git404hub

what is roothawk fr?

roadbicycle-c/roothawk — explained in plain English

Analysis updated 2026-05-18

31CAudience · ops devopsComplexity · 4/5Setup · moderate

tl;dr

Go command line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.

vibe map

mindmap
  root((RootHawk))
    Inputs
      CVE module name
      Target Linux VM
      CLI flags
    Outputs
      Root shell
      Verbose log
      Backup of su
    Use Cases
      Patch verification
      Lab privilege escalation
      CVE walk through
    Tech Stack
      Go
      C PoCs
      Linux

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Confirm in a lab VM whether a Linux distro is patched against PwnKit, Dirty Pipe, and newer CVEs.

VIBE 2

Walk through every supported CVE module in order with the -any flag on a practice target.

VIBE 3

Study packaged proof of concept code for kernel and Polkit privilege escalation bugs.

VIBE 4

Run a post escalation command with -exec instead of dropping into a su shell.

what's the stack?

GoCLinux

how it stacks up fr

roadbicycle-c/roothawk0xazanul/fuzz-skilljakobfriedl/logon-monitor-bof
Stars313131
LanguageCCC
Setup difficultymoderatemoderatemoderate
Complexity4/53/54/5
Audienceops devopsresearcherops devops

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Run only against authorized practice targets and lab VMs. Copy Fail modifies the su binary unless -backup is set.

in plain english

RootHawk is a Linux command line tool that bundles a handful of well known local privilege escalation exploits into a single binary. The README is clear about the intended audience: people running authorized practice targets, virtual machines, and lab environments, where they have permission to test whether a system is patