitting there begging to be exploited), while others require connecting multiple small findings into a bigger picture.

The key to success isn't memorizing every possible technique - it's developing a systematic methodology that helps you find the puzzle pieces and understand how they fit together. Whether you're dealing with a Windows domain controller or a Linux web server, the fundamental approach remains the same: enumerate thoroughly, analyze carefully, and exploit precisely.

Remember: Every system has weaknesses. Your job is to find them before the defenders do. And if you can't find any? Well, that just means you haven't enumerated hard enough yet.
