Vulnerability Escalation
Research and analyze privilege escalation techniques and vulnerability chains for security assessment. Find where vulnerable software is deployed across your infrastructure.
Prerequisites
Install the assetquery CLI tool:

```bash
# Recommended — works on all platforms
uv tool install "assetquery[all]"

# Alternative
pipx install "assetquery[all]"
```

Warning: Do not use bare `pip install` on macOS or Linux; it will fail due to PEP 668 externally-managed environment restrictions. Use `uv tool install` or `pipx install` instead.
Then check provider health and configure credentials:

```bash
assetquery providers
```

Configuration: `~/.mallory/assetquery/config.yaml`

Provider credentials use ambient environment variables (`AWS_PROFILE`, `GITHUB_TOKEN`, `CROWDSTRIKE_CLIENT_ID`, etc.). See `reference.md` for details.
Tools
Use the escalation script to find where vulnerable software is deployed:

```bash
# Find where a specific package is deployed (by PURL)
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find "pkg:pypi/requests@2.28.0"

# Find by CPE
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"

# Find by vendor/product/version
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find --vendor apache --product log4j --version 2.14.0

# List all assets and their vulnerabilities
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py list

# List vulnerability definitions only
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py list --type definitions

# Check provider health
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py providers
```

Output defaults to JSON. Use `--output table` for human-readable output.
When to Use
- Research privilege escalation techniques for a platform
- Analyze vulnerability chains (initial access to full compromise)
- Find where vulnerable software is deployed across infrastructure
- Document post-exploitation paths
- Assess lateral movement opportunities
- Evaluate defense-in-depth effectiveness
Analysis Workflow
- Identify Entry Point: Get vulnerability details from the Mallory API
- Find Deployed Instances: Use `escalation.py find` with the CVE's CPE or PURL
- Map Local Escalation: Find privilege escalation paths on affected assets
- Assess Lateral Movement: Identify network propagation vectors
- Document Chain: Create a full attack chain diagram
- Recommend Mitigations: Suggest defensive controls prioritized by exposure
Common Escalation Categories
Linux/Unix
- SUID/SGID binaries
- Sudo misconfigurations
- Kernel exploits
- Cron job abuse
- Writable service files
Windows
- Token impersonation
- Service misconfigurations
- UAC bypass
- Unquoted service paths
- DLL hijacking
Cloud/Container
- IAM policy abuse
- Container escape
- Metadata service access
- Cross-account pivoting
Resources
- GTFOBins - Unix binaries for escalation
- LOLBAS - Windows living-off-the-land binaries
- HackTricks - Escalation techniques reference
Data Access
Mallory API (vulnerability intelligence)
Use the mallory-api skill for vulnerability details, exploitation activity, and exploit data:
- `client.vulnerabilities.get("identifier")` — Vulnerability details
- `client.vulnerabilities.exploitations("identifier")` — Exploitation activity
- `client.vulnerabilities.exploits("identifier")` — Known exploits
- `client.vulnerabilities.export("identifier")` — Full profile with relationships
- `client.search.query(q="...", types="vulnerability")` — Search for vulnerabilities
assetquery (deployed asset discovery)
Use `escalation.py` to find where affected software is running:
- `find <CPE|PURL>` — Locate deployed instances of a vulnerable package
- `find --vendor V --product P --version V` — Search by component
- `list` — Inventory all assets from enabled providers
- `list --type definitions` — List vulnerability definitions across providers
- `providers` — Check which providers are configured and healthy
Combined workflow
- Look up the CVE in Mallory to get affected products, CVSS score, and exploit availability
- Use the CPE or PURL from the vulnerability to `find` deployed instances
- Assess exposure: which assets are affected, in which environments
- Prioritize remediation based on exploitability and deployment scope
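The `find` step above accepts the same component in three spellings (CPE 2.3, PURL, or vendor/product/version), so the matching logic has to normalize them before comparing against inventory. The following is an added example, not code from escalation.py or the assetquery project: it parses both identifier forms into one triple, treats an unpinned vendor or version as a wildcard, and matches against a constructed inventory whose shape (asset name to installed identifiers) is an assumption, since the real `list` output schema is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    vendor: Optional[str]   # None when unknown (PURL type without a namespace)
    product: str
    version: Optional[str]  # None means any version (CPE '*'/'-' or PURL without @)


def parse_cpe23(cpe: str) -> Component:
    """Split a CPE 2.3 formatted string; a literal ':' in a field is escaped as '\\:'."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    vendor, product, version = (f.replace("\\:", ":") for f in fields[3:6])
    return Component(vendor.lower(), product.lower(), None if version in ("*", "-") else version)


def parse_purl(purl: str) -> Component:
    """Parse pkg:type/namespace/name@version; qualifiers and subpath are ignored."""
    m = re.fullmatch(r"pkg:[^/]+/(?:(.+)/)?([^/@?#]+)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?", purl)
    if not m:
        raise ValueError(f"not a PURL: {purl}")
    namespace, name, version = m.groups()
    return Component(namespace.lower() if namespace else None, name.lower(), version)


def parse_identifier(ident: str) -> Component:
    # Dispatch on the prefix, as a positional <CPE|PURL> argument would be handled
    return parse_cpe23(ident) if ident.startswith("cpe:2.3:") else parse_purl(ident)


def matches(query: Component, installed: Component) -> bool:
    """Vendor and version act as wildcards when the query does not pin them."""
    if query.product != installed.product:
        return False
    if query.vendor and installed.vendor and query.vendor != installed.vendor:
        return False
    return query.version is None or query.version == installed.version


# Constructed inventory standing in for `list` output (real schema not shown on the page)
INVENTORY = {
    "web-01": ["pkg:pypi/requests@2.28.0", "pkg:pypi/urllib3@1.26.5"],
    "batch-02": ["cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"],
    "batch-03": ["cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:*"],
}


def find_deployed(identifier: str, inventory=INVENTORY) -> list:
    """Sorted names of assets on which the queried component is installed."""
    query = parse_identifier(identifier)
    return sorted(asset for asset, comps in inventory.items()
                  if any(matches(query, parse_identifier(c)) for c in comps))
```

A CPE whose version field is `*` therefore returns every asset running any version of the product, which is the query to run when the advisory's affected range is not yet pinned down.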