Privilege Escalation is a cybersecurity threat where an attacker gains higher access levels in a system than they are authorized to have. This could mean gaining administrator (root) access or elevating privileges from a regular user to a system-level user.
Attackers often use vulnerabilities, misconfigurations, or stolen credentials to perform privilege escalation. Ethical hackers and penetration testers simulate these attacks to find and fix security weaknesses before malicious hackers exploit them.
1. Types of Privilege Escalation
Privilege escalation attacks fall into two main categories:
A. Vertical Privilege Escalation (Privilege Elevation)
The attacker gains higher-level access than intended.
Example: A normal user becomes an admin or a guest user gains root access.
Example Attack Scenario:
- A hacker exploits a Windows Local Privilege Escalation (LPE) vulnerability to gain SYSTEM privileges.
Mitigation:
- Use least privilege access (only allow necessary permissions).
- Apply security patches and updates regularly.
B. Horizontal Privilege Escalation
The attacker gains access to another user’s account without increasing privilege levels.
Example: A hacker hijacks another user’s account with similar privileges.
Example Attack Scenario:
- A hacker uses session hijacking to access another user’s online banking account.
Mitigation:
- Implement multi-factor authentication (MFA).
- Use session expiration and re-authentication policies.
2. Common Privilege Escalation Techniques
A. Exploiting Software Vulnerabilities
1. Kernel Exploits
Attackers exploit unpatched vulnerabilities in the operating system’s kernel to gain root access.
Example Exploit:
- Linux privilege escalation via Dirty COW (CVE-2016-5195) – A race condition in the kernel's copy-on-write handling let unprivileged users write to files they could only read.
Mitigation:
- Apply OS and kernel patches promptly, and reboot (or live-patch) so the fixed kernel is actually running.
2. Buffer Overflow Attacks
Attackers write past the end of a buffer to overwrite adjacent memory (such as a saved return address) and execute arbitrary code with the privileges of the vulnerable program; when that program is setuid root or a system service, the code runs as root.
Example Exploit:
- Sudo vulnerability (CVE-2019-18634) – Allowed a low-privilege user to execute commands as root.
Mitigation:
- Enable Address Space Layout Randomization (ASLR), stack protection and non-executable memory (NX/DEP); these raise the cost of exploitation but do not remove the bug, so the affected software still needs patching.
3. DLL Injection and Hijacking (Windows)
Attackers inject malicious Dynamic Link Libraries (DLLs) into processes to execute code with higher privileges.
Example Exploit:
- A malicious DLL placed where a privileged process searches for a legitimate one (DLL search-order hijacking) is loaded and runs with that process's rights.
Mitigation:
- Require signed binaries and DLLs, load libraries by absolute path with a safe search order, and monitor processes for unexpected module loads.
B. Misconfigured System Permissions
1. Weak File Permissions
Files the system trusts but that unprivileged users can write let attackers modify them to gain higher privileges.
Example Exploit:
- A world-writable /etc/passwd file in Linux allows attackers to add a new account with UID 0, i.e. a new root user.
Mitigation:
- Enforce correct ownership and permissions on system files and use file integrity monitoring (FIM) tools to detect changes.
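The /etc/passwd scenario above, as an added example (not code from the original article): a file-integrity-style check that compares a passwd file against a known-good baseline and reports entries that are root-equivalent (UID 0 but not root) or passwordless. SAMPLE_BASELINE and SAMPLE_TAMPERED are constructed inputs; the function names are this example's own.

```python
"""Check a passwd file for root-equivalent or passwordless accounts and
detect changes against a known-good baseline.

Added example, not code from the original article. SAMPLE_* texts are
constructed; the checks are the ones a file integrity monitor would run on
/etc/passwd once it sees the file change.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" or "*": hash lives in /etc/shadow; "": no password at all
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text into PasswdEntry records (7 colon-separated fields)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def suspicious_entries(entries):
    """Return (account, reason) pairs for entries that grant root or skip authentication."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if e.password == "":
            findings.append((e.name, "empty password field: login without a password"))
    return findings


def digest(text):
    """Baseline fingerprint of the file contents, as a FIM tool would store it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check(baseline_text, current_text):
    """FIM-style check: did the file change, and what is suspicious in it now?"""
    return {
        "changed": digest(current_text) != digest(baseline_text),
        "findings": suspicious_entries(parse_passwd(current_text)),
    }


# Constructed sample: a clean file and a copy with two appended entries.
SAMPLE_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_TAMPERED = SAMPLE_BASELINE + """\
backdoor:x:0:0::/root:/bin/bash
svc::1001:1001::/var/lib/svc:/bin/sh
"""

if __name__ == "__main__":
    result = check(SAMPLE_BASELINE, SAMPLE_TAMPERED)
    print("changed:", result["changed"])
    for account, reason in result["findings"]:
        print(f"{account}: {reason}")
```

A real deployment would store the baseline digest off-host and run the check whenever the file's mtime or inode changes; parsing the file rather than only hashing it is what turns "something changed" into an actionable alert.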
2. Scheduled Tasks and Services Abuse
Attackers modify scheduled tasks or background services to execute malicious scripts as an admin.
Example Exploit:
- Windows schtasks.exe can be abused to execute malware at system startup.
Mitigation:
- Restrict who can create or modify scheduled tasks and services, keep their scripts and binaries in locations only administrators can write, and audit changes to them.
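Both of the misconfigurations above (weak permissions on trusted files, and writable scheduled-task locations) come down to the same question: can a non-administrator write to a path the system later trusts? The following added example (not code from the original article) audits a list of paths for that condition. CRITICAL_PATHS is an assumed list for a typical Linux host, and run_demo() builds a constructed sample in a temporary directory so the logic can be exercised without root.

```python
"""Audit system files and scheduled-task locations for weak permissions.

Added example, not code from the original article. It reports paths that are
writable by others, writable by an untrusted group, owned by an untrusted
user, or replaced by a symbolic link. CRITICAL_PATHS is an assumed list for a
typical Linux host.
"""
import os
import stat
import tempfile

# Assumed locations whose writability would let a low-privilege user change
# account data or plant a job that runs as root.
CRITICAL_PATHS = [
    "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/crontab",
    "/etc/cron.d", "/etc/cron.daily", "/etc/systemd/system",
]


def weak_permission_findings(path, trusted_uid=0, trusted_gid=0):
    """Return a list of findings for one path; an empty list means it looks safe."""
    findings = []
    try:
        st = os.lstat(path)          # lstat so a symlink is reported as one
    except FileNotFoundError:
        return findings
    mode = st.st_mode
    shown = stat.filemode(mode)
    if stat.S_ISLNK(mode):
        # A link inside a trusted location can redirect writes elsewhere.
        return [f"{path}: is a symbolic link to {os.readlink(path)}"]
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({shown})")
    elif mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        findings.append(f"{path}: writable by untrusted group gid={st.st_gid} ({shown})")
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid={st.st_uid}, expected uid={trusted_uid}")
    return findings


def audit(paths=CRITICAL_PATHS, trusted_uid=0, trusted_gid=0):
    """Audit every path; returns {path: [findings]} holding only problem paths."""
    report = {}
    for path in paths:
        findings = weak_permission_findings(path, trusted_uid, trusted_gid)
        if findings:
            report[path] = findings
    return report


def run_demo():
    """Constructed sample: one correctly protected file and one world-writable
    file in a temp directory, audited with the current user as trusted owner.
    Returns the report keyed by file name."""
    workdir = tempfile.mkdtemp(prefix="privesc-audit-")
    good = os.path.join(workdir, "passwd")
    bad = os.path.join(workdir, "crontab")
    for path, mode in ((good, 0o644), (bad, 0o666)):
        open(path, "w").close()
        os.chmod(path, mode)
    report = audit([good, bad], trusted_uid=os.getuid(), trusted_gid=os.getgid())
    return {os.path.basename(path): findings for path, findings in report.items()}


if __name__ == "__main__":
    for path, findings in audit().items():   # real host paths, root expected as owner
        print("\n".join(findings))
    print(run_demo())                          # constructed sample
```

Run it as a periodic job and treat any non-empty report as a ticket; the same check applied to the directories on root's PATH and to the targets of cron and systemd unit ExecStart lines catches the scheduled-task variant.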
3. Hardcoded Credentials
Some applications store admin usernames and passwords in plaintext within code or config files.
Example Exploit:
- Extracting admin passwords from web application source code.
Mitigation:
- Keep credentials out of source and config files: load them at runtime from a secrets store such as AWS Secrets Manager or HashiCorp Vault, and scan repositories for secrets before they are committed.
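A minimal secret scanner for the case described above, as an added example (not code from the original article). The rules are a small, assumed set: credential-looking keys with literal values, AWS access key IDs, and PEM private-key headers. Values that reference an environment variable or a placeholder are accepted, which is the shape the mitigation recommends. SAMPLE_CONFIG is constructed and contains no real secrets.

```python
"""Scan configuration text for hardcoded credentials.

Added example, not code from the original article. The rule set is assumed
and deliberately small; a production scanner would carry many more patterns.
"""
import re

# Keys that usually hold a secret, with the literal value captured.
KEY_RULE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key)[\w.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>.*?)['\"]?\s*$",
    re.IGNORECASE,
)
AWS_KEY_RULE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RULE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Accepted value forms: ${VAR}, $VAR, %VAR%, <placeholder>, or empty.
PLACEHOLDER_RULE = re.compile(r"^(\$\{?\w+\}?|%\w+%|<[^>]*>|)$")


def scan_for_secrets(text):
    """Return (line_number, description) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue                      # comments are not live configuration
        if AWS_KEY_RULE.search(line):
            findings.append((lineno, "AWS access key ID"))
        elif PRIVATE_KEY_RULE.search(line):
            findings.append((lineno, "private key material"))
        else:
            m = KEY_RULE.match(line)
            if m and not PLACEHOLDER_RULE.match(m.group("value")):
                findings.append((lineno, f"hardcoded value for {m.group('key')}"))
    return findings


# Constructed sample configuration; the key below is a fake in the AKIA format.
SAMPLE_CONFIG = """\
# constructed sample configuration (no real secrets)
db_host = db.internal.example
db_user = admin
db_password = Sup3rSecret!
api_token = ${API_TOKEN}
aws_access_key_id = AKIAEXAMPLEKEY000000
smtp_password = ""
"""

if __name__ == "__main__":
    for lineno, what in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {what}")
```

Lines 4 and 6 are reported; line 5 is accepted because it defers to the environment, and line 7 because it holds no value. Wire a scanner like this into a pre-commit hook or CI step so a credential is caught before it reaches the repository.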
C. Credential Exploitation
1. Password Cracking & Hash Dumping
Attackers retrieve hashed passwords from memory or disk and crack them using tools like Hashcat or John the Ripper.
Example Exploit:
- Extracting password hashes from the SAM (Security Account Manager) database in Windows.
Mitigation:
- Enforce strong password policies, and for passwords that applications store themselves use a salted, slow hash such as bcrypt or PBKDF2 so that dumped hashes are expensive to crack.
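The PBKDF2 mitigation above in working form, as an added example (not code from the original article) using only the Python standard library. Each password gets a random per-user salt and a configurable iteration count, and verification uses a constant-time comparison; ITERATIONS is an assumed work factor to be tuned on the authentication server.

```python
"""Salted, slow password hashing with PBKDF2-HMAC-SHA256.

Added example, not code from the original article. Stored format:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
A random salt defeats precomputed tables, and the iteration count makes
every guess against a dumped record cost the attacker the full derivation.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed work factor; tune to ~100 ms per hash on your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash for storage; never store the password itself."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:                # malformed record: treat as failure, not crash
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer rounds than current policy demands."""
    try:
        algorithm, iterations, _salt, _dk = stored.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < target_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong guess", record))                     # False
```

Call needs_rehash() after every successful login and re-store the password with the current iteration count when it returns True; that is how a deployed policy ratchets up as hardware gets faster without forcing a password reset.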
2. Pass-the-Hash (PtH) Attacks
Attackers present a captured password hash directly to the authentication protocol (NTLM) and are accepted as that user, so the plaintext password is never needed.
Example Exploit:
- Extracting NTLM hashes and reusing them for Windows authentication.
Mitigation:
- Disable or tightly restrict NTLM authentication in favour of Kerberos, and keep privileged accounts from logging on to workstations where their hashes could be captured.
3. Token Impersonation
Attackers steal security tokens to impersonate privileged users.
Example Exploit:
- Using Mimikatz to steal authentication tokens in Windows.
Mitigation:
- Enable Credential Guard, restrict debug and impersonation privileges to the accounts that need them, and deploy endpoint detection and response (EDR).
3. Exploitation Tools
Common Privilege Escalation Tools:
Metasploit Framework – Includes modules that automate privilege escalation exploits.
Mimikatz – Extracts Windows credentials from memory.
WinPEAS / LinPEAS – Privilege escalation enumeration scripts for Windows and Linux.
PowerUp – PowerShell script for Windows privilege escalation.
GTFOBins – Catalogue of Unix/Linux binaries whose legitimate features can be abused for privilege escalation when misconfigured (for example via SUID bits or sudo rules).
Countermeasures:
🔹 Use endpoint protection tools (EDR) like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint.
🔹 Perform privilege audits to remove unnecessary admin access.
4. Ethical Hacking & Privilege Escalation
Ethical hackers use controlled privilege escalation techniques to test security defenses. The process follows these steps:
Step 1: Identify misconfigurations, unpatched software, or weak credentials.
Step 2: Exploit vulnerabilities to simulate a real-world attack.
Step 3: Document findings in a penetration test report.
Step 4: Apply security patches and hardening measures.
Ethical hacking must follow legal and compliance standards (GDPR, ISO 27001, NIST 800-53).
5. How to Prevent Privilege Escalation Attacks
🔹 Use Least Privilege Principle – Limit user access to only what is necessary.
🔹 Enable Multi-Factor Authentication (MFA) – Protect against password-based attacks.
🔹 Apply Security Patches Regularly – Fix OS and application vulnerabilities.
🔹 Monitor Privileged Accounts – Detect suspicious activity using SIEM tools.
🔹 Enforce Network Segmentation – Prevent attackers from moving laterally.
🔹 Implement Endpoint Protection (EDR) – Block exploitation techniques in real time.