What Is Privilege Escalation?
TL;DR: Privilege escalation is when an attacker gains a level of access on a system that they weren't supposed to have — moving from a limited, low-privilege foothold to broader control. It's rarely the initial way in; it's what an attacker does after getting some access, turning a minor compromise (a low-level user account, a limited service) into control over sensitive data, other users, or the entire system.
What Privilege Escalation Actually Is
Most systems are designed around the principle that different users and processes should have different levels of access — a standard user shouldn't be able to do what an administrator can. Privilege escalation is the act of breaking that boundary: exploiting a misconfiguration, a software bug, or weak permissions to obtain rights beyond what was granted.
This is why privilege escalation is almost always a second stage of an attack rather than the entry point. An attacker typically starts with limited access — a phished low-level account, a foothold in one application, a vulnerable service — and then uses privilege escalation to expand that initial access into something far more damaging.
Horizontal vs. Vertical Privilege Escalation
Privilege escalation comes in two distinct directions:
- Horizontal privilege escalation means gaining access to another account or resource at the same privilege level, rather than a higher one — for example, one regular user accessing another regular user's data or account by manipulating an identifier the application fails to check properly. This overlaps closely with broken access control: the application isn't verifying that the requesting user actually owns the resource they're asking for.
- Vertical privilege escalation means moving to a genuinely higher privilege level — a standard user gaining administrator rights, or a web application process gaining root/system-level access on the underlying server. This is the more commonly cited category, since it's what turns a limited compromise into full system control.
Both matter for different reasons: horizontal escalation typically threatens the confidentiality of other users' data, while vertical escalation threatens control of the system itself.
How Privilege Escalation Attacks Work
Common techniques include:
- Exploiting unpatched vulnerabilities in the operating system or installed software that allow code to run with elevated permissions
- Misconfigured permissions, such as files, services, or scheduled tasks that run with higher privileges than necessary and can be modified by a lower-privileged user
- Credential exposure, where cached credentials, tokens, or stored passwords for a higher-privileged account are accessible to a lower-privileged one
- Exploiting SUID/SGID binaries on Linux — programs that run with the permissions of their owner rather than the user executing them, which can be abused if misconfigured
- Token manipulation or kernel exploits on Windows, where flaws in how the OS handles access tokens or kernel-level code allow a process to impersonate a higher-privileged account
The specific techniques differ meaningfully between Windows and Linux environments, which is why privilege escalation is often discussed separately for each platform rather than as one universal technique.
Detecting Privilege Escalation
Signs worth monitoring for include unexpected changes to user group membership or permissions, processes running with higher privileges than their normal baseline, unusual access to credential stores, and authentication events from an account acting outside its typical pattern. Because privilege escalation usually follows an initial, smaller compromise, detecting the earlier foothold — before it escalates — is often the more effective point of intervention.
Preventing Privilege Escalation
- Principle of least privilege. Grant accounts and processes only the access they need, not broad permissions "to be safe."
- Regular patching. Many privilege escalation techniques rely on known, already-patched vulnerabilities in the OS or software stack.
- Permission audits. Periodically review file, service, and scheduled task permissions for unintended over-privileging.
- Credential hygiene. Avoid storing higher-privileged credentials in locations accessible to lower-privileged accounts or processes.
- Monitoring and alerting on privilege or group membership changes, rather than only on failed login attempts.
Why It Matters for Bug Bounty and Penetration Testing
Privilege escalation is one of the most consistently reported vulnerability classes in bug bounty programs and penetration tests, precisely because initial access alone is rarely the full story — testers and researchers are specifically looking for the path from a limited foothold to broader control. A finding that stops at "I got a low-privilege shell" is incomplete without demonstrating (or at least assessing) what escalation paths exist from there, which is why privilege escalation testing is a standard part of any thorough security assessment rather than an edge case.
Conclusion
Privilege escalation is what turns a contained, minor compromise into a serious incident — the difference between an attacker having access to one low-value account and having control over the whole system. Understanding both the horizontal and vertical forms, and where the common escalation paths lie on your specific platform, is what separates a security posture that assumes initial access will happen from one that's unprepared for it.