Degree Visualization of Linux ASR

Map. Exploit.
Eliminate.

Graph based privilege escalation modeling for modern Linux environments. Visualize attack-paths to root before your adversary.

8+ Core Collectors
100% Linux Based
Go+JS Stack
BSD/MIT License
Sudo Escalation, SUID Discovery, Docker Escape, LXD Group Abuse, Kernel Exploits, Writable Services, Cron Hijacking, Group Degree Mapping, Attack Path Visualization, PyPengu Collector

Attack path management
for Linux infrastructure

Identify hundreds, even thousands, of attack paths. BloodPengu brings graph-based ASR to Linux/Unix environments.

PyPengu collects data on the target, enumerating privilege vectors, mapping group relationships, and surfacing escalation paths. BloodPengu ingests that JSON and renders it as an interactive attack graph.

Security teams can identify the shortest path to root in seconds. Defenders can map and close attack paths before they are exploited.

pypengu-output.json
{
  "host": "vulnerable.corp",
  "os": "Ubuntu 20.04 LTS",
  "kernel": "5.4.0-42-generic",
  "user": "tony",
  "nodes": [
    {"id": "tony", "type": "USER"},
    {"id": "lxd", "type": "GROUP"},
    {"id": "root", "type": "USER"}
  ],
  "edges": [
    {"from": "tony", "to": "lxd", "type": "MemberOf", "risk": "HIGH"},
    {"from": "lxd", "to": "root", "type": "LXDGroupEscape", "risk": "CRITICAL"}
  ]
}

Multiplex vectors. One graph.

BloodPengu maps every privilege escalation path across your Linux attack surface into a unified, queryable graph.

01. Group Degree Mapping

Visualizes group membership depth and privileged inheritance. Surfaces dangerous groups like docker, lxd, disk, and sudo with full escalation impact.

02. Sudo Escalation Graph

Parses sudo access output (sudo -l) and NOPASSWD rules. Maps direct and indirect escalation paths through sudoers misconfigurations and dangerous binary configurations.

03. Service Exposure Modeling

Identifies writable systemd service unit files and scripts executed with elevated privileges that can be hijacked across user boundaries.

04. Kernel Surface Awareness

Captures the kernel version and cross-references it against known CVEs. Maps KernelExploit edges, including DirtyPipe, DirtyCow, and overlayfs privilege chains.

05. SUID Binary Discovery

Enumerates all SUID and SGID binaries across the filesystem and cross-references them against GTFOBins-style exploitable binaries to surface immediate escalation vectors.

06. Container Based Escape

Detects container group membership and maps container escape paths. Identifies LXDGroupEscape and DockerEscape vectors with full graph visualization.

BloodPengu in action.

Real attack paths. Real Linux environments. Every node clickable. Every edge labeled.

Attack Path Overview (Critical)
Full graph view showing all privilege escalation paths from a low-privilege user to root. Edges are colored by risk severity across the entire attack surface.

Container Group Escape (Critical)
Vuln-User is a member of the lxd group. BloodPengu maps the LXDGroupEscape edge directly to root, exposing the single-hop privilege escalation chain.

Dense Attack Surface (183 Critical)
Hundreds of nodes, hundreds of edges, hundreds of critical paths rendered in one graph. SUID binaries fan out from a single user, each one a direct path to root privilege.

SudoNoPasswd Path (Critical)
Shortest path query result from Vuln-User to root via SudoNoPasswd. The curved edge shows a single-step escalation requiring no password. Remediation is immediate.

Kernel Exploit Path (Critical)
KernelExploit edge from Vuln-User to root. PyPengu detected a vulnerable kernel version and BloodPengu surfaces the CVE-based escalation as a critical attack path.

Multi-Edge Connections (11 Paths)
All paths from Vuln-User to root rendered simultaneously. KernelExploit and ten SudoNoPasswd edges shown as a fan between two nodes, with risk labels on each arc.

Collect. Transform.
Visualize.

A two-component pipeline. PyPengu runs locally on the target and enumerates the attack surface. BloodPengu ingests that JSON and renders an interactive attack graph.

01. Deploy PyPengu

Run the static Go binary on the target. No dependencies. Supports x86_64, ARM64, x86. Outputs pypengu-output.json.

02. Enumerate Attack Surface

8 core collectors run in parallel across sudo, SUID, docker, services, cron, kernel, groups, and users. All findings are serialized to JSON.

03. Import to BloodPengu

Drop the JSON into BloodPengu via the Import JSON interface. The graph auto-populates with nodes, edges, and risk levels.

04. Query Attack Paths

Run pre-built queries: Shortest to Root, All Paths to Root, Sudo Misconfigs, SUID Binaries, Kernel Exploits, and more.
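The two most-used queries in the pipeline above, Shortest to Root and All Paths to Root, are plain graph searches over the pypengu-output.json schema shown earlier on this page. The program below is an added example written for this page, not BloodPengu's own code: it loads a constructed JSON document in that schema (the lxd chain from the page plus a hypothetical second route through a writable service, so the two queries give different answers), runs a breadth-first search for the fewest-hop path and a depth-first enumeration of every simple path, and prints each path with its edge types and risk labels so a defender can see which single edge removal cuts the most routes. The extra node types and the WritableService and RunsAsRoot edge types are assumptions for the sample, not values taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Node and Edge mirror the pypengu-output.json schema shown on the page.
type Node struct {
	ID   string `json:"id"`
	Type string `json:"type"`
}

type Edge struct {
	From string `json:"from"`
	To   string `json:"to"`
	Type string `json:"type"`
	Risk string `json:"risk"`
}

type Output struct {
	Host  string `json:"host"`
	User  string `json:"user"`
	Nodes []Node `json:"nodes"`
	Edges []Edge `json:"edges"`
}

// sampleJSON is constructed sample input: the page's lxd chain plus a
// hypothetical second route via a writable service (edge types assumed).
const sampleJSON = `{
  "host": "vulnerable.corp",
  "user": "tony",
  "nodes": [
    {"id": "tony", "type": "USER"},
    {"id": "lxd", "type": "GROUP"},
    {"id": "devs", "type": "GROUP"},
    {"id": "backup.service", "type": "SERVICE"},
    {"id": "root", "type": "USER"}
  ],
  "edges": [
    {"from": "tony", "to": "lxd", "type": "MemberOf", "risk": "HIGH"},
    {"from": "lxd", "to": "root", "type": "LXDGroupEscape", "risk": "CRITICAL"},
    {"from": "tony", "to": "devs", "type": "MemberOf", "risk": "LOW"},
    {"from": "devs", "to": "backup.service", "type": "WritableService", "risk": "HIGH"},
    {"from": "backup.service", "to": "root", "type": "RunsAsRoot", "risk": "CRITICAL"}
  ]
}`

// Graph is an adjacency list keyed by the source node id.
type Graph map[string][]Edge

// Load parses the collector output and builds the adjacency list.
func Load(data []byte) (Output, Graph, error) {
	var out Output
	if err := json.Unmarshal(data, &out); err != nil {
		return out, nil, err
	}
	g := Graph{}
	for _, e := range out.Edges {
		g[e.From] = append(g[e.From], e)
	}
	return out, g, nil
}

// ShortestPath is the "Shortest to Root" query: BFS from src returning the
// edge sequence of the fewest-hop path to dst, or nil if dst is unreachable.
func ShortestPath(g Graph, src, dst string) []Edge {
	type item struct {
		node string
		path []Edge
	}
	visited := map[string]bool{src: true}
	queue := []item{{node: src}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur.node == dst {
			return cur.path
		}
		for _, e := range g[cur.node] {
			if visited[e.To] {
				continue
			}
			visited[e.To] = true
			next := append(append([]Edge{}, cur.path...), e)
			queue = append(queue, item{node: e.To, path: next})
		}
	}
	return nil
}

// AllPaths is the "All Paths to Root" query: DFS enumerating every simple
// path from src to dst, shortest first so remediation starts with the
// cheapest hop an attacker could take.
func AllPaths(g Graph, src, dst string) [][]Edge {
	var paths [][]Edge
	var walk func(node string, onPath map[string]bool, path []Edge)
	walk = func(node string, onPath map[string]bool, path []Edge) {
		if node == dst {
			paths = append(paths, append([]Edge{}, path...))
			return
		}
		for _, e := range g[node] {
			if onPath[e.To] {
				continue // never revisit a node already on this path
			}
			onPath[e.To] = true
			walk(e.To, onPath, append(append([]Edge{}, path...), e))
			delete(onPath, e.To)
		}
	}
	walk(src, map[string]bool{src: true}, nil)
	sort.SliceStable(paths, func(i, j int) bool { return len(paths[i]) < len(paths[j]) })
	return paths
}

// Describe renders a path as "tony -MemberOf(HIGH)-> lxd -LXDGroupEscape(CRITICAL)-> root".
func Describe(path []Edge) string {
	if len(path) == 0 {
		return ""
	}
	s := path[0].From
	for _, e := range path {
		s += fmt.Sprintf(" -%s(%s)-> %s", e.Type, e.Risk, e.To)
	}
	return s
}

func main() {
	out, g, err := Load([]byte(sampleJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("Shortest to Root:", Describe(ShortestPath(g, out.User, "root")))
	for i, p := range AllPaths(g, out.User, "root") {
		fmt.Printf("Path %d: %s\n", i+1, Describe(p))
	}
}
```

On the sample, the shortest query returns the two-hop lxd chain, and the all-paths query returns that chain first and the three-hop service route second; removing tony from the lxd group closes the first route but not the second, which is exactly the question the All Paths to Root view answers.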

Collector | Source               | Finding                               | Risk
Sudo      | sudo -l              | NOPASSWD rules and dangerous binaries | Critical
SUID      | find / -perm -4000   | GTFOBins cross-reference              | Critical
Docker    | id / groups          | Container group membership            | High
Services  | systemctl list-units | Writable unit file detection          | High
Cron      | /etc/cron*           | Hijackable cron scripts               | High
Kernel    | uname -r             | CVE version matching                  | Critical
Groups    | /etc/group           | Privileged group enumeration          | Medium
Users     | /etc/passwd          | User privilege mapping                | Medium
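The Groups and Docker rows above are the collector side of the page's Group Degree Mapping feature: read group membership and emit MemberOf edges, flagging the dangerous groups the page names. The program below is an added example written for this page, not PyPengu's own collector: it parses a constructed /etc/group excerpt for one user and produces nodes and edges in the pypengu-output.json schema, giving docker, lxd, disk and sudo membership a HIGH risk and adding the CRITICAL LXDGroupEscape or DockerEscape edge to root where the page names such an edge type. The risk values, the choice to emit no dedicated edge type for disk and sudo, and the sample group file are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Node, Edge and Output follow the pypengu-output.json schema shown on the page.
type Node struct {
	ID   string `json:"id"`
	Type string `json:"type"`
}

type Edge struct {
	From string `json:"from"`
	To   string `json:"to"`
	Type string `json:"type"`
	Risk string `json:"risk"`
}

type Output struct {
	User  string `json:"user"`
	Nodes []Node `json:"nodes"`
	Edges []Edge `json:"edges"`
}

// dangerousGroups lists the groups the page calls out. lxd and docker map to
// the escape edge types the page names; disk and sudo get only a HIGH-risk
// MemberOf edge because the page shows no dedicated edge type for them
// (assumption of this example).
var dangerousGroups = map[string]string{
	"lxd":    "LXDGroupEscape",
	"docker": "DockerEscape",
	"disk":   "",
	"sudo":   "",
}

// etcGroup is a constructed /etc/group excerpt used as offline sample input.
const etcGroup = `root:x:0:
adm:x:4:syslog,tony
lxd:x:116:tony
docker:x:999:alice
sudo:x:27:alice
devs:x:1001:tony,alice
`

// CollectGroups parses /etc/group-format text and emits a MemberOf edge for
// every supplementary group of user, plus a CRITICAL escape edge to root for
// groups with a known escape type.
func CollectGroups(user, groupFile string) Output {
	out := Output{User: user}
	seen := map[string]bool{}
	addNode := func(id, typ string) {
		if !seen[id] {
			seen[id] = true
			out.Nodes = append(out.Nodes, Node{ID: id, Type: typ})
		}
	}
	addNode(user, "USER")
	addNode("root", "USER")

	for _, line := range strings.Split(groupFile, "\n") {
		fields := strings.Split(line, ":") // name:password:gid:member,member,...
		if len(fields) < 4 {
			continue // blank or malformed line
		}
		name := fields[0]
		isMember := false
		for _, m := range strings.Split(fields[3], ",") {
			if m == user {
				isMember = true
				break
			}
		}
		if !isMember {
			continue
		}
		addNode(name, "GROUP")
		risk := "LOW"
		escape, dangerous := dangerousGroups[name]
		if dangerous {
			risk = "HIGH"
		}
		out.Edges = append(out.Edges, Edge{From: user, To: name, Type: "MemberOf", Risk: risk})
		if escape != "" {
			out.Edges = append(out.Edges, Edge{From: name, To: "root", Type: escape, Risk: "CRITICAL"})
		}
	}
	return out
}

// CriticalEdges returns the edges a defender should remediate first.
func CriticalEdges(out Output) []Edge {
	var crit []Edge
	for _, e := range out.Edges {
		if e.Risk == "CRITICAL" {
			crit = append(crit, e)
		}
	}
	return crit
}

func main() {
	out := CollectGroups("tony", etcGroup)
	data, err := json.MarshalIndent(out, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
	for _, e := range CriticalEdges(out) {
		fmt.Printf("CRITICAL: %s -%s-> %s\n", e.From, e.Type, e.To)
	}
}
```

Only supplementary membership from /etc/group is read here; a real collector would also fold in the primary group from /etc/passwd (the Users row) and the live output of id, since the two can disagree after a group edit that has not yet taken effect in running sessions.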

Stop being the last
to know.

Run PyPengu. Import the collected JSON. See every path to root before your adversary does.

BSD-3-Clause and MIT Licensed -- Open Source -- Built by AdverXarial