**LinPEAS is a script that searh for possible paths to escalate privileges on Linux/Unix\* hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/privilege-escalation)**
Check the **Local Linux Privilege Escalation checklist** from **[book.hacktricks.xyz](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist)**.
The goal of this script is to search for possible **Privilege Escalation Paths** (tested in Debian, CentOS, FreeBSD and OpenBSD).
This script doesn't have any dependency.
It uses **/bin/sh** sintax, so can run in anything supporting `sh` (and the binaries and parameters used).
It could take from **2 to 3 minutes** to execute the whole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside all the accesible files of the system and 1 min to monitor the processes in order to find very frequent cron jobs).
You can **decrease this** time use the parameters:
- **-f** (fast) - This will bypass checking processes during 1 min
- **-s** (superfast) - This will bypass the previous check and other time consuming checks.
This script has **several lists** included inside of it to be able to **color the results** in order to highlight PE vector.
LinPEAS also **exports a new PATH** variable if common folders aren't present in the original PATH variable. It also **exports** unset and export several environmental commands so no command executed during the session will be saved in the history file (you can avoid this actions using the parameter **-n**).
With LinPEAS you can also **discover hosts automatically** using `fping`, `ping` and/or `nc`, and **scan ports** using `nc`.
LinPEAS will **automatically search for this binaries** in `$PATH` and let you know if any of them is available. In that case you can use LinPEAS to hosts dicovery and/or port scanning.
LinPEAS uses colors to indicate where does each section begin. But **it also uses them the identify potencial misconfigurations**.
The  **Red/Yellow**  color is used for identifing configurations that lead to PE (99% sure).
The  **Red** color is used for identifing suspicious configurations that could lead to PE:
- Possible exploitable kernel versions
- Vulnerable sudo versions
- Identify processes running as root
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories
- SUID/SGID binaries that have some vulnerable version (it also specifies the vulnerable version)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
- Check /etc/doas.conf
- 127.0.0.1 in netstat
- Known files that could contain passwords
- Capabilities in interesting binaries
- Interesting capabilities of a binary
- Writable folders and wilcards inside info about cron jobs
- Writables folders in PATH
- Groups that could lead to root
- Files that could contains passwords
The  **Green** color is used for:
- Common processes run by root
- Common not interesting devices to mount
- Not dangerous fstab permissions
- SUID/SGID common binaries (the bin was already found in other machines and searchsploit doesn't identify any vulnerable version)
- Common .sh files in path
- Common names of users executing processes
The  **Blue** color is used for:
- Users without shell
- Mounted devices
The  **Light Cyan** color is used for:
- Users with shell
The  **Light Magenta** color is used for:
- Current username
</details>
## One liner
Here you have an old linpe version script in one line, **just copy and paste it**;)
**The color filtering is not available in the one-liner** (the lists are too big)
This one-liner is deprecated (I am not going to update it more), but it could be useful in some cases so it will remain here:
The default file where all the data is recorded is: */tmp/linPE* (you can change it at the beginning of the script)
- [x] Try to login using `su` as other users (using null pass and the username)
- [x] List of superusers
- [x] List of users with console
- [x] Login info
- [x] List of all users
- [x] Clipboard and highlighted text
- **Software Information**
- [x] MySQl (Version, user being configured, loging as "root:root","root:toor","root:", user hashes extraction via DB and file, possible backup user configured)
- [x] PostgreSQL (Version, try login in "template0" and "template1" as: "postgres:", "psql:")
- [x] Apache (Version)
- [x] PHP cookies
- [x] Wordpress (Database credentials)
- [x] Tomcat (Credentials)
- [x] Mongo (Version)
- [x] Supervisor (Credentials)
- [x] Cesi (Credentials)
- [x] Rsyncd (Credentials)
- [x] Hostapd (Credentials)
- [x] Wifi (Credentials)
- [x] Anaconda-ks (Credentials)
- [x] VNC (Credentials)
- [x] LDAP database (Credentials)
- [x] Open VPN files (Credentials)
- [x] SSH (private keys, known_hosts, authorized_hosts, authorized_keys, main config parameters in sshd_config, certificates, agents)
If you want to **add something** and have **any cool idea** related to this project, please let me know it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-script-suite/issues)** and we will update the master version.
If you want to help with any of this, you can do it using **[github issues](https://github.com/carlospolop/privilege-escalation-awesome-script-suite/issues) or you can submit a pull request**.
