Privilege escalation is the step in almost every real intrusion where an attacker turns a low-value foothold into full control of a machine. You land on a box as a low-privileged web user or a service account, and the actual objective, whether that's root on a Linux server or SYSTEM on a Windows host, sits behind a misconfiguration you still have to find and abuse. This guide covers how privilege escalation works on Linux and Windows, the specific techniques attackers use today, and how defenders close the gaps. Practice the whole chain yourself in HackerDNA's Network Penetration Testing course, which walks from initial foothold through post-exploitation privilege escalation on real vulnerable hosts.
This is written for people who already have a shell and want to know what to do next, not for a compliance audience that only needs a definition. Every technique below is something you can run today against an intentionally vulnerable target, and every prevention control is something a sysadmin can apply this afternoon.
TL;DR: Privilege escalation is the process of gaining higher-level access than an account or process was originally granted, moving from a low-privilege foothold to admin, root, or SYSTEM. Linux paths center on SUID binaries, sudo misconfigurations, cron jobs, and kernel exploits; Windows paths center on service misconfigurations, weak file permissions, and token impersonation. Attackers automate discovery with tools like LinPEAS and WinPEAS, then confirm exploitation by hand. Defenders close these paths with least privilege, patch cadence, and configuration review, not with one silver-bullet tool.
In this guide:
- What Is Privilege Escalation?
- Horizontal vs. Vertical Privilege Escalation
- How Privilege Escalation Attacks Work
- Linux Privilege Escalation Techniques
- Windows Privilege Escalation Techniques
- Linux vs. Windows: Quick Reference
- Real-World Privilege Escalation Vulnerabilities
- How to Prevent Privilege Escalation
- Legal and Ethical Considerations
- Frequently Asked Questions
What Is Privilege Escalation?
What is privilege escalation? Privilege escalation is gaining access to resources or capabilities that a user account, application, or process was not originally granted, typically moving from a restricted context to an administrative one. In an attack, it is the step between "I have some access" and "I have the access I actually want."
Almost no intrusion starts with root. An attacker gets in through a phished credential, a vulnerable web app, or an exposed service, and that initial access almost always comes with limited permissions: a low-privilege web server account, a standard domain user, a service account scoped to one task. Privilege escalation is what turns that narrow foothold into control of the box, and often into control of the whole network once that access enables lateral movement.
MITRE ATT&CK treats it as its own tactic, TA0004, with dozens of documented techniques mapped under it, which reflects how central this step is to nearly every real intrusion chain. In a professional engagement it typically lands during the post-exploitation phase of the penetration testing methodology, right after initial access and before lateral movement or objective completion.
Horizontal vs. Vertical Privilege Escalation
Privilege escalation splits into two directions, and the distinction matters because they exploit different classes of flaw.
Vertical Privilege Escalation
Vertical privilege escalation is moving up the privilege ladder, from a standard user to an administrator, from a web app account to root, or from a domain user to Domain Admin. This is what most people mean when they say "privesc," and it is the focus of this guide. A low-privileged user exploiting a SUID binary to get a root shell is a textbook vertical escalation.
Horizontal Privilege Escalation
Horizontal privilege escalation is gaining access to a different account at the same privilege level, not a higher one. A customer who edits the URL parameter on their own invoice page to view another customer's invoice has escalated horizontally, they still hold a regular user role, just someone else's. This overlaps heavily with broken access control and Insecure Direct Object Reference bugs on the web side, while vertical escalation lives more in the operating system, service configuration, and kernel.
How Privilege Escalation Attacks Work
Once an attacker has any shell, the process follows a predictable pattern regardless of operating system: enumerate the machine, look for a specific misconfiguration or vulnerability, exploit it, and confirm the new privilege level.
Attackers rarely enumerate an entire filesystem by hand anymore. They run an automated script such as LinPEAS on Linux or WinPEAS on Windows, which checks the machine against a long list of known misconfigurations in a couple of minutes and highlights whatever it finds in color-coded output. These scripts do not exploit anything themselves. They point at the door; you still have to open it.
