Privilege escalation
⏱ ~3-min readAceMark GuideWhat this topic is really about
python -c 'import pty; pty.spawn("/bin/bash")' spawns a pseudo-terminal, the first step to a stable interactive shell (often combined with stty raw -echo). python -m http.server hosts files for transfer, and the other commands do nothing useful for shell upgrading.
WinPEAS enumerates Windows hosts for privilege-escalation paths (misconfigurations, weak permissions, stored credentials). Wireshark sniffs traffic, Burp tests web apps, and msfvenom generates payloads — none are dedicated privesc enumeration scripts.
See the mechanism
find -exec runs a command for each match. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
On a Linux box the SUID bit is set on /usr/bin/find. How can an attacker exploit this for privilege escalation?
- Identify what the question tests: On a Linux box the SUID bit is set on /usr/bin/find..
- find -exec runs a command for each match.
- With SUID set and -p preserving effective UID, /bin/sh runs as root.
- The other options enumerate but do not escalate.
- GTFOBins documents this technique for find.
Traps the examiner sets
- The other options enumerate but do not escalate.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Privilege escalation and see it stick.
Practice more of this topic →