Privilege Escalation · beginner · ~10 min

Privilege escalation: the enumeration-first mindset

Explain what privesc is, why it's enumeration-driven, and the vertical vs horizontal distinction.

Overview

Privilege escalation turns limited access into root/SYSTEM. Vertical = higher privilege (the goal); horizontal = sideways. It's enumeration-driven (find a misconfig), not usually an exploit. The universal pattern: a low-priv user controls something a high-priv context trusts.

Why it matters

Privesc is the near-universal post-foothold step, and it's overwhelmingly about configuration, not exploits — so systematic enumeration is the core skill. The unifying "trust of attacker-controlled input" lens makes the many techniques coherent.

Core concepts

  • Vertical vs horizontal: higher privilege vs same-level pivot.
  • Enumeration-first: find misconfigs (id, whoami /priv, writable paths, stored creds).
  • Universal pattern: low-priv control of a high-priv-trusted resource.
  • Defense: least privilege; don't trust writable/low-integrity inputs.

Lesson

Privilege escalation turns a limited foothold (a low-privileged user) into a powerful one (root on Linux, SYSTEM/admin on Windows). It's almost always the step right after gaining initial access.

Vertical vs horizontal

  • Vertical: gain higher privileges (user → root/SYSTEM). The main goal.
  • Horizontal: move to another account at the same level (often to reach data or set up vertical escalation).

Enumeration, not exploits

Most privesc isn't a memory-corruption exploit — it's finding a misconfiguration: a writable file a root process trusts, a sudo rule that's too broad, a stored credential. So the dominant skill is systematic enumeration:

  • Who am I, what groups, what privileges? (id / whoami /priv)
  • What can I write that something privileged reads/executes?
  • What runs as root/SYSTEM, and can I influence it?
  • What credentials are lying around?

Automated helpers (LinPEAS/WinPEAS, conceptually) sweep these checks, but understanding why each is dangerous is what lets you act on the output.
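The "what runs as root, and can I influence it?" check, turned into one concrete audit as an added example (not part of the lesson and not code from LinPEAS/WinPEAS): a POSIX sh script that reads a system-crontab-style file, takes the absolute command path of each job, and flags scripts a non-owner could modify or that do not exist yet. It runs only against a constructed fixture in a temporary directory; the job names, paths and file modes are invented for the demonstration, and the real /etc/crontab is never touched.

```shell
#!/bin/sh
# Added example, not part of the lesson: a defender-side audit for one shape of
# the privesc pattern (low-priv user controls a file a root job trusts).
# It parses a system-crontab-style file, takes the absolute command path of each
# job, and reports scripts that are group/other writable, scripts whose directory
# is world-writable without the sticky bit, and scripts that do not exist yet.
# All input is a constructed fixture in a temp directory, never the live crontab.

# perm_string PATH -> prints the 10-character mode string, e.g. -rwxr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# audit_cron CRONTAB_FILE
# One finding per line:  WRITABLE <path> | WRITABLE-DIR <dir> | MISSING <path>
audit_cron() {
    # Drop comments, blank lines and VAR=value lines; the 7th field is the command.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while read -r _min _hr _dom _mon _dow _user cmd _args; do
        # Only absolute paths are checked here; a bare command name relies on
        # cron's PATH, which is a separate audit.
        case "$cmd" in /*) ;; *) continue ;; esac

        if [ ! -e "$cmd" ]; then
            # A referenced-but-absent script can be created by whoever can
            # write its directory, so it is worth reporting.
            printf 'MISSING %s\n' "$cmd"
            continue
        fi

        perms=$(perm_string "$cmd")
        # Position 6 = group write bit, position 9 = other write bit.
        if [ "$(printf '%s' "$perms" | cut -c6)" = "w" ] ||
           [ "$(printf '%s' "$perms" | cut -c9)" = "w" ]; then
            printf 'WRITABLE %s\n' "$cmd"
        fi

        # A world-writable directory without the sticky bit lets anyone replace
        # the script even when the file itself is locked down.
        dir=$(dirname "$cmd")
        dperms=$(perm_string "$dir")
        if [ "$(printf '%s' "$dperms" | cut -c9)" = "w" ]; then
            case "$(printf '%s' "$dperms" | cut -c10)" in
                t|T) ;;
                *) printf 'WRITABLE-DIR %s\n' "$dir" ;;
            esac
        fi
    done
}

# make_fixture -> prints the path of a temp dir holding a constructed crontab and
# scripts: backup.sh is 0755 (fine), cleanup.sh is 0777 (anyone can edit what
# root runs), rotate.sh is referenced but absent. All names are invented.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" && chmod 755 "$d/bin"
    printf '#!/bin/sh\necho backup\n'  > "$d/bin/backup.sh";  chmod 755 "$d/bin/backup.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$d/bin/cleanup.sh"; chmod 777 "$d/bin/cleanup.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
0 2 * * * root $d/bin/backup.sh --full
*/5 * * * * root $d/bin/cleanup.sh
30 3 * * 0 root $d/bin/rotate.sh
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, audit it, clean up.
fixture=$(make_fixture)
audit_cron "$fixture/crontab"
rm -rf "$fixture"
```

The same three questions (is the file writable by a non-owner, is its directory replaceable, does the target even exist) apply to anything in the "runs as root" bucket: init and systemd unit paths, sudo rule targets, scheduled tasks. A group-writable finding still needs a look at who is in that group before it counts as a misconfiguration.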

The recurring pattern

Every technique in this track is one shape of the same idea: a low-privileged user controls something a high-privileged context trusts. Find that, and you escalate. The defenses are the inverse: least privilege, and never trusting writable/low-integrity inputs in a high-privilege process.

Summary

Privilege escalation converts a foothold into root/SYSTEM, mostly by enumerating misconfigurations rather than exploiting bugs. Every technique is the same pattern — high-privilege code trusting something a low-privilege user controls — and least privilege is the inverse defense.
