LinPEAS
LinPEAS (Linux Privilege Escalation Awesome Script) automates Linux system enumeration and privilege escalation vulnerability detection.
Installation
# Download a pinned release (20250330)
curl -L https://github.com/carlospolop/PEASS-ng/releases/download/20250330/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
# Or clone from GitHub
git clone https://github.com/carlospolop/PEASS-ng.git
cd PEASS-ng/linPEAS
chmod +x linpeas.sh
# Run directly from GitHub (script is piped to bash, not saved to disk)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash
Basic Usage
| Command | Description |
|---|---|
| ./linpeas.sh | Run full enumeration |
| ./linpeas.sh -h | Display help menu |
| ./linpeas.sh -t | Thorough scan (slower, comprehensive) |
| ./linpeas.sh -a | Run all checks without limitations |
| ./linpeas.sh 2>/dev/null | Suppress stderr output |
| ./linpeas.sh -p | Personalised search (specify search strings) |
Output Sections
LinPEAS color-codes findings:
- Red: Critical vulnerabilities requiring immediate attention
- Yellow: Important findings, potential issues
- Blue: Interesting information worth investigation
- Green: Non-critical or informational content
Key Enumeration Areas
System Information
# Kernel version and OS details
uname -a
cat /etc/os-release
# CPU and memory info
nproc
free -h
Users and Permissions
# Current user and groups
whoami
id
groups
# All users on system
cat /etc/passwd
getent passwd
# Sudo capabilities
sudo -l
sudo -l -U <user>
SUID Binaries
# Find SUID/SGID binaries
find / -perm -4000 2>/dev/null
find / -perm -2000 2>/dev/null
# Check for GTFOBins candidates
find / -perm -4000 -type f -exec ls -la {} + 2>/dev/null
Writable Directories and Files
# World-writable directories
find / -perm -0002 -type d 2>/dev/null
# User-writable system directories
find /usr/bin /usr/local/bin /usr/sbin -writable 2>/dev/null
# Writable files in /etc
find /etc -writable 2>/dev/null
Cron Jobs
# View system cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
# User cron jobs
crontab -l
Network and Services
# Open ports and listening services
ss -tulpn
netstat -tulpn
lsof -i -P -n
# Running processes
ps aux
ps auxf
# Services
systemctl list-units --all
service --status-all
File and Directory Permissions
# Check home directory permissions
ls -la ~/
ls -la /root/
# Check for world-readable sensitive files
find / -type f \( -name "*.pem" -o -name "*.key" -o -name "*.txt" \) -perm -004 2>/dev/null
# Password files and sudoers
cat /etc/shadow 2>/dev/null
cat /etc/sudoers 2>/dev/null
cat /etc/sudoers.d/* 2>/dev/null
Kernel Vulnerabilities
# Get kernel version
uname -r
cat /proc/version
# Check for known CVEs (linpeas detects these)
# Common: DirtyCOW, Overlayfs, CVE-2022-0847, etc.
Capabilities
# List capabilities of binaries
getcap -r / 2>/dev/null
# Check specific binary capabilities
getcap /usr/bin/ping
getcap /usr/bin/python3
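The getcap output above can be reduced to the entries that matter for privilege escalation. This is an added example, not LinPEAS code or part of the original page: `triage_getcap`, `HIGH_RISK` and `SAMPLE_GETCAP` are names invented here, the sample lines are constructed, and the shortlist is an assumption to adapt to local policy.

```sh
#!/bin/sh
# Added example (not LinPEAS code): triage `getcap -r /` output.
# HIGH_RISK is this example's own shortlist (an assumption, adapt to local policy).
HIGH_RISK="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module"

# Constructed sample mixing both getcap layouts ("file = caps+ep" and "file caps=ep")
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.11 cap_setuid=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/opt/tool/helper = cap_dac_read_search,cap_chown+ep
/opt/tool/legacy cap_setgid+i
/opt/agent/daemon =ep'

# triage_getcap: reads getcap lines on stdin and prints "<file> <capability>"
# for each high-risk capability in the effective or permitted set.
# Assumes file paths contain no whitespace.
triage_getcap() (
    set -f                                    # no globbing during word splitting
    while IFS= read -r line; do
        set -- $line
        [ $# -ge 2 ] || continue
        file=$1; shift
        for clause in "$@"; do
            names=${clause%%[=+-]*}           # "cap_a,cap_b" from "cap_a,cap_b+ep"
            flags=${clause#"$names"}          # "+ep", "=eip", or a bare "="
            case $flags in *[ep]*) ;; *) continue ;; esac   # skip inheritable-only
            if [ -z "$names" ]; then echo "$file ALL"; continue; fi   # "=ep": every capability
            IFS=,
            for cap in $names; do
                case " $HIGH_RISK " in *" $cap "*) echo "$file $cap" ;; esac
            done
            unset IFS
        done
    done
)

printf '%s\n' "$SAMPLE_GETCAP" | triage_getcap
```

On a real host, feed it with `getcap -r / 2>/dev/null | triage_getcap`.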
Environment Variables
# Display all env vars
env
printenv
# Check for sensitive data in env
env | grep -i "pass\|token\|key\|secret"
Advanced Options
Search Strings
# Personalised searches for specific strings
./linpeas.sh -p "password\|api\|key"
# Search in specific directories
./linpeas.sh -s "/home\|/opt\|/var"
Write Output
# Save to file
./linpeas.sh > linpeas_output.txt
# Color-preserved HTML output
./linpeas.sh -w html > linpeas.html
# Line numbers
nl linpeas_output.txt
Common Findings Interpretation
Critical Indicators
- SUID binaries - Run as root, check for exploits via GTFOBins
- Sudo without password - Direct privilege escalation
- Writable /etc/passwd - Create new root user
- Kernel CVE - Potential DoS or privilege escalation
- Capabilities (cap_setuid) - Escalate privileges programmatically
- Cron jobs running as root - Writable cron script = privilege escalation
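The writable-cron-script finding can be checked directly from an `/etc/crontab`-format file. This is an added example, not LinPEAS code or part of the original page: `audit_crontab`, `loose`, `owned_ok`, `demo` and `TRUSTED_OWNER` are names invented here, and the crontab and scripts built by `demo` are constructed.

```sh
#!/bin/sh
# Added example (not LinPEAS code): audit an /etc/crontab-format file for
# root-run commands that a non-root user could modify or replace.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}   # assumption: owner the scripts should have

# loose PATH: true if PATH is group- or world-writable
loose() { [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; }
# owned_ok PATH: true if PATH belongs to TRUSTED_OWNER
owned_ok() { [ -n "$(find -L "$1" -prune -user "$TRUSTED_OWNER" -print 2>/dev/null)" ]; }

# audit_crontab FILE: prints one "RISK <path>: <reason>" line per finding
audit_crontab() (
    while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
        case $f1 in
            ''|\#*|[A-Za-z_]*) continue ;;     # blank, comment, VAR=value
            @*) user=$f2; path=$f3 ;;          # @reboot user command
            *)  user=$f6; path=$f7 ;;          # m h dom mon dow user command
        esac
        [ "$user" = root ] || continue
        case $path in /*) ;; *) continue ;; esac   # only absolute paths are checked
        if [ ! -e "$path" ]; then
            echo "RISK $path: target does not exist"
            continue
        fi
        owned_ok "$path" || echo "RISK $path: not owned by $TRUSTED_OWNER"
        if loose "$path"; then echo "RISK $path: group/world-writable file"; fi
        if loose "$(dirname "$path")"; then echo "RISK $path: group/world-writable parent directory"; fi
    done <"$1"
)

# demo: constructed crontab and scripts in a temp dir (not real system data)
demo() (
    d=$(mktemp -d) && mkdir "$d/safe" "$d/open" && chmod 755 "$d/safe" && chmod 777 "$d/open"
    for f in safe/backup.sh safe/rotate.sh open/sync.sh; do
        printf '#!/bin/sh\n' >"$d/$f"; chmod 755 "$d/$f"
    done
    chmod 666 "$d/safe/rotate.sh"
    printf '%s\n' 'PATH=/usr/bin:/bin' \
        "17 * * * * root $d/safe/backup.sh --daily" \
        "*/5 * * * * root $d/safe/rotate.sh" \
        "@daily root $d/open/sync.sh" \
        "0 4 * * * root $d/safe/gone.sh" \
        "0 5 * * * www-data $d/safe/rotate.sh" >"$d/crontab"
    TRUSTED_OWNER=$(id -u)                     # temp files belong to the caller
    audit_crontab "$d/crontab" | sed "s|$d|<tmp>|g"
    rm -rf "$d"
)
demo
```

On a real host, run `audit_crontab /etc/crontab` and repeat it for each file in `/etc/cron.d/`.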
Medium Findings
- Writable cron directories
- Interesting files in /tmp or /var/tmp
- Old installed software (outdated libraries)
- NFS shares with no_root_squash
- Docker group membership
Linux Privilege Escalation Checklist
# 1. Check sudo
sudo -l
# 2. Check SUID
find / -perm -4000 2>/dev/null
# 3. Check writable paths
find / -perm -0002 -type f 2>/dev/null | grep -E "bin|etc"
# 4. Check cron
cat /etc/crontab /etc/cron.d/*
# 5. Check capabilities
getcap -r / 2>/dev/null | grep -v "cap_net"
# 6. Check kernel version
uname -r
# 7. Check mounted filesystems
mount | grep -i "noexec\|nosuid"
# 8. Check services
ps aux | grep -E "root|mysql|postgres"
# 9. Check writable directories
find /etc -writable 2>/dev/null
Tips and Tricks
- Run linpeas before and after any changes to compare findings
- Save output for documentation and proof of concept
- Pay attention to RED findings - highest priority
- Check GTFOBins for found SUID binaries: https://gtfobins.github.io/
- Use pspy64 to monitor running processes in real-time
- Cross-reference findings with SearchSploit for exploit availability
Related Tools
- winPEAS: Windows privilege escalation enumeration
- pspy: Monitor processes without root
- GTFOBins: Exploit database for Unix binaries
- SearchSploit: Offline exploit database
- PEASS-ng: Complete privilege escalation framework
Last updated: March 2025