
Mental Model for Linux Privilege Escalation: Four Key Investigation Areas
Tags: linux, privilege_escalation, cybersecurity, pentesting, sudo, SUID, cron_jobs, security, hacking, tryhackme
The post's mental model for Linux privesc covers four areas to investigate after gaining a low-privilege shell: (1) commands executable as root, listed with sudo -l, (2) SUID binaries, found with find / -perm -4000, (3) cron jobs running as root, found by inspecting /etc/crontab and related directories, and (4) writable directories or files trusted by privileged processes. The post presents these steps as a systematic approach for identifying common privilege escalation vectors. Tools like LinPEAS may automate detection, but understanding the individual checks aids manual triage.
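As an added example (not from the original post), the script below audits areas (3) and (4) together on a host you administer: it reads system crontab files, extracts the programs scheduled as root, and reports any program or parent directory that is group- or world-writable. The function names are illustrative, and it assumes the system crontab format that carries a user field.

```shell
#!/bin/sh
# Added audit example (not from the original post). Function names are
# illustrative. Assumes system crontab format: m h dom mon dow USER command.

# is_loose PATH: succeed if PATH is group- or world-writable (symlinks followed).
is_loose() {
    [ -e "$1" ] || return 1
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# root_commands FILE: print the program path of every entry scheduled as root.
root_commands() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        $1 ~ /^@/ { if ($2 == "root") print $3; next }   # @reboot, @daily, ...
        $6 == "root" { print $7 }
    ' "$1" | sort -u
}

# audit_crontab FILE: print "WRITABLE <path>" for each root-run program, or
# its parent directory, that a non-owner could modify.
audit_crontab() {
    root_commands "$1" | while IFS= read -r cmd; do
        case $cmd in /*) ;; *) continue ;; esac   # absolute paths only
        for p in "$cmd" "$(dirname "$cmd")"; do
            if is_loose "$p"; then echo "WRITABLE $p"; fi
        done
    done
}

# Audit this host's system crontabs when they exist.
for f in /etc/crontab /etc/cron.d/*; do
    if [ -f "$f" ]; then audit_crontab "$f"; fi
done
```

The check looks only at permission bits on the first word of each command and its immediate parent directory; file ownership and per-user crontabs are outside its scope.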