This project was inspired by my recent spare-time efforts working through retired HackTheBox machines, during which I grew increasingly frustrated with linPEAS — not with its coverage, which is excellent, but with how it operates: a 35,000-line Bash script that spawns a process for nearly every check, generates significant noise, and flags immediately on most modern EDR solutions.
I grew curious how a compiled binary that didn’t need any dependencies to run might work as an alternative option. Crystal was the right choice — crystal build --static targeting musl libc produces a single self-contained executable with no runtime dependencies. Drop it in /dev/shm, run it, delete it.
sysrift covers the 14 highest-signal linPEAS vectors: SUID/SGID with GTFOBins cross-referencing, sudo CVEs (Baron Samedit, CVE-2019-14287, CVE-2019-18634), kernel CVEs (DirtyCow, Dirty Pipe, eBPF), credential hunting, container escape detection, NFS no_root_squash, file capabilities, and more. Output is severity-tagged with a post-run summary that surfaces only critical and medium findings.
On the Crystal side, the interesting design decisions were around nil safety for parsing unreliable system output, replacing ~70 process spawns with native filesystem reads and /proc parsing, and a data layer modeled after linPEAS’s variable pre-computation pattern.
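As an added illustration of those two points, the nil-safe parsing and the no-spawn reads, here is example code that is not sysrift's own: the names KernelVersion, dirty_pipe_candidate? and suid_binaries are mine, the /proc path and the /usr/bin root are assumptions, and the Dirty Pipe bounds are the upstream fix versions.

```crystal
record KernelVersion, major : Int32, minor : Int32, patch : Int32 do
  include Comparable(KernelVersion)

  # Example code, not sysrift's: returns nil on odd input ("6.1.0-rpi7-rpi-v8", empty file) instead of raising.
  def self.parse(text : String) : KernelVersion?
    md = text.strip.match(/^(\d+)\.(\d+)(?:\.(\d+))?/)
    return nil unless md
    major = md[1].to_i?
    minor = md[2].to_i?
    return nil unless major && minor
    new(major, minor, md[3]?.try(&.to_i?) || 0)
  end

  def self.from_proc(path = "/proc/sys/kernel/osrelease") : KernelVersion?
    parse(File.read(path))
  rescue File::Error
    nil
  end

  def <=>(other : KernelVersion)
    {major, minor, patch} <=> {other.major, other.minor, other.patch}
  end
end

# Dirty Pipe (CVE-2022-0847): 5.8 and later until the upstream fixes 5.10.102, 5.15.25, 5.16.11.
# A version string cannot see distro backports, so this only marks a candidate for manual review.
def dirty_pipe_candidate?(v : KernelVersion) : Bool
  return false if v < KernelVersion.new(5, 8, 0)
  fixed = case {v.major, v.minor}
          when {5, 10} then KernelVersion.new(5, 10, 102)
          when {5, 15} then KernelVersion.new(5, 15, 25)
          else              KernelVersion.new(5, 16, 11)
          end
  v < fixed
end

# Native stand-in for `find ROOT -perm -4000`; File.info? yields nil for paths that vanish or cannot be stat'ed.
def suid_binaries(root : String) : Array(String)
  hits = [] of String
  Dir.glob(File.join(root, "**", "*")) do |path|
    info = File.info?(path, follow_symlinks: false)
    hits << path if info && info.type.file? && info.flags.set_user?
  end
  hits
end

if kv = KernelVersion.from_proc
  puts "kernel #{kv.major}.#{kv.minor}.#{kv.patch} dirty_pipe_candidate=#{dirty_pipe_candidate?(kv)}"
end
suid_binaries("/usr/bin").each { |p| puts "SUID #{p}" }
```

Build with crystal build --static as the post describes; no process is spawned, and a missing or unreadable /proc entry simply yields no finding rather than a crash.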
An ARCHITECTURE.md is included with the full design rationale if anyone wants to dig into the Crystal-specific decisions.
Would welcome any feedback on Crystal idioms, design choices, or coverage gaps.
Sidenote: You can run this on your own Linux system just to see how it functions, although it will be more prone to noise and false-positive findings, which are expected and normal on a personal Linux setup.