FlashGenius Logo FlashGenius
Login Sign Up

Offensive Security Prep Pack for eJPT, OSCP, PNPT, OSWE, and OSEP Practice Questions: Linux Privilege Escalation Domain

Published: December 13, 2025 | 20 min read

Test your Offensive Security Prep Pack for eJPT, OSCP, PNPT, OSWE, and OSEP knowledge with 10 practice questions from the Linux Privilege Escalation domain. Includes detailed explanations and answers.

OSPP Practice Questions — Linux Privilege Escalation
FlashGenius • Practice Set

OSPP Practice Questions

Master the Linux Privilege Escalation domain with 10 exam-style scenarios and detailed explanations.

Test your knowledge in the Linux Privilege Escalation domain with these 10 practice questions. Each question is designed to help you prepare for the OSPP certification exam with explanations that reinforce the technique—not just the final choice.

Question 1

Sudo + Command Injection

You have a shell as user analyst on a hardened Ubuntu 22.04 server. sudo -l returns: 

Matching Defaults entries for analyst on sec-srv:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User analyst may run the following commands on sec-srv:
    (root) NOPASSWD: /usr/bin/python3 /opt/tools/logrotate.py

The contents of /opt/tools/logrotate.py are:

#!/usr/bin/python3
import os
import sys

LOG_DIR = "/var/log/app/"

if len(sys.argv) != 2:
    print("Usage: logrotate.py <logfile>")
    sys.exit(1)

logfile = sys.argv[1]
cmd = "tar -czf /var/backups/" + logfile + ".tar.gz " + LOG_DIR + logfile
os.system(cmd)

You confirm that analyst can write to /var/log/app/ but not to /var/backups/. Which of the following is the most reliable way to escalate to root?

A) Use a path traversal in the logfile argument to overwrite /etc/sudoers via the tar command.
B) Abuse command injection by setting logfile to test.log; /bin/bash and running the script with sudo.
C) Create a malicious tar binary in /var/log/app/ and rely on PATH hijacking when os.system runs.
D) Create a symlink in /var/log/app/ pointing to /root/.ssh/id_rsa and use logrotate.py to archive it.
Show Answer & Explanation

Correct Answer: B

The script concatenates untrusted input into a shell command and executes it with os.system(). Because the script is executed as root via sudo, shell metacharacters in logfile allow root-level command execution.

Reliable trigger pattern

sudo /usr/bin/python3 /opt/tools/logrotate.py 'test.log; /bin/bash -p'

Why the other options are weaker

  • A: tar -czf creates archives; it does not overwrite arbitrary files like /etc/sudoers as a direct effect.
  • C: secure_path excludes /var/log/app, so PATH hijacking is not reliable.
  • D: Archiving a sensitive file is data access, not deterministic privilege escalation to a root shell.

Question 2

Writable Script in Sudo Chain

On a hardened Ubuntu 22.04 server, you gain a shell as user report. While enumerating, you find: 

report@filesrv:~$ sudo -l
Matching Defaults entries for report on filesrv:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User report may run the following commands on filesrv:
    (root) NOPASSWD: /usr/bin/find /mnt/reports -type f -name '*.csv' -exec /usr/local/bin/process_report.sh {} \;

You inspect /usr/local/bin/process_report.sh:

#!/bin/bash

/usr/bin/python3 /opt/reporting/process.py "$1"

Permissions:

-rwxr-xr-x 1 root root  102 Jan  5 11:21 /usr/local/bin/process_report.sh
-rwxrwxr-x 1 root report 4096 Jan  5 11:20 /opt/reporting/process.py

Which is the MOST straightforward way to escalate to a root shell using this configuration?

A) Edit /opt/reporting/process.py to spawn a root shell, then run the allowed sudo find command.
B) Abuse find's -exec to run /bin/bash directly as root by changing the command in the sudoers entry.
C) Create a malicious .csv file containing Python code that will be executed by process.py.
D) Exploit a race condition by replacing /usr/local/bin/process_report.sh with a symlink to /bin/bash.
Show Answer & Explanation

Correct Answer: A

The sudo rule executes a root-owned wrapper script which calls /opt/reporting/process.py. That Python script is group-writable by report, which means you can modify code that will run as root.

Question 3

Cron + Group-Writable Root Script

You find the following cron entry in /etc/crontab:

*/5 * * * * root /usr/local/bin/cleanup.sh

Inspecting the script:

$ ls -l /usr/local/bin/cleanup.sh
-rwxrwxr-x 1 root dev 512 Mar  1  2024 /usr/local/bin/cleanup.sh

$ cat /usr/local/bin/cleanup.sh
#!/bin/bash

LOG_DIR=/var/log/myapp
TMP_DIR=/tmp/myapp

rm -rf "$TMP_DIR"/*
find "$LOG_DIR" -type f -mtime +7 -delete

What is the most reliable way to escalate to root using this misconfiguration?

