Elevation - Rising from the Mud

Getting in is not enough. You have to rise. You have to take control.

Accessing a system doesn't mean you've won. You're inside, yes, but chained. The real game begins when you need more. More permissions. More control. More power.

That's what privilege escalation is. And this lesson is a map to find the cracks in a structure built by hands that make mistakes.

What is Privilege Escalation?

Privilege escalation happens when a user with limited access manages to perform actions reserved for higher-privileged accounts, such as root.

Types:

  • Vertical Escalation: From an unprivileged user to a privileged user (root).
  • Horizontal Escalation (or lateral movement): Moving from one user to another with the same permissions. Useful if the other user has access to files, credentials, or vulnerable configurations.

Why it happens

Because systems are configured by humans.
And humans make mistakes.

Common mistakes that allow escalation:

  • Poorly defined permissions on binaries or files.
  • Files with the SUID bit set unnecessarily.
  • Unrestricted or passwordless sudo access.
  • Poorly implemented scripts or services.
  • Weak, predictable, or reused passwords.

SUID: The Razor's Edge

The SUID (Set User ID) bit, when set on an executable file, makes the program run with the file owner's permissions, no matter which user launches it.

For example:

    ls -l /usr/bin/passwd
    -rwsr-xr-x 1 root root 54256 Jan 1 00:00 /usr/bin/passwd

The s in place of the owner's x means the SUID bit is set.
The passwd binary needs to modify /etc/shadow, but normal users don't have that permission. SUID allows this action in a controlled way.

But when custom or insecure binaries have this bit... unexpected paths open up.

How to identify SUID binaries

    find / -perm -4000 -type f 2>/dev/null

If you find a binary owned by root, with SUID, and you can execute it… you know what to do.

What about sudo?

sudo allows users to run commands with elevated privileges, usually as root. Depending on the configuration in /etc/sudoers, there may be escalation opportunities.

Example of a bad configuration:

    carla ALL=(ALL) NOPASSWD: /usr/bin/less

This allows the user carla to run less as root, without authentication. And from there, you can launch an interactive shell:

    sudo less /etc/shadow
    !bash
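
The following added example, not code from the original lesson, audits sudoers text for grants like the one above: interactive programs or ALL, with NOPASSWD noted as an aggravating factor. The INTERACTIVE set, the users dave, erin and %admin, and every sample rule other than carla's are assumptions constructed for illustration.

```python
import re

# Assumption: illustrative, non-exhaustive set of interactive programs
# (pagers, editors, shells, interpreters) that can start other commands.
INTERACTIVE = {"less", "more", "man", "vi", "vim", "nano", "sh", "bash", "python3"}
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")
OPPOSITE = {"PASSWD": "NOPASSWD", "EXEC": "NOEXEC"}

def audit_sudoers(text):
    """Return (who, command, reasons) per risky grant; aliases and includes are not resolved."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()             # drop comments
        m = RULE.match(line)
        if not m or m[1].startswith("Defaults") or m[1].endswith("_Alias"):
            continue
        who, runas, tags = m[1], m[3] or "root", set()
        for cmd in (c.strip() for c in m[4].split(",")):
            while (t := TAG.match(cmd)):                 # tags carry over to later commands
                tags = (tags - {OPPOSITE.get(t[1])}) | {t[1]}
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):           # negated entries grant nothing
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            reasons = []
            if cmd == "ALL":
                reasons.append(f"every command allowed as {runas}")
            elif prog in INTERACTIVE and "NOEXEC" not in tags:
                reasons.append(f"interactive program runs as {runas} without NOEXEC")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append((who, cmd, reasons))
    return findings

# Constructed sample; only the carla line comes from the lesson.
SAMPLE = """\
Defaults env_reset
carla  ALL=(ALL) NOPASSWD: /usr/bin/less
dave   ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
erin   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \\
       /usr/bin/vim /etc/nginx/nginx.conf
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for who, cmd, reasons in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} -> {'; '.join(reasons)}")
```

NOEXEC only stops the program from executing further commands; it does not narrow which files the program can open as the target user.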

Lateral movement

If you can't go up, move sideways.

With access to multiple users, you can:

  • Check .bash_history, .ssh/, Documents/, Downloads/.
  • Look for passwords in forgotten files.
  • Find access tokens, configuration files, or internal services.

A different user may have weaker configurations or access to sensitive tools.

Corporate environments: noise and empty structures

It's common to find folder hierarchies like:

  • Accounting
  • Financial
  • Team
  • Human Resources
  • Support

Their purpose may be purely aesthetic or to distract. The goal is to throw you off.
The real information—if it exists—is not there.
Look for files with users, passwords, or strange binaries.

Quick diagnosis: Privilege escalation checklist

Privilege escalation is one of the most critical phases of ethical hacking. It means taking control, seeing the system as the administrator does, and removing limitations.

The system let you in. Now you show it that was a mistake.