Privilege escalation, reasoned

Reasoning engine parsing LinPEAS and WinPEAS output. Prioritized attack vectors with step-by-step playbooks. 329 GTFOBins entries, 42 kernel exploits, 86 LOLBAS binaries.

whirlpool
$ whirlpool linpeas_output.txt
auto-detected: LinPEAS .sh output
analyzing 329 GTFOBins, 42 kernel exploits...

1. sudo vim (GTFOBins)       [95% confidence]
2. CVE-2021-4034 PwnKit      [90% confidence]
3. Cron PATH hijack (chain)   [85% confidence]

$ whirlpool enum.txt --profile oscp --quick-wins
Top 5 quick wins exported

Parse, reason, escalate

Feed raw enumeration output, get ranked exploitation playbooks. Offline knowledge bases, composite scoring, and attack chain detection.

Auto-Detection Parser

Feed any enumeration file and Whirlpool figures out the format. Handles LinPEAS .sh output, WinPEAS .exe output, .bat output, .exe beta format, and manual command output.

$ whirlpool linpeas_output.txt
auto-detected: LinPEAS .sh output
12 escalation paths found

Composite Scoring

Every technique scored across four dimensions — reliability, safety, simplicity, stealth. Five ranking profiles: default, OSCP, CTF, stealth, safe.

Attack Chains

Detects 12 multi-step privilege escalation paths that single-finding scanners miss — cron PATH hijack, Docker escape, NFS SUID, wildcard injection, LD_PRELOAD.
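
The cron PATH hijack chain named above, seen from the audit side: a root cron job and a user-writable directory are each unremarkable alone, and the finding only appears when the two are correlated. This is an added example, not Whirlpool's code; the function name, the sample crontab and the writable-directory set are constructed for illustration.

```python
# Added example: hypothetical names and constructed data, not Whirlpool's code.
import shlex

# Constructed sample in /etc/crontab format (5 time fields, user, command).
SAMPLE_CRONTAB = """\
# constructed sample
PATH=/home/deploy/bin:/usr/local/sbin:/usr/sbin:/usr/bin
*/5 * * * * root backup.sh --full
0 3 * * *   root /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * deploy sync-assets
"""

# Constructed stand-in for a permission check: directories that a
# non-root user can write to on the audited host.
SAMPLE_WRITABLE = {"/home/deploy/bin", "/tmp"}


def find_cron_path_chains(crontab_text, writable_dirs):
    """Return (command, directory) pairs where a root cron job calls a
    command by bare name while PATH contains a non-root-writable directory."""
    path_dirs = ["/usr/bin", "/bin"]  # cron's usual default when PATH is unset
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = [d for d in line[5:].strip("\"'").split(":") if d]
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # other variables, @-shortcuts and non-root jobs
        program = shlex.split(fields[6])[0]
        if "/" in program:
            continue  # explicit path: PATH is not consulted
        # Conservative: any writable PATH entry is reported, because the
        # directory the command really resolves from is not known offline.
        findings.extend((program, d) for d in path_dirs if d in writable_dirs)
    return findings


if __name__ == "__main__":
    for program, directory in find_cron_path_chains(SAMPLE_CRONTAB, SAMPLE_WRITABLE):
        print(f"root cron job runs '{program}' via writable PATH entry {directory}")
```

The fix for each reported pair is to call the command by absolute path in the crontab or to remove the writable directory from the job's PATH.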

Noise Filtering

Purpose-built parsers with aggressive false-positive filtering. Tested against 22 HTB/Vulnhub samples with zero crashes and zero blank results.

Offline Knowledge Bases

329 GTFOBins entries, 86 LOLBAS binaries, 42 kernel exploits with version ranges, and 9 potato attacks with OS compatibility matrices. All shipped as JSON — zero network calls.

$ whirlpool enum.txt --profile oscp
ranked by reliability + documentation
$ whirlpool enum.txt --format markdown -o report.md

Multiple Outputs

Rich terminal with Catppuccin Mocha theme, Markdown reports, structured JSON for tool integration, and quick-wins mode for the top 5 techniques.

Technique coverage

Comprehensive offline knowledge bases covering Linux and Windows privilege escalation. Runs entirely offline — zero network calls.

GTFOBins (329)
LOLBAS (86)
Kernel Exploits
Potato Attacks
SUID Binaries
Attack Chains
Docker Escape
NFS Root Squash
Wildcard Inject
Multiple Outputs
Sudo Misconfig
Writable passwd
LinPEAS Parse
WinPEAS Parse
Manual Parse
Diff Scans
Python API
LXD Escape

Three-stage pipeline

Parse enumeration output into structured data, analyze against knowledge bases, rank using composite scoring.

1. CLI & Detection

Argparse entry point with auto-detection of input format. Profile selection (--profile oscp), output routing, and --lhost/--lport substitution.

2. Parser Layer

LinPEAS, WinPEAS, and manual command parsers handling 3 format variants each. Aggressive noise filtering rejects grep artifacts and false patterns.

3. Analysis Engine

Core analyzer matches findings against offline knowledge bases. Chain detector identifies 12 multi-step attack paths. Composite scoring across 4 dimensions.

4. Ranker & Output

Five ranking profiles with weighted dimensions. Terminal output with Catppuccin Mocha theme, Markdown, and JSON renderers.

Install and analyze

Install with pipx. Python 3.9+ required. Runs entirely offline with no external dependencies.

install.sh
$ git clone https://github.com/Real-Fruit-Snacks/Whirlpool.git
$ cd Whirlpool && pip install -e .

# Or use pipx for isolation
$ pipx install git+https://github.com/Real-Fruit-Snacks/Whirlpool.git

$ whirlpool --help
Usage: whirlpool [OPTIONS] FILE

usage.sh
# Analyze LinPEAS output
$ whirlpool linpeas_output.txt

# OSCP-optimized ranking
$ whirlpool enum.txt --profile oscp

# Quick wins only
$ whirlpool enum.txt --quick-wins

# Markdown report
$ whirlpool enum.txt --format markdown -o report.md

Know the boundaries

Safe By Design

  • No execution — outputs text for operator review
  • No scanning — analyzes existing enumeration output
  • Fully offline — zero network connections
  • No implants — no persistent access mechanisms
  • Read-only — only reads input files, writes reports

Visible To

  • Process list — Python process visible
  • File system — output reports if exported
  • Shell history — CLI invocation logged
  • Clipboard — if commands are copied
  • Screen capture — terminal output visible