A) Append bash -p to /usr/local/bin/cleanup.sh as user dev and wait for cron to execute it.
B) Replace /usr/local/bin/cleanup.sh with a symlink to /bin/bash and wait for cron to execute it.
C) Modify LOG_DIR in your environment to point to /root and wait for cron to run the script.
D) Create a malicious script /tmp/myapp/rm that spawns a shell, relying on rm being called without a full path.
Show Answer & Explanation

Correct Answer: A

The cron job runs as root and executes a script that is group-writable by the dev group. If you can edit the script contents, you can add a command that executes with root privileges at the next cron run.

Question 4

SUID Script + PATH Hijack Claim

You find an unusual SUID entry:

/usr/local/bin/backup

Script contents:

#!/bin/bash

# Simple backup script

tar -czf /var/backups/home.tar.gz /home 2>/dev/null

echo "Backup completed"

Permissions:

-rwsr-xr-x 1 root root 1048 Jan  5 09:13 /usr/local/bin/backup

Your PATH:

/home/appuser/.local/bin:/home/appuser/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Which approach is the MOST reliable way to escalate privileges to root using this misconfiguration?

A) Create a malicious /home/appuser/bin/tar that spawns a shell, ensure it is executable, then run /usr/local/bin/backup.
B) Overwrite /usr/bin/tar with a malicious script using redirection, then run /usr/local/bin/backup.
C) Use tar's checkpoint action directly: tar --checkpoint=1 --checkpoint-action=exec=/bin/sh.
D) Exploit a race condition by repeatedly deleting /usr/bin/tar while running /usr/local/bin/backup.
Show Answer & Explanation

Correct Answer: A (with an important caveat)

Many training scenarios assume PATH is honored and the SUID wrapper is exploitable via PATH hijacking. In real systems, the kernel ignores SUID on scripts on most modern Linux distributions (for safety), and behavior can vary. For an exam-style question set, option A is the intended vector: the script calls tar without an absolute path, and your PATH places a writable directory first.

Question 5

Sudo find -exec tar + Option Injection

You have:

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find /var/backups -type f -mtime -1 -exec /bin/tar -czf /var/backups/daily.tar.gz {} +

You cannot modify /usr/bin/find or /bin/tar, and /var/backups is writable by www-data. Which is the most reliable way to escalate to root?

A) Create a malicious file in /var/backups named --checkpoint-action=exec=/bin/sh so that when tar runs it triggers a root shell.
B) Replace /bin/tar with a symlink to /bin/bash in /var/backups, then run the sudo command.
C) Leverage tar option injection by creating filenames that start with --checkpoint and --checkpoint-action, causing tar (run as root) to execute /bin/sh.
D) Exploit a race condition to create a SUID-root copy of /bin/bash before find completes.
Show Answer & Explanation

Correct Answer: C (and A is incomplete)

This is tar option-injection via filenames. You typically need both --checkpoint=1 and --checkpoint-action=exec=... as separate arguments (filenames), which is why option C is the accurate description.

Question 6

Sudo find (Argument Escape Risk)

Sudoers shows:

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find /tmp -name *

Which is the most reliable way to escalate to a root shell using this configuration?

A) Create a SUID copy of /bin/bash in /tmp and execute it via find.
B) Abuse find’s -exec to execute /bin/bash as root: sudo /usr/bin/find /tmp -name x -exec /bin/bash \;.
C) Use find to read /etc/shadow then crack offline.
D) Use find -delete to remove /etc/sudoers then re-add yourself.
Show Answer & Explanation

Correct Answer: B (depends on sudoers argument restrictions)

In many labs, this is intended as a GTFOBins-style escape: if sudo allows additional arguments beyond the displayed pattern, appending -exec yields root command execution. If sudoers is configured to strictly match arguments (or uses NOEXEC), this would fail; but for a practice set, B is the canonical expected answer.

Question 7

Wildcard Injection with Tar

Sudoers shows:

User webapp may run the following commands on app01:
    (root) NOPASSWD: /usr/bin/tar -czf *

Current directory is writable (/var/www/app/uploads). Which is MOST reliable?

A) Create a tar archive containing a SUID-root shell and run tar to trigger it.
B) Run tar with checkpoint flags directly by appending options after the wildcard.
C) Create files named --checkpoint=1 and --checkpoint-action=exec=/bin/sh, then run: sudo /usr/bin/tar -czf backup.tar *.
D) Overwrite /etc/sudoers by writing a tarball to that path.
Show Answer & Explanation

Correct Answer: C

This is classic wildcard/argument injection: the shell expands * into filenames you control. Filenames beginning with -- are interpreted by GNU tar as options.

