Chris Hatton

The post also covers what happened once it became public, how quickly things escalated, and why linpeas.sh didn’t stay up for long after that.

Remember the linpeas.sh saga from about a year ago? I’ve finally written it up. The findings include LinPEAS being run as root, during active pentests, on compromised web servers, and even on live production systems. hattonsec.com/a-linpeas-saga/

@yaelBro56836079 Very true, but those boxes don't have outbound Internet access so I never would have known if the script was ran on those.

@hattonsec Most are probably on htb and thm platforms

@MaddStep The hundreds of people a week that ran the script I hosted on the domain thinking it was the real script says different.

@MDGILHESPY @techspence You're late to the party, check the website

There’s a popular Linux privilege escalation script (linpeas) that’s had a copycat create nefarious linpeas[.]sh. Linpeas (a great tool) has 0 association with linpeas[.]sh (bad) To all pentesters and cybersecurity folks who run tools and scripts as part of their job, be careful Know your tools!

@ippsec @bravesalad1021 Correct, that was everything I was collecting. And you're right, it was a bit of research for a talk at a conference.

@bravesalad1021 @hattonsec Am I missing something? I don't see it sending environment variables. Random UUID, MachineUUID, isroot, hostname, current user, kernel is what I see.

When doing HackTheBox and searching for linpeas I used to type linpeas.sh into my browser intending to search google for it, however it would take me to an unregistered domain. I registered the domain in December and I am now getting 1.8k unique hits a month.

Looking forward to this! #FalCon #Crowdstrike

?????

@maccamudwood @Wrexham_AFC What are you on about, no one says that, he has been League Two player of the season and got the League Two golden boot before 😂

@Wrexham_AFC Get in mullin !! 1 season wonder an can only do it in the national league apparently 🙄

MULLIN YOU BEAUTYYYYYY 47’ | Wrexham AFC 2-2 Crewe Alexandra 🔴⚪️ #WxmAFC

Passed CSTL INF, happy days! Onwards and upwards 😁

inb4 it was DNS

@cyberethical_me @carlospolopm When typing linpeas.sh into your URL bar with the intent to search it on Google it goes straight to my site, so I believe 99% of them are accidental. That's why I registered the domain, because I used to do the same and get a 404.

@hattonsec @carlospolopm Oh my, didn't expect that xD

Hey, just come across suspicious site linpeas[dot]sh that supposedly contains #linpeas script.. @carlospolopm do you know something about it? I suggest staying away from such proxy sites for your own sake. diffchecker.com/4CZOZpTg #cybersecurity #enumeration

@cyberethical_me @carlospolopm A decent number of people in the last 30 days

@hattonsec @carlospolopm I hoped it is an awareness campaign and not some impersonation attack attempt, didn't see that popping out from search before. Seeing you collect statistics, how many people were trying to use that?

@cyberethical_me @carlospolopm I own the domain. If you try to copy and paste the script it will warn you that it's not the real site and display my twitter handle. Not malicious, more to make people aware that they're copying a random script.

@hattonsec @carlospolopm Are you the owner of linpeas[dot]sh? And if so, what is the reason behind this site? Why expose outdated linPEAS script? Is this for malicious intends? Is this honeypot? Why @carlospolopm is not aware of this when it pops up in top 5 google search results? So many questions.

@cyberethical_me @carlospolopm What do you mean?

@carlospolopm @hattonsec can you shine a light on that?

It's been a week now and I can confirm robot vacuum cleaners are 100% worth it. The place has never looked so consistently clean, it's insane. I welcome our cleaning robot overlords.

There is a conspiracy around dishwasher salt at the moment, 4 shops and all out of stock for weeks?? #SaltGate #BigSalt

@LunaLovebad12 @moving_target01 @uniquponym @Grettabeans @sunnymatteson Absolutely not how that works. You don't just fire up wireshark and start decrypting network packets.

WOW. Jaw dropping. FBI says Ned’s School Survival Guide was never formally declassified.