Enux - Enhanced Unix Privilege Escalation Script
enux.sh (Enhanced Unix Privilege Escalation Script) is an advanced Bash tool designed for automated enumeration of potential privilege escalation vectors on Unix and Linux systems. Inspired by the best features of classic scripts like LinEnum, LinPEAS, and LES, enux.sh provides structured, actionable insights for attackers, defenders, and administrators alike.
Key Features
Comprehensive Checks:
Scans for weak permissions, SUID binaries, writable scripts/configs, sudo misconfigurations, sensitive credentials, cloud keys, suspicious processes, cron jobs, kernel exploits, and more.
Structured Output:
Results are clearly organised into sections with coloured headers, summaries, and actionable tips, making large results sets easy to assess.
Lightweight & Portable:
A single Bash script—no dependencies, safe to run on nearly any Linux or Unix system.
Actionable Remediation:
Not only finds issues, but offers real-world tips and next steps for each finding.
Suitable for All Skill Levels:
Beginner-friendly hints, but thorough enough for seasoned penetration testers and red teamers.
How Does It Work?
Host & Environment Detection:
Quickly identifies virtualisation/container environments, host details, and basic system info.
Kernel & Exploit Checks:
Extracts kernel version and matches it against public CVEs and exploit databases for quick win escalation vectors.
Network Assessment:
Enumerates network interfaces, routing, listening services/daemons, and highlights potentially accessible public ports.
Sudo Privilege Audit:
Examines sudo permissions, highlights dangerous configurations, and suggests one-liner exploits for known vulnerable binaries.
User & Credential Scrutiny:
Enumerates all users, their login status, suspicious shells, readable home directories, and checks for leftover SSH keys or secrets.
Sensitive File & Permission Review:
Locates writable critical files and scripts, SUID/SGID binaries, world-writable directories, and environment variables leaking secrets.
Persistence & Backdoor Opportunities:
Checks for exploitable cron jobs, writable startup scripts, authorized_keys vulnerabilities, and leftover scripts in temp locations.
Cloud & DevOps Artefacts:
Searches for AWS, GCP, Azure, and DigitalOcean credentials, as well as suspicious developer tools, logs, and tokens.
Suspicious Processes & Capabilities:
Flags custom or unexpected root-owned background processes, binary capabilities (getcap), and local sockets/IPC that may be abusable.
Clear Section Summaries:
At the end of each section, and in a final high-level summary, enux.sh distills the most important findings for fast, targeted review.
Why Use It?
Faster Triage:
Get the “big picture” on a target system in seconds, not hours. No more scrolling through massive, unsorted logs.
Spot Misconfigurations Instantly:
Clearly highlights dangerous SUIDs, writable files, open network services, and persistence footholds.
Better Remediation:
Use the actionable tips to not only find but also fix weak points.
CTF & Real World Ready:
From CTF boxes to corporate environments, enux.sh gives you a head start on both attack and defense.
Easy to Extend:
Being pure Bash, you can quickly adapt or extend it for custom checks in your own environment.
Minimal Impact:
Read-only scanning; safe for blue teams to run for self-assessment, or for red teams on engagements.
Usage
Quick Start
Download the script:
(Or upload it from your own source.)
Make it executable:
chmod +x enux.sh
Run the script:
./enux.sh
For most checks, no special privileges are needed.
For maximum results (e.g., more readable files), run as the lowest-privileged shell you have after gaining access.
Review the output:
All results are saved to enux.log in the current directory.
Tip: For fast review, use:
less enux.log
or search for sections:
grep "====" enux.log
Options and Tips
Run as root:
You’ll see even more findings (e.g., root-only files), but the script is designed for low-privilege use—perfect for post-exploitation enumeration.
Non-interactive use:
Pipe the output directly to a file or over the network: ./enux.sh > myreport.txt
Stealth/minimal output:
For a quieter run, you can comment out or adjust the log function to suppress terminal output and only write to the log file.
Customising checks:
The script is pure Bash—edit it to skip slow sections, add your own logic, or adjust what’s displayed in summaries.
Sample Command
From a shell (as any user): ./enux.sh
Or, for rapid review after the run: less enux.log
Note
-
No dependencies required.
enux.sh is pure Bash and uses only standard Unix utilities found on most Linux systems. -
Read-only.
The script does not modify system files or leave traces, unless you manually exploit something based on the findings. -
For educational & security auditing use only.
Always have authorisation before running enumeration tools on production systems.
