Local privesc: SUID, sudo, capabilities
The misconfigurations attackers find first.
Privilege escalation is the attacker’s pivot from "some access" to "total control," and on Linux the most common paths are not kernel exploits — they are misconfigurations. As a defender you learn these exactly so you can find and fix them on your own hosts before an attacker does. The first family is SUID abuse: a SUID-root binary runs as root regardless of who calls it, so any SUID binary that can be made to read, write, or execute arbitrary things is a road to root.
# find every SUID-root binary — the attacker’s first escalation hunt, and yours$ find / -perm -4000 -type f 2>/dev/null/usr/bin/passwd # expected/usr/bin/find # RED FLAG: find is SUID? → find . -exec /bin/sh \; = root shell# GTFOBins catalogs which binaries become root when SUID — baseline yours against it
sudo misconfigurations
The second family is sudo, and it echoes the hardening course from the attacker’s side. sudo -l reveals what the current user may run as root, and any entry that is shell-capable (an editor, an interpreter, a pager) or uses a wildcard is an escalation. A rule letting a user run a script as root that they can also edit is instant root; NOPASSWD on a program that spawns a shell is instant root. The attacker reads sudo -l the way you read the sudoers file — looking for the one over-broad grant.
$ sudo -l(root) NOPASSWD: /usr/bin/vim # vim can spawn a shell: sudo vim -c ':!/bin/sh' = root(root) NOPASSWD: /opt/app/backup.sh # if the user can EDIT backup.sh, that is root too# your job: audit sudo -l for every user and remove shell-capable / wildcard / editable-target grants
Linux capabilities
The third family is file capabilities — the fine-grained root powers from the container course, applied to binaries on a host. A binary with cap_setuid permitted can change its UID to root; cap_dac_read_search bypasses file-read permissions; cap_sys_admin is near-total. Attackers hunt for binaries carrying dangerous capabilities the same way they hunt SUID, because the effect is the same escalation with less visibility (a capability does not show up in a SUID search). Enumerate them with getcap -r.
# find binaries with dangerous capabilities (invisible to a SUID search)$ getcap -r / 2>/dev/null/usr/bin/python3.11 = cap_setuid+ep # RED FLAG: python with setuid → os.setuid(0) = root# baseline capabilities across your fleet; a new/unexpected one is an escalation path or a plant