In practice, on a fresh CTF box or engagement target, running LinPEAS is one of the first three commands typed after landing a shell. It rarely hands over the answer outright, but it tells you exactly where to look next, whether that is a writable cron script, a SUID binary nobody should have left there, or a kernel version with a public exploit.
Manual enumeration still matters even with automation available. Checking sudo -l, reading world-readable configuration files for stored credentials, and reviewing running processes as different users catches paths that generic scripts miss because they are specific to how that one application was set up.
- Establish the starting point. Confirm the current user, groups, and any existing sudo or capability grants before touching anything else.
- Run automated enumeration. LinPEAS or WinPEAS surfaces the obvious misconfigurations in minutes and tells you where to spend manual effort.
- Investigate flagged findings manually. Confirm each candidate path actually works before committing to it, since automated tools flag possibilities, not guarantees.
- Exploit and verify. Run the escalation and confirm the new privilege level with
idorwhoami /privbefore moving on.
Linux Privilege Escalation Techniques
Linux privilege escalation almost always traces back to one of a handful of misconfiguration categories. Learn these five and you can work through most vulnerable Linux hosts you will meet in labs or on real engagements.
SUID and SGID Binaries
A binary with the SUID bit set runs with the permissions of its owner, not the user who executes it. Find every SUID binary on the box with find / -perm -4000 -type f 2>/dev/null. Most results are legitimate system binaries like passwd, but any unexpected entry, or a legitimate binary with dangerous capabilities, is worth checking.
Once you find a SUID binary you don't recognize, check it against GTFOBins, a curated project that documents how common Unix binaries can be abused to bypass local security restrictions. If a SUID binary you found appears there, GTFOBins gives you the exact command to spawn a root shell. A classic example: if find itself has the SUID bit set, find . -exec /bin/sh -p \; -quit hands you a root shell directly, because find executes the command with its own elevated privileges.
Sudo Misconfigurations
Run sudo -l to see what the current user can execute as root without a password. A line like (ALL) NOPASSWD: /usr/bin/vim looks harmless until you check GTFOBins for vim and find that vim -c ':!/bin/sh' escapes straight to a root shell, because vim itself inherits the sudo permission and can spawn arbitrary processes. Any sudo rule for an interpreter, editor, or file manager is worth checking this way before assuming it's safe.
Cron Job Hijacking
Cron jobs that run as root but call a script the current user can write to are a direct path to root. Check /etc/crontab and /etc/cron.d/ for jobs, then check the permissions on whatever script or binary each job invokes. If a root-owned cron job runs /opt/backup.sh and that file is world-writable, appending a reverse shell one-liner to it and waiting for the next scheduled run is enough. Practice this exact path in the Cronpocalypse lab, built around a vulnerable cron configuration.
PATH Hijacking
When a root-owned script or cron job calls a binary without its full path, such as tar instead of /bin/tar, the shell resolves it by searching directories listed in $PATH in order. If an attacker-writable directory sits earlier in that search order, or gets prepended to $PATH, a malicious binary with the same name executes instead of the real one, inheriting whatever privilege the calling script ran with.
Kernel Exploits
When enumeration turns up nothing else, the kernel version itself is the last resort. Dirty COW (CVE-2016-5195) is the best-known example, a race condition in the kernel's copy-on-write memory handling that let any local user overwrite read-only files, including binaries owned by root. Kernel exploits work reliably against unpatched systems but carry real risk of crashing the target, so they are a last option on engagements and something to avoid entirely without explicit authorization to cause instability.
Windows Privilege Escalation Techniques
Windows escalation relies less on a single permission bit and more on service configuration, file permissions, and how Windows resolves paths and tokens. The core techniques below cover most vulnerable Windows hosts.
Unquoted Service Paths
When a Windows service's executable path contains spaces and is not wrapped in quotes, such as C:\Program Files\My App\service.exe, Windows tries each space-delimited segment as a potential executable in order: C:\Program.exe, then C:\Program Files\My.exe, before finally trying the full intended path. If an attacker can write to any of those parent directories, dropping a malicious Program.exe gets executed with the service's privileges, often SYSTEM, the next time the service restarts.
