PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 12 min read

Linux Privilege Escalation Audit: The 12-Point Checklist That Finds the Misconfigurations Attackers Exploit to Reach Root

SUID
Set User ID binaries run with the file owner's permissions (often root) regardless of who executes them -- non-standard SUID binaries are a common privilege escalation path
NOPASSWD
in a sudo rule allows a user to run the specified command as root without entering a password -- any NOPASSWD sudo rule on a command listed in GTFOBins is an immediate escalation path
CAP_SYS_ADMIN
is the most dangerous Linux capability -- it encompasses dozens of privileged operations and is nearly equivalent to root when granted to a process or binary
linPEAS
is the most widely used automated Linux privilege escalation enumeration script -- run it as the low-privilege user to surface most findings covered in this checklist

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Linux privilege escalation audits are most useful when run from the perspective of the lowest-privilege account that can access the system -- typically the application service account. The assumption is that an attacker has already compromised that account (via a web application vulnerability, for example) and is attempting to escalate to root. The following 12 checks cover the categories that consistently yield escalation paths on production systems.

Checks 1-4: SUID, SGID, and Capabilities

Check 1: Non-standard SUID binaries

# Find all SUID binaries (run as file owner's UID when executed)
find / -perm -u=s -type f 2>/dev/null | sort

# Compare against expected SUID binaries for this distro
# Expected on most systems: /usr/bin/sudo, /usr/bin/passwd, /usr/bin/su, /usr/bin/newgrp
# UNEXPECTED: /usr/local/bin/python3, /usr/bin/vim, /usr/bin/find, /usr/bin/nmap

Check every non-standard SUID binary at GTFOBins (https://gtfobins.github.io). Any binary listed there with an SUID entry can be used to read files as root or spawn a root shell.

Check 2: SGID binaries with group write access

find / -perm -g=s -type f 2>/dev/null | sort
# SGID binaries run with the group's GID -- less common escalation but check group memberships

Check 3: Binaries with dangerous capabilities

# List all files with Linux capabilities set
getcap -r / 2>/dev/null
# High-risk capabilities:
# cap_setuid+ep -- allows setting any UID (root access)
# cap_net_raw+ep -- allows raw socket access (packet capture, ARP spoofing)
# cap_sys_admin+ep -- near-root equivalent
# Example dangerous finding:
# /usr/bin/python3 = cap_setuid+ep  <-- python can setuid(0) and execute /bin/sh

Check 4: Writable SUID binary directory

# Find directories containing SUID binaries that are world-writable
for suid in $(find / -perm -u=s -type f 2>/dev/null); do
    dir=$(dirname $suid)
    ls -ld $dir | grep -E "^.......w"
done
# If a directory containing a SUID binary is world-writable, an attacker can
# replace the binary with a malicious version

Checks 5-7: Sudo Configuration

Check 5: Read the sudoers configuration

# List sudo rules for the current user
sudo -l

# Read full sudoers file (requires read access to /etc/sudoers)
cat /etc/sudoers 2>/dev/null
cat /etc/sudoers.d/* 2>/dev/null

High-risk sudo patterns:

  • (ALL) NOPASSWD: ALL -- full root access without a password
  • (ALL) NOPASSWD: /usr/bin/vi -- vi can escape to shell: :!sh
  • (ALL) NOPASSWD: /usr/bin/find -- GTFOBins: sudo find . -exec /bin/sh \;
  • (ALL) NOPASSWD: /usr/bin/python* -- sudo python3 -c 'import pty; pty.spawn("/bin/sh")'
  • (ALL) NOPASSWD: /usr/bin/tee -- can overwrite any file as root by piping content

Check 6: Sudo version vulnerability

sudo --version
# CVE-2021-3156 (Baron Samedit): sudo < 1.9.5p2 -- heap overflow leading to root
# CVE-2019-14287: sudo < 1.8.28 -- -1 UID bypass (sudo -u#-1 command)
# If vulnerable version found, check if the CVE applies to this distro's patched version

Check 7: LD_PRELOAD abuse via sudo (env_keep)

