Linux Privilege Escalation — Complete Course (Beginner to Advanced)

Course Roadmap

This complete Linux Privilege Escalation course is designed as a practical path from zero-to-advanced. Follow modules in order and practice each checklist item on HTB/THM/VulnHub/labs.

Module 1 — Linux Internals for PrivEsc

• Users, groups, UID/GID, supplementary groups
• Filesystem hierarchy and ownership semantics
• Permissions: rwx, umask, sticky bit, SGID directories
• PAM, shells, environment and profile loading order

Module 2 — Fast Enumeration Methodology

id; whoami; hostname; uname -a
cat /etc/os-release
ip a; ip route; ss -lntup
ps aux --sort=-%mem | head
sudo -l
find / -perm -4000 -type f 2>/dev/null
find / -writable -type d 2>/dev/null | head

Use manual-first + tools-second: linpeas/linenum/les. Always validate tool output manually.

Module 3 — Credential & Secret Hunting

• Config files: /var/www, /opt, /home, backup copies
• History files, SSH keys, tokens, cloud creds
• Service account creds in systemd/unit/env files
• Database creds reuse and lateral privilege impact

Module 4 — Sudo Misconfigurations

• NOPASSWD entries and wildcard abuse
• GTFOBins sudo primitives
• SETENV and env_keep based bypass paths
• sudoedit edge-cases, path injection

Module 5 — SUID/SGID Abuse

• Classic binaries (find, vim, nmap, less, awk, perl, python)
• Custom SUID binaries and unsafe library/function usage
• Relative path + environment + race opportunities
• Shared object hijacking and LD abuse cases

Module 6 — Capabilities Abuse

getcap -r / 2>/dev/null
# Example: cap_setuid on python/perl/node binaries

Understand ambient/permitted/effective sets and realistic cap-to-root chains.

Module 7 — Cron, Timers, and Scheduled Tasks

• System cron and user cron ownership mistakes
• Writable scripts/binaries executed by root
• PATH abuse in cron scripts
• systemd timers + service file weaknesses

Module 8 — Kernel Privilege Escalation

• Kernel version triage and exploit viability
• Dirty COW, Dirty Pipe class understanding
• Preconditions: namespaces, seccomp, SELinux/AppArmor
• Operational safety and crash-risk management

Module 9 — NFS, Mounts, and Filesystem Tricks

• no_root_squash abuse
• Writable mounts and sensitive bind mounts
• /etc/fstab weaknesses
• Container volume escape opportunities

Module 10 — Environment & Path Hijacking

• PATH manipulation in privileged scripts
• Unsafe relative command execution
• Editor/pager variables
• Python module path hijack

Module 11 — Services and Daemon Weaknesses

• Misconfigured web/app daemons as root
• Writable service files and restart permissions
• Insecure IPC sockets and local APIs
• Backup/maintenance services

Module 12 — Containers & Escapes

• Docker group == root implications
• Privileged containers, host mounts, /var/run/docker.sock
• Kubernetes node-level escalation basics
• LXC/LXD breakout patterns

Module 13 — AD/Linux Hybrid Context

• SSSD, keytabs, and domain trust artifacts
• Kerberos ticket handling on Linux hosts
• Credential material reuse for vertical escalation

Module 14 — Evasion, OPSEC, and Cleanup

• Minimal footprint privilege checks
• Transient shells and avoiding noisy artifacts
• Restoring modified files and logs policy awareness

Module 15 — Reporting and Proof Quality

• Evidence-driven writeups
• Root cause + impact + fix recommendations
• Reproducibility checklist for defenders

Practical Labs (Mandatory)

• 10 beginner boxes (sudo/SUID basics)
• 10 intermediate boxes (cron/caps/kernel candidates)
• 10 advanced boxes (custom binaries/containers/AD hybrid)

Final Exam Blueprint

1. Initial local enum in 5 minutes
2. Privilege hypotheses in 10 minutes
3. Exploit chain execution with backups
4. Evidence capture and mitigation notes

Conclusion

If you master this flow, you can reliably move from low-privileged Linux foothold to root with a methodical and report-ready approach.