Question 8

Python subprocess + PATH Resolution

Sudoers shows:

User report may run the following commands on srv01:
    (root) NOPASSWD: /usr/bin/python3 /opt/tools/manage.py *

Script:

#!/usr/bin/python3
import sys
import subprocess

if len(sys.argv) < 2:
    print("Usage: manage.py <command>")
    sys.exit(1)

cmd = sys.argv[1]

if cmd == 'backup':
    subprocess.call(['tar', 'czf', '/backups/app.tar.gz', '/var/www/app'])
elif cmd == 'status':
    subprocess.call(['systemctl', 'status', 'apache2'])
else:
    print('Unknown command')

/opt/tools/manage.py is not writable. report can write to /home/report/bin, and PATH starts with that directory. What is the most straightforward way to escalate?

A) Create a malicious tar in /home/report/bin, then run sudo ... manage.py backup.
B) Create a malicious systemctl in /home/report/bin, then run sudo ... manage.py status.
C) Pass backup; /bin/bash to exploit shell injection.
D) Use PYTHONPATH to override subprocess behavior under sudo.
Show Answer & Explanation

Correct Answer: A (with environment caveat)

Because subprocess is invoked with a list (no shell), command injection (C) does not apply. The intended vector is PATH-based command resolution for tar. In hardened sudo configs, PATH may be reset via secure_path; for this practice scenario, the provided PATH detail indicates the exam-intended answer is A.

Question 9

Cron + Wildcard Injection with Tar

Root cron runs:

* *   * * *   root    /usr/local/bin/backup.sh

Script:

#!/bin/bash
SRC_DIR="/home/dev/app"
DEST="/backups/app-$(date +%F).tar.gz"

cd "$SRC_DIR" || exit 1

tar -czf "$DEST" *

You control /home/dev/app. Which approach is MOST reliable?

A) Create a SUID-root bash in /home/dev/app then wait for it to be archived.
B) Create files named --checkpoint=1 and --checkpoint-action=exec=/bin/bash in /home/dev/app.
C) Replace /usr/bin/tar with a malicious script.
D) Create a symlink so the cron job overwrites /etc/shadow.
Show Answer & Explanation

Correct Answer: B

The script runs as root and uses * in a user-controlled directory, enabling wildcard/argument injection. Tar checkpoint options are the canonical execution primitive in this pattern.

Question 10

Writable /usr/local/bin + Root Cron

You find:

/etc/crontab:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

* * * * * root backup.sh

/usr/local/bin is writable by appuser:
drwxrwxrwx 2 root root 4096 Jan 10 08:59 /usr/local/bin/

backup.sh:

#!/bin/sh
tar -czf /var/backups/home.tar.gz /home/*

What is the most straightforward way to escalate to root on this host?

A) Overwrite /usr/local/bin/backup.sh with a malicious script and wait for cron to run it as root.
B) Create a SUID copy of /bin/tar in /usr/local/bin.
C) Modify /etc/crontab to add a new root cron job.
D) Use a race condition with symlinks in /home.
Show Answer & Explanation

Correct Answer: A

If a root cron job executes a script from a directory you can write to, the simplest path is to replace the script with your payload and wait for cron to execute it as root.

Ready to Accelerate Your Offensive Security Prep?

Join learners who use FlashGenius to practice domain-by-domain, identify weak areas quickly, and build exam-day confidence.

  • • Domain-focused practice questions for OSPP
  • • Exam-style explanations that teach the underlying technique
  • • Performance tracking to identify weak areas
  • • Mobile-friendly practice for quick sessions
  • • Fast iteration: new questions added regularly
Start Free Practice Now

About Offensive Security Prep Pack for eJPT, OSCP, PNPT, OSWE, and OSEP Certifications

Offensive Security Prep Pack for eJPT, OSCP, PNPT, OSWE, and OSEP validates practical skills in Linux privilege escalation and related exploitation workflows. Use these practice questions to validate reasoning patterns, not just memorized commands.

FlashGenius Premium

Offensive Security Prep Pack: EJPT, OSCP, PNPT, OSWE & OSEP

Train for multiple offensive security certifications in one place. Get domain-based drills, mixed-mode practice tests, and realistic red-team scenarios that mirror how EJPT, OSCP, PNPT, OSWE & OSEP actually feel on exam day.

  • 10+ focused domains covering networking, web, AD, privilege escalation & more
  • Exam-style MCQs, methodology drills, and chained attack paths
  • Mixed practice sets to simulate end-to-end engagements
  • Detailed explanations to turn every miss into a lesson
Be exam-ready faster

Ideal if you're targeting 2–3 OffSec-style certifications and want one unified prep pack.

Try the Offensive Security Prep Pack