Attack Path: Local Privilege Escalation Chain #47

@samugit83

Description

Implement a dedicated classified attack path for local privilege escalation — systematic enumeration of privesc vectors followed by targeted exploitation to escalate from low-privilege shell to root/SYSTEM.

Why the unclassified fallback isn't enough

Privilege escalation is the most methodical and OS-dependent phase of a pentest. The agent fails without structured guidance because:

  1. Enumeration must be exhaustive and OS-specific: on Linux, check SUID binaries, cron jobs, writable /etc/passwd, kernel version, sudo -l, capabilities, NFS shares, Docker group membership. On Windows, check SeImpersonatePrivilege, unquoted service paths, AlwaysInstallElevated, scheduled tasks, stored credentials, UAC bypass vectors. The unclassified fallback doesn't know any of these — the agent runs whoami and stops.
  2. The right exploit depends on enumeration results: a SUID find binary → GTFOBins one-liner. A writable cron job → inject reverse shell. SeImpersonatePrivilege → PrintSpoofer/JuicyPotato. Kernel 4.x → DirtyCow. Each finding maps to a specific exploit technique. Without a lookup table in the workflow prompts, the agent doesn't connect "SUID nmap" to "nmap --interactive → !sh."
  3. Post-exploitation modules require session context: Metasploit post/linux/gather/enum_system and post/multi/recon/local_exploit_suggester require an active Meterpreter session. The agent must know to run local_exploit_suggester first, parse its output for viable exploits, then run the specific exploit module. This 3-step Metasploit-internal chain needs explicit prompting.
  4. Privilege escalation is recursive: escaping to a higher-privilege user may reveal new escalation vectors (e.g., user → www-data → root via different paths). The agent needs to re-enumerate after each escalation, not declare victory at the first privilege bump.
  5. GTFOBins/LOLBAS knowledge: pentesters use GTFOBins (Linux) and LOLBAS (Windows) databases to find privesc one-liners for common binaries. The agent needs either embedded knowledge of common SUID/sudo bypasses or web_search guidance to look them up.

What already exists

  • Metasploit post/ modules for privilege escalation
  • local_exploit_suggester module
  • kali_shell with access to standard Linux enumeration tools
  • Post-exploitation phase with Meterpreter session management
  • execute_code tool for running custom scripts

What needs to be built

  • New attack path classification: local_privilege_escalation
  • OS-detection step (Linux vs Windows) with OS-specific enumeration checklists
  • Linux privesc enumeration prompts (SUID, cron, sudo, capabilities, kernel, docker, NFS)
  • Windows privesc enumeration prompts (SeImpersonate, services, scheduled tasks, UAC, stored creds)
  • GTFOBins/LOLBAS common bypass reference embedded in workflow prompts
  • Metasploit local_exploit_suggester integration and result parsing
  • Recursive re-enumeration after each privilege level change
  • Kernel exploit guidance with version-to-CVE mapping

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request), help wanted (Extra attention is needed)

    Projects

    Status

    Up for grabs

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions