CoursesAdvanced Linux securityPrivilege escalation

Finding privesc before they do

Audit your own hosts like an attacker.

Advanced12 min · lesson 5 of 17

Understanding escalation paths is only useful if you act on it, and the action is proactive: audit your own hosts the way an attacker would enumerate them, continuously, and alert on both the misconfigurations and the signs someone is exploiting them. This is where the offensive knowledge becomes defensive practice — you run the attacker’s reconnaissance as a scheduled security check, so the escalation paths are closed before they are found and any change to them is noticed.

AUDIT AS BASELINE-AND-DIFF
1Enumerate like an attacker
SUID, caps, sudo -l, world-writable, cron/PATH
2Capture baseline
store known-good set from a clean host
3Re-scan on schedule
fleet-wide (osquery, LinPEAS, Lynis)
4Diff and alert on change
new SUID/cap/sudo rule = fix or backdoor
The diff is the detection: on a stable host these rarely change, so any unexplained addition is an incident lead.
terminal
# a privesc audit you schedule fleet-wide and diff against a baseline:
$ find / -perm -4000 -type f 2>/dev/null | sort # SUID binaries
$ getcap -r / 2>/dev/null # file capabilities
$ find / -perm -0002 -type f 2>/dev/null # world-writable files
# then, per user: sudo -l ; and check writable root cron scripts + PATH dirs

Baseline, then alert on change

The pattern is baseline-and-diff. Capture the known-good set of SUID binaries, capabilities, world-writable files, and sudo grants on a clean host, store it, and re-run the enumeration on a schedule. A new SUID binary, a newly-capable binary, a fresh world-writable root script, or an added sudo rule are each either a misconfiguration to fix or — more alarmingly — a persistence or escalation mechanism an attacker just planted. The diff is the detection: on a stable server these things should almost never change, so any change is worth a look.

Purpose-built tools

You do not have to script all of this by hand. Established tools run the enumeration for you: LinPEAS and linux-smart-enumeration are the offensive scanners (run them on your own hosts to see what an attacker would find), and Lynis is a defender-oriented auditing tool that scores a host and flags escalation paths and hardening gaps. Running an offensive privesc scanner against your own infrastructure — an internal purple-team exercise — is one of the most direct ways to find the escalation paths that matter, because it finds exactly what the real attacker would.

terminal
# audit your OWN hosts with the same tools the attacker uses:
$ ./linpeas.sh | tee linpeas-$(hostname).txt # enumerates SUID, caps, cron, creds, kernel
$ sudo lynis audit system # defender-side hardening + privesc audit + score
# feed the findings into your baseline; alert when the next scan differs
A new SUID binary or sudo rule is guilty until proven innocent
On a stable production host, the set of SUID binaries, file capabilities, and sudo grants is nearly constant — so a newly-appeared one is rarely benign. It is either an unreviewed change that widened your attack surface, or an attacker establishing an escalation path or backdoor. Baseline these, diff them on a schedule (osquery makes this easy, as a later lesson shows), and treat any unexplained addition as an incident lead, not a curiosity.