LinPEAS Explained — A Script That Auto-Enumerates Linux Privilege-Escalation Vectors

Reading time: approx. 15 min. Date: 2026-06-08

LinPEAS (Linux Privilege Escalation Awesome Script) is a shell script from Carlos Polop's PEASS-ng (Privilege Escalation Awesome Scripts SUITE - next gen) project. After you land on a Linux/Unix box as an unprivileged user, its job is to automatically enumerate, all at once, the "leads" you might use to escalate to root. The key point: LinPEAS exploits nothing itself. It is an enumeration tool that simply gathers and neatly lays out information — kernel version, sudo rights, SUID binaries, capabilities, cron, writable PATH entries, plaintext passwords in files — and its greatest value is that it color-codes the output to prioritize "this is likely usable for privesc." It is the counterpart of the Windows-side WinPEAS.

01. What LinPEAS is — PEASS-ng and "prioritizing by color"

In privilege escalation (privesc), the starting point is always the enumeration work of thoroughly investigating "what can I do from the user I currently am." Instead of doing that by hand, endlessly running find and sudo -l, LinPEAS runs the standard set of checks in one go and collects the results for you. It is part of the PEASS-ng project: LinPEAS for Linux/Unix, WinPEAS for Windows.

What sets LinPEAS apart from other enumeration scripts is that it triages its huge output by "color." Hunting through a mountain of information for "which of these is likely usable for escalation" is hard, but LinPEAS highlights the suspicious items in RED / YELLOW.

| Color | Meaning |
| --- | --- |
| RED + YELLOW | High probability of being a privesc vector (the docs say ~95% likely). Check these first |
| RED alone | Important / special information. Settings or findings worth attention |
| Other colors | Classification, headers, reference info. Decoration to grasp context |

▸ "Enumeration" and "exploitation" are different things

LinPEAS only goes as far as finding leads and pointing at them. It will tell you "this SUID binary is in GTFOBins" or "this sudo version matches a known vulnerability," but the steps to actually get root (the exploit) are for the human to judge and run. So read LinPEAS output not as "the answer" but as "a map telling you where to dig." The basic flow is to verify the colored items first, in priority order.

02. Legal and ethical considerations

Even though LinPEAS exploits nothing, it is a powerful reconnaissance tool that harvests a system's internal information wholesale (settings, credentials, keys, user lists, and so on). And if you then use a discovered vector to actually escalate privileges, that is a clear act of intrusion. Running LinPEAS on someone else's machine without permission — let alone using a lead found there to seize root — can be an illegal act under Japan's Unauthorised Computer Access Act, and the equivalents elsewhere.

▸ Targets you may use LinPEAS against
  • Machines you own or administer — your own test environment, a VPS you pay for, an isolated learning lab.
  • Targets you have explicit written permission for — a pentest contract where the target hosts, period, and privesc testing are documented as scope.
  • Legitimate learning platforms — Hack The Box, TryHackMe, and various CTFs, where the operator permits privilege-escalation exercises.

Because privesc enumeration is something you do "after you've already gotten in," whether you are legitimately allowed to access that machine is decisive. The moment you sneak into someone else's server and rummage through its internals with LinPEAS, you are over the line — and seizing root with a found vector only makes the harm worse. Always confirm the target and your authorization first.

03. What it checks — the big picture of enumeration targets

LinPEAS sweeps through the routes commonly used in Linux privilege escalation. The representative checks are below.

| Category | What LinPEAS mainly inspects |
| --- | --- |
| kernel | The kernel version and candidate known exploits matching it |
| sudo | What sudo -l permits, and the sudo version (whether it matches a vulnerable release) |
| SUID / SGID | Binaries with the SUID/SGID bit set, and exploitable GTFOBins matches |
| capabilities | Capabilities granted to files (e.g. cap_setuid) |
| cron | Cron jobs — especially a root-run schedule executing a writable script |
| PATH | Whether a writable directory sneaks into $PATH |
| writable | World-writable files and directories |
| secrets | Plaintext passwords and secrets left in files, SSH private keys |
| env / software | Environment variables, installed software and its versions |
| network | Listening ports/services, ports open to internal access |
| container | Presence of docker / lxc and breakout hints |
| other | NFS no_root_squash, a readable /etc/shadow, and so on |

It confirms all of these with a single script and presents the suspicious spots in color. The value is in automating, without omissions, the work of running sudo -l, find / -perm -4000, getcap -r /, cat /etc/crontab … one after another by hand.
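
As an added example (this is not code from linpeas.sh or the PEASS-ng project), the script below replays four of the checks in the table above in a form you can run against a directory tree from the defender's side: SUID files, world-writable paths, world-writable entries on a PATH string, and system-crontab jobs whose script is writable by others. Run without arguments it builds a small constructed fixture tree so the output is reproducible offline; pass a real root directory (it then reads $PATH and /etc/crontab) to audit your own host. Function names and the fixture layout are this example's own.

```shell
#!/bin/sh
# Added example, not code from linpeas.sh or PEASS-ng: a defender-side audit that
# replays a few of the checks LinPEAS automates. Function names and the fixture
# tree are this example's own; make_fixture builds constructed sample data.

# SUID executables under a root directory (same predicate as `find / -perm -4000`).
suid_binaries() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Files and directories writable by "other" under a root directory, symlinks excluded.
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 2>/dev/null | sort
}

# Entries of a colon-separated PATH string that are world-writable directories:
# a binary planted there is picked up by any script that calls commands by name.
writable_path_dirs() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        [ -d "$d" ] && find "$d" -maxdepth 0 -perm -0002 2>/dev/null
    done
    IFS=$old_ifs
    return 0
}

# System-crontab entries (min hour dom mon dow user command) whose command is a
# world-writable file. A root-run job on such a script is the classic cron vector.
# Prints "<user> <script>" per hit; @reboot-style lines and per-user crontabs are not parsed.
cron_writable_scripts() {
    crontab=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
        set -f                        # no globbing: cron fields contain '*'
        set -- $line
        set +f
        [ $# -ge 7 ] || continue
        if [ -f "$7" ] && [ -n "$(find "$7" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            printf '%s %s\n' "$6" "$7"
        fi
    done < "$crontab"
    return 0
}

# Constructed fixture standing in for a host filesystem (not real data): one SUID
# file, one world-writable directory on PATH holding a world-writable script, and
# a system crontab that runs that script as root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/opt/tools" "$root/etc"
    chmod 755 "$root/usr" "$root/usr/bin" "$root/opt" "$root/etc"
    printf '#!/bin/sh\necho backup\n' > "$root/opt/tools/backup.sh"
    chmod 777 "$root/opt/tools" "$root/opt/tools/backup.sh"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/ls";      chmod 755 "$root/usr/bin/ls"
    cat > "$root/etc/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/bin:/opt/tools
# m h dom mon dow user command
*/5 * * * * root $root/opt/tools/backup.sh
0 3 * * * root $root/usr/bin/ls
EOF
    chmod 644 "$root/etc/crontab"
    printf '%s\n' "$root"
}

# Without arguments audit the fixture; with a real root (e.g. /) audit the host.
if [ $# -gt 0 ]; then
    ROOT=$1; PATH_TO_CHECK=$PATH; CRONTAB=/etc/crontab
else
    ROOT=$(make_fixture); PATH_TO_CHECK="$ROOT/usr/bin:$ROOT/opt/tools"; CRONTAB=$ROOT/etc/crontab
fi
echo "== SUID binaries";            suid_binaries "$ROOT"
echo "== world-writable paths";     world_writable "$ROOT"
echo "== world-writable PATH dirs"; writable_path_dirs "$PATH_TO_CHECK"
echo "== cron jobs running a world-writable script"
[ -f "$CRONTAB" ] && cron_writable_scripts "$CRONTAB"
```

The cron parser only understands the system-crontab format with a user field (/etc/crontab and /etc/cron.d); the capabilities check is left to getcap -r / as in the table, since it needs the libcap tools. Each function prints a plain list, so its output can be diffed between runs to confirm that a fix actually removed the finding.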

▸ It also picks up "loot"

LinPEAS gathers not only escalation vectors but also "loot" usable for lateral movement or taking over another account — a DB password left in a config file, history files, SSH keys, credentials from browsers and various apps. Even when it doesn't directly help with escalation, it collects, in one pass, information that becomes a foothold for moving sideways to another user or for the next step.

04. How to run it — curl one-liner / file transfer / saving

There are broadly two ways to run LinPEAS: execute it in memory without writing to disk, or transfer the file first, then run it.

Run straight from memory (no disk write)

Fetch the latest release with curl and pipe it directly into sh. Since the script is never left on the target's disk, you minimize forensic traces (outbound traffic required).

Run immediately with a curl one-liner
$ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
  # -L: follow redirects to fetch the latest release's linpeas.sh
  # piping straight into sh executes it in memory without writing a file

Transfer the file, then run it

In environments without outbound traffic, copy a locally downloaded linpeas.sh to the target via SCP or similar, give it execute permission, and launch it.

Transfer → grant exec → run
$ chmod +x linpeas.sh
$ ./linpeas.sh
  # running from a writable, low-profile dir (e.g. /dev/shm) is safer

Save the output to a file

Because the output is huge, you often save it to read back later. tee shows it on screen while saving. If you'd rather not touch disk, redirect into the in-memory /dev/shm.

Save with tee / stash into /dev/shm
$ ./linpeas.sh | tee linpeas.txt      # print to screen while also saving to linpeas.txt
$ ./linpeas.sh > /dev/shm/out.txt     # writing to in-memory /dev/shm leaves fewer traces on disk

▸ The "colors disappear" problem

LinPEAS's lifeblood is color-based triage, but a plain redirect to a file drops the ANSI color information, turning it black and white. Without the RED/YELLOW highlights, the value of prioritization is lost. To read it while keeping the colors, pipe it through less -r as shown below, or save it in a color-preserving way.

05. Main options — -a / -s / -e / -o and operational tips

LinPEAS lets you choose, via options, "how deep, and how quietly, to investigate." Go all-out on a CTF; stay quiet on a real assessment.

| Option | Effect |
| --- | --- |
| -a | All checks. The most thorough, but correspondingly noisy and slow. Good for CTFs |
| -s | Superfast & stealth. Fewer checks, less noise. Skips some time-consuming/noisy enumeration |
| -e | Extra enumeration. Goes more in-depth on some checks |
| -o <checks> | Run only the specified check groups (comma-separated, e.g. -o SysI,Devs,Net) |
| -h | Show help |

Launch examples by use case
$ ./linpeas.sh -a                  # CTF: all checks, no omissions (slow, noisy)
$ ./linpeas.sh -s                  # real engagement: quiet and fast, to keep the footprint down
$ ./linpeas.sh -o SysI,Devs,Net    # only the given groups (system info, devices, network)

To read it slowly in a pager while keeping the colors, the standard move is to pipe into less -r (raw control chars).

Read in a pager while preserving colors
$ ./linpeas.sh -a | less -r        # -r passes ANSI colors through raw, so RED/YELLOW stay visible

▸ Operational tips
  • Run from a writable, low-profile directory — under /dev/shm or /tmp. Placing it in an odd location becomes a hint for detection and investigation.
  • -a for CTFs, -s for real engagements — prioritize coverage in exercises, footprint reduction in real assessments.
  • Clear the RED+YELLOW from the top first — before reading everything, verify the colored "candidate escalation vectors" first for efficiency.
  • Don't throw away the colors — if you save, keep a form where you can check the colors, such as tee + less -r.
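
As an added example (not part of LinPEAS or PEASS-ng) for the "colors disappear" problem and the tip about not throwing the colors away: the script below works on a saved run that still contains its ANSI escape sequences. It pulls out the RED+YELLOW lines as the "check first" list and the RED-only lines separately, strips the escape codes so the lists grep and diff cleanly, and compares two saved runs so you can see which highlighted findings went away after hardening. It assumes LinPEAS marks RED+YELLOW with the SGR sequence 1;31;103 (bold red on bright-yellow background) and RED with 1;31; confirm both against the color variables defined near the top of linpeas.sh for the release you use. The sample output is constructed, not a real capture, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of linpeas.sh or PEASS-ng: triage helpers for a saved
# LinPEAS run that still contains its ANSI escape sequences. The SGR sequences
# below are an assumption about how LinPEAS colors output; verify them against
# the color variables at the top of linpeas.sh. make_sample is constructed data.

esc=$(printf '\033')
RY="${esc}[1;31;103m"   # assumed LinPEAS "RED+YELLOW" highlight (SGR 1;31;103)
RED="${esc}[1;31m"      # assumed LinPEAS "RED" highlight (SGR 1;31)

# Remove every SGR color sequence (ESC [ ... m) so lines grep and diff cleanly.
strip_ansi() {
    sed "s/${esc}\[[0-9;]*m//g"
}

# The "check these first" list: lines carrying the RED+YELLOW highlight, uncolored.
red_yellow_lines() {
    grep -F "$RY" "$1" | strip_ansi
}

# Lines carrying plain RED but not the RED+YELLOW combination.
red_only_lines() {
    grep -F "$RED" "$1" | grep -Fv "$RY" | strip_ansi
}

# Number of RED+YELLOW findings in a saved run.
red_yellow_count() {
    red_yellow_lines "$1" | wc -l | tr -d ' '
}

# Compare the RED+YELLOW lists of two saved runs (before/after hardening):
# "fixed:" findings disappeared, "new:" findings appeared.
triage_diff() {
    before=$(mktemp); after=$(mktemp)
    red_yellow_lines "$1" | sort > "$before"
    red_yellow_lines "$2" | sort > "$after"
    comm -23 "$before" "$after" | sed 's/^/fixed: /'
    comm -13 "$before" "$after" | sed 's/^/new:   /'
    rm -f "$before" "$after"
}

# Constructed stand-in for saved output (not a real capture). With "hardened" as
# $1 the world-writable cron script finding is absent, as after fixing its mode.
make_sample() {
    f=$(mktemp)
    {
        printf '%s[1;33m== SUID binaries ==%s[0m\n' "$esc" "$esc"
        printf -- '-rwsr-xr-x 1 root root /usr/bin/passwd\n'
        printf -- '-rwsr-xr-x 1 root root %s/usr/local/bin/legacy-tool%s[0m\n' "$RY" "$esc"
        printf '%s[1;33m== Capabilities ==%s[0m\n' "$esc" "$esc"
        printf '/usr/bin/ping = %scap_net_raw+ep%s[0m\n' "$RED" "$esc"
        printf '%s[1;33m== Cron jobs ==%s[0m\n' "$esc" "$esc"
        if [ "${1:-}" != hardened ]; then
            printf '*/5 * * * * root %s/opt/tools/backup.sh%s[0m (writable by others)\n' "$RY" "$esc"
        fi
    } > "$f"
    printf '%s\n' "$f"
}

BEFORE=$(make_sample)
AFTER=$(make_sample hardened)
echo "== RED+YELLOW, check first ($(red_yellow_count "$BEFORE"))"; red_yellow_lines "$BEFORE"
echo "== RED, worth attention";                                   red_only_lines "$BEFORE"
echo "== change after hardening";                                 triage_diff "$BEFORE" "$AFTER"
```

On a real run saved in a form that keeps the escape sequences, point red_yellow_lines at that file to get the prioritized list as plain text, and keep the file from each pass so triage_diff can show the findings each round of hardening actually removed.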

06. Related tools and the defender's angle — the output is a hardening checklist

LinPEAS isn't the only Linux privesc enumeration tool. Each has a different character, so pick by situation.

| Tool | Where it sits |
| --- | --- |
| LinPEAS | The Linux side of PEASS-ng. The most comprehensive, with color-based auto-triage as its strength. The flip side of all that info is more noise |
| WinPEAS | The Windows side of the same PEASS-ng project. LinPEAS's sibling, sharing the same philosophy |
| LinEnum | A veteran enumeration script. Lighter and simpler than LinPEAS |
| lse.sh (linux-smart-enumeration) | An enumeration script whose verbosity you can dial up in stages. Easy-to-read output |
| pspy | Watches processes and cron in real time without root. Complements LinPEAS by catching the cron it sees statically "in the moment it runs" |
| linux-exploit-suggester | Specializes in suggesting matching known exploits from the kernel version |

Being the most comprehensive and self-triaging, LinPEAS tends to be the "fire one shot first" choice among these. The practical approach is to cross-check with other tools — observing cron behavior with pspy, or pinning down the kernel angle with linux-exploit-suggester.

▸ For the defender, it's a "hardening checklist"

The items LinPEAS lights up red are, flipped around, exactly the misconfigurations a defender should close. An attacker's recon tool, turned inside out, becomes a tool for auditing your own environment. Concretely: trim unnecessary SUID binaries, audit sudoers and remove excessive grants, drop unneeded capabilities, tighten the owner and write permissions of cron scripts, purge plaintext secrets from config files, keep the kernel patched — work through these in turn and you steadily reduce the surface LinPEAS judges "usable for escalation." Running LinPEAS against your own server and tightening until no more RED/YELLOW appears is a realistic, high-impact hardening procedure.
