
Linux Privilege Escalation
Map an outdated Linux kernel version to known privilege-escalation exploits and compilation options during authorized penetration tests or lab hardening reviews.
Overview
Linux Privilege Escalation is an agent skill for the Ship phase that maps outdated Linux kernel versions to known CVE-backed local privilege-escalation exploits with stability and compilation guidance for authorized secu
Install
npx skills add https://github.com/yaklang/hack-skills --skill linux-privilege-escalation
What is this skill?
- Kernel version → exploit mapping table spanning DirtyCow, DirtyPipe, OverlayFS, nf_tables, io_uring, Netfilter, and rela
- Per-exploit stability notes (e.g., DirtyPipe reliable vs DirtyCow crash risk on write variants)
- Compilation tips including cross-compilation and static linking guidance
- Designed as extended checklist when main hack-skills SKILL.md is already loaded
- Assumes authorized testing context on targets you own or have explicit permission to assess
- Critical kernel exploits mapping table (2016–2024) with named CVEs and stability columns
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have shell on a Linux box with an old kernel but no quick way to match the version to reliable, documented escalation paths and build constraints.
Who is it for?
Security researchers, pentesters, and infra-aware solo builders running permitted assessments or hardened lab VMs who need kernel-specific escalation references.
Skip if: Routine SaaS shipping, compliance-only checklist users, or anyone operating on systems without clear written authorization.
When should I use this skill?
Target has an outdated kernel and you need to map kernel version to known exploits after the main hack-skills SKILL.md is loaded.
What do I get? / Deliverables
You get a prioritized exploit shortlist with CVE identifiers, kernel ranges, stability warnings, and build notes aligned to your authorized test target.
- Prioritized exploit candidate list keyed to kernel version
- Stability and compilation notes per CVE/exploit
Journey fit
Ship/security is the canonical shelf because the skill supports pre-release and staging security assessment where kernel exposure is evaluated before production trust boundaries are finalized. Security subphase matches offensive checklist work—CVE mapping, exploit stability notes, and build guidance—not routine app feature development.
How it compares
Offensive kernel exploit checklist for manual escalation research—not a passive CVE scanner or production patch-automation skill.
Common Questions / FAQ
Who is linux-privilege-escalation for?
Practitioners doing authorized penetration testing, red-team labs, or defensive hardening reviews who already use the parent hack-skills workflow.
When should I use linux-privilege-escalation?
During Ship security work when kernel version enumeration suggests local privilege escalation is in scope on a permitted target.
Is linux-privilege-escalation safe to install?
The skill describes exploit techniques for authorized security testing—review the Security Audits panel on this page and only use on systems you own or are contracted to test.
SKILL.md - Linux Privilege Escalation
# Kernel Exploits Checklist

> **AI LOAD INSTRUCTION**: Load this when the target has an outdated kernel and you need to map kernel version to known exploits. Covers DirtyPipe, DirtyCow, OverlayFS, nf_tables, io_uring, Netfilter, and more. Includes compilation tips, cross-compilation, static linking, and stability notes. Assumes the main [SKILL.md](./SKILL.md) is already loaded.

---

## 1. KERNEL VERSION → EXPLOIT MAPPING TABLE

### 1.1 Critical Kernel Exploits (2016–2024)

| Exploit Name | CVE | Kernel Range | Impact | Stability |
|---|---|---|---|---|
| **DirtyCow** | CVE-2016-5195 | 2.6.22 – 4.8.3 | Write to read-only memory → overwrite `/etc/passwd` | ⚠️ May crash if using `write()` variant; prefer `madvise()` variant |
| **DirtyPipe** | CVE-2022-0847 | 5.8 – 5.16.10 | Overwrite any readable file (even read-only) | ✅ Very stable — splice-based, no race condition |
| **OverlayFS (Ubuntu)** | CVE-2021-3493 | 4.x – 5.11 (Ubuntu-specific) | User namespace + overlayfs unvalidated capabilities | ✅ Stable on affected Ubuntu versions |
| **OverlayFS (2023)** | CVE-2023-0386 | 5.11 – 6.2 | SUID copy via overlayfs | ✅ Reliable |
| **nf_tables** | CVE-2023-32233 | 5.x – 6.3.1 | UAF in nf_tables → root | ⚠️ May need tuning; depends on netfilter config |
| **nf_tables (batch)** | CVE-2024-1086 | 5.14 – 6.6.14 | Netfilter nf_tables double-free | ✅ Public exploit, high reliability |
| **io_uring** | CVE-2023-2598 | 6.3 – 6.3.1 (bug introduced in 6.3) | io_uring fixed buffer UAF | ⚠️ Complex; requires io_uring enabled |
| **io_uring** | CVE-2024-0582 | 6.4 – 6.7.1 | io_uring PBUF ring UAF | ✅ Reliable on affected versions |
| **Netfilter (nft)** | CVE-2022-34918 | 5.8 – 5.18.9 | Heap overflow in nft_set | ⚠️ Heap-dependent |
| **pkexec (PwnKit)** | CVE-2021-4034 | Any with polkit ≤ 0.120 | Polkit pkexec SUID local root | ✅ Extremely stable — works on almost all distros |
| **sudo Baron Samedit** | CVE-2021-3156 | sudo 1.8.2 – 1.8.31p2, 1.9.0 – 1.9.5p1 | Heap overflow in sudo | ✅ Reliable — multiple public exploits |
| **Looney Tunables** | CVE-2023-4911 | glibc 2.34 – 2.38 | Buffer overflow in ld.so GLIBC_TUNABLES | ✅ Reliable on Fedora/Ubuntu |
| **GameOver(lay)** | CVE-2023-2640 + CVE-2023-32629 | Ubuntu 5.15 – 6.2 (Ubuntu-specific) | OverlayFS + capabilities | ✅ Single command exploit on Ubuntu |

### 1.2 Older Kernel Exploits (Pre-2016)

| Exploit Name | CVE | Kernel Range | Notes |
|---|---|---|---|
| **Full Nelson** | CVE-2010-4258 | 2.6.31 – 2.6.36 | econet + proto_ops |
| **Mempodipper** | CVE-2012-0056 | 3.0.0 – 3.0.18 | proc mem write |
| **perf_swevent** | CVE-2013-2094 | 2.6.37 – 3.8.8 | Perf subsystem |
| **Dirty COW (original)** | CVE-2016-5195 | 2.6.22+ | See above |
| **AF_PACKET** | CVE-2017-7308 | 4.x – 4.10.6 | TPACKET_V3 ring buffer |
| **KASLR bypass + ptrace** | CVE-2017-1000112 | 4.x – 4.13 | UFO (UDP Fragmentation Offload) memory corruption |

### 1.3 Container-Relevant Kernel Exploits

| Exploit | CVE | Container Escape? | Notes |
|---|---|---|---|
| DirtyPipe | CVE-2022-0847 | ✅ | Overwrite `/etc/passwd` on host via `/proc/1/root` if PID namespace shared |
| OverlayFS | CVE-2023-0386 | ✅ | With overlayfs in user namespace |
| nf_tables | CVE-2024-1086 | ⚠️ | Only if CAP_NET_ADMIN available in container |
| runc | CVE-2019-5736 | ✅ | Overwrite runc binary on host |
| cgroups | CVE-2022-0492 | ✅ | cgroup v1 release_agent |

---

## 2. EXPLOIT COMPILATION TIPS

### 2.1 On-Target Compilation

```bash
# Check if gcc/cc is available
which gcc cc

# Simple compilation
gcc exploit.c -o exploit -static
# -static: include all libraries — avoids version mismatch

# If no gcc, check for alternatives:
which musl-gcc   # Alpine/minimal systems
which clang
which tcc        # Tiny C Compiler
```

### 2.2 Cross-Compilation (on Attacker Box)

```bash
# For x86_64 target:
gcc -static -o exploit_x64 exploit.c

# For x86 (32-bit) target:
gcc -m32 -static -o exploit_x86 exploit.c

# For ARM (Raspberry Pi, embedded):
arm-linux-gnueabihf-gcc -static -o exploit_arm exploit.c

# For AARCH64
```
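The mapping table in section 1.1 is meant to be read against `uname -r`, but comparing dotted kernel versions by hand is error-prone once distro suffixes (`5.15.0-91-generic`, `3.10.0-1160.el7.x86_64`) are involved. The script below is an added example and is not part of yaklang/hack-skills: it copies the kernel-range rows of the table into a small inline list, compares versions numerically, and prints the candidate CVEs for a given version. Two assumptions are built in and labelled in the code: the table's `4.x`/`5.x` lower bounds are read as `4.0`/`5.0`, and both range endpoints are treated as inclusive. Userland rows (pkexec, sudo, glibc) are left out because the kernel version says nothing about them.

```shell
#!/bin/sh
# Added example (not part of yaklang/hack-skills): match a kernel version
# against the kernel-range rows of table 1.1. Rows are hand-copied from the
# table; "4.x"/"5.x" lower bounds are read as 4.0/5.0 (assumption) and both
# endpoints are treated as inclusive (assumption).
#
# Caveat: distro kernels (Ubuntu, RHEL, SLES) backport fixes without bumping
# the upstream version, so a hit is a candidate to verify against the vendor
# changelog or a harmless PoC, not a confirmed vulnerability.

# Format: name|CVE|min-version|max-version (kernel-only rows).
KERNEL_RANGES='DirtyCow|CVE-2016-5195|2.6.22|4.8.3
DirtyPipe|CVE-2022-0847|5.8|5.16.10
OverlayFS-2023|CVE-2023-0386|5.11|6.2
nf_tables|CVE-2023-32233|5.0|6.3.1
nf_tables-batch|CVE-2024-1086|5.14|6.6.14
io_uring-pbuf|CVE-2024-0582|6.4|6.7.1
Netfilter-nft_set|CVE-2022-34918|5.8|5.18.9
AF_PACKET|CVE-2017-7308|4.0|4.10.6'

# kver_le A B: return 0 if dotted version A <= B, comparing the first three
# numeric components. A non-numeric suffix ("0-91-generic", "3-rc1") is
# dropped from the component it is attached to; missing components count as 0.
kver_le() {
    a=$1 b=$2 i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; y=${b%%.*}              # leading component of each side
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}    # strip "-generic", "-rc1", "_64" ...
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # advance to next component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        i=$((i + 1))
    done
    return 0
}

# kernel_candidates [VERSION]: print "CVE name (min - max)" for every row whose
# range contains VERSION. Without an argument it uses the running kernel.
kernel_candidates() {
    ver=${1:-$(uname -r)}
    printf '%s\n' "$KERNEL_RANGES" | while IFS='|' read -r name cve lo hi; do
        [ -n "$name" ] || continue
        if kver_le "$lo" "$ver" && kver_le "$ver" "$hi"; then
            printf '%s %s (%s - %s)\n' "$cve" "$name" "$lo" "$hi"
        fi
    done
}

# Typical use on the target:
#   kernel_candidates                      # uses uname -r
#   kernel_candidates 5.15.0-91-generic    # check a version seen elsewhere
```

Treat the output as a shortlist to cross-check against the stability column and the distro's changelog, then pick the exploit whose preconditions (user namespaces, `CAP_NET_ADMIN`, io_uring enabled) actually hold on the box.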
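Section 2 lists the compilers to look for and recommends `-static`, but stops short of the step that saves a wasted upload: confirming the binary you built is actually static before moving it to the target. The helper below is an added example, not code from yaklang/hack-skills; it walks the checklist's compiler candidates in order, builds with `-static`, and verifies the result with `file` and `ldd`. The function names (`pick_compiler`, `is_static_elf`, `build_static`) and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of yaklang/hack-skills): choose a compiler from the
# checklist's candidate list, build statically, and verify the output before
# copying it anywhere. Function names and return codes are this example's own.

# pick_compiler: print the first available compiler from the section 2.1 list.
# Returns 1 if none is found, i.e. cross-compile on the attacker box instead.
pick_compiler() {
    for cand in gcc cc clang musl-gcc tcc; do
        if command -v "$cand" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# is_static_elf FILE: return 0 if FILE has no dynamic loader dependency.
# `file` is consulted first because `ldd` runs the dynamic loader and must never
# be pointed at a binary you did not build yourself; ldd is the fallback for
# minimal systems without `file`. Static-PIE output counts as static.
is_static_elf() {
    if file "$1" 2>/dev/null | grep -Eq 'statically linked|static-pie linked'; then
        return 0
    fi
    ldd "$1" 2>&1 | grep -qi 'not a dynamic executable'
}

# build_static SRC OUT [extra compiler flags...]
# Returns 2 if no compiler is present, 1 if compilation or linking fails
# (typically a missing static libc: glibc-static / libc6-dev, or no multilib
# when -m32 is passed), and 3 if the binary linked but is not static.
build_static() {
    src=$1; out=$2; shift 2
    cc=$(pick_compiler) || return 2
    "$cc" -static -O2 -o "$out" "$src" "$@" || return 1
    is_static_elf "$out" || return 3
}

# Typical use:
#   build_static exploit.c exploit            # native, static
#   build_static exploit.c exploit_x86 -m32   # 32-bit target; needs multilib
```

A non-zero return from `build_static` tells you which part of the checklist to revisit: 2 means fall back to section 2.2 cross-compilation, 1 usually means the static libc or multilib package is missing on the build host, and 3 means the compiler accepted the flags but still produced a dynamically linked binary that will fail on a target with a different libc.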