Privilege Escalation · Learn

What is privilege escalation?

Privilege escalation is how an attacker turns a small foothold into full control of a system, going from a normal user to root on Linux or SYSTEM on Windows. Here is the plain-language version: the two types, why it matters, and how attackers actually do it.

TL;DR

Privilege escalation is the step where an attacker who has gained limited access to a system raises their privileges to do more than they should, typically from a standard user to root (Linux) or SYSTEM/Administrator (Windows). There are two kinds: vertical (gaining higher privileges) and horizontal (taking over another account at the same level). It usually exploits a misconfiguration, a weak permission, a vulnerable program, or an unpatched kernel, rather than a single dramatic bug, which is why thorough host enumeration is the core skill.

By John Dill, Red Team Lead, SecureLayer7

What privilege escalation is

Privilege escalation is moving from the access you have to the access you want. An attacker rarely lands as an administrator. They get a foothold as a low-privileged user (through a web shell, stolen password, or phished session) and then look for a way to become root or SYSTEM, the account that controls the whole machine.

Once a host is fully owned, the attacker can read every file, dump credentials, install persistence, and pivot to other machines. Privilege escalation is the hinge between "I am on the box" and "I own the box."

Vertical vs horizontal

There are two directions:

  • Vertical privilege escalation: gaining higher privileges than you started with, for example a normal user becoming root. This is the classic meaning and the more dangerous one.
  • Horizontal privilege escalation: taking over another account at the same privilege level, for example reading another user’s files or acting as a different standard user. It often sets up a later vertical jump.

Most real attacks chain both: move sideways to an account with more useful access, then escalate vertically to root.

How attackers actually do it

Privilege escalation is mostly about enumeration: methodically listing everything about the host until a weak spot appears. Common categories:

  • Misconfigured permissions: SUID binaries, writable files owned by root, weak service permissions.
  • Excessive rights: overly broad sudo rules, dangerous Windows privileges like SeImpersonate.
  • Vulnerable software: an unpatched kernel or a privileged program with a known exploit.
  • Predictable behaviour: scheduled jobs (cron) or services that run as root and trust attacker-controlled input.

Tools like the PEAS scripts automate the enumeration, but the judgement of which finding actually leads to root is the human skill.
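As an added example (not code from the original article or from the PEAS project), here is a small defender-side Python audit that surfaces three of the weak spots listed above: SUID/SGID binaries missing from a baseline of expected ones, world-writable files owned by root, and system-crontab jobs whose script can be modified by unprivileged users. The baseline set, the sample files and the crontab text in `demo()` are constructed for the demonstration, and `demo()` passes the current uid in place of root so it runs in a temporary directory.

```python
import os
import stat
import tempfile

EXPECTED_SETID = {"su", "sudo", "passwd", "mount", "umount", "newgrp", "chsh", "chfn"}  # constructed baseline

def _regular_files(root):  # yield (path, lstat) for each regular file under root, skipping unreadable ones
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st

def find_unexpected_setid(root, baseline=EXPECTED_SETID):
    """SUID/SGID files whose name is not in the baseline; each one needs a manual review."""
    return sorted(p for p, st in _regular_files(root) if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and os.path.basename(p) not in baseline)

def find_world_writable(root, owner_uid=0):
    """Files owned by owner_uid (root by default) that any user on the host may modify."""
    return sorted(p for p, st in _regular_files(root) if st.st_uid == owner_uid and st.st_mode & stat.S_IWOTH)

def find_cron_writable_scripts(crontab_text):
    """System crontab lines are 'm h dom mon dow user command'; flag scripts writable by group or others."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # blank line, comment, or VAR=value assignment
        try:
            mode = os.lstat(fields[6]).st_mode
        except OSError:
            continue  # script missing: a separate finding, not covered here
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append((fields[5], fields[6]))
    return hits

def demo():
    """Run all three checks over a constructed sample tree (a stand-in for a real host)."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    for name, mode in (("passwd", 0o4755), ("backup_helper", 0o4755), ("job.sh", 0o777), ("notes.txt", 0o644)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(root, name), mode)  # constructed permissions: one expected SUID, one not, one 777
    crontab = f"SHELL=/bin/sh\n# nightly\n0 2 * * * root {root}/job.sh\n0 3 * * * root {root}/notes.txt\n"
    return {"setid": [os.path.basename(p) for p in find_unexpected_setid(root)],
            "writable": [os.path.basename(p) for p in find_world_writable(root, os.getuid())],
            "cron": [(u, os.path.basename(s)) for u, s in find_cron_writable_scripts(crontab)]}
```

On a real host you would call the three functions with `/` (or `/usr`, `/etc`, `/opt`) and the contents of `/etc/crontab` and `/etc/cron.d/*`, keeping `owner_uid=0`; every hit is something to explain or fix, not proof of a working escalation.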

How a pentest tests for it

A penetration test starts from a realistic low-privileged position and tries to reach root or SYSTEM the way an intruder would, then maps every viable path. The deliverable is not a list of theoretical risks. It is the exact chain from "limited user" to "full control," with the specific misconfiguration or vulnerability behind each step and a fix for each one.


Find the privilege-escalation paths before an attacker does.

We run internal and host penetration tests that walk the real route from a low-privileged foothold to root or SYSTEM, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.