# Check if sudo preserves LD_PRELOAD
sudo -l | grep LD_PRELOAD
# If env_keep includes LD_PRELOAD, a malicious shared library can be injected:
# cat evil.c: void _init() { setuid(0); system("/bin/bash"); }
# gcc -fPIC -shared -o /tmp/evil.so evil.c -nostartfiles
# sudo LD_PRELOAD=/tmp/evil.so [any allowed command]
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Checks 8-9: Cron Jobs and Scheduled Tasks

Check 8: World-writable scripts executed by root cron

# List all cron jobs (system-wide)
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
crontab -l  # Current user's crontab

# For each script executed by root cron, check if it is writable by low-privilege users:
find /etc/cron* -type f 2>/dev/null | xargs ls -la

# Check if the script itself is writable
ls -la /path/to/cron-script.sh
# If writable by current user: append malicious command to escalate

# Also check if the directory containing the script is writable
# (allows replacing the script with a malicious version)
ls -ld $(dirname /path/to/cron-script.sh)

Check 9: Cron PATH manipulation

# Check the PATH in /etc/crontab
grep PATH /etc/crontab
# If PATH includes user-writable directories before system directories,
# creating a malicious binary with the same name as a cron-called command
# in the writable directory will execute it as root

Checks 10-11: File Permissions and PATH Hijacking

Check 10: World-writable files owned by root

# Find world-writable files owned by root (high risk: modifying them affects root operations)
find / -writable -user root -type f 2>/dev/null | grep -v '/proc\|/sys'

# Find world-writable directories in system paths
find /etc /usr /bin /sbin -writable -type d 2>/dev/null

Check 11: PATH hijacking opportunities

# Check the current user's PATH for writable directories
echo $PATH | tr ':' '\n' | while read dir; do
    if [ -w "$dir" ]; then
        echo "WRITABLE: $dir"
    fi
done

# Check root's PATH via sudo or SUID context
# If a script run as root uses relative command calls (e.g., 'curl' without full path /usr/bin/curl)
# and the script's working directory is writable, a malicious 'curl' binary
# in that directory will execute as root

# Find scripts in PATH that call binaries without full paths
grep -r '\bawk\b\|\bsed\b\|\bcut\b\|\bcurl\b\|\bwget\b' /usr/local/bin/ 2>/dev/null |
    grep -v '/usr/bin\|/bin\|/usr/local/bin'

Check 12: Sensitive files with weak permissions

# Check /etc/passwd and /etc/shadow permissions
ls -la /etc/passwd /etc/shadow /etc/group
# /etc/shadow should be: -r-------- (readable only by root)
# If /etc/shadow is world-readable: hashcat/john can crack the hashes offline

# Find SSH private keys that are world-readable
find / -name 'id_rsa' -o -name 'id_ecdsa' -o -name '*.pem' 2>/dev/null | 
    xargs ls -la 2>/dev/null | grep -v '\-r[\-][\-][\-][\-][\-][\-][\-][\-][\-]'

# Find .bash_history files containing passwords
find / -name '.bash_history' -readable 2>/dev/null | 
    xargs grep -l 'password\|passwd\|secret\|api_key' 2>/dev/null

Remediation Priority and Automated Tooling

Remediation priority order:

  1. NOPASSWD sudo on any GTFOBins-listed binary: Immediate -- remove or restrict the rule
  2. Non-standard SUID binaries: Remove SUID bit if not required: chmod u-s /path/to/binary
  3. Dangerous capabilities: Remove with: setcap -r /path/to/binary
  4. Writable root cron scripts: Fix permissions: chmod 750 /path/to/script; chown root:root /path/to/script
  5. World-readable /etc/shadow: Fix: chmod 640 /etc/shadow; chown root:shadow /etc/shadow

For automated discovery, run linPEAS as the low-privilege user:

# Download and run linPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash 2>/dev/null | tee /tmp/linpeas-output.txt

# Or run from memory without writing to disk
curl -sL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash

linPEAS colorizes findings by severity (red = highly likely PE vector, yellow = interesting). Review all red findings first. Add linPEAS scans to your vulnerability management program for production servers -- run it under the application service account to reflect the realistic attacker perspective.

