Privilege Escalation · intermediate · ~12 min
Abuse (in labs) over-broad sudo rules and SUID binaries, and state the fixes.
Over-broad sudo rules (tools like vim/less/find that can spawn shells — GTFOBins) and SUID binaries (run as owner/root) are the top Linux escalation routes. Fixes: least-privilege sudo (specific commands, env reset, no editable NOPASSWD scripts) and minimising/auditing SUID binaries.
sudo and SUID misconfigurations are the most frequently exploited Linux privesc paths, and the GTFOBins pattern (a 'normal' tool that can run commands) recurs constantly. The fixes are concrete least-privilege measures.
sudo -l. Lists allowed commands; wildcards/extra binaries are dangerous.
GTFOBins. Common tools that spawn shells/read files.
SUID. Runs as owner (root); enumerate with find -perm -4000.
env leaks. Preserved LD_PRELOAD.
Fix. Specific sudo grants, env reset, minimal/audited SUID.
Two of the most common Linux escalation routes, both rooted in programs that run as root on a normal user's behalf.
sudo -l lists what you may run as another user. Dangerous cases:
- (ALL) NOPASSWD: /usr/bin/vim — vim can spawn a root shell (:!/bin/sh). Many "harmless" tools (less, awk, find, tar, python) can run commands or read any file; the GTFOBins project catalogs these.
- sudo env-var leaks (LD_PRELOAD/LD_LIBRARY_PATH preserved) → load a malicious library.

A SUID binary runs as its owner (often root) regardless of who launches it. find / -perm -4000 2>/dev/null lists them. Risk:

- system()/relative paths (exactly the platform's secure-coding C exercises).

Fix: secure_path set, env reset (default), no NOPASSWD on editable scripts.

Linux escalation via sudo and SUID exploits programs running with root authority on a user's behalf — often through GTFOBins-style tools. Defend with least-privilege sudo, environment resets, and minimising/auditing SUID binaries.
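As an added example (not code from the lesson), the checks above turned into an audit script: it flags the sudoers patterns the lesson calls dangerous (shell-capable tools, LD_* kept through env_keep, NOPASSWD on scripts, an unrestricted ALL, a missing secure_path) and diffs a SUID listing against an expected baseline. The sudoers text, the SUID listing, the baseline and the tool list are constructed assumptions, not data from any real host.

```shell
#!/bin/sh
# Added example (not from the lesson): audit sudoers text and a SUID listing for the
# risky patterns described above; every sample value below is constructed.
SAMPLE_SUDOERS='Defaults env_keep += "LD_PRELOAD"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL=(ALL) NOPASSWD: /usr/bin/vim
bob ALL=(ALL) /usr/bin/systemctl restart nginx
carol ALL=(ALL) NOPASSWD: /opt/scripts/backup.sh
dave ALL=(ALL) ALL
'
# Tools the lesson names as able to spawn shells or read files when run via sudo.
SHELL_CAPABLE='vim vi less awk find tar python python3'
# audit_sudoers: sudoers text on stdin -> one tagged finding per line on stdout.
audit_sudoers() {
  awk -v tools="$SHELL_CAPABLE" '
    BEGIN { n = split(tools, t, " "); for (i = 1; i <= n; i++) danger[t[i]] = 1 }
    /^#/ || /^[ \t]*$/ { next }                       # comments, blank lines
    /^Defaults/ && /env_keep/ && /LD_(PRELOAD|LIBRARY_PATH)/ { print "ENV_KEEP_LD: " $0 }
    /^Defaults/ && /secure_path/ { has_sp = 1 }
    /^Defaults/ { next }
    {
      if ($0 ~ /[ \t]ALL[ \t]*$/) print "UNRESTRICTED: " $0   # may run anything
      for (i = 3; i <= NF; i++) {                     # fields after "user HOST=(runas)"
        cmd = $i; sub(/^.*\//, "", cmd); sub(/,$/, "", cmd)
        if (cmd in danger) { print "SHELL_CAPABLE(" cmd "): " $0; break }
      }
      if (/NOPASSWD/ && /\.(sh|py|pl)([ \t]|$)/) print "NOPASSWD_SCRIPT: " $0
    }
    END { if (!has_sp) print "NO_SECURE_PATH: secure_path is not set" }'
}
# Constructed output of: find / -perm -4000 -type f 2>/dev/null
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/opt/legacy/backup_helper
'
# Assumed baseline of SUID binaries expected on this image (illustrative only).
SUID_BASELINE='/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount'
# audit_suid: SUID paths on stdin -> paths missing from the baseline on stdout.
audit_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case " $SUID_BASELINE " in *" $path "*) ;; *) printf 'UNEXPECTED_SUID: %s\n' "$path" ;; esac
  done
}
printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
printf '%s' "$SAMPLE_SUID" | audit_suid
```

On a real host, feed the functions the output of sudo -l (or /etc/sudoers and /etc/sudoers.d/*) and of the find command, and keep the baseline under version control so that a new SUID binary shows up as a diff.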