LearnPEAS

A comprehensive Linux privilege escalation enumeration script designed for learning and understanding, not just finding vulnerabilities. Every finding includes educational context explaining WHAT it is, WHY it matters, and HOW to exploit it.

⚠️ Important Notice

This project is not affiliated with or endorsed by the PEASS-ng project. LearnPEAS is an independent educational tool inspired by LinPEAS. All credit for the original PEAS enumeration framework and the exceptional work on LinPEAS goes to the PEASS-ng team. I deeply respect their contributions to the security community.

LearnPEAS is currently in active development and should be considered beta software. While functional and useful for educational purposes, features are being actively refined and expanded. The tool will continue to improve with enhanced detection capabilities, additional educational content, and performance optimizations. Feedback and contributions are welcome as I work to make this the most comprehensive educational privilege escalation tool available.

⚠️ Legal Disclaimer

This tool is provided for educational and authorized testing purposes only.

LearnPEAS is designed exclusively for:

• Capture The Flag (CTF) competitions - HackTheBox, TryHackMe, and similar platforms
• Authorized penetration testing - With explicit written permission from system owners
• Educational environments - Academic courses, training labs, and personal learning
• Personal systems - Systems you own or have legal authority to test

You must not use this tool for:

• Unauthorized access to computer systems
• Testing systems without explicit written permission
• Any illegal activities or malicious purposes
• Circumventing security measures on systems you do not own or have permission to test

By using LearnPEAS, you agree that:

• You have authorization to test the target system
• You understand applicable laws in your jurisdiction
• You accept full responsibility for your actions
• The author and contributors are not liable for any misuse

Unauthorized access to computer systems is illegal in most jurisdictions and may result in criminal prosecution.

🎯 Who Is This For?

LearnPEAS is built for penetration testing students, CTF players, and red teamers who want to:

• Learn privilege escalation concepts deeply, not just run commands
• Understand the "why" behind each vulnerability
• Recognize patterns across different systems
• Build mental models for privilege escalation, not just checklists

Perfect for HackTheBox, TryHackMe, and OSCP preparation.

🔥 What Makes LearnPEAS Different?

Unlike other enumeration tools, LearnPEAS doesn't just list vulnerabilities—it teaches you about them:

[INFO] Sudo version: 1.9.13p3
[INFO] Checking against known sudo CVEs...

[!!! CRITICAL !!!] Sudo vulnerable to CVE-2025-32463 - Privilege escalation
[VULNERABLE] sudo < 1.9.16p1 vulnerable

[INFO] Performing quick verification check...

[LEARN] ╔════════════════════════════════════════════════════════════╗
[LEARN] ║  CVE-2025-32463 - Recent Sudo Vulnerability
[LEARN] ╚════════════════════════════════════════════════════════════╝
[LEARN] 
[LEARN] WHAT IT IS:
[LEARN]   A vulnerability in sudo versions before 1.9.16p1 that allows
[LEARN]   privilege escalation to root.
[LEARN] 
[LEARN] WHY IT EXISTS:
[LEARN]   Sudo contains a flaw in how it processes certain commands or
[LEARN]   environment variables, allowing attackers to bypass security
[LEARN]   checks and execute commands as root.
[LEARN] 
[LEARN] HOW TO EXPLOIT:
[LEARN]   1. Check exploit availability:
[LEARN]      searchsploit sudo 2025
[LEARN]   2. Download exploit:
[LEARN]      https://www.exploit-db.com/exploits/52352
[LEARN]   3. Compile and run (follow exploit instructions)
[LEARN] 
[LEARN] IMPACT: Instant root access from any user account

[OK] Sudo version checked against known CVEs

[LEARN] ═══════════════════════════════════════════════════════════════
[LEARN] GENERAL SUDO SECURITY TIPS:
[LEARN] ═══════════════════════════════════════════════════════════════
[LEARN] 
[LEARN] Why sudo is a common target:
[LEARN]   • Runs with root privileges by design
[LEARN]   • Complex codebase (150,000+ lines of C)
[LEARN]   • Handles authentication, parsing, environment variables
[LEARN]   • Backward compatibility = old code paths still exist
[LEARN]   • Written in C = memory safety issues possible
[LEARN] 
[LEARN] How to find sudo exploits:
[LEARN]   1. Check version: sudo -V | head -1
[LEARN]   2. Search exploit-db: searchsploit sudo [version]
[LEARN]   3. GitHub: Search 'sudo CVE-[year]'
[LEARN]   4. Check sudo permissions: sudo -l
[LEARN] 
[LEARN] Defense (as admin):
[LEARN]   • Keep sudo updated (sudo --version)
[LEARN]   • Principle of least privilege (specific commands, not ALL)
[LEARN]   • Avoid NOPASSWD where possible
[LEARN]   • Monitor sudo logs: /var/log/auth.log

Every vulnerability type includes:

