- One curated binary. 28 Linux LPE exploits from - 2016 → 2026. Detection rules in the box. - One command picks the safest one and runs it. +
+ One binary. 31 Linux LPE modules from + 2016 to 2026. SOC-ready detection rules in four SIEM formats. + MITRE ATT&CK + CWE + CISA KEV annotated. + --explain gives a one-page operator briefing per CVE.
$ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
- && skeletonkey --auto --i-know
+
+ $ ▋
⚠ Authorized testing only — see ETHICS.md
+--explain in action
+
+
+ Source on GitHub
+
Authorized testing only. See ETHICS.md.
- Most Linux privesc tooling is broken in one of three ways: -
-- SKELETONKEY is one binary, actively maintained, with detection - rules for every CVE it bundles — same project for red and blue - teams. -
+
+ skeletonkey --explain <module> renders the page every
+ team needs: CVE / CWE / MITRE ATT&CK / CISA KEV status, host
+ fingerprint, live detect() trace with verdict, OPSEC footprint, and
+ the detection-rule coverage matrix. Triage tickets and SOC handoffs
+ in one paste.
+
Structural exploits + page-cache writes. No per-kernel offsets needed.
+CWE class, MITRE ATT&CK technique, CISA KEV status with
+ date_added. Fed from tools/refresh-cve-metadata.py
+ which pulls fresh from federal data sources.
Cached once at startup by core/host.c. Every
+ module sees the same kernel / arch / distro / userns / apparmor
+ / selinux / lockdown picture.
The verbose stderr of the module's own probe — each gate + fires, each kernel_range entry checked, each verdict justified. + No more black-box "VULNERABLE" outputs.
+Per-exploit description of what the SOC would see if this + fired: file artifacts, dmesg signatures, syscall observables, + network activity, cleanup behavior.
+
+ --auto ranks vulnerable modules by stability
+ (structural escapes > page-cache writes > userspace races
+ > kernel races) and runs the safest one. Never crashes a
+ production box looking for root.
+
$ skeletonkey --auto --i-know +[*] 3 vulnerable; safest is 'pwnkit' (rank 100) +[*] launching --exploit pwnkit... +# id +uid=0(root) gid=0(root)+
+ auditd · sigma · yara · falco. One command emits the corpus for + your SIEM. Each rule grounded in the module's own syscalls. +
+
+ 10 of 26 CVEs in the corpus are in CISA's Known Exploited
+ Vulnerabilities catalog — actively exploited in the wild.
+ Refreshed on demand via tools/refresh-cve-metadata.py.
+
+ Each module ships a runtime-footprint paragraph: files, dmesg, + syscall observables, network, persistence. The inverse of the + detection rules — what an attacker would leave behind on + your host. +
+
+ core/host.c probes kernel / arch / distro / userns /
+ apparmor / selinux / lockdown / sudo version / polkit version
+ once at startup. Every detect() reads the
+ same cached snapshot, so verdicts stay coherent across the
+ corpus.
+
struct skeletonkey_host {
+ struct kernel_version kernel;
+ char arch[32], distro_id[64];
+ bool unprivileged_userns_allowed;
+ bool apparmor_restrict_userns;
+ bool kpti_enabled, selinux_enforcing;
+ char meltdown_mitigation[64];
+ char sudo_version[64], polkit_version[64];
+ ...
+};
+
+ --scan --json emits a stable schema (see
+ JSON_SCHEMA.md)
+ with triage metadata, opsec notes, and rule coverage embedded.
+ Ready for Splunk / Elastic / Sentinel ingest.
+
+ One static binary. No phone-home, no analytics, no cloud
+ accounts. Reads /proc + /sys, runs the
+ probe, exits. JSON or plain text — your pipeline owns the data.
+
+ tools/verify-vm/ ships a Vagrant + Parallels
+ scaffold that spins up known-vulnerable kernels and runs
+ --explain per module — verification records as
+ JSON, ready to feed the per-module verified_on
+ table.
+
--full-chainDefault returns EXPLOIT_FAIL honestly. With --full-chain + resolved offsets, runs the shared modprobe_path finisher.
--full-chain
+ honest EXPLOIT_FAIL default; --full-chain runs the shared modprobe_path finisher
+ + Full inventory with kernel ranges, mitigations, and detection + coverage: + CVES.md + · + KEV cross-reference + · + CVE_METADATA.json +
One tested binary. --auto ranks vulnerable modules by safety and runs the safest. Honest scope reporting — never claims root it didn't actually get. No more curating stale PoC repos.
+ --auto picks the safest exploit and runs it. Honest
+ scope reporting — never claims root it didn't actually get.
+ Per-exploit OPSEC notes tell you what telemetry you'll leave.
+ No more curating stale PoC repos.
+
Auditd + sigma + yara + falco rules for every CVE. One command ships SIEM coverage: --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules.
+ One command ships SIEM coverage for the entire corpus.
+ --explain renders a triage briefing per CVE with
+ CWE / ATT&CK / KEV / OPSEC — paste into the ticket.
+ KEV-prioritized so you fix what attackers are already using.
