Mastering Privilege Escalation in Cybersecurity


Privilege escalation is one of those topics in cybersecurity that never loses its relevance. Whether you’re working a red team engagement, handling incident response, or solving Capture the Flag (CTF) challenges, privilege escalation is often where the real fun — and risk — begins.

Cybersecurity expert Carlos Polop joined me in an interview to talk through everything from linPEAS and winPEAS to cloud pipelines, kernel exploits, and how defenders can flip the offensive tools to their advantage. Carlos, known for creating HackTricks, PEASS, and PurplePanda, shared the origin story of his tools and gave practical, real-world insight into privilege escalation across platforms.

Here’s what we learned.


From Manual Pain to Automated Power

Before linPEAS and winPEAS became staples in every pentester’s toolkit, Carlos was just another frustrated OSCP student, copy-pasting commands from blog posts to enumerate privilege escalation paths on Hack The Box and other boot-to-root machines.

“I hated that part,” he recalls. “It was always the same commands. I eventually just put them into a blog for myself — then thought, why not automate it?”

That personal frustration became the seed for linPEAS (for Linux) and winPEAS (for Windows). The goal? Automate the boring stuff, highlight the interesting parts in color (red for “check this now!”), and help others spend more time exploiting rather than enumerating.

And with that, a new open-source standard was born.


The Defender’s Blind Spot

While linPEAS and winPEAS are common tools in red teaming, Carlos was quick to point out a critical truth: defenders should be using them too.

“Just run linPEAS on your own machines. You’ll find misconfigurations, credentials, and exposures you didn’t know were there,” he said. “I’ve even used it to analyze firmware images — mount the image, chroot in, and run the script.”

These tools surface issues like:

  • Files with world-readable credentials
  • Misconfigured sudo or service permissions
  • Hidden tokens and backups
  • Privilege inheritance flaws

In Carlos’s view, defenders often get caught off guard simply because they don’t use the same tools as attackers. But using offensive tools for defensive assessments is one of the most powerful moves a blue team can make.


Windows vs Linux: Different Worlds, Same Mistakes

Privilege escalation techniques differ wildly between platforms. As Carlos explained:

“You’re not going to look for unquoted service paths in Linux. And you won’t go hunting for /etc/shadow in Windows.”

Yet the most common mistake on both sides is the same: over-permissive access, meaning users or services that hold read or write access where they shouldn’t. That mistake fuels the most frequent privilege escalation scenarios across Linux and Windows:

  • Linux: Credential leaks in history files, backups, or writable binaries
  • Windows: Misconfigured services, registry keys, or writable folders leading to DLL hijacking or unquoted paths

And in both ecosystems, attackers love misplaced credentials — by far the most common and effective route to elevated access.
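The checks Carlos describes defenders running on their own hosts (world-readable credential files, sudo misconfigurations, leaked credentials in history files, writable binaries) are simple enough to write down. The following POSIX-shell audit is an added example for this article, not code from the PEASS project: the credential pattern, the host paths in audit_host and the fixture data in make_fixture are all assumptions or constructed sample data, and the fixture exists only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the PEASS project: a small POSIX-shell audit a
# blue team can run on its own hosts to surface the misconfigurations listed
# above. Patterns and the host paths in audit_host are assumptions; tune them.

# Credential-like content (assumption: a starting list, not an exhaustive one)
SECRET_PATTERN='(password|passwd|secret|api[_-]?key|auth[_-]?token)[[:space:]]*[=:]|BEGIN [A-Z ]*PRIVATE KEY|sshpass|mysql .*-p[^[:space:]]'

# Files any local user can read (mode bit o+r, POSIX -perm -004) whose content
# looks like a credential: the "world-readable credentials" finding
find_world_readable_secrets() {
    find "$@" -type f -perm -004 -exec grep -liE "$SECRET_PATTERN" {} + 2>/dev/null || true
}

# Shell history files that captured a credential typed on the command line
find_history_secrets() {
    find "$@" -type f -name '.*_history' -exec grep -liE "$SECRET_PATTERN" {} + 2>/dev/null || true
}

# Executables any user can modify (o+w and u+x): the "writable binary" path,
# dangerous when root or a service account later runs the file
find_world_writable_execs() {
    find "$@" -type f -perm -002 -perm -100 2>/dev/null || true
}

# Uncommented sudoers rules that skip the password prompt
find_sudo_nopasswd() {
    grep -hE '^[^#]*NOPASSWD' "$@" 2>/dev/null || true
}

count_lines() { awk 'END { print NR }'; }

# Constructed fixture (sample data, not from any real host) so the checks can be
# exercised offline; prints the directory it created
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/bin" "$d/etc"
    printf 'DB_PASSWORD=hunter2\n' > "$d/home/alice/.env";        chmod 644 "$d/home/alice/.env"
    printf 'DB_PASSWORD=hunter2\n' > "$d/home/alice/private.env"; chmod 600 "$d/home/alice/private.env"
    printf 'ls -la\nmysql -u root -pExample123\n' > "$d/home/alice/.bash_history"
    chmod 600 "$d/home/alice/.bash_history"
    printf '#!/bin/sh\necho backup\n' > "$d/bin/backup.sh";       chmod 777 "$d/bin/backup.sh"
    printf '#!/bin/sh\necho safe\n' > "$d/bin/safe.sh";           chmod 755 "$d/bin/safe.sh"
    printf 'root ALL=(ALL) ALL\n# bob ALL=(ALL) NOPASSWD: ALL\nalice ALL=(ALL) NOPASSWD: ALL\n' > "$d/etc/sudoers"
    echo "$d"
}

# Run the checks against the fixture and print what linPEAS would paint red
demo() {
    d=$(make_fixture)
    echo "[!] world-readable credential files:"; find_world_readable_secrets "$d/home"
    echo "[!] history files with credentials:";  find_history_secrets "$d/home"
    echo "[!] world-writable executables:";      find_world_writable_execs "$d/bin"
    echo "[!] NOPASSWD sudo rules:";             find_sudo_nopasswd "$d/etc/sudoers"
    rm -rf "$d"
}

# Whole-host run (paths are assumptions; run as root for full coverage)
audit_host() {
    echo "[!] world-readable credential files:"; find_world_readable_secrets /etc /home /opt /var/backups /var/www
    echo "[!] history files with credentials:";  find_history_secrets /root /home
    echo "[!] world-writable executables:";      find_world_writable_execs /usr/local/bin /opt /home
    echo "[!] NOPASSWD sudo rules:";             find_sudo_nopasswd /etc/sudoers /etc/sudoers.d/*
}

demo
# audit_host   # uncomment to audit this host
```

On the fixture, only the 644 .env file is reported as a world-readable secret; the 600 copy of the same content is not, which is the point: the finding is the combination of sensitive content and a permission bit, not either alone. Each function prints paths or rules so the output can be fed into a ticketing or alerting pipeline the same way a linPEAS run would be triaged.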


Cloud Privilege Escalation: The New Battleground

Privilege escalation doesn’t stop at operating systems. As organizations shift to the cloud, so do attackers. Carlos has recently been focusing on cloud privilege escalation, especially in CI/CD pipelines.

His tool, PurplePanda, is designed to map privilege relationships in cloud environments — much like BloodHound does for Active Directory. And it handles cross-platform complexity, too.

“Let’s say you have a GitHub user who can bypass branch protection. That repo is linked to a Google Cloud Function. That function runs with IAM permissions. Suddenly, you’ve pivoted from GitHub to Google Cloud access — and possibly to AWS if it’s connected through a Kubernetes deployment,” he explained.

PurplePanda tracks those relationships, visualizes access paths, and helps security teams understand how attackers might chain services across platforms for full takeover.


Kernel Exploits Still Matter

Despite better patching and security awareness, kernel exploits still pose a real threat — especially during high-impact periods. Exploits like Dirty Pipe and Dirty COW are prime examples of vulnerabilities that bypass privilege controls entirely.

Carlos originally downplayed kernel exploits in linPEAS and winPEAS, focusing more on misconfigurations. But recent months have shown a resurgence in viable kernel attacks.

“You can practically make a farm out of the exploit names — cows, potatoes, bees,” he joked.


A Word of Caution: Verify Before You Run

As linPEAS and winPEAS gained popularity, clones and forks started appearing online — some of them misleadingly branded as “PEASS” tools without Carlos’s knowledge or endorsement.

“If it doesn’t come from my GitHub, it’s not mine,” he warned.

The takeaway? Always audit and verify the tools you use. In cybersecurity, blindly trusting code — even popular tools — is a fast track to compromise.
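One concrete way to act on that advice before running a downloaded enumeration script is to pin it to a digest published by its real author and to refuse scripts containing behaviour a local enumerator has no reason to have. The shell below is an added example written for this article, not tooling from the PEASS project: the pinned digest, the download URL and the red-flag patterns are assumptions, and the test data is constructed.

```shell
#!/bin/sh
# Added example (not the PEASS project's own tooling): a pre-flight gate for a
# downloaded script. It pins the file to a known SHA-256 and flags patterns a
# script that only enumerates the local host should not contain. The expected
# digest must come from the author's own repository; placeholders are used here.

# Print the SHA-256 of a file on GNU (sha256sum) or BSD/macOS (shasum) userland
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Exit status 0 if the file matches the pinned digest, 1 otherwise
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Constructs a local enumerator should not need: remote content piped straight
# into a shell, decoded blobs, and evaluated command substitutions
RED_FLAGS='(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]]+"?\$\('

# Print the number of lines matching RED_FLAGS ("0" when clean)
count_red_flags() {
    grep -cE "$RED_FLAGS" "$1" || true
}

# Combined gate: pinned digest AND no red flags, otherwise refuse to run
verify_tool() {
    file=$1; expected=$2
    if ! verify_sha256 "$file" "$expected"; then
        echo "REFUSE: $file does not match the pinned SHA-256" >&2
        return 1
    fi
    n=$(count_red_flags "$file")
    if [ "$n" -gt 0 ]; then
        echo "REFUSE: $file contains $n suspicious line(s):" >&2
        grep -nE "$RED_FLAGS" "$file" >&2
        return 1
    fi
    echo "OK: $file matches the pinned digest and contains no red flags"
}

# Usage (placeholder values; take the real digest from the canonical repository):
# verify_tool ./linpeas.sh <pinned-sha256> && sh ./linpeas.sh
```

The digest check catches a substituted file; the pattern scan is a second, independent signal for the case where you pinned the wrong source in the first place, which is exactly the scenario of a misleadingly branded fork. Both checks must pass before the script is executed, and a refusal prints the offending lines so the decision can be reviewed rather than silently bypassed.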


Help Build the Future of PEASS

Carlos is now working toward releasing premium versions of HackTricks and PEASS tools through a subscription model, allowing him to dedicate more time to feature development, community support, and cloud research. But for those who want to contribute without paying, he’s open to collaborations:

  • Submit pull requests to HackTricks
  • Help research new techniques
  • Test and improve PEASS scripts
  • Add findings to his growing database of misconfiguration indicators

“This is how we win — together. I want to keep building tools for the community, with the community,” Carlos said.