// Offense

Explore Privilege Escalation

Every serious breach has a hinge. This is it.

Privilege escalation is the moment a foothold becomes a catastrophe. You land as a low-privilege user — maybe through a phishing lure, maybe a misconfigured web app — and then you start asking the question that separates technique-memorizers from practitioners: what permissions does this identity *actually* hold, and which of those can I chain together? That question drives everything here, from a setuid binary on a Linux box to a Kerberos ticket sitting in LSASS memory to an IAM role that's three hops from Domain Admin.

The subject spreads across three terrains — OS-level escalation on Linux and Windows, Active Directory credential attacks, and cloud and container environments — and they look disconnected at first. They aren't. The logic is the same in every terrain: find the gap between what a principal is supposed to do and what its actual permissions allow. Sometimes that gap is an unpatched CVE like Dirty Pipe. More often it's a sudoers file that someone configured years ago just to make things work, or a Windows service path nobody ever put quotes around, or an NTLM handshake that doesn't care whether you know the password — only that you have the hash. Nugget works through all three terrains with you, teaching detection concepts alongside each attack rather than saving them for the end.

This isn't a platform that hands you a command to run. It's one that keeps asking *why* that command works — what the kernel race condition actually looks like, why Pass-the-Hash is entirely indifferent to password complexity, what event ID tells a defender that a golden ticket just slid through. You build the reasoning. Life will administer its own evaluations.

// What a session feels like

You bring the questions. Nugget asks the next one.

  • You're trying to understand why Dirty COW works at all. Nugget opens the whiteboard and sketches the two-step sequence — the permission check window versus the moment of memory write — walking you through the race condition until you can point to exactly where the kernel's assumption breaks and what "arbitrary write" actually means in physical terms.
  • You've heard Pass-the-Hash can't be stopped with a strong password and you want to see why. Nugget pulls up the browser terminal, walks you through what Mimikatz's `sekurlsa::logonpasswords` is actually extracting from LSASS, then asks you to reason through what Event ID 4624 logon type 3 would look like in the logs — and whether your SIEM would catch it or not.
  • You're enumerating a Windows box and WinPEAS flags an unquoted service path. Nugget asks you to trace the full chain before touching anything: which path does Windows try first, is that location writable, what happens on the next service restart? You work through it step by step in the Docker lab, planting the binary and watching SYSTEM-level execution follow — no CVE required.
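A defender's view of the unquoted service path chain from the last scenario, as an added example that is not part of the original page: it takes service ImagePath values, lists the order in which Windows would try each candidate executable, and produces the quoted form that closes the gap. The service names and paths are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed ImagePath values (hypothetical service names), in the form stored
# under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\Example Corp\Updater\upd.exe -service",
    "QuotedAgent": r'"C:\Program Files\Example Corp\agent.exe" --run',
    "NoSpaces": r"C:\Tools\svc.exe /quiet",
    "KernelDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Executable portion of an unquoted command line: everything up to the first
# ".exe" that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def resolution_order(image_path):
    """Paths Windows tries, in order, for an unquoted ImagePath with spaces.

    Returns [] when the value is quoted, has no spaces in the executable
    path, or is not an .exe (for example a driver .sys file).
    """
    value = image_path.strip()
    match = None if value.startswith('"') else _EXE.match(value)
    if match is None or " " not in match.group(1):
        return []
    exe = match.group(1)
    tokens = exe.split(" ")
    # Each space is a possible end of the program name: "C:\Program" is tried
    # as C:\Program.exe before the longer, intended path is considered.
    early = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return early + [exe]


def audit(services):
    """Map each affected service to its resolution order and quoted fix."""
    findings = {}
    for name, image_path in services.items():
        order = resolution_order(image_path)
        if order:
            exe = order[-1]
            args = image_path.strip()[len(exe):]
            findings[name] = {"tries": order, "fixed": f'"{exe}"{args}'}
    return findings


if __name__ == "__main__":
    for name, info in audit(SAMPLE_SERVICES).items():
        print(name, info["tries"], "->", info["fixed"])
```

The parent directory of each early candidate is where write ACLs need reviewing; quoting the ImagePath removes the ambiguity altogether.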

Start exploring Privilege Escalation tonight — three topics free, no card.