Weak Service Permissions
Even with a correctly quoted path, if the current user has write access to the service's binary or to its registry configuration, replacing the executable or redirecting ImagePath to a malicious binary achieves the same result. Tools like accesschk or WinPEAS enumerate exactly which services a given user can modify.
AlwaysInstallElevated
When two registry keys, HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and its HKCU counterpart, are both set to 1, any user can install an MSI package with SYSTEM privileges regardless of their own permission level. An attacker builds a malicious MSI with msfvenom, runs msiexec /quiet /qn /i malicious.msi, and gets a SYSTEM shell. Our msfvenom cheat sheet covers building payloads like this one.
Token Impersonation
Service accounts frequently hold the SeImpersonatePrivilege right, which lets a process impersonate the security token of another user that connects to it. Tools built around this technique, commonly called Potato attacks, trick a SYSTEM-level service into authenticating to a listener the attacker controls, then reuse that captured token to spawn a SYSTEM process. It is one of the most reliable escalation paths against modern, well-patched Windows services precisely because it abuses an intended feature rather than a bug.
Linux vs. Windows: Quick Reference
The two operating systems fail in different ways. Linux escalation tends to hinge on file permissions and interpreted scripts; Windows escalation tends to hinge on service configuration and token handling. Use this table to jump straight to the vector most likely to apply on your target.
| Vector | Linux | Windows |
|---|---|---|
| Elevated execution | SUID / SGID binaries | Unquoted service paths, weak service ACLs |
| Trusted-command abuse | Sudo misconfigurations + GTFOBins | AlwaysInstallElevated + LOLBAS |
| Scheduled task abuse | Writable cron jobs | Writable scheduled tasks |
| Search-order abuse | PATH hijacking | DLL hijacking |
| Identity abuse | Reused SSH keys, stored credentials | Token impersonation (Potato attacks) |
| Last resort | Kernel exploits (e.g. Dirty COW) | Kernel exploits, unpatched drivers |
| Automated enumeration | LinPEAS | WinPEAS |
Real-World Privilege Escalation Vulnerabilities
These aren't lab-only techniques. Each of the following shipped in production software for years before discovery and was actively exploited once public.
PwnKit (CVE-2021-4034) sat undiscovered in Polkit's pkexec utility for more than twelve years before Qualys disclosed it in January 2022. It worked out of the box, no special configuration required, on default installs of Ubuntu, Debian, Fedora, and CentOS, letting any local user reach root with a single crafted binary.
Dirty COW (CVE-2016-5195) exploited a race condition in how the Linux kernel handled copy-on-write memory mappings, letting an unprivileged local user write to memory-mapped files marked read-only. It affected virtually every Linux kernel version in use at the time and had been present in the kernel for nine years before a fix shipped.
PrintNightmare (CVE-2021-34527) targeted the Windows Print Spooler service, which runs as SYSTEM and is enabled by default on most Windows installs. A flaw in how it validated driver installation requests let an authenticated user install a malicious printer driver and execute code as SYSTEM. The Cybersecurity and Infrastructure Security Agency issued an emergency directive over it, a rare step reserved for vulnerabilities under active, widespread exploitation; read the full advisory on CISA's site.
How to Prevent Privilege Escalation
How do you prevent privilege escalation? No single control stops it. Prevention is a stack of configuration hygiene and monitoring that removes the specific misconfigurations attackers rely on.
- Enforce least privilege. Service accounts and application users should hold only the permissions their job requires, nothing broader "in case it's needed later."
- Audit SUID binaries and sudoers rules regularly. Remove the SUID bit from anything that doesn't need it, and never grant NOPASSWD sudo access to an interpreter, editor, or shell-capable binary.
- Patch on a real cadence. PwnKit and Dirty COW were both fixable with an update. Most successful kernel-level escalations happen on systems that were already months behind on patches.
- Quote every service path that contains spaces, and lock down write access to service binaries and their parent directories.
- Disable AlwaysInstallElevated unless a specific, documented business reason requires it, and audit for it during any Windows hardening review.
- Monitor for known abuse patterns. EDR products can flag GTFOBins-style binary abuse and Potato-style token impersonation attempts, but only if they're tuned to watch for them specifically.
When testing real applications and hosts, the fastest way to find these gaps before an attacker does is to run the same enumeration an attacker would: LinPEAS or WinPEAS, a sudoers audit, and a service permissions check, on a schedule, not just once at deployment.
Legal and Ethical Considerations
Critical reminder: Attempting privilege escalation on any system you do not own or lack explicit written authorization to test is a criminal offense. In the United States the Computer Fraud and Abuse Act (CFAA, 18 USC 1030) carries penalties of up to 10 years in federal prison per violation. The United Kingdom enforces the Computer Misuse Act 1990, and the European Union applies Directive 2013/40/EU. A misconfiguration being easy to find is not a defense for having exploited it without permission.
Every technique in this guide is exactly what a real attacker uses to turn a foothold into full compromise. The only difference between a penetration tester and a criminal running the same commands is authorization, documented in writing before the first command runs.
Practice legally in three places: bug bounty programs with published scope on platforms like HackerOne and Bugcrowd, paid engagements under a signed statement of work, and sandboxed lab platforms or CTF events built specifically to be broken. Everything above is written for those three venues only.
Frequently Asked Questions
What is privilege escalation in cyber security?
Privilege escalation is the technique attackers use to gain higher-level access than an account or process was originally granted, moving from a limited foothold to administrator, root, or SYSTEM privileges. It is a distinct tactic in the MITRE ATT&CK framework and a step in nearly every serious intrusion, since initial access rarely arrives with full control already attached.
What is the difference between horizontal and vertical privilege escalation?
Vertical privilege escalation moves a user up to a higher permission level, such as a standard account gaining root or administrator access. Horizontal privilege escalation gains access to a different account at the same permission level, such as viewing another customer's data while remaining a regular user. Vertical escalation typically exploits operating system and configuration flaws, while horizontal escalation typically exploits broken access control on the application layer.
What tools do attackers use for privilege escalation?
LinPEAS and WinPEAS automate enumeration on Linux and Windows, scanning for known misconfigurations and flagging likely escalation paths. GTFOBins and LOLBAS catalog specific binaries that can be abused for escalation once found. Attackers then confirm and exploit the flagged path manually, since these tools identify candidates rather than executing the exploit themselves.
Is privilege escalation illegal?
Performing privilege escalation on a system you do not own, or without explicit written authorization from its owner, is illegal in most jurisdictions, including under the US Computer Fraud and Abuse Act and the UK Computer Misuse Act. It is legal only within authorized bug bounty scope, a signed penetration testing engagement, or a sandboxed lab environment built for practice.
How can I practice privilege escalation legally?
Use intentionally vulnerable lab platforms and CTF challenges built for this purpose, participate in bug bounty programs within their published scope, or work under a signed authorization during a paid penetration testing engagement. HackerDNA's browser-based labs, including SUID Privilege Hunter, provide real vulnerable targets without any legal risk or local setup.
What is the most common privilege escalation vulnerability?
On Linux, misconfigured sudo rules and exploitable SUID binaries are the most frequently encountered paths in real assessments and CTFs alike, largely because they require no memory corruption skill, just careful enumeration. On Windows, unquoted service paths and weak service permissions are the most common beginner-accessible vectors, while token impersonation dominates against more hardened, well-patched targets.
Your Next Steps
Reading about SUID binaries and unquoted service paths gets you the vocabulary. Recognizing a vulnerable sudo rule or a writable cron script on a live box, under time pressure, with a scope document on the other monitor, takes repetition against real targets.
Start with the SUID Privilege Hunter lab to practice the most common Linux escalation path hands-on, then work through the full attack chain, foothold to root, in HackerDNA's Network Penetration Testing course. If you want the automated enumeration step first, our LinPEAS guide covers running and reading it in detail.
HackerDNA's free tier gives you browser-based labs with no credit card and no local setup. Get a shell, then go find the path up.
Last reviewed: July 2026.