• WHAT: Clear definition of the vulnerability
• WHY: Why it exists and why it matters
• HOW: Step-by-step exploitation guidance
• Real Examples: Actual commands you can run immediately

🚨 Alert System

• [!!! CRITICAL !!!] (Red background) - Instant privilege escalation paths
• [🚩 CTF FLAG 🚩] (Purple background) - CTF flag locations discovered (opt-in only)
• [REQUIRES WORK] (Blue background) - Exploitable but requires additional steps (e.g., password cracking)
• [VULNERABLE] - Exploitable misconfigurations
• [WARNING] - Potential security issues
• [INFO] - General system information
• [LEARN] - Educational explanations (can be disabled with --no-explain)
• [OK] - Confirmations that security controls are working

⚡ Core Privilege Escalation Vectors

Instant Root Access

• NOPASSWD sudo entries with GTFOBins exploitation guides
• Writable /etc/passwd, /etc/shadow, or /etc/sudoers
• SUID interpreters (Python, Perl, Ruby with SUID bit)
• Docker/LXD/Disk group membership with container escape techniques
• Writable systemd service files or directories
• Writable cron jobs and systemd timers
• Dangerous Linux capabilities (CAP_SETUID, CAP_DAC_OVERRIDE, CAP_SYS_ADMIN)
• Writable ExecStart scripts in systemd services
• Privileged containers with escape paths
• Known exploitable SUID/SGID binaries with GTFOBins integration
• Wildcard injection opportunities in scripts
• PATH hijacking opportunities

Requires Compilation/Download

• Sudo version CVEs (Baron Samedit, sudoedit bypass, runas bypass) with verification checks
• Kernel vulnerabilities (DirtyCOW, Dirty Pipe, PwnKit, nf_tables) with backport detection
• Custom SUID binaries requiring analysis and exploitation

📋 Comprehensive Enumeration Modules

Core Checks

• System fingerprinting with exploitation context

• Enhanced network configuration with localhost service identification

  • Identifies MySQL, PostgreSQL, Redis, MongoDB, Elasticsearch, Memcached, RabbitMQ
  • Detects internal networks for pivot opportunities
  • Firewall detection (iptables, nftables, ufw, firewalld) with bypass techniques
  • ARP cache analysis for lateral movement targets

• User enumeration with anomaly detection

  • Non-root UID 0 accounts
  • Empty passwords
  • System accounts with shells

• Running processes with credential detection

  • Passwords in command-line arguments
  • Session hijacking (tmux/screen)

• Comprehensive SUDO analysis with version-specific CVE detection

  • CVE-2025-32463, CVE-2023-22809, CVE-2021-3156 (Baron Samedit)
  • CVE-2019-14287 (Runas bypass), CVE-2019-18634 (pwfeedback overflow)
  • Quick verification checks for each CVE
  • Backport detection warnings

• SUID/SGID binaries with GTFOBins integration and custom binary analysis

• Linux capabilities with detailed exploitation guides

  • Whitelisted safe capabilities (reduced false positives)
  • Binary-specific exploitation for each capability type

• Cron jobs and systemd timers with wildcard injection detection

• Systemd service analysis with comprehensive attack vectors

  • Writable service directories and files
  • Writable ExecStart scripts
  • Writable EnvironmentFile detection
  • Writable timer files
  • Services with Restart=always (persistence)
  • Relative path detection with safe binary filtering

• Kernel exploit detection with verification checks and backport warnings

• Container detection & escape techniques

  • Intelligent internet detection for LXD/LXC (online vs offline methods)
  • Complete offline exploitation with Alpine image building
  • Multiple transfer methods (wget, base64, SCP)

• Special group membership (docker, lxd, disk, video, sudo)

• Writable sensitive files (/etc/passwd, /etc/shadow, /etc/sudoers)

• PATH hijacking opportunities

• Wildcard injection in scripts (NEW - tar, rsync, chown, chmod with exploitation)

• Cloud metadata services (AWS EC2, Azure, GCP) with IAM role detection

• Language-specific credential discovery

  • .env files (Laravel, Node.js, Rails)
  • package.json, composer.json, Gemfile
  • Python virtual environments
  • ASP.NET configurations

• Enhanced database enumeration

  • MySQL, PostgreSQL, MongoDB, Redis with authentication testing
  • Database configuration files with credential extraction
  • Database dump file discovery

• Web application analysis

  • Writable web roots and upload directories
  • Configuration files with credentials (.env, wp-config.php, database.yml)
  • WordPress extended enumeration (plugins, themes, xmlrpc.php, REST API)
  • Framework detection (Laravel, Django, Node.js, Rails, Spring Boot)
  • Exposed .git directories with commit history analysis
  • Apache Tomcat manager detection
  • Spring Boot actuators
  • Web server logs with credentials
  • Existing web shell detection

• CI/CD secret exposure

  • Git configuration with embedded tokens