Literally using this right now on a pentest looking for privesc in some Linux boxes - the great thing about this tool is it's a shell script that's portable and does a significant amount of enumeration - big time saver. Feel as if it's better than most other privesc scripts/tools out there for Linux.
My next go-to tool after Linpeas is pspy which "allows you to see commands run by other users, cron jobs, etc. as they execute" [1]
The reason it's banned in OSCP is because the OSCP is in no way representative of a real world engagement.
The OSCP places a premium on hand jamming commands and doing everything manually, banning automation, because it's trying to test if you understand the fundamentals.
Out in the real world, automation is encouraged. The goal is efficiency - getting the job done within the timeframe allowed by the client. Doing everything manually is horribly inefficient when you are on the clock.
It does annoy me that people take the wrong message from the OSCP, you should be automating away as much as possible so you can spend more time making novel discoveries and giving value to your customers.
I see what you are saying but engagements are not a matter of speed only either, you have restrictions and opsec requirements that prohibit you from automating certain things. If you have a decent EDR for example, even if you can evade the NGAV component, at least one of the commands LinPEAS runs will trigger an alert if the process execution alone is logged.
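The detection angle raised in the comment above, written out as an added example (not LinPEAS code and not any EDR's real logic): a heuristic over process-execution telemetry that flags one parent process spawning many distinct enumeration-style binaries in a short window. The log format, the sample lines and the threshold values are constructed for illustration; `parse()` is the only part that needs adapting to a real auditd or eBPF feed.

```python
"""Spot enumeration bursts in process-execution telemetry.

Added example for this thread; it is not LinPEAS code and not any EDR's
logic. It assumes a constructed, line-oriented exec log with four fields
(timestamp, user, parent pid, executable); adapt parse() to your source.
"""
from collections import defaultdict
from datetime import datetime

# Binaries that local enumeration scripts call in quick succession. Each is
# benign on its own; many distinct ones from one parent in a short window
# is what an analyst would want surfaced.
ENUM_BINARIES = {
    "id", "uname", "hostname", "ps", "sudo", "find", "cat", "ls", "env",
    "netstat", "ss", "mount", "crontab", "getcap", "ip", "who", "w",
}
WINDOW_SECONDS = 30
DISTINCT_THRESHOLD = 8

# Constructed sample telemetry: one web-server child runs eleven distinct
# enumeration binaries in seven seconds; an admin's shell runs three, spread out.
SAMPLE_LOG = """\
2024-05-01T10:00:01 www-data 4201 /usr/bin/id
2024-05-01T10:00:01 www-data 4201 /bin/uname
2024-05-01T10:00:02 www-data 4201 /bin/hostname
2024-05-01T10:00:02 www-data 4201 /bin/ps
2024-05-01T10:00:03 www-data 4201 /usr/bin/sudo
2024-05-01T10:00:04 www-data 4201 /usr/bin/find
2024-05-01T10:00:05 www-data 4201 /bin/cat
2024-05-01T10:00:05 www-data 4201 /bin/ls
2024-05-01T10:00:06 www-data 4201 /usr/bin/env
2024-05-01T10:00:07 www-data 4201 /bin/ss
2024-05-01T10:00:08 www-data 4201 /usr/bin/getcap
2024-05-01T09:58:00 alice 3100 /bin/ls
2024-05-01T10:02:00 alice 3100 /bin/cat
2024-05-01T10:05:00 alice 3100 /usr/bin/id
2024-05-01T10:03:00 root 1 /usr/sbin/nginx
"""


def parse(line):
    """Return (timestamp, user, ppid, basename of executable) for one log line."""
    ts, user, ppid, exe = line.split(None, 3)
    return datetime.fromisoformat(ts), user, int(ppid), exe.split()[0].rsplit("/", 1)[-1]


def find_enum_bursts(lines, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return one alert per (user, ppid) that ran at least `threshold` distinct
    enumeration binaries within any window of `window` seconds."""
    by_parent = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, ppid, binary = parse(line)
        if binary in ENUM_BINARIES:
            by_parent[(user, ppid)].append((ts, binary))

    alerts = []
    for (user, ppid), events in by_parent.items():
        events.sort()
        # Slide a window starting at each event; first window over threshold alerts.
        for i, (start, _) in enumerate(events):
            seen = {b for t, b in events[i:] if (t - start).total_seconds() <= window}
            if len(seen) >= threshold:
                alerts.append({"user": user, "ppid": ppid, "binaries": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_enum_bursts(SAMPLE_LOG.splitlines()):
        print(f"enumeration burst: user={alert['user']} ppid={alert['ppid']} "
              f"distinct={len(alert['binaries'])}")
```

The point of keying on distinct binaries per parent rather than on any single command is that each command is routine for an administrator; it is the breadth and pace from one parent (here a web-server worker) that separates a script run from normal use. Tune the window and threshold against your own baseline before alerting on it.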
Really? Doesn't coverage for vulnerability management and pentesting always have a specific goal like "get domain admin"? Honestly asking, I do offensive security but have never been a pentester.
More mature clients these days want pretty broad coverage as well as "get DA" (or other "goal") out of their engagements, in my experience.
It's been kind of interesting seeing things change over the years - from strictly goal oriented, to the era of the Nessus Monkey (vuln scans sold as pen tests), and then back to goal oriented but now with additional coverage requirements.
Enumerating with it isn't banned, only auto-exploiting is.
This reminds me, I had hopelessly locked myself out of sudo access on a production box. This tool helped me get root again and fix a glaring docker socket privesc left there by some script that auto-configured docker among other stuff. I would have never looked at socket permissions I didn't configure, especially not after initial deployment of the server.
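The docker socket misconfiguration described above is easy to check for without running a full enumeration script. As an added example (not LinPEAS code), this audits the socket's permission bits and reports which group, if any, can write to it; anyone who can write to the daemon socket can start a container that mounts the host filesystem, so write access is root-equivalent. The default socket path is an assumption and can be overridden.

```python
"""Audit who can reach the Docker daemon socket.

Added example for this thread, not LinPEAS code. Writing to the Docker
socket lets a user ask the daemon for a container that mounts the host
filesystem, so socket write access is effectively root on the host. The
default socket path is a convention assumed here.
"""
import grp
import os
import stat

DOCKER_SOCK = "/var/run/docker.sock"  # assumed default; override as needed


def audit_mode(mode, gid, path=DOCKER_SOCK):
    """Classify a socket's permission bits. Returns a list of (severity, message).

    Pure function of the numeric mode and owning gid so it can be exercised
    without a live daemon; audit_socket() supplies the real values."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(("critical", f"{path} is world-writable (mode {perm:o})"))
    if perm & stat.S_IWGRP:
        try:
            group = grp.getgrgid(gid)
            members = ", ".join(group.gr_mem) or "none listed"
            who = f"group '{group.gr_name}' (members: {members})"
        except KeyError:
            who = f"unknown gid {gid}"
        findings.append(("high", f"{who} can write {path}; treat those members as root-equivalent"))
    if not findings:
        findings.append(("ok", f"{path} mode {perm:o} limits writes to the owner"))
    return findings


def audit_socket(path=DOCKER_SOCK):
    """stat() the socket and classify it; a missing socket is an info finding."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("info", f"{path} not present; daemon may not be running or uses another path")]
    findings = audit_mode(st.st_mode, st.st_gid, path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(("warning", f"{path} exists but is not a socket"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_socket():
        print(f"[{severity}] {message}")
```

Membership in the socket's group is the finding that tends to survive deployment unnoticed: the mode looks sane (group write only) while a provisioning script has quietly added service accounts to that group. Run this after any automated setup step and again on a schedule, since the comment above shows how long such a change can sit unseen.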
It's on a staging environment - but if it was a production machine it would not be an issue. I have until the end of the week to finish and need to work as fast and effectively as possible. Anything that assists in this goal is welcome.
As someone mentioned in another reply it's not banned in the OSCP. Automating enumeration is actually encouraged - after all enumeration is collecting information. It's up to you as the tester to interpret the results. On the other hand, tools like OpenVAS, Nessus etc. are not permitted as they go further than basic enumeration.
This is THE tool to run after you have access to a system. The Windows version called WinPEAS is also very good at finding vulnerabilities and assessing a client.
I use this script as part of a pipeline in pentesting. By running the script and returning the output to the C2-server I can discover vulnerabilities while I am doing something else.
LinPEAS was extremely helpful for me when I started out doing security related stuff and had no idea where to start. I simply looked at what the script is doing and checked these things manually to get an understanding of what can be misconfigured.
These days I always run it for privesc when I do hackthebox or something similar.
Well, you're free to run it the way you want; ultimately, whether you curl or download it any other way, you're still running something from the Internet.
That's less the point and more that DNS can get hijacked, scripts changed without your control, etc. You run it fine today, begin to trust it, then it's changed and affects you differently, at best causing a headache and at worst stealing your files or wrecking your machine.
We're probably splitting hairs but if your concern is DNS hijacking, then that still applies to pretty much anything else you do with GitHub, and by the way, most of your creds have already probably been stolen via fake logon portals in that case.
I agree, people should check what they are piping into sh, but they should also read all of the source code they are pulling and compiling from GitHub.
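The "it worked yesterday, then the script changed" worry and the "check what you pipe into sh" advice from the two comments above come down to the same habit: save the script to disk, compare its hash against something you recorded earlier, and only then run it. This added example (not part of LinPEAS or any project) implements that as a small pin store: the first run records the SHA-256 (trust-on-first-use), later runs refuse to execute if the content differs. File names and the pin file are constructed for illustration; a hash published out-of-band by the project is stronger than trust-on-first-use and can be seeded into the pin file directly.

```python
"""Pin a fetched script's hash and refuse to run it if the content drifts.

Added example for this thread; not part of LinPEAS or any project. Instead
of curl | sh, the script is saved to disk, its SHA-256 is compared with a
pin file (first run records the hash, trust-on-first-use), and it only
executes when the hash matches. File names and the pin store are
constructed for illustration.
"""
import hashlib
import json
import os
import subprocess


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_against_pin(data: bytes, pins: dict, name: str) -> str:
    """Compare data's hash with pins[name].

    Returns "pinned" when name had no pin yet (the hash is recorded in pins),
    "ok" when it matches, and "changed" when it does not (pins is left alone
    so the old value is still available for comparison)."""
    digest = sha256_hex(data)
    if name not in pins:
        pins[name] = digest
        return "pinned"
    return "ok" if pins[name] == digest else "changed"


def run_if_trusted(script_path, pin_file="script-pins.json", interpreter="sh"):
    """Load pins, check the on-disk script, persist pins, run only if trusted."""
    with open(script_path, "rb") as f:
        data = f.read()
    pins = {}
    if os.path.exists(pin_file):
        with open(pin_file) as f:
            pins = json.load(f)
    verdict = check_against_pin(data, pins, os.path.basename(script_path))
    with open(pin_file, "w") as f:
        json.dump(pins, f, indent=2)
    if verdict == "changed":
        raise RuntimeError(f"{script_path} no longer matches its pinned SHA-256; "
                           f"inspect the diff before updating the pin")
    return subprocess.run([interpreter, script_path], check=False).returncode


if __name__ == "__main__":
    import sys
    # usage: python pin_run.py ./linpeas.sh   (fetch the script to disk first)
    sys.exit(run_if_trusted(sys.argv[1]))
```

A "changed" verdict is not by itself a compromise; upstream releases change the file too. What it buys you is that a change becomes a deliberate step (diff the two versions, then update the pin) rather than something that happens silently the next time you paste a curl line.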
This is a good program to run if you are the type of person that likes to build their own scanners, especially if you write your own ssh pipelines. For most devs this is something that they should be running on their environments after setting them up with Ansible Galaxy or tools like Terraform and related automation setup tooling.
[1] https://github.com/DominicBreuker/pspy