Deep Dive: How it works and how to stop it

Privilege escalation (often shortened to priv-esc) is one of the most critical steps in an attack chain. It allows an attacker to gain higher privileges after compromising a low-level account — ultimately leading to root or SYSTEM access. In this article, we’ll explore how it works, real-world examples, and how to protect your systems.

Types of Privilege Escalation

• Vertical: Gaining higher-level privileges (e.g., from user to root).
• Horizontal: Gaining access to another user’s data or processes at the same privilege level.

Common Linux Techniques

1. Sudo misconfigurations: E.g., sudo vim → :!bash for root shell.
2. SUID binaries: Exploiting binaries like /usr/bin/python with setuid bit.
3. Kernel exploits: DirtyCow (CVE-2016-5195), OverlayFS, etc.
4. Writable /etc/passwd: Injecting a fake root user.

Common Windows Techniques

1. Unquoted service paths: Abuse poor service path handling.
2. AlwaysInstallElevated: MSI abuse to gain SYSTEM access.
3. Token impersonation: Tools like Juicy Potato or PrintSpoofer.

Tools for Enumeration

• Linux: LinPEAS, LES.sh, pspy, GTFOBins
• Windows: WinPEAS, Seatbelt, PowerUp.ps1

Defense Strategies

• Enforce the Principle of Least Privilege (PoLP).
• Audit sudoers and SUID binaries regularly.
• Monitor for suspicious cron jobs and startup tasks.
• Apply patches early to reduce kernel and service exploits.
• Use Sysmon, auditd, and log management for detection.

Final Thoughts

Privilege escalation is powerful — and dangerous. Whether you’re a penetration tester or a system administrator, understanding both attack and defense is critical for keeping systems secure. Always think like an attacker… before they do.