+
skeletonkey --scan (no sudo needed) tells you which boxes still need patching. JSON output for CI gates. Fleet-scan tool included. No SaaS, no telemetry.
+ --scan works without sudo. JSON output for CI
+ gates. Fleet-scan helper bundled. Compatible with everything
+ back to glibc 2.17 via the static-musl binary. No SaaS,
+ no analytics, no cloud accounts.
+
Reproducible LPE environment with public CVEs across a 10-year timeline. Each module documents the bug, the trigger, and the fix. Detection rules let you practice both sides.
+
+ 26 CVEs, 10-year span, each with the original PoC author
+ credited and the kernel-range citation auditable.
+ --explain shows the reasoning chain; detection
+ rules let you practice both sides. Source is the documentation.
+
--auto on a vulnerable Ubuntu 22.04 box:
$ id -uid=1000(kara) gid=1000(kara) groups=1000(kara) - -$ skeletonkey --auto --i-know -[*] auto: host=demo kernel=5.15.0-56-generic arch=x86_64 -[*] auto: scanning 31 modules for vulnerabilities... -[+] auto: dirty_pipe VULNERABLE (safety rank 90) -[+] auto: cgroup_release_agent VULNERABLE (safety rank 98) -[+] auto: pwnkit VULNERABLE (safety rank 100) - -[*] auto: 3 vulnerable modules found. Safest is 'pwnkit' (rank 100). -[*] auto: launching --exploit pwnkit... - -[+] pwnkit: writing gconv-modules cache + payload.so... -[+] pwnkit: execve(pkexec) with NULL argv + crafted envp... -# id -uid=0(root) gid=0(root) groups=0(root)- -
- Safety ranking goes structural escapes → - page-cache writes → - userspace cred-races → - kernel primitives → - kernel races. The goal is to never crash a - production box looking for root. -
+
+ Most public PoC repos hardcode offsets for one kernel build and
+ silently break elsewhere. SKELETONKEY refuses to ship
+ fabricated offsets. The shared --full-chain
+ finisher returns EXPLOIT_OK only when a setuid
+ bash sentinel file actually appears. Modules with a
+ primitive but no portable cred-overwrite chain default to
+ firing the primitive + grooming the slab + recording a witness,
+ then return EXPLOIT_FAIL with diagnostic.
+ Operators populate the offset table once per kernel via
+ --dump-offsets and upstream the entry via PR.
+
- Most public PoC repos hardcode offsets for one kernel build and - silently break elsewhere. SKELETONKEY refuses to ship fabricated - offsets. -
---full-chain finisher returns EXPLOIT_OK only when a setuid bash sentinel file actually appearsEXPLOIT_FAIL with diagnosticskeletonkey --dump-offsets (parses /proc/kallsyms or /boot/System.map) and upstream the entry via PR — see CONTRIBUTING.md# Install (x86_64 / arm64; checksum-verified) +++# install (x86_64 / arm64; checksum-verified) $ curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh - -# What's this box vulnerable to? (no sudo) +# default is the musl-static x86_64 binary — works back to glibc 2.17+++# inventory — no sudo needed $ skeletonkey --scan - -# Pick the safest LPE and run it +# or machine-readable for a SIEM +$ skeletonkey --scan --json | jq '.findings[] | select(.verdict == "VULNERABLE")'+++# one-page operator briefing for a single CVE +$ skeletonkey --explain nf_tables +# shows CVE/CWE/ATT&CK/KEV header, host fingerprint, live trace, +# verdict, OPSEC footprint, detection coverage. Paste into your ticket.+++# pick the safest exploit and run it $ skeletonkey --auto --i-know +# --dry-run for "what would it do?" without launching +$ skeletonkey --auto --dry-run++# deploy SIEM coverage (needs sudo to write to /etc/audit/rules.d/) +$ skeletonkey --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-skeletonkey.rules +$ sudo augenrules --load -# Deploy detection rules (needs sudo to write into /etc/audit/rules.d/) -$ skeletonkey --detect-rules --format=auditd \ - | sudo tee /etc/audit/rules.d/99-skeletonkey.rules - -# Fleet scan — many hosts via SSH, aggregated JSON for SIEM -$ ./tools/skeletonkey-fleet-scan.sh --binary skeletonkey \ - --ssh-key ~/.ssh/id_rsa hosts.txt+# or in YAML for falco / sigma / yara +$ skeletonkey --detect-rules --format=falco > /etc/falco/skeletonkey_rules.yaml +
- v0.5.0 cut 2026-05-17. 28 verified modules build - clean on Debian 13 (kernel 6.12) and refuse cleanly on patched - hosts; 3 further modules (dirtydecrypt, fragnesia, pack2theroot) - are ported from public PoCs but not yet VM-verified. - Empirical end-to-end validation on a vulnerable-kernel VM matrix - is the next roadmap item; until then, the corpus is best - understood as "compiles + detects + structurally correct + - honest on failure." -
-- Read the roadmap - How to contribute +
core/host.c shared host-fingerprint refactorverified_on[] table fed by verifier records--scan --json+ Full roadmap and contribution guide: + ROADMAP.md + · + CONTRIBUTING.md