This room focuses on the first phase of Linux privilege escalation: enumeration. It explains why privilege escalation matters after initial access, what information to gather from a Linux target, which commands are most useful, and how kernel exploits fit into the escalation decision process.
Core idea: most Linux privilege escalation wins come from disciplined enumeration, not magic. You need to understand the host, the users, the services, the permissions, and only then choose the right escalation path.
Privilege escalation is the process of moving from a lower-privileged account to a higher-privileged one by abusing a vulnerability, design flaw, or configuration weakness.
In practice, this is important because it enables actions such as:
The room emphasizes that enumeration is just as important after compromise as it is before initial access.
Several commands give you immediate context about the Linux target:
- hostname: may reveal the system role.
- uname -a: shows kernel and architecture details.
- cat /proc/version: gives kernel details and may hint at compiler availability.
- cat /etc/issue: may reveal operating system information.
Practical use: kernel version and distro details are especially important when assessing whether local kernel exploits are even worth considering.
The room calls out several commands that help you understand your current position on the host:
- ps -A, ps axjf, ps aux: show running processes, owners, and process trees.
- env: shows environment variables such as PATH.
- sudo -l: lists commands your current user can run with sudo.
- id: shows current user and group memberships.
These are often enough to expose sudo abuse, PATH abuse, interesting services, or extra group privileges.
User and filesystem enumeration is a major part of Linux privilege escalation.
- ls -la helps reveal hidden files and permission details.
- cat /etc/passwd reveals user accounts and shells.
- history may contain commands, paths, usernames, or even credentials.
The room also highlights that filtering /etc/passwd output for home directories can help separate real users from service accounts.
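The /etc/passwd filtering described above, written as an audit a host owner can run against their own system (an added example, not code from the room). The function names and the sample file are constructed for illustration, and the example goes beyond the home-directory filter by also flagging service accounts with login shells and extra UID 0 accounts.

```shell
#!/bin/sh
# Added example, not from the room. passwd(5) fields:
#   name:password:UID:GID:GECOS:home:shell

# Likely real users: home under /home and a shell that permits login.
# An empty shell field defaults to /bin/sh, so it counts as a login shell.
interactive_users() {
    awk -F: '
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        $6 ~ /^\/home\// && $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$1"
}

# Service accounts (home outside /home) that still have a login shell.
# Worth reviewing: a service rarely needs an interactive shell.
service_with_shell() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $1 != "root" && $6 !~ /^\/home\// && $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$1"
}

# Any account other than root that carries UID 0.
extra_uid0() {
    awk -F: '/^#/ || NF < 7 { next } $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data, written to a temp file so the script runs offline.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:113:120:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-deploy:x:998:998::/home/svc-deploy:/bin/false
toor:x:0:0::/home/toor:/bin/sh
EOF

echo "interactive users:   $(interactive_users "$sample" | tr '\n' ' ')"
echo "service + shell:     $(service_with_shell "$sample" | tr '\n' ' ')"
echo "extra UID 0 accounts: $(extra_uid0 "$sample" | tr '\n' ' ')"
```

To audit a real host, pass /etc/passwd instead of the sample file.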
A compromised Linux host may also be a pivot point, so local network visibility matters.
- ifconfig shows interfaces and can reveal extra reachable networks.
- ip route reveals routing information.
- netstat -a, -l, -tp, -ano expose listening services and active connections.
Why this matters: a low-priv shell on one host may be your route into internal services you could not previously reach.
find is one of the most useful Linux privilege escalation commands because it helps surface writable paths, unusual permissions, and development tooling.
- find / -perm -u=s -type f 2>/dev/null
Using 2>/dev/null keeps the output readable by suppressing permission errors.
The room mentions several popular automation helpers:
Important limit: these tools save time, but they can miss paths. They should support manual enumeration, not replace it.
Kernel exploits are one possible privilege escalation path, but they come with real risk.
A failed kernel exploit can crash the target, so this should never be the first escalation technique you jump to without justification.
- hostname, uname -a, /proc/version, ps, env, sudo -l, id, ifconfig, ip route, netstat, and find.
- ls -la during local enumeration to avoid missing hidden files.