LinPEAS: Automating Linux Privilege Escalation Enumeration
Once you’ve landed on a Linux machine during a penetration test, your goal is simple: escalate privileges. Whether you’re stuck in a restricted shell or sitting as a low-privileged user, your mission is to become root.
That’s where LinPEAS comes in.
What Is LinPEAS?
LinPEAS is part of the PEAS suite — a set of post-exploitation scripts that automate enumeration and help identify privilege escalation vectors.
It’s like having your own elite Linux red team assistant: scanning the system for vulnerabilities, misconfigurations, and escalation paths while you focus on strategy.
Why Use LinPEAS?
Use LinPEAS when:
- You’ve gained a foothold on a Linux machine.
- You want to uncover potential privilege escalation vectors fast.
- You’re working under time pressure and can’t afford to miss critical issues.
- You need help prioritizing findings (LinPEAS color-codes its output by severity).
It won’t escalate privileges for you, but it gives you the map. You bring the compass.
Downloading LinPEAS
Option 1: Direct download (latest release)
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
Option 2: Clone the full PEASS-ng repository
git clone https://github.com/carlospolop/PEASS-ng.git
cd PEASS-ng/linPEAS
chmod +x linpeas.sh
Note that the repository assembles linpeas.sh from parts under linPEAS/builder, so a fresh checkout may not contain a ready-to-run script; if it does not, fall back to the release download above.
Running LinPEAS
Basic usage (default checks)
./linpeas.sh
All checks (slower and noisier: adds a minute of process monitoring and su brute-forcing; meant for CTFs rather than client engagements)
./linpeas.sh -a
Stealth / superfast mode (skips the time-consuming checks; use it where noise matters)
./linpeas.sh -s
Supply the current user's password so LinPEAS can run sudo -l and try the password against other accounts via su
./linpeas.sh -P '<password>'
Flags have changed between releases, so run the script with -h and check the option list before relying on a switch.
Save output to a file for later review (tee keeps the colour codes, so the file can still be read with less -R)
./linpeas.sh | tee linpeas_output.txt
If the target cannot fetch the script itself (no outbound internet, or a shell too slow to paste through), copy it over first
scp linpeas.sh user@target:/tmp
ssh user@target
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh
Interpreting LinPEAS Output
LinPEAS uses color codes to visually separate results; the legend it prints at the start of a run is:
- Red on yellow background → very likely a privilege escalation vector (LinPEAS itself calls this "95% a PE vector")
- Red → worth investigating; a suspicious permission, configuration, or version
- Light cyan → users with a shell; blue → users without a shell, and mounted devices
- Green → common, informational findings that are probably not exploitable
- Light magenta → your own username
You can use less -R linpeas_output.txt to view the colored output in terminal after saving it.
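The following helper is an added example (not part of LinPEAS or of the original page) that serves both the "save output to a file" step above and the color legend: it strips the escape sequences so a saved run can be grepped and diffed, and it pulls out the lines LinPEAS painted red-on-yellow and plain red. It assumes LinPEAS marks those two classes with the SGR sequences ESC[1;31;103m and ESC[1;31m respectively (the SED_RED_YELLOW and SED_RED sequences in linpeas.sh at the time of writing); if a release changes them, adjust the two grep patterns. The sample output at the bottom is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Post-process a saved LinPEAS run: keep the colored copy for `less -R`,
# make a plain-text copy for grep/diff, and list the highest-priority hits.
# Assumption: red/yellow hits are wrapped in ESC[1;31;103m, red hits in ESC[1;31m.

ESC=$(printf '\033')

# Read stdin, drop every SGR colour sequence (ESC [ digits/; m).
linpeas_strip_ansi() {
    sed "s/${ESC}\[[0-9;]*m//g"
}

# Lines carrying at least one red/yellow marker: "95% a PE vector".
linpeas_hot() {
    grep "${ESC}\[1;31;103m" "$1" | linpeas_strip_ansi
}

# Lines carrying a plain red marker but no red/yellow one: "take a look".
linpeas_red() {
    grep "${ESC}\[1;31m" "$1" | grep -v "${ESC}\[1;31;103m" | linpeas_strip_ansi
}

# Human-readable triage summary for a saved run.
linpeas_triage() {
    echo "== Red/Yellow: very likely privesc =="
    linpeas_hot "$1"
    echo "== Red: investigate =="
    linpeas_red "$1"
}

# Constructed sample of a saved run (hypothetical findings, not real output).
linpeas_sample() {
    printf '%s[1;31;103m%s%s[0m\n' "$ESC" "/usr/bin/python3 = cap_setuid+ep" "$ESC"
    printf 'User www-data may run the following commands on target:\n'
    printf '    (root) %s[1;31mNOPASSWD%s[0m: /usr/bin/vim\n' "$ESC" "$ESC"
    printf '%s[1;32muid=33(www-data)%s[0m gid=33(www-data)\n' "$ESC" "$ESC"
}

# Usage: ./linpeas_triage.sh linpeas_output.txt   (or --demo for the sample)
if [ "$1" = "--demo" ]; then
    f=$(mktemp); linpeas_sample > "$f"
    linpeas_triage "$f"
    linpeas_strip_ansi < "$f" > "${f}.plain"   # grep/diff-friendly copy
    rm -f "$f" "${f}.plain"
elif [ -n "$1" ]; then
    linpeas_triage "$1"
fi
```

Keeping both copies is deliberate: the colored file is the one you read with less -R, while the stripped copy is what you diff against a second run after a change, or grep without escape bytes getting in the way.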
Key LinPEAS Sections & What to Focus On
System Info
- Kernel version
- Distro & architecture
- Potential kernel exploits (cross-check with searchsploit or linux-exploit-suggester)
User & Group Info
- Users with UID 0 (root)
- Users in the sudo, docker, or lxd groups (often exploitable)
- History files (.bash_history, .mysql_history, etc.)
Sudo Rights
- Runs sudo -l to list the commands the current user may run through sudo, and as which user.
- Look for NOPASSWD entries, especially editors, pagers, and archivers such as vim, less, and tar, which can spawn a shell from inside the permitted command.
sudo -l
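As an added example (not LinPEAS code, not from the original page), the script below turns the rule lines of sudo -l into one record per permitted binary and flags the ones worth an immediate GTFOBins lookup. The list of binaries it flags is an assumption, a short set whose GTFOBins entries give an interactive shell; extend it for your own engagements. The sudo -l text at the bottom is a constructed sample.

```shell
#!/bin/sh
# Parse "sudo -l" output and flag NOPASSWD/shell-escape candidates.
# Assumption: the flag list below is a hand-picked subset of GTFOBins entries.

SHELL_ESCAPES="vim vi nano less more man tar zip find awk python python3 perl env bash sh"
TAB=$(printf '\t')

# Read sudo -l output on stdin; print "user<TAB>runas<TAB>nopasswd<TAB>binary"
# for every command in every "(runas) [TAGS:] cmd1, cmd2" rule line.
parse_sudo_l() {
    user=""
    while IFS= read -r line; do
        case $line in
            "User "*" may run the following commands"*)
                user=${line#User }; user=${user%% *} ;;
            *"("*")"*)
                rule=${line#*\(}; runas=${rule%%\)*}; rest=${rule#*\)}
                rest=${rest# }
                nopw=no
                case $rest in *NOPASSWD:*) nopw=yes ;; esac
                # Drop leading tags such as NOPASSWD: SETENV: NOEXEC:
                while :; do
                    case $rest in
                        [A-Z]*:\ *) rest=${rest#*: } ;;
                        *) break ;;
                    esac
                done
                echo "$rest" | tr ',' '\n' | while IFS= read -r c; do
                    c=${c# }; bin=${c%% *}
                    printf '%s\t%s\t%s\t%s\n' "$user" "$runas" "$nopw" "$bin"
                done ;;
        esac
    done
}

# Print one line per rule whose binary is ALL or is on the flag list.
flag_sudo_escapes() {
    parse_sudo_l | while IFS=$TAB read -r user runas nopw bin; do
        name=$(basename "$bin")
        hit=no
        [ "$bin" = "ALL" ] && hit=yes
        for e in $SHELL_ESCAPES; do
            [ "$e" = "$name" ] && hit=yes
        done
        if [ "$hit" = yes ]; then
            printf '%s can run %s as %s (NOPASSWD=%s): check GTFOBins\n' "$user" "$bin" "$runas" "$nopw"
        fi
    done
}

# Constructed sample of sudo -l output (hypothetical host, not real data).
sudo_l_sample() {
    cat <<'EOF'
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim, /bin/tar
    (root) /usr/bin/apt-get update
EOF
}

# Usage: sudo -l 2>/dev/null | ./sudo_flags.sh   (or --demo for the sample)
if [ "$1" = "--demo" ]; then
    sudo_l_sample | flag_sudo_escapes
elif [ ! -t 0 ]; then
    flag_sudo_escapes
fi
```

Rules that restrict arguments (for example a fixed `apt-get update`) are deliberately not flagged; whether a locked-down argument list can still be abused is a manual GTFOBins check, not something a list match can decide.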
SUID/SGID Binaries
- Looks for SUID/SGID binaries that may be exploited (especially custom or uncommon ones; the standard set such as su, sudo, passwd, and mount is expected).
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
- Use GTFOBins to check whether any of them are exploitable, for example:
find . -exec /bin/sh -p \; -quit   # if /usr/bin/find is SUID; -p keeps the effective UID
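The script below is an added example (not LinPEAS code) of the "custom or uncommon" filter in practice: it lists SUID/SGID files and prints only those whose basename is not on a baseline of binaries that are normally SUID. The baseline is an assumption (a typical Debian/Ubuntu set); adjust it for the target's distribution, and treat anything left over as a GTFOBins lookup. The demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Report SUID/SGID files that are not part of the usual distro set.
# Assumption: SUID_BASELINE is a typical Debian/Ubuntu list, edit per target.

SUID_BASELINE="su sudo passwd chsh chfn gpasswd newgrp mount umount ping fusermount pkexec ssh-keysign"

# Every SUID or SGID regular file below the given root (default /), one per line.
list_suid_sgid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Exit 0 if the file's basename is on the baseline, 1 otherwise.
in_baseline() {
    name=$(basename "$1")
    for b in $SUID_BASELINE; do
        [ "$b" = "$name" ] && return 0
    done
    return 1
}

# Only the SUID/SGID files that are NOT on the baseline.
unusual_suid() {
    list_suid_sgid "$1" | while IFS= read -r f; do
        in_baseline "$f" || echo "$f"
    done
}

# Constructed demo tree: one expected SUID binary, one custom one, one normal file.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/opt/app"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"   # expected
    : > "$d/opt/app/backup"; chmod 4755 "$d/opt/app/backup"   # custom: report it
    : > "$d/usr/bin/ls";     chmod 0755 "$d/usr/bin/ls"       # not SUID
    echo "$d"
}

# Usage: ./unusual_suid.sh [root]   (or --demo for the constructed tree)
if [ "$1" = "--demo" ]; then
    d=$(make_demo_tree)
    unusual_suid "$d"      # prints only .../opt/app/backup
    rm -rf "$d"
elif [ -n "$1" ]; then
    unusual_suid "$1"
fi
```

Filtering by basename is a triage shortcut, not a verdict: a baseline binary that is an old version, or one installed in an odd location, still deserves a look, so keep the full list from the first find as well.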
Writable Files and Directories
- Root-owned files that the current user can write (a writable root-owned script or config is often a direct path to root):
find / -writable -user root -type f ! -path "/proc/*" 2>/dev/null
- World-writable files (dangerous when they are run by cron jobs, init scripts, or services):
find / -perm -2 -type f ! -path "/proc/*" 2>/dev/null
Cron Jobs
- Finds scheduled tasks owned by root or with misconfigurations.
- Especially focus on scripts in writable directories or called via wildcards.
cat /etc/crontab
ls -la /etc/cron* /var/spool/cron
Environment & PATH Hijacking
- Checks for writable folders in $PATH.
- If a root-level process calls cp, tar, etc. without a full path, a malicious version planted in a writable PATH directory runs instead.
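The two cron sections above describe one combined check, so here is a single added example (not LinPEAS code, not from the original page) that audits a system crontab for all three things they mention: a root-run script the current user can write, a command invoked by bare name while a directory on cron's PATH is writable, and a shell wildcard in the command line. It assumes the /etc/crontab and /etc/cron.d format with a user field, a cron default PATH of /usr/bin:/bin when the file sets none, and a small skip list of shell builtins that cannot be hijacked through PATH; the crontab and scripts it audits in demo mode are constructed in a temporary directory.

```shell
#!/bin/sh
# Audit an /etc/crontab-style file (with user column) for privesc openings.
# Assumptions: default cron PATH is /usr/bin:/bin; only the first word of a
# command is PATH-resolved; per-user crontabs (no user column) are not handled.

CRON_DEFAULT_PATH="/usr/bin:/bin"

# Writable directories on a colon-separated PATH string, one per line.
writable_path_dirs() {
    echo "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then echo "$d"; fi
    done
}

# One finding per line: kind<TAB>user<TAB>command<TAB>detail
audit_crontab() {
    cron_path=$CRON_DEFAULT_PATH
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) continue ;;
            PATH=*) cron_path=${line#PATH=}; cron_path=${cron_path#\"}; cron_path=${cron_path%\"}; continue ;;
            [A-Za-z]*=*) continue ;;    # SHELL=, MAILTO= and friends
        esac
        set -f; set -- $line; set +f    # -f: never glob the * fields
        case $1 in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @reboot user cmd
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # m h dom mon dow user cmd
        esac
        cmd=$*; bin=$1
        # Any absolute path on the line that we can write: script or config we control.
        for arg in "$@"; do
            case $arg in /*)
                if [ -f "$arg" ] && [ -w "$arg" ]; then
                    printf 'writable-script\t%s\t%s\t%s\n' "$user" "$cmd" "$arg"
                fi ;;
            esac
        done
        # Bare command name: any writable dir on cron's PATH can supply a rogue copy.
        case $bin in
            /*|cd|export|umask|.) ;;
            *)
                for d in $(writable_path_dirs "$cron_path"); do
                    printf 'path-hijack\t%s\t%s\t%s\n' "$user" "$cmd" "$d/$bin"
                done ;;
        esac
        # A shell wildcard in the arguments (tar/rsync/chown wildcard tricks).
        case $cmd in
            *" *"*) printf 'wildcard\t%s\t%s\t%s\n' "$user" "$cmd" "wildcard expanded by the shell in the cwd" ;;
        esac
    done < "$1"
}

# Constructed demo: a writable root script, a writable PATH dir, a tar wildcard.
make_demo_cron() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/backup" "$d/usr/local/bin" "$d/usr/bin"
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /var/www\n' > "$d/opt/backup/run.sh"
    chmod 0777 "$d/opt/backup/run.sh"
    chmod 0777 "$d/usr/local/bin"
    chmod 0555 "$d/usr/bin"
    cat > "$d/crontab" <<EOF
# constructed sample, not from a real host
PATH=$d/usr/local/bin:$d/usr/bin
*/5 * * * * root $d/opt/backup/run.sh
0 3 * * *   root cleanup --logs
0 4 * * *   root cd /var/www && tar czf /tmp/www.tgz *
EOF
    echo "$d"
}

# Usage: ./cron_audit.sh /etc/crontab /etc/cron.d/*   (or --demo)
if [ "$1" = "--demo" ]; then
    d=$(make_demo_cron); audit_crontab "$d/crontab"; rm -rf "$d"
else
    for f in "$@"; do audit_crontab "$f"; done
fi
```

Every finding still needs manual confirmation: a writable script matters only if root actually runs it on schedule, and a PATH hijack only if the job is not invoked with an absolute path by something else (a wrapper script, systemd timer) that LinPEAS lists separately.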
Interesting Files
- Searches for:
- Configs with passwords (e.g., .env, .my.cnf)
- .bash_history, .ssh/, .netrc, .aws/credentials
- Database and web-app config files (e.g., wp-config.php)
- A quick manual sweep of a directory tree for credential-like strings:
grep -riE 'pass|pwd|secret' . 2>/dev/null
Credentials in Memory or Files
- Looks for:
- Passwords passed on command lines, which show up in ps aux output
- Hardcoded credentials in scripts
- SSH keys (check /home/*/.ssh/, /root/.ssh/, etc.)
Interesting Capabilities
- Detects binaries with Linux file capabilities set (e.g., cap_setuid, cap_dac_read_search, cap_net_bind_service). A capability such as cap_setuid or cap_dac_read_search on an interpreter or general-purpose tool is often directly exploitable for root; cap_net_bind_service only allows binding low ports and is not a privesc on its own.
getcap -r / 2>/dev/null
Docker, LXD, and Other Dangerous Groups
- Membership in groups such as docker or lxd is a privilege escalation vector in itself: these groups allow creating and starting containers, and a container that mounts the host filesystem runs as root over it.
LinPEAS Pro Tips
- Use tmux or script to persist sessions when output is long or the connection is unstable.
- Pipe LinPEAS output into grep to quickly find key terms:
./linpeas.sh | tee output.txt
grep -iE "password|sudo|cap_|docker" output.txt
- Cross-reference LinPEAS findings with:
- GTFOBins (SUID/SGID)
- Exploit-DB (kernel vulns)
- PayloadsAllTheThings (manual privesc)
Final Thoughts
LinPEAS isn’t the end of your privilege escalation journey — it’s the GPS. It points out the roads, the potholes, and the shortcuts. The real work is in exploring and testing those paths.
As you get more comfortable, try pairing LinPEAS with:
- les.sh (Linux Exploit Suggester): matches the kernel and distro version against known public exploits
- Linux Exploit Suggester 2: a second, independently maintained kernel exploit suggester, useful as a cross-check
- Manual enumeration – to catch edge cases or verify findings
Use LinPEAS early, save the output, and pivot smart. Root is closer than you think.
