A foothold is rarely the goal — attackers escalate to full control. Understand how privilege escalation works so you can demonstrate impact and, more importantly, prevent it.
Why: initial access is usually a low-privilege account, and the real risk is escalation to root/administrator, so post-exploitation enumerates the system for weaknesses that grant higher privileges. When: after a foothold in scope, systematically enumerate the host. Where: this is the phase defenders most want to break — stopping escalation contains an incident to a single low-value account.
FOOTHOLD (low-priv user) ─► ENUMERATE ─► ESCALATE ─► root/admin
what's misconfigured that grants more power?
Common escalation paths (all are DEFENSIVE checklists too):
- misconfigured sudo / SUID binaries
- weak file permissions on sensitive files/services
- stored credentials, kernel/software vulns, scheduled jobs you can editWhy: privilege escalation is found by enumeration — checking sudo rights, SUID binaries, writable files, and running services for a misconfiguration to abuse — the same misconfigurations a hardened system removes. When: run enumeration helpers on the compromised lab host. Where: GTFOBins catalogs how common binaries can be misused when misconfigured — which is precisely what hardening guides tell you to lock down.
# On the compromised LAB host, enumerate escalation opportunities:
sudo -l # what can this user run as root?
find / -perm -4000 -type f 2>/dev/null # SUID binaries
# Automated helpers summarize misconfigurations:
# linpeas.sh (Linux), winPEAS (Windows)
# GTFOBins shows how a misconfigured SUID/sudo binary can be abused —
# so hardening = remove needless SUID, restrict sudo. (System Hardening course.)Why: every escalation technique maps directly to a hardening control, so the offensive knowledge is most valuable as a defensive checklist — least privilege, minimal SUID, tight sudo, patching, and credential hygiene close these paths. When: turn each finding into a remediation the client can apply. Where: this is the bridge from offense to defense, and to the System Hardening and DFIR courses.
ESCALATION PATH DEFENSIVE FIX
misconfigured sudo least-privilege sudoers, no NOPASSWD wildcards
needless SUID binaries remove SUID bit where not required
world-writable services correct file/service permissions
stored plaintext creds secrets manager, no creds on disk
unpatched kernel/software patch management
Offense informs defense: every path above is a hardening control.