This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Privilege Escalation Fundamentals

Why Privilege Escalation Matters

Imagine you’ve infiltrated a system but only have the equivalent of a janitor’s key card when you need the CEO’s access. Privilege escalation is that promotion: moving from a low-level user to system administrator so you can achieve objectives that require higher access.

Real-World Scenarios:

  • Web App Pentests: Shell access as www-data, need root

  • Phishing Campaigns: Compromised workstation, need admin for lateral movement

  • Physical Assessments: USB drop gives user shell, need SYSTEM/domain access

  • Red Team Operations: Initial foothold gained, objective requires admin control

  • CTF/Labs: Practice fundamental escalation techniques


What Privilege Escalation Is

Definition: Moving from limited access to administrative/root access.

Why It Matters: Most compromises start with low-level access; without escalation, you’re limited in impact.

Think of it like climbing a corporate ladder, except you use exploitation skills instead of office politics.


Methodology for Privilege Escalation

1. Assess Current Situation

  • Identify current user and privileges

  • Understand system OS, version, and architecture

  • Analyze environment for security controls

2. Information Gathering (Enumeration)

  • Running services & configurations

  • File/folder permissions

  • Installed software & patch levels

  • User accounts & privileges

  • Network services & connections

  • Scheduled tasks/automation

3. Identify Weaknesses

  • Misconfigured services with excessive privileges

  • SUID/SETUID binaries

  • Weak file permissions

  • Stored credentials in configs

  • Outdated software with known exploits

4. Select Attack Vector

  • Balance effort, success probability, stealth, and risk

  • Consider skills and tools available

5. Exploit & Verify

  • Execute chosen method

  • Verify new privileges & administrative capabilities

  • Document method & consider persistence
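
The enumeration steps above, applied from the defender's side as an added example (not the guide's own tooling): a Python audit that walks a directory tree and reports the weaknesses step 3 names, namely SUID/SGID binaries not on an assumed baseline and world-writable files or directories. The EXPECTED_SUID set and the constructed sample tree are assumptions.

```python
# Added audit example (not the guide's own code): report the permission
# weaknesses a privilege escalation enumeration would find, so they can be fixed.
import os
import stat
import tempfile

# Assumed baseline of SUID binaries expected on the host; a real audit would
# derive this from the distribution's package manifests instead.
EXPECTED_SUID = {"passwd", "sudo", "su"}


def audit_tree(root):
    """Return (relative_path, kind, octal_mode) findings, sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink say nothing about its target
            mode = stat.S_IMODE(st.st_mode)
            rel, octal = os.path.relpath(path, root), format(mode, "04o")
            if stat.S_ISREG(st.st_mode) and mode & stat.S_ISUID and name not in EXPECTED_SUID:
                findings.append((rel, "suid", octal))
            if stat.S_ISREG(st.st_mode) and mode & stat.S_ISGID:
                findings.append((rel, "sgid", octal))
            # World-writable without the sticky bit: any local user can modify it.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((rel, "world-writable", octal))
    return sorted(findings)


def build_sample_tree():
    """Constructed throwaway tree: one baseline SUID binary plus three
    weaknesses. Modes are set explicitly so the process umask does not matter."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    for d in ("usr/bin", "opt/app"):
        os.makedirs(os.path.join(root, d), mode=0o755)
    for rel, mode in (("usr/bin/passwd", 0o4755),      # on baseline, not reported
                      ("usr/bin/backup", 0o4755),      # unexpected SUID, reported
                      ("opt/app/config.ini", 0o666)):  # world-writable config
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "opt", "app"), 0o777)  # world-writable directory
    return root
```

On a real host, run audit_tree("/") as root and diff the output against the previous run to catch new SUID binaries or loosened permissions before an attacker does.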


Common Attack Vectors

Easy Wins:

  • Misconfigured services

  • Weak file permissions

  • Stored credentials

Technical Challenges:

  • Kernel exploits

  • Token manipulation

  • Application-specific vulnerabilities

Platform-Specific Focus:

  • Linux: SUID binaries, sudo misconfigurations, cron abuse

  • Windows: Service permissions, registry abuse, token impersonation


Automated vs Manual Approaches

Approach  | Pros                                  | Cons                     | Best Use
----------+---------------------------------------+--------------------------+----------------------------------------
Automated | Fast, comprehensive                   | Noisy, false positives   | Initial recon, time-limited assessments
Manual    | Stealthy, thorough                    | Slow, expertise required | Complex environments, stealth ops
Hybrid    | Baseline with automated, focus manual |                          | Most professional engagements


Success Framework

Checklist for Complete Enumeration:

  • User context & privileges understood

  • System architecture & patch level identified

  • Services & configs enumerated

  • File permission weaknesses mapped

  • Network services explored

  • Multiple attack vectors identified


Bottom Line

Privilege escalation is solving a puzzle. Some pieces are obvious; others require connecting small findings. Success comes from a methodical approach: enumerate thoroughly, analyze carefully, exploit precisely. Every system has weaknesses; your task is to find them before defenders do.
