linux-privilege-escalation

github.com/yaklang/hack-skills

Verdict: Proceed with caution

0 critical13 high4 medium

SCORE 55 / 100

$skillox install linux-privilege-escalationSoon

Why grade C?

score · 55 / 100

The current grade reflects 13 high-severity findings (3+ HIGHs → C).

0 CRIT13 HIGH4 MED0 LOW

To reach a higher grade

B
Reach Btarget score 75
Resolve 11 of 13 HIGH (cap is 2).
A
Reach Atarget score 95
Resolve all 13 HIGH + 2 of 4 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-wf85hv660rzn647cshpijt00 · Thu, 28 May 2026 17:29:08 GMT · 2ms

high

Dangerous shell pattern: curl | shell

The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.

rule: dangerous-shellline: 292CWE-78

▾

290| Tool | Purpose | Command |

291|---|---|---|

293| **linux-exploit-suggester** | Kernel exploit suggestions | `./linux-exploit-suggester.sh` |

294| **pspy** | Monitor processes (no root needed) | `./pspy64` |

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 69CWE-552

▾

67```bash

68find / -writable -type f 2>/dev/null | grep -v proc

69ls -la /etc/passwd /etc/shadow # Check permissions← sensitive path — credential-exfiltration vector

70find / -perm -o+w -type d 2>/dev/null # World-writable dirs

71```

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 112CWE-552

▾

110| `nmap` (old) | `nmap --interactive` → `!sh` |

111| `awk` | `awk 'BEGIN {system("/bin/sh -p")}'` |

112| `less` | `less /etc/passwd` → `!/bin/sh` |← sensitive path — credential-exfiltration vector

113| `cp` | Copy `/etc/passwd`, add root user, copy back |

114

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 113CWE-552

▾

111| `awk` | `awk 'BEGIN {system("/bin/sh -p")}'` |

112| `less` | `less /etc/passwd` → `!/bin/sh` |

113| `cp` | Copy `/etc/passwd`, add root user, copy back |← sensitive path — credential-exfiltration vector

114

115### Shared Library Hijacking (SUID Binary)

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/shadow`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 134CWE-552

▾

132| `cap_setuid` | **Critical** | `python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'` |

133| `cap_dac_override` | **Critical** | Read/write any file regardless of permissions |

134| `cap_dac_read_search` | **High** | Read any file — dump `/etc/shadow` |← sensitive path — credential-exfiltration vector

135| `cap_sys_admin` | **Critical** | Mount filesystems, BPF, namespace manipulation |

136| `cap_sys_ptrace` | **High** | Inject into root processes via ptrace |

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 216CWE-552

▾

214---

215

216## 6. WRITABLE /etc/passwd OR /etc/shadow← sensitive path — credential-exfiltration vector

217

218### Writable /etc/passwd

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 218CWE-552

▾

216## 6. WRITABLE /etc/passwd OR /etc/shadow

217

218### Writable /etc/passwd← sensitive path — credential-exfiltration vector

219

220```bash

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 226CWE-552

▾

224

225# Append root-equivalent user

226echo 'hacker:$1$xyz$hash:0:0::/root:/bin/bash' >> /etc/passwd← sensitive path — credential-exfiltration vector

227

228# Or replace root's 'x' with generated hash (if no shadow file)

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/shadow`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 231CWE-552

▾

229```

230

231### Writable /etc/shadow← sensitive path — credential-exfiltration vector

232

233```bash

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/shadow`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 237CWE-552

▾

235mkpasswd -m sha-512 password123

236

237# Replace root's hash in /etc/shadow← sensitive path — credential-exfiltration vector

238```

239

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 318CWE-552

▾

316├── Capabilities on binaries?

317│ ├── cap_setuid? → instant root (§3)

318│ ├── cap_dac_override? → write /etc/passwd (§6)← sensitive path — credential-exfiltration vector

319│ ├── cap_sys_admin? → mount / namespace tricks

320│ └── cap_sys_ptrace? → process injection

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 328CWE-552

▾

326│

327├── Writable sensitive files?

328│ ├── /etc/passwd writable? → add root user (§6)← sensitive path — credential-exfiltration vector

329│ ├── /etc/shadow writable? → replace root hash (§6)

330│ └── systemd unit files writable? → add ExecStartPre

high

Sensitive filesystem path referenced

The skill references a path (`\/etc\/shadow`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.

rule: filesystem-overreachline: 329CWE-552

▾

327├── Writable sensitive files?

328│ ├── /etc/passwd writable? → add root user (§6)

329│ ├── /etc/shadow writable? → replace root hash (§6)← sensitive path — credential-exfiltration vector

330│ └── systemd unit files writable? → add ExecStartPre

331│

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 132CWE-78

▾

130| Capability | Risk | Exploitation |

131|---|---|---|

132| `cap_setuid` | **Critical** | `python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'` |← spawns a subprocess outside declared capabilities

133| `cap_dac_override` | **Critical** | Read/write any file regardless of permissions |

134| `cap_dac_read_search` | **High** | Read any file — dump `/etc/shadow` |

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 147CWE-78

▾

145# Example: python3 with cap_setuid

146# /usr/bin/python3 = cap_setuid+ep

147python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'← spawns a subprocess outside declared capabilities

148```

149

med

Arbitrary subprocess execution detected

The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.

rule: subprocess-executionline: 279CWE-78

▾

277cat > /writable/path/somelib.py << 'EOF'

278import os

279os.system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash")← spawns a subprocess outside declared capabilities

280EOF

281

med

No capability manifest declared

The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.

rule: no-manifest

▾

View latest scan →

skillox.io/c/linux-privilege-escalation

Skill facts

Latest grade: C · 55
Total scans: 1
Latest version: —
Last scanned: 2026-05-28
Source: yaklang/hack-skills

AIBOM

What this skill accesses

No manifest

Declared (from capabilities)

No capabilities block in frontmatter — the skill doesn't state what it should access.

Observed (from scan findings)

Subprocess invocations

os.system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash")
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
| **LinPEAS** | Comprehensive enumeration | `curl -L https://github.com/peass-ng
| `cap_setuid` | **Critical** | `python3 -c 'import os;os.setuid(0);os.system("/

Filesystem paths

/etc/passwd
/etc/passwd`
/etc/passwd`,
/etc/shadow
/etc/shadow`
/root:/bin/bash

AIBOM (Application Skills Bill of Materials) — see /docs/concepts/aibom for the format.

Version history

Only this scan

No other scans on record for this skill name. New scans appear here as the catalog re-crawls or creators request a re-scan.

Embed badge

Show this grade in your README.

Tracks the latest grade automatically. Updates within five minutes of every re-scan.

Markdown

[![SkillOx grade](https://api.skillox.io/badge/linux-privilege-escalation.svg)](https://skillox.io/c/linux-privilege-escalation)

Markdown · score

[![SkillOx score](https://api.skillox.io/badge/score/linux-privilege-escalation.svg)](https://skillox.io/c/linux-privilege-escalation)

HTML

<a href="https://skillox.io/c/linux-privilege-escalation"><img src="https://api.skillox.io/badge/linux-privilege-escalation.svg" alt="SkillOx grade"/></a>

reST

.. image:: https://api.skillox.io/badge/linux-privilege-escalation.svg
   :target: https://skillox.io/c/linux-privilege-escalation
   :alt: SkillOx grade

Coming soon

Creator verification badge, expert-review status, and Cosign-signed release attestation appear here as those layers ship. AIBOM + version history are live; the others follow once the creator portal completes its identity-proof + signing surface.