CoursesAdvanced Linux securityPrivilege escalation

Local privesc: SUID, sudo, capabilities

The misconfigurations attackers find first.

Advanced16 min · lesson 3 of 17

Privilege escalation is the attacker’s pivot from "some access" to "total control," and on Linux the most common paths are not kernel exploits — they are misconfigurations. As a defender you learn these exactly so you can find and fix them on your own hosts before an attacker does. The first family is SUID abuse: a SUID-root binary runs as root regardless of who calls it, so any SUID binary that can be made to read, write, or execute arbitrary things is a road to root.

THREE LOCAL PRIVESC FAMILIES
SUID abuse
SUID-root binary
runs as root for any caller
find / -perm -4000
baseline against GTFOBins = root shell
sudo misconfig
sudo -l grants
what user may run as root
shell-capable / wildcard / editable target
vim -c ':!sh', editable backup.sh = root
File capabilities
cap_setuid / cap_dac_read_search / cap_sys_admin
fine-grained root powers on a binary
getcap -r /
invisible to a SUID search
All three end at root and are misconfigurations you can audit on your own hosts before an attacker does.
terminal
# find every SUID-root binary — the attacker’s first escalation hunt, and yours
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd # expected
/usr/bin/find # RED FLAG: find is SUID? → find . -exec /bin/sh \; = root shell
# GTFOBins catalogs which binaries become root when SUID — baseline yours against it

sudo misconfigurations

The second family is sudo, and it echoes the hardening course from the attacker’s side. sudo -l reveals what the current user may run as root, and any entry that is shell-capable (an editor, an interpreter, a pager) or uses a wildcard is an escalation. A rule letting a user run a script as root that they can also edit is instant root; NOPASSWD on a program that spawns a shell is instant root. The attacker reads sudo -l the way you read the sudoers file — looking for the one over-broad grant.

terminal
$ sudo -l
(root) NOPASSWD: /usr/bin/vim # vim can spawn a shell: sudo vim -c ':!/bin/sh' = root
(root) NOPASSWD: /opt/app/backup.sh # if the user can EDIT backup.sh, that is root too
# your job: audit sudo -l for every user and remove shell-capable / wildcard / editable-target grants

Linux capabilities

The third family is file capabilities — the fine-grained root powers from the container course, applied to binaries on a host. A binary with cap_setuid permitted can change its UID to root; cap_dac_read_search bypasses file-read permissions; cap_sys_admin is near-total. Attackers hunt for binaries carrying dangerous capabilities the same way they hunt SUID, because the effect is the same escalation with less visibility (a capability does not show up in a SUID search). Enumerate them with getcap -r.

terminal
# find binaries with dangerous capabilities (invisible to a SUID search)
$ getcap -r / 2>/dev/null
/usr/bin/python3.11 = cap_setuid+ep # RED FLAG: python with setuid → os.setuid(0) = root
# baseline capabilities across your fleet; a new/unexpected one is an escalation path or a plant
These are findings on YOUR hosts, not just theory
Everything here is a defensive audit you should run: enumerate SUID binaries, capabilities, and every user’s sudo -l, compare against a known-good baseline, and remediate anything shell-capable, wildcarded, or unexpected. The attacker runs these exact commands in their first minutes on the box; running them first — and continuously — is how you close the escalation paths before they are used. An unexpected SUID binary or capability is also a strong sign someone already got in.