Privilege Escalation Explained: Vertical & Horizontal Privileges in Linux & Windows

🧠 What Is Privilege Escalation?

Privilege escalation is the process by which a user gains elevated access to resources that are normally restricted. In cybersecurity, it refers to attackers exploiting weaknesses to go from limited access (e.g., a low-level user) to higher-level control, such as a system administrator or root.

There are two primary types:

  • Vertical Privilege Escalation: Moving from a lower privilege level to a higher one (e.g., user → admin)

  • Horizontal Privilege Escalation: Accessing resources or accounts at the same privilege level (e.g., user1 → user2)

Privilege escalation is often the second phase of an attack — it doesn’t get the attacker in the door, but it gives them the keys to everything inside.


🚨 Why It Matters

Once inside a system, attackers need more power to:

  • Disable security tools

  • Harvest credentials

  • Access sensitive files

  • Install persistent malware

  • Pivot across networks

Even the most sophisticated attacks (like SolarWinds, NotPetya, and the LAPSUS$ intrusions) involved privilege escalation to move from one machine or role to another.

Understanding privilege escalation helps:

  • Red teamers know where to probe

  • Blue teamers know what to patch and detect

  • SOC analysts detect lateral movement and exploitation

  • Students build better CTF strategies


🛠️ Common Privilege Escalation Techniques

Let’s break it down into two major environments: Windows and Linux.


💻 Windows Privilege Escalation Techniques

1. Unquoted Service Paths

If a service's binary path contains spaces and isn't quoted, Windows tries each space-delimited prefix of the path in turn before reaching the real executable. An attacker who can write to one of those earlier locations can place a malicious binary there, and the service will launch it with the service's privileges.

Tool to check: accesschk.exe

2. AlwaysInstallElevated

When the AlwaysInstallElevated value is enabled in both of the registry keys below, any user can install .msi packages with SYSTEM privileges, so attackers can install a malicious .msi to gain SYSTEM.

Registry Keys to check:

HKCU\Software\Policies\Microsoft\Windows\Installer
HKLM\Software\Policies\Microsoft\Windows\Installer

3. Weak Permissions on Services

Services with writable binaries or configs can be hijacked.

Tools to check: sc qc [service_name], accesschk.exe

4. DLL Hijacking

Windows searches for DLLs in predictable paths. If an attacker places a malicious DLL in a writable directory, it may be loaded by a privileged process.

5. Token Impersonation (SeImpersonatePrivilege)

Accounts holding SeImpersonatePrivilege (typically service accounts such as those used by IIS or SQL Server) are targeted by tools like RottenPotato, JuicyPotato, and PrintSpoofer to impersonate a SYSTEM token.

6. Abusing Scheduled Tasks

Misconfigured tasks running as SYSTEM with writable paths can be replaced.


๐Ÿง Linux Privilege Escalation Techniques

1. SUID Binaries

Files with the SUID bit run with the owner’s privileges (often root). Attackers search for insecure ones.

find / -perm -4000 2>/dev/null

2. Misconfigured Cron Jobs

If cron executes scripts from writable locations or with weak permissions, they can be abused.

ls -la /etc/cron*

3. Writable /etc/passwd or /etc/shadow

If either file is writable by an unprivileged user, new accounts or password hashes can be added, which grants elevated access.

4. Kernel Exploits

If the kernel is outdated, local privilege escalation (LPE) exploits like DirtyCow, DirtyPipe, or OverlayFS may work.

5. Environment Variables Abuse

Some binaries rely on LD_PRELOAD, PATH, or other environment variables that can be hijacked.

6. Password Reuse

Once one user is compromised, password reuse can allow horizontal escalation across other user accounts or services.


๐Ÿ” Tools for Privilege Escalation Discovery

🔧 Windows:

  • WinPEAS – Enumerates common privilege escalation paths

  • PowerUp.ps1 – PowerShell tool for escalation enumeration

  • Seatbelt – Gathers system information for red teamers

🔧 Linux:


🧪 Practical Example: Linux SUID Abuse

Let’s say we find this:

-rwsr-xr-x 1 root root 10352 Jan 1 10:00 /usr/bin/find

You can escalate with:

/usr/bin/find . -exec /bin/sh \; -quit

Why? Because find runs with root's effective UID, and its -exec option runs arbitrary commands, so the shell it spawns inherits that privilege.
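From the defender's side, the SUID section above and the "Audit SUID/SGID files" advice below both come down to one check: which set-id files exist, and which of them are not supposed to be there. The following Python script is an added example, not code from the original post; it walks a tree the way find / -perm -4000 does and compares the result with a known-good baseline. BASELINE is an assumed allowlist and SAMPLE is a constructed scan result that includes the SUID find binary from the example.

```python
import os
import stat

# Assumption: baseline of set-id binaries expected on this host, taken from a
# known-good image of the same distribution. Adjust per system.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def is_setid(mode):
    """True if `mode` describes a regular file with the SUID or SGID bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_setid(root):
    """Walk `root` (like find / -perm -4000) and yield (path, mode, uid) for
    every set-id regular file; unreadable entries are skipped."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if is_setid(st.st_mode):
                yield path, st.st_mode, st.st_uid


def audit(entries, baseline):
    """Flag set-id files that are not in the baseline. A root-owned SUID file
    is rated high (it runs as root); anything else is rated medium. Baseline
    entries that were not found are reported too, since a missing one may
    mean the scan did not cover the right tree."""
    report = {"unexpected": [], "missing": []}
    seen = set()
    for path, mode, uid in entries:
        seen.add(path)
        if path not in baseline:
            severity = "high" if (uid == 0 and mode & stat.S_ISUID) else "medium"
            report["unexpected"].append((path, severity))
    report["missing"] = sorted(baseline - seen)
    return report


# Constructed sample of what scan_setid() might return on a host where
# /usr/bin/find was given the SUID bit (the situation in the example above).
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/find", 0o104755, 0),             # root SUID, not in baseline
    ("/usr/local/bin/backup", 0o102755, 1000),  # SGID, non-root owner
]

if __name__ == "__main__":
    print(audit(SAMPLE, BASELINE))        # constructed data
    print(audit(scan_setid("/usr"), BASELINE))  # live scan of /usr
```

Run the live scan as a scheduled job and alert on any non-empty "unexpected" list; a newly appearing root-owned SUID binary is exactly the change the practical example relies on.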


🛡️ How to Defend Against Privilege Escalation

  1. Patch and update regularly — kernel exploits often rely on old versions

  2. Harden service configurations

  3. Audit SUID/SGID files and startup scripts

  4. Use endpoint detection (EDR/XDR) to monitor abnormal process behavior

  5. Least privilege — users should never run as admin/root unless needed

  6. Monitor logs for unusual user or service activity


📚 Learn More


📊 Final Thoughts

Privilege escalation is not about luck — it’s about knowledge, enumeration, and creativity. Whether you’re:

  • Breaking into a system in a red team simulation

  • Defending a real network as blue team

  • Practicing CTFs or hack labs

You must learn to think like an attacker — and defend like one too!
