Build fluency in the vocabulary of a low-privilege user exploiting a flaw to gain unearned elevated access.
1 / 5
A teammate describes an attack where a user who only has limited, unprivileged access exploits a flaw to gain administrator-level control over a system, rather than being granted that access legitimately. What is this attack called?
Privilege escalation is exactly this: a user with only limited, unprivileged access exploits a software or configuration flaw to gain administrator-level, or otherwise higher, access than they were legitimately granted. A hash collision is an unrelated hash-table concept about two keys sharing a bucket. Because the access is gained by exploiting a flaw rather than granted, privilege escalation is treated as a critical vulnerability class, distinct from a legitimately provisioned admin account.
2 / 5
During a security review, the team discovers a low-privilege service account can exploit a misconfigured setuid binary to spawn a root shell, specifically without any legitimate grant of root access. Which risk does this represent?
This represents a privilege-escalation vulnerability, since the low-privilege account gains root-level control entirely by exploiting the flaw rather than through any legitimate grant. A service account intentionally configured with root access from the start would be a deliberate, auditable design decision, not an exploited flaw granting unearned control. Because root is gained through a flaw rather than granted, privilege escalation is flagged and patched as a critical vulnerability rather than accepted as normal access.
3 / 5
In a code review, a dev notices a setuid binary runs with root permissions and passes an unsanitized, attacker-controllable environment variable into a shell command it executes. What risk does this represent?
This is a privilege-escalation risk, since an attacker-controllable environment variable fed into a root-running shell command could let a low-privilege user execute arbitrary commands with root access. A cache eviction policy is an unrelated concept about discarded cache entries. This unsanitized-input-into-a-root-shell pattern is exactly the kind of vulnerability a reviewer flags once a binary runs with elevated permissions.
4 / 5
An incident report shows a low-privilege user gained a root shell by manipulating an unsanitized environment variable that a setuid root binary passed directly into a shell command it executed. What practice would prevent this?
Sanitizing or eliminating attacker-controllable input passed into any command executed by the setuid root binary closes off the privilege-escalation path through that input. Continuing to pass the unsanitized environment variable directly into the shell command that the setuid root binary executes, regardless of who can control it, is exactly what let the low-privilege user gain root in this incident. Sanitizing privileged input is the standard fix once an unsanitized-input escalation path is confirmed to exist.
5 / 5
During a PR review, a teammate asks why the team invests in hardening against privilege escalation instead of just trusting that low-privilege accounts will never be compromised in the first place. What is the reasoning?
Hardening against privilege escalation trades some extra validation and permission-scoping effort for containing the damage even after a low-privilege account is compromised. Trusting accounts to never be compromised ignores that any single account can eventually be breached through unrelated means such as phishing or leaked credentials. This is exactly why defense-in-depth against privilege escalation is standard practice, rather than relying solely on the hope that low-privilege accounts stay uncompromised.