Getting initial access to a system is just the beginning for an attacker. The next step is almost always privilege escalation — the process of gaining higher permissions than you were initially granted. A regular user account becomes an administrator. A local admin becomes a domain admin. Understanding how this works is critical for both attackers (in penetration testing) and defenders.
Types of Privilege Escalation
Vertical Privilege Escalation
Moving up the privilege hierarchy — from a low-privilege user to a higher-privilege user. Examples: standard user → local administrator → domain administrator → SYSTEM/root. This is the classic definition of privilege escalation and the most sought-after outcome in attacks.
Horizontal Privilege Escalation
Gaining access to another user’s account or resources at the same privilege level. Example: accessing another customer’s account in a web application without having higher permissions — just different permissions. Also called an “Insecure Direct Object Reference (IDOR)” in web security.
Common Privilege Escalation Techniques
1. Exploiting SUID/SGID Binaries (Linux)
In Linux, SUID (Set User ID) binaries run with the permissions of the file owner, not the person running them. If a binary owned by root has the SUID bit set, it runs as root. Attackers search for misconfigured SUID binaries (find / -perm -u=s -type f 2>/dev/null) that can be abused to execute commands as root.
# Find all SUID files on a Linux system
find / -perm -u=s -type f 2>/dev/null
# GTFOBins (gtfobins.github.io) documents how to exploit each binary
2. Sudo Misconfigurations (Linux)
If sudo is configured to allow a user to run certain commands as root without a password, those commands can often be exploited. For example, if a user can run “sudo vim,” they can spawn a shell from within vim with “:!bash” — getting a root shell. GTFOBins documents these for hundreds of programs.
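The two Linux checks above (unexpected SUID root binaries and passwordless sudo rules on shell-capable programs) can be turned into a small audit. The following Python script is an added example written for this article, not code from the article or from any distribution; the SUID baseline, the list of shell-capable programs and the sample sudoers text are constructed for illustration:

```python
"""Audit two Linux privilege-escalation surfaces described above: root-owned
SUID binaries that are not part of a known baseline, and sudoers rules that
let a user run shell-capable programs as root without a password.
Added example for this article; not the article's or any distribution's code."""
import os
import re
import stat
import sys
from typing import Iterable, List, Tuple

# Constructed baseline of SUID root binaries that are expected on most
# distributions. A real audit should capture this from a known-good image.
SUID_ALLOWLIST = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}

# Constructed subset of programs that can spawn a shell or write arbitrary
# files when run as root (GTFOBins documents the complete list).
SHELL_CAPABLE = {
    "vim", "vi", "nano", "less", "more", "find", "awk", "python3", "perl",
    "bash", "sh", "env", "tar", "cp", "tee",
}

# Constructed sudoers excerpt used for the stand-alone run and the checks.
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
jsmith ALL=(ALL) NOPASSWD: /usr/bin/vim
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/find /var/log
backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
"""

def collect_suid(root: str) -> List[Tuple[str, int, int]]:
    """Walk a tree and return (path, mode, uid) for regular files with the
    SUID bit set: the Python equivalent of `find / -perm -u=s -type f`."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, like the 2>/dev/null in the find command
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode, st.st_uid))
    return found

def unexpected_suid(entries: Iterable[Tuple[str, int, int]],
                    allowlist=SUID_ALLOWLIST) -> List[str]:
    """Return root-owned SUID binaries that are not on the baseline.
    Policy is separated from collection so it can also run on a saved inventory."""
    return sorted(path for path, _mode, uid in entries
                  if uid == 0 and path not in allowlist)

# sudoers rule shape: who host = (runas) TAG: TAG: command[, command]
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
NON_RULE_KEYWORDS = {"Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias"}

def risky_sudoers(text: str) -> List[Tuple[str, str]]:
    """Flag rules that grant NOPASSWD on ALL or on a shell-capable program.
    Returns (user_or_group, command) pairs in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in NON_RULE_KEYWORDS:
            continue
        m = SUDOERS_RULE.match(line)
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or prog in SHELL_CAPABLE:
                findings.append((m.group("who"), cmd))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path in unexpected_suid(collect_suid(root)):
        print("unexpected SUID root binary:", path)
    for who, cmd in risky_sudoers(SAMPLE_SUDOERS):
        print(f"risky sudo rule: {who} may run {cmd} as root without a password")
```

Run it as root to scan a real tree and feed it the contents of /etc/sudoers and /etc/sudoers.d; the baseline should come from a clean build of the same image, since package managers legitimately add SUID binaries that differ between distributions.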
3. Unquoted Service Paths (Windows)
When a Windows service has an unquoted path with spaces, Windows will try multiple path interpretations. If an attacker can write to one of those intermediate paths, they can place a malicious executable that runs when the service starts (usually as SYSTEM). Example: “C:\Program Files\Vulnerable App\app.exe” — if an attacker can write to C:\Program.exe, it executes as SYSTEM.
4. Weak File Permissions (Windows)
If a service executable has write permissions for regular users, an attacker can replace it with malicious code. When the service restarts (often on reboot or manually), the malicious code runs with the service’s privileges (often SYSTEM).
5. Token Impersonation (Windows)
Windows uses access tokens to determine what a process is allowed to do. If a low-privilege process can steal a high-privilege token (from an administrator logged into the same machine), it can impersonate that administrator. Metasploit’s getsystem command uses exactly this technique. Tools like Mimikatz and Incognito specialize in token manipulation.
6. Kernel Exploits
Unpatched kernel vulnerabilities can allow any local user to escalate to root or SYSTEM. Famous examples include Dirty COW (CVE-2016-5195) in Linux — a race condition that allowed any unprivileged user to gain write access to read-only memory and overwrite system files to gain root. It affected Android devices as well.
7. Credential Access and Pass-the-Hash
Dumping credentials from memory (using Mimikatz on Windows) provides plaintext passwords or NTLM hashes for other accounts. These can be used to authenticate to other systems — especially effective when administrators reuse passwords or use domain admin accounts on regular workstations.
8. DLL Hijacking (Windows)
Windows applications load DLL files at runtime. If an application searches for DLLs in writable directories, an attacker can place a malicious DLL with the right name in that directory. When the application runs, it loads the malicious DLL instead of the legitimate one — executing attacker code with the application’s privilege level.
Privilege Escalation in Action: A Penetration Test Scenario
Here’s how a real pentest privilege escalation might look on a Windows machine:
- Initial foothold: Phishing email delivers PowerShell reverse shell as standard user “jsmith”
- Enumeration: Run WinPEAS (Windows Privilege Escalation Awesome Scripts) to identify misconfigurations
- Discovery: WinPEAS finds an unquoted service path in “C:\Program Files\Company App\service.exe” with write access to C:\
- Exploitation: Place malicious “Program.exe” in C:\ that adds jsmith to the Administrators group
- Trigger: Restart the vulnerable service (or wait for reboot)
- Result: jsmith is now a local administrator
- Further escalation: Use Mimikatz to dump domain admin credentials cached on the workstation
- Domain compromise: Use domain admin credentials to access domain controller
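The unquoted service path condition from technique 3, which the scenario's WinPEAS run discovers, is straightforward to check for yourself from a service inventory. The script below is an added example written for this article, not the article's code and not WinPEAS: it lists, for each unquoted path with spaces, the executables Windows would try before the real one (the directories whose write permissions a defender must verify, for example with icacls) and produces the quoted path that removes the ambiguity. The service records are constructed, standing in for the output of `sc qc` or a Win32_Service query:

```python
"""Check Windows services for unquoted image paths containing spaces, the
misconfiguration behind technique 3 and the pentest scenario above. For each
affected service it lists the executables Windows would try before the real
one and the quoted path that removes the ambiguity.
Added example for this article; not the article's code. The service records
are constructed, standing in for `sc qc` or Win32_Service output."""
from typing import Dict, List

# Constructed inventory: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES: Dict[str, str] = {
    "CompanyAppSvc": r"C:\Program Files\Company App\service.exe",
    "SvchostLike": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "QuotedSvc": r'"C:\Program Files\Quoted App\svc.exe" -svc',
}

def _split_exe(image_path: str):
    """Split an unquoted ImagePath into executable tokens and argument tokens.
    The executable is taken to end at the first token with a .exe extension
    (the common case); a path without one is treated as the whole line."""
    tokens = image_path.strip().split(" ")
    exe_idx = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                   len(tokens) - 1)
    return tokens[: exe_idx + 1], tokens[exe_idx + 1:]

def hijack_candidates(image_path: str) -> List[str]:
    """Return the paths CreateProcess would try, in order, before the intended
    binary. Each candidate's directory is where write access would matter."""
    if image_path.strip().startswith('"'):
        return []  # quoted: the executable name is unambiguous
    exe_tokens, _ = _split_exe(image_path)
    # one candidate per space inside the executable path; Windows appends .exe
    return [" ".join(exe_tokens[: i + 1]) + ".exe" for i in range(len(exe_tokens) - 1)]

def quote_image_path(image_path: str) -> str:
    """Return the ImagePath with the executable wrapped in quotes (the fix),
    leaving any service arguments untouched."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe_tokens, args = _split_exe(image_path)
    return " ".join(['"' + " ".join(exe_tokens) + '"'] + args)

def audit_services(services: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return only the services that need attention, with candidates and fix."""
    findings = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = {"candidates": candidates, "fix": quote_image_path(path)}
    return findings

if __name__ == "__main__":
    for name, f in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; Windows tries {f['candidates']} first")
        print("  fix ImagePath to:", f["fix"])
```

On a live host the fix is applied with `sc config <ServiceName> binPath= "..."` using the quoted path the script prints; whether any candidate directory is actually writable by standard users is a separate ACL check against the real filesystem, which this offline example does not perform.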
How to Defend Against Privilege Escalation
- Patch aggressively: Kernel exploits and local privilege escalation vulnerabilities are fixed in patches. Apply them promptly.
- Principle of Least Privilege: Users and services should have only the minimum permissions needed. Audit and remove excessive permissions regularly.
- Don’t use domain admin accounts for daily tasks: Domain admin credentials cached on workstations are a massive escalation risk. Use tiered administration models.
- Run security scanners: Tools like Lynis (Linux), BeRoot, or Nessus can identify privilege escalation vulnerabilities proactively.
- Monitor for suspicious activity: Log and alert on new admin account creation, privilege changes, unusual service restarts, and token manipulation attempts.
- Use Windows LAPS: Local Administrator Password Solution randomizes local admin passwords on all workstations, preventing lateral movement via shared local admin credentials.
- Enable Windows Credential Guard: Protects NTLM hashes and Kerberos tickets from being extracted by Mimikatz and similar tools.
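The monitoring item above lists what to alert on; the following Python snippet is an added example written for this article (not the article's code) showing that logic over Windows Security and System events. The event records are constructed and simplified to the fields the rules use; a real pipeline would parse them from EVTX or a SIEM feed, and the user-writable directory list is an assumption for illustration:

```python
"""Detection logic for the 'monitor for suspicious activity' control: scan
Windows Security and System events for the traces an escalation leaves behind
(new accounts, additions to administrative groups, newly installed services).
Added example for this article; not the article's code. Event records are
constructed and simplified to the fields the rules need."""
from typing import Dict, List

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
# Event IDs: 4720 user account created; 4728/4732/4756 member added to a
# security-enabled global/local/universal group; 7045 (System log) service installed.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Assumed list of directories a standard user can usually write to; a service
# binary installed from one of them is suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed sample, in the order a workstation compromise like the scenario
# above might produce them.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2},
    {"EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "WORKSTATION\\jsmith", "SubjectUserName": "WORKSTATION$"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "itadmin"},
    {"EventID": 7045, "ServiceName": "Updater", "ImagePath": "C:\\Users\\Public\\upd.exe",
     "AccountName": "LocalSystem"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "WORKSTATION\\helpdesk", "SubjectUserName": "itadmin"},
]

def _is_machine_or_system(actor: str) -> bool:
    # An admin-group change made by SYSTEM or a machine account (name ends in $)
    # rather than a named administrator is how a service-based escalation shows up.
    return actor.upper() == "SYSTEM" or actor.endswith("$")

def detect(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one alert per matching event, preserving event order."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4720:
            alerts.append({"rule": "account_created", "severity": "medium",
                           "subject": str(e["SubjectUserName"]),
                           "detail": str(e["TargetUserName"])})
        elif eid in GROUP_ADD_EVENTS and str(e.get("TargetUserName", "")).lower() in ADMIN_GROUPS:
            actor = str(e["SubjectUserName"])
            alerts.append({"rule": "admin_group_member_added",
                           "severity": "high" if _is_machine_or_system(actor) else "medium",
                           "subject": actor,
                           "detail": f'{e["MemberName"]} -> {e["TargetUserName"]}'})
        elif eid == 7045:
            image = str(e.get("ImagePath", "")).lower()
            suspicious = image.startswith(USER_WRITABLE_PREFIXES)
            alerts.append({"rule": "service_installed",
                           "severity": "high" if suspicious else "low",
                           "subject": str(e.get("AccountName", "")),
                           "detail": f'{e["ServiceName"]}: {e["ImagePath"]}'})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'[{a["severity"]}] {a["rule"]} by {a["subject"]}: {a["detail"]}')
```

The severity split is the useful part: every addition to Administrators deserves a look, but one performed by the machine account or SYSTEM (as in the scenario, where the hijacked service adds jsmith) has no legitimate interactive actor behind it and should page someone.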
Tools for Testing (Use Only on Systems You Own or Have Permission)
- WinPEAS / LinPEAS — automated privilege escalation enumeration scripts for Windows and Linux
- GTFOBins (gtfobins.github.io) — Linux binaries that can be exploited for escalation
- LOLBAS (lolbas-project.github.io) — Windows “Living Off the Land” binaries
- Mimikatz — Windows credential extraction tool (also used by defenders for testing)
- BloodHound — Active Directory attack path mapping
Summary
Privilege escalation is a critical phase of every serious attack and penetration test. Understanding these techniques helps defenders identify and fix misconfigurations before attackers exploit them. The key defenses are least privilege, aggressive patching, monitoring for anomalous behavior, and protecting credential material with tools like Credential Guard and LAPS.