Finding privesc before they do
Audit your own hosts like an attacker.
Understanding escalation paths is only useful if you act on it, and the action is proactive: audit your own hosts the way an attacker would enumerate them, continuously, and alert on both the misconfigurations and the signs someone is exploiting them. This is where the offensive knowledge becomes defensive practice — you run the attacker’s reconnaissance as a scheduled security check, so the escalation paths are closed before they are found and any change to them is noticed.
# a privesc audit you schedule fleet-wide and diff against a baseline:$ find / -perm -4000 -type f 2>/dev/null | sort # SUID binaries$ getcap -r / 2>/dev/null # file capabilities$ find / -perm -0002 -type f 2>/dev/null # world-writable files# then, per user: sudo -l ; and check writable root cron scripts + PATH dirs
Baseline, then alert on change
The pattern is baseline-and-diff. Capture the known-good set of SUID binaries, capabilities, world-writable files, and sudo grants on a clean host, store it, and re-run the enumeration on a schedule. A new SUID binary, a newly-capable binary, a fresh world-writable root script, or an added sudo rule are each either a misconfiguration to fix or — more alarmingly — a persistence or escalation mechanism an attacker just planted. The diff is the detection: on a stable server these things should almost never change, so any change is worth a look.
Purpose-built tools
You do not have to script all of this by hand. Established tools run the enumeration for you: LinPEAS and linux-smart-enumeration are the offensive scanners (run them on your own hosts to see what an attacker would find), and Lynis is a defender-oriented auditing tool that scores a host and flags escalation paths and hardening gaps. Running an offensive privesc scanner against your own infrastructure — an internal purple-team exercise — is one of the most direct ways to find the escalation paths that matter, because it finds exactly what the real attacker would.
# audit your OWN hosts with the same tools the attacker uses:$ ./linpeas.sh | tee linpeas-$(hostname).txt # enumerates SUID, caps, cron, creds, kernel$ sudo lynis audit system # defender-side hardening + privesc audit + score# feed the findings into your baseline; alert when the next scan differs