The bottom line

Linux privilege escalation paths cluster around four misconfiguration categories: SUID/capability binaries that are on GTFOBins, NOPASSWD sudo rules on exploitable commands, cron scripts that are writable or call binaries without full paths, and world-writable sensitive files. Run these 12 checks from the application service account's perspective on every production server. Automated tools like linPEAS accelerate discovery but do not replace understanding of why each finding is exploitable.

Frequently asked questions

Which Linux privilege escalation technique is most commonly found in real production environments?

In production server audits, the most common finding is overly permissive sudo rules -- specifically NOPASSWD rules on commands like vim, find, python, or custom scripts that were added for operational convenience and never reviewed. The second most common is non-standard SUID binaries (such as a development tool that was installed with SUID for local testing and never removed). GTFOBins exploitation of these findings is well-documented and exploitable without any exploit code.

How do I monitor for privilege escalation attempts on production Linux servers?

Enable auditd and configure rules to monitor: `sudo` command execution (all executions, not just failures), SUID binary execution attempts, and `/etc/passwd` and `/etc/shadow` access. Key auditd rules: `-a always,exit -F arch=b64 -S execve -F uid!=0 -k exec_as_user` and `-w /etc/passwd -p wa -k passwd_changes`. Forward auditd logs to your SIEM and alert on: non-root users executing commands as root via sudo, modifications to /etc/sudoers, and any process setting UID to 0.

How do I safely remove a SUID bit that may be needed by a legitimate application?

Before removing a SUID bit, verify which applications use the binary: `lsof | grep binary-name`, check package manager documentation for the binary's purpose, and if possible test in a staging environment. For critical binaries like `passwd` (requires SUID to modify /etc/shadow), removing SUID breaks the application. Use `chmod u-s` to remove and monitor for application errors. If application breaks occur, restore with `chmod u+s` and document the business justification for the SUID bit in your exception register.

Is running linPEAS safe to run on production servers?

linPEAS is a read-only enumeration script -- it does not exploit vulnerabilities or modify system state. It reads configuration files, checks permissions, and queries running processes. The risks of running it on production are: it may trigger security monitoring alerts (the file reads and process queries are distinctive), it writes its output to /tmp by default (which may be monitored), and on very resource-constrained servers the scanning activity may briefly increase CPU usage. Run it during a maintenance window or low-traffic period, and notify your security monitoring team in advance to avoid incident response triggers.

What is the most common Linux privilege escalation path found in enterprise environments?

Misconfigured sudo rules are the most common enterprise Linux privilege escalation path. The pattern: a service account or developer account has a sudo entry allowing execution of a specific command (e.g., `someuser ALL=(ALL) NOPASSWD: /usr/bin/vim`), and an attacker or auditor discovers that the allowed command can spawn a shell (vim can run `:!bash`, python can run `os.system('/bin/sh')`, find can use `-exec`). GTFOBins (gtfobins.github.io) catalogs which commands can be abused for privilege escalation when run with elevated privileges. Audit your sudoers configuration quarterly using `sudo -l` for each non-root account and cross-reference against GTFOBins.

How do SUID/SGID binaries create privilege escalation risk and how do I audit for them?

SUID (Set User ID) binaries run with the file owner's permissions rather than the calling user's permissions. If a binary owned by root has the SUID bit set, any user who can execute it runs it as root. Many legitimate SUID binaries exist on Linux systems (passwd, ping, sudo itself). The risk arises when custom or third-party binaries have SUID set unnecessarily, or when a SUID binary has a vulnerability that allows the calling user to influence its execution in unintended ways. Audit SUID binaries with: `find / -perm -4000 -type f 2>/dev/null` for SUID and `find / -perm -2000 -type f 2>/dev/null` for SGID. Compare the results against a known-good baseline from a clean system installation. Any SUID binary not on the baseline is a finding. Remove SUID bits from any binary that does not require it: `chmod u-s /path/to/binary`. Custom application binaries should never have SUID set -- use sudo rules or capability-based privilege (setcap) instead.

Sources & references

  1. GTFOBins: Unix binaries that can bypass local security restrictions
  2. PayloadsAllTheThings: Linux Privilege Escalation
  3. CIS: CIS Distribution Independent Linux Benchmark

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.