root-shadow.sh is a modular, interactive and scriptable Linux enumeration framework built specifically for post-exploitation, CTFs, and real-world Red Team privilege escalation scenarios.
Built with bash and crafted from the trenches of offensive security, it covers all core areas of local enumeration—without requiring any external connectivity.
- System: Kernel, modules, boot params, runlevels.
- Environment: User info, variables, shells, Python paths, password policies.
- Users & Groups: Privileged users, sudo configs, group memberships, SSH keys.
- Services: Running processes, Docker/LXC detection, logrotate configs.
- Jobs/Tasks: Cron, anacron, systemd timers.
- Networking: Interfaces, routing, DNS, ARP, listening services.
- Software: Versions of sudo, MySQL, PostgreSQL, Apache, compilers, linked libs.
- Interesting Files: SUID/SGID, POSIX capabilities, .bash_history, AWS keys, .git-credentials.
All output is color-coded, neatly formatted, and designed for offline ops.
./root-shadow.sh [options] [arguments]| Flag | Description |
|---|---|
-o |
Interactive selection menu |
-s |
System enumeration |
-e |
Environment enumeration |
-u |
Users & Groups |
-v |
Services |
-j |
Jobs / Tasks (Cron, systemd) |
-n |
Networking (IPs, ports, ARP) |
-w |
Software |
-f |
Interesting Files |
./root-shadow.sh -s # System info
./root-shadow.sh -e # Environment info
./root-shadow.sh -u # Users & Groups
./root-shadow.sh -o # Interactive menu./root-shadow.sh -oDisplays an interactive panel:
- Red Team Post Exploitation
- CTF Privilege Escalation
- Lab Automation
- Offline Recon (No network required)
- Rooting misconfigured systems
- Fully offline — no external tools needed
- Interactive and scriptable
- Focused on privilege escalation
- Modular structure — extend as needed
- Bash
- Standard GNU/Linux tools (no dependencies)
Crafted by r4venn
Inspired by tools like linenum.sh, LinPEAS, and the grind of red teaming real boxes.
