RootCraft: The Ultimate Linux Privilege Escalation Playbook (Red–Blue Edition)

5.00 out of 5
(2 customer reviews)

$ 29.00

The only Linux privilege-escalation playbook you’ll ever need. Step-by-step enumeration, risk scoring, safe validation, lab PoCs, and hardening checklists — built for attackers and defenders. Practice in your lab, report with confidence, fix for the long term.

Description

1200+ Pages • 12 Hands-on Labs • Scripts, Enumeration Flows & Hardening Framework

RootCraft: The Ultimate Linux Privilege Escalation Playbook (Red–Blue Edition) is a hands-on guide that shows how attackers escalate from limited access to full system control and, importantly, how defenders stop them. It’s practical, safety-first, and built for real labs and real environments.

The book covers focused enumeration (the LAYERS approach), risk scoring, safe validation, and lab-only proof-of-concepts, plus a large catalog of vectors like SUID/SUDO misconfigs, cron weaknesses, container escapes, and cloud metadata abuse. Every offensive technique is paired with clear defensive controls, monitoring recipes, and remediation steps.

What You’ll Learn

  • Modern Scenarios – Containers, Cloud, CI/CD pipelines, IoT, and emerging AI-assisted exploitation.
  • Privilege Escalation Fundamentals – Understand why privilege escalation is at the heart of every real attack chain.
  • Enumeration Mastery (LAYERS Framework) – Learn professional-grade discovery techniques used by elite red teams.
  • Risk Analysis & Prioritization – Transform raw findings into actionable intelligence with quantitative risk models.
  • Safe Validation Techniques – Confirm vulnerabilities without crashing systems or corrupting data.
  • Proof-of-Concept Development (Lab-Only) – Build, test, and document exploits ethically in isolated environments.
  • Defense Strategies & Blue Team Countermeasures – Harden systems, audit privilege vectors, and close the gaps attackers exploit.

Note: page allocations are approximate to help readers navigate a 1,200+ page reference.

1. Introduction & Legal / Ethical Guidance (pp. 1–40)

Why privilege escalation matters, legal rules of engagement, lab setup, authorization boundaries, and safety-first practices. Essential for every reader — mandatory reading before you run a single command.

2. Methodology: The 5-Step PrivEsc Workflow (pp. 41–110)

A reproducible, professional workflow: Enumeration → Risk analysis → Safe validation → Lab PoC → Remediation & documentation. Includes templates and flow diagrams.

3. Foundational Enumeration Techniques (pp. 111–240)

Deep, practical coverage of user/group analysis, filesystem discovery, processes/services, network, package inventories, kernel info, and Linux capabilities — with 100+ command examples.

4. SUID/SGID & File Permission Escalation (pp. 241–320)

Mechanics, discovery patterns, common vulnerable binaries, world-writable risks, and inheritance pitfalls — plus exploit/defense case studies.

5. Cron, systemd timers & Scheduled Tasks (pp. 321–380)

Where scheduled jobs go wrong, detection techniques, path manipulation, exploit templates, and secure configuration patterns.

6. Weak Sudoers & Sudo Misconfiguration (pp. 381–460)

Sudoers anatomy, discovery, NOPASSWD and dangerous rules, safe verification, and hardened sudo policies.

7. Credential Exposure & Secrets Management (pp. 461–540)

Environment variables, history files, config files, in-memory secrets, private keys — plus secret rotation and secure storage best practices.

8. Service Misconfiguration & Sensitive Binaries (pp. 541–620)

Service permission models, web app privilege contexts, backup tools, package managers, and service dependency escalation.

9. Kernel & Exploitability Assessment (pp. 621–700)

Kernel version mapping, CVE research workflow, exploit selection criteria, and safe testing of kernel-level issues. Patch strategies and kernel hardening.

10. Privilege Escalation Hardening Framework (pp. 701–820)

Actionable hardening: users & ACLs, permission audits, service/process security, scheduled task monitoring, network service hardening, update and patch practices.

11. Hands-on Lab Exercises (pp. 821–1200+)

Fully guided labs from basic to advanced: SUID/Sudo/Cron/Secrets/Kernel/Container escape, combined attack chains, full end-to-end scenarios, and defensive monitoring/hardening labs. Each exercise includes lab setup, expected outputs, PoC code (lab-only), rollback steps, and instructor notes.

2 reviews for RootCraft: The Ultimate Linux Privilege Escalation Playbook (Red–Blue Edition)

  1. 5 out of 5

    Naman

    Dense but readable. The cheatsheet + one lab got me up to speed fast. Worth every penny.

  2. 5 out of 5

    Mikhail Petrov

    Clear steps, smart enumeration tips, and realistic examples. Exactly what I needed to level up my Linux pentesting.
