When you gain access to a target node you will want to explore. The exact method you use will depend on operational security considerations, time constraints and style. You will be looking for a range of elements that help you progress towards an objective.

It should be noted that the objective may NOT require elevation. You may be trying to obtain data and access might already be possible using the context you have assumed.

You may also need to move from a www-data user to a named user account, or get to a root level of access. If so, there is a range of questions we should be asking ourselves:

  • Are you already admin, or do you have admin-like privileges?
  • Are overly permissive root/sudo/admin/sa rights assigned?
  • Are there insecurely stored passwords you can access?
  • Are there insecure file permissions?
  • Are there known software vulnerabilities, e.g. kernel exploits?
  • Are SSH Keys stored in an insecure manner?
  • Can you abuse capabilities?
  • Are there cron jobs that are running in an insecure manner that can be hijacked?
  • Are SUID/SGID bits set that can be exploited?
  • Can path variables be exploited?
  • Are there local services that can be abused?
  • Are there local services that are only accessible via loopback?
  • Are there network adjacent services that can be abused?
  • Are there any NFS root squashing issues?
  • Are there insecure iSCSI targets?
  • Can you abuse applications to escalate?
  • Are you in a jail and need to break out?
  • Are you in a container and need to break out?
  • Can you tap the network traffic to find credentials?
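Turning a few of these questions (file permissions, SUID/SGID bits, PATH variables) into a repeatable check on your own hosts might look like the following. This is an added example, not code from the original post; the function names and the /usr/local default are assumptions chosen for illustration.

```python
import os
import stat

def audit_tree(root):
    """Walk root and return sorted (path, issue) findings for risky file modes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry, skip it
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.append((path, "setuid"))
                if mode & stat.S_ISGID:
                    findings.append((path, "setgid"))
                if mode & stat.S_IWOTH:
                    findings.append((path, "world-writable file"))
            elif stat.S_ISDIR(mode):
                # A sticky bit (as on /tmp) stops users replacing each other's files.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((path, "world-writable dir without sticky bit"))
    return sorted(findings)

def audit_path(path_value):
    """Return (entry, issue) findings for a colon-separated PATH string."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry, "current directory in PATH"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative PATH entry"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable PATH directory"))
    return findings

if __name__ == "__main__":
    # Assumed scan root; point it at the trees you administer.
    results = audit_tree("/usr/local") + audit_path(os.environ.get("PATH", ""))
    for path, issue in results:
        print(f"{issue}: {path!r}")
```

Review setuid/setgid findings against the distribution's expected set, and treat anything writable by other users that root executes (cron scripts, service binaries, PATH directories) as a priority fix.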

Free Resources

There’s a host of great resources in this space (they are basically famous resources in this space now!)









Online Labs and VM Resources



Operational Security Concerns

In enterprises, Linux machines largely aren’t monitored for process execution. They are largely free zones you can roam around in, so much so that if you are in a Windows environment with EDR you might want to pivot to a Linux host, if you can, for evasion.


Privilege escalation enumeration and analysis is often not a two-minute activity, and it’s not just running a script (although it can be). The thing I’m trying to explain here is that it could take hours or even days to progress (that could be because of complexity, or simply because you don’t “spot” the route). You also must consider whether a custom exploit chain is required! Lastly, there is also the other option: it simply might not be exploitable. So, the time could range from minutes to hours to days (or longer) per server. Bear that in mind; it’s not always going to scream out at you (or even be possible everywhere).


In mainstay business environments, Linux servers are often black boxes or appliances. They are often not monitored and largely left alone. Obviously for software development companies, cloud service providers etc. this may not be the case and Linux servers may be highly managed, but in my experience in “general” business verticals they are often not highly monitored.

Linux privesc is a key skill to have, from developers through to sysadmins. If you know how something is misconfigured, you will know how to defend against it! Offense-informed defense for the win!