Privilege Escalation
A foothold usually lands with limited privileges, and the attacker's next move is to become root — because a low-privilege shell can look around, but root can do anything. Privilege escalation exploits misconfiguration and vulnerable software already on the host: an overly broad sudo rule, a writable service file, a SUID binary, a kernel bug.
This topic shows the common Linux escalation paths against a Meridian host so you can find and close them before the intruder walks them — running the attacker's own enumeration first, as a defensive audit.
Why Escalation Matters
The gap between a user shell and root is the difference between a nuisance and a full compromise. But it should not be game over either way: limiting what root-level access can even reach — through least privilege and segmentation (Chapters 3 and 4) — is why a single escalation on one host does not have to mean the network. Escalation matters, and so does bounding what it wins.
Misconfiguration Paths
Most escalation is misconfiguration, not a novel exploit. An overly broad sudo rule — sudo to an editor or an interpreter is sudo to root, since both can spawn a shell — a writable service file or PATH directory, weak permissions on a sensitive file, a cron job running as root over an attacker-writable script. Each is a configuration mistake that hands root to anyone who finds it.
SUID/SGID and Capability Abuse
SUID binaries run as their owner, often root, so a SUID program with a shell-escape hands root to whoever runs it — the well-known list of such binaries is a standard escalation reference. Linux capabilities on the wrong binary do the same at finer grain. Auditing and minimizing SUID/SGID binaries and file capabilities is core hardening, because each one is a potential direct path to its owner's privileges.
# what can this user run as root, and how? (an editor or interpreter = root) sudo -l # every SUID/SGID binary — cross-check against known shell-escapes find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null # Linux capabilities granted to binaries (cap_setuid on the wrong one = root) getcap -r / 2>/dev/null # writable files owned by root that a service or cron runs find / -writable -type f 2>/dev/null | grep -vE '^/proc|^/sys'
This is exactly what an attacker runs on a fresh foothold, and running it first is how Priya closes the paths before they do. The findings are actionable: narrow a too-broad sudo rule, remove the SUID bit from a binary that does not need it, drop a stray capability, and fix the permissions on a root-run script a low-privilege user could edit.
Kernel and Software Exploits
An unpatched local kernel bug or a vulnerable privileged service escalates directly, with no misconfiguration required — which is why local patching (the next topic) is a security control, not just maintenance. "It is not internet-facing" is not a reason to skip a kernel patch, because local privilege-escalation bugs are exactly how a foothold becomes root.
- Broad
sudogrants, especially to interpreters, editors, or wildcards, which are trivial root escalations. - SUID/SGID on binaries that do not need it, or with known shell escapes, leaving a direct path to their owner's privileges.
- Writable service files, cron scripts, or
PATHentries that a low-privilege user can edit to run code as root. - Skipping local kernel and service patches because "it is not internet-facing," when local privilege-escalation bugs are exactly how a foothold becomes root.
- Assuming an escalation on one host is contained, without least privilege and segmentation to bound it.
- Grant
sudonarrowly to specific commands, never to interpreters or editors or with wildcards, and audit sudoers regularly. - Inventory and minimize SUID/SGID binaries and file capabilities; remove what is not required.
- Lock down permissions on service files, cron jobs, and
PATHdirectories so low-privilege users cannot influence root-run code. - Patch the kernel and privileged software promptly, treating local escalation bugs as security issues.
- Apply least privilege and segmentation so even a root foothold on one host reaches little else.
Knowledge Check
Why is a sudo rule allowing a user to run a text editor as root effectively root access?
- Editors can spawn a shell, so one run as root gives a root shell
- Editors automatically disable the sudo password prompt for the user
- Text editors always run with kernel privileges by default
- Editing any file as root silently deletes the sudoers restrictions
Why are SUID binaries a classic privilege-escalation surface?
- They run as their owner, so a shell-escape hands over root
- They automatically run every single time the host boots up
- They are always left world-writable by any user on the host
- They quietly disable the host's kernel protections when run
Why treat a local kernel privilege-escalation bug as urgent even on an internal host?
- Any foothold can use it to become root, internet-facing or not
- Internal hosts are essentially never compromised in the first place
- Kernel privilege bugs only ever affect internet-facing services
- Local bugs simply cannot be exploited without a public exploit
You got correct