One command. Real Linux privilege escalation paths. Exploits explained. Fixes included.
sudocheck scans Linux systems for privilege escalation vectors in sudo rules, SUID/SGID files and Linux capabilities, then maps findings to GTFOBins-style exploitation notes and defensive remediation.
It never runs exploit commands. It only explains what an attacker could do and what should be fixed.
```bash
curl -sSL https://raw.githubusercontent.com/balyakin/sudocheck/main/install.sh | sh
```

From source:

```bash
go install github.com/balyakin/sudocheck@latest
```

```bash
sudocheck
sudocheck scan --json
sudocheck scan --format sarif --report sudocheck.sarif
sudocheck scan --severity info
sudocheck scan --defensive
sudocheck lookup tcpdump
sudocheck demo
```

Default scan output shows medium severity and higher. Use `--severity info` for the full inventory.
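
The sudo-rule part of such a scan can be pictured as parsing `sudo -l` output and rating each allowed command. The Go example below is added here for illustration and is not sudocheck's own code; the sample output, the one-entry watchlist and the severity model are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Constructed `sudo -l` output for illustration; not captured from a real host.
const sampleSudoL = `User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/tcpdump, /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
    (backup) /usr/bin/rsync`

// Hypothetical watchlist; a real audit would load a full GTFOBins-style index.
var watchlist = map[string]bool{"tcpdump": true}

// Indented rule line: (runas) [TAG: ...] command[, command...]
var ruleRe = regexp.MustCompile(`(?m)^[ \t]+\(([^)]*)\)[ \t]*((?:[A-Z_]+:[ \t]*)*)(.+)$`)

type Finding struct{ RunAs, Command, Severity string }

// ParseSudoList rates every allowed command; the severity model is an assumption.
func ParseSudoList(out string) (fs []Finding) {
	for _, m := range ruleRe.FindAllStringSubmatch(out, -1) {
		noPasswd := strings.Contains(m[2], "NOPASSWD:")
		for _, raw := range strings.Split(m[3], ", ") {
			cmd, sev := strings.TrimSpace(raw), "info"
			switch bin := path.Base(strings.SplitN(cmd, " ", 2)[0]); {
			case cmd == "ALL":
				sev = "high" // unrestricted command set
			case watchlist[bin] && noPasswd:
				sev = "high" // watchlisted binary, no password prompt
			case watchlist[bin]:
				sev = "medium" // watchlisted binary, password still required
			case noPasswd:
				sev = "low" // passwordless, but not on the watchlist
			}
			fs = append(fs, Finding{m[1], cmd, sev})
		}
	}
	return fs
}

func main() {
	for _, f := range ParseSudoList(sampleSudoL) {
		fmt.Printf("%-6s runas=%q %s\n", f.Severity, f.RunAs, f.Command)
	}
}
```

Splitting on `", "` does not handle escaped commas inside command arguments, so treat the parser as covering the common rule shapes only.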
| Feature | linPEAS | suid3num | sudocheck |
|---|---|---|---|
| Sudo rules | yes | no | yes |
| SUID/SGID binaries | yes | yes | yes |
| Capabilities | yes | no | yes |
| GTFOBins mapping | partial | partial | yes |
| Exploit commands | noisy | partial | focused |
| Fix commands | no | no | yes |
| JSON output | no | no | yes |
| SARIF output | no | no | yes |
| Baseline / ignore | no | no | yes |
```yaml
- name: Privilege escalation audit
  run: |
    curl -sSL https://raw.githubusercontent.com/balyakin/sudocheck/main/install.sh | sh
    sudocheck scan --quiet --fail-on high
```

For legacy hosts, create a baseline first:

```bash
sudocheck baseline init --output sudocheck.baseline.json
sudocheck scan --baseline sudocheck.baseline.json --fail-on high
```

```bash
sudocheck scan --format sarif --report sudocheck.sarif
```

SARIF output redacts host and user metadata by default.

```bash
sudocheck demo
```

Demo mode uses deterministic fixture data and does not read the real system.
sudocheck is intended for systems you own or are explicitly authorized to test. See DISCLAIMER.md.
MIT License. Copyright (c) 2026 Evgeny Balyakin.