whirlpool -- privesc reasoning engine

Whirlpool

Privilege escalation reasoning engine
Parse enumeration output. Get ranked attack playbooks.

From raw output to attack plan

Feed Whirlpool any LinPEAS, WinPEAS, or manual enumeration output and get back a prioritized exploitation playbook with exact commands, confidence ratings, and multi-step attack chains.

Auto-Detection

Identifies LinPEAS .sh, WinPEAS .exe/.bat/.beta, and manual command output automatically. No --type flag needed.

Offline Knowledge

329 GTFOBins, 86 LOLBAS, 42 kernel exploits, 9 potato attacks. Everything runs locally -- no API calls, no internet required.

Composite Scoring

Four-dimension weighted scoring: reliability (40%), safety (30%), simplicity (20%), stealth (10%). Five ranking profiles shift the weights.

Attack Chains

Detects 12 multi-step paths: cron PATH hijack, Docker escape, NFS SUID planting, wildcard injection, LD_PRELOAD, and more.

Noise Filtering

Purpose-built parsers reject grep artifacts, version patterns, and false-positive words. Tested against 22 real-world samples with zero failures.

Multiple Formats

Rich terminal output with Catppuccin Mocha theme, Markdown reports for documentation, and structured JSON for tool integration.

Quick Wins

Surface the top 5 highest-probability techniques instantly. One flag: --quick-wins

Python API

Import parsers, analyzer, ranker, and chain detector directly. Build Whirlpool into your own tooling and automation pipelines.

Raw output in. Attack plan out.

Whirlpool parses enumeration data, matches findings against knowledge bases, and ranks exploitation paths by probability of success.

whirlpool linpeas_output.txt --profile oscp

WHIRLPOOL - Privilege Escalation Analysis

Target Information
Hostname: jarvis
Kernel: 4.9.0
User: www-data
Quick Wins - Highest probability techniques
[1] 95 Sudo systemctl high low risk
User can run systemctl as root with NOPASSWD
sudo systemctl
!sh
[2] 82 SUID pkexec high low risk
Exploit SUID bit on pkexec (CVE-2021-4034)
python3 -c 'import os; os.execvp("pkexec",
  ["", "-c", "#!/bin/sh\nsh"])'

Whirlpool analyzing LinPEAS output -- ranked techniques with exact exploitation commands.

Three-stage pipeline. Zero network calls.

Parse enumeration output into structured data, match findings against offline knowledge bases, and rank exploitation paths with composite scoring. Commands are output as text -- never executed.

system architecture
01 Parsers

Strip ANSI codes, detect format variants (LinPEAS .sh, WinPEAS .exe/.bat/beta), and extract structured data: SUID binaries, capabilities, sudo rights, services, privileges, and more.

02 Analyzer

Match parsed findings against gtfobins.json, kernel_exploits.json, potato_matrix.json, and lolbas.json. Analyze credentials, network services, writable files, groups, tokens, DLL hijacking, UAC, and AD/Kerberos.

03 Ranker

Composite scoring across reliability, safety, simplicity, and stealth. Five profiles (default, oscp, ctf, stealth, safe) shift dimension weights.

04 Chain Detector

Detect 12 multi-step attack paths that single-finding scanners miss: cron PATH hijack, Docker socket abuse, NFS SUID planting, wildcard injection, LD_PRELOAD, writable /etc/passwd.


Python 3.9+, Rich, Dataclasses, Pathlib, Argparse, JSON, Minimal Dependencies

Offline. Comprehensive. Always current.

Four bundled knowledge bases covering Linux and Windows privilege escalation techniques. No internet connection required.

329 GTFOBins: Unix binaries with SUID, sudo, capabilities, file_read, file_write, and shell techniques
86 LOLBAS: Windows living-off-the-land binaries and scripts
42 Kernel Exploits: 23 Linux + 19 Windows CVEs with affected version ranges and commands
9 Potato Attacks: Token impersonation variants with OS compatibility matrix

Scoring tuned to your scenario

Each exploitation path is scored across four dimensions. Profiles shift the weights to match OSCP exams, CTF speed runs, red team stealth, or safe testing.

Component    Default  OSCP  CTF  Stealth  Safe
Reliability  40%      50%   50%  25%      30%
Safety       30%      25%   10%  25%      50%
Simplicity   20%      20%   35%  10%      15%
Stealth      10%      5%    5%   40%      5%
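
How the weights in the table above combine into a ranking, as an added example (not Whirlpool's own code). It assumes each dimension is rated 0-100 and uses three constructed findings with invented ratings to show the same findings reordering under different profiles.

```python
# Added illustration of profile-weighted scoring; not Whirlpool's source code.
from dataclasses import dataclass

# Weights (percent) copied from the profile table above.
DIMENSIONS = ("reliability", "safety", "simplicity", "stealth")
PROFILES = {
    "default": (40, 30, 20, 10),
    "oscp":    (50, 25, 20, 5),
    "ctf":     (50, 10, 35, 5),
    "stealth": (25, 25, 10, 40),
    "safe":    (30, 50, 15, 5),
}


@dataclass(frozen=True)
class Finding:
    name: str
    reliability: int  # assumed 0-100 rating per dimension
    safety: int
    simplicity: int
    stealth: int


def composite(finding: Finding, profile: str) -> float:
    """Weighted sum of the four dimension ratings for one profile."""
    weights = PROFILES[profile]
    if sum(weights) != 100:
        raise ValueError(f"weights for {profile!r} do not sum to 100")
    total = sum(getattr(finding, d) * w for d, w in zip(DIMENSIONS, weights))
    return total / 100


def rank(findings, profile: str) -> list:
    """Names of findings, highest composite score first."""
    ordered = sorted(findings, key=lambda f: composite(f, profile), reverse=True)
    return [f.name for f in ordered]


# Constructed sample findings; the ratings are invented for the example.
SAMPLE = [
    Finding("sudo NOPASSWD rule", 95, 90, 90, 60),
    Finding("kernel exploit", 90, 15, 80, 20),
    Finding("writable cron script", 70, 85, 50, 90),
]

if __name__ == "__main__":
    for profile in PROFILES:
        scores = {f.name: composite(f, profile) for f in SAMPLE}
        print(f"{profile:8} {rank(SAMPLE, profile)} {scores}")
```

With these ratings the low-safety finding ranks second under ctf and last under default, oscp, stealth and safe, while the stealth profile is the only one that moves the high-stealth finding to the top.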

Running in 30 seconds

One command to install, one command to run. No Docker, no build step, no configuration files. Python 3.9+ is the only requirement.

# Install with pipx (recommended)
$ pipx install git+https://github.com/Real-Fruit-Snacks/Whirlpool.git
# Or install with pip
$ pip install git+https://github.com/Real-Fruit-Snacks/Whirlpool.git
# Analyze enumeration output
$ whirlpool linpeas_output.txt
# Customize output:
$ whirlpool enum.txt --profile oscp   # OSCP mode
$ whirlpool enum.txt --quick-wins   # top 5 only
$ whirlpool enum.txt -f markdown -o report.md
$ whirlpool enum.txt --lhost 10.10.14.1 --lport 4444
$ cat linpeas.txt | whirlpool   # pipe input

pipx is the recommended install method -- it creates an isolated environment and keeps your system Python clean. Install pipx if you don't have it yet.

Point Whirlpool at any enumeration output file. It auto-detects the format, parses the findings, matches them against offline knowledge bases, and outputs a ranked exploitation playbook.

Use --profile oscp for exam scenarios, --profile ctf for speed, --profile stealth for red team ops, or --profile safe when system stability matters.

Export to Markdown for reports, JSON for tool integration, or use the default terminal output with Catppuccin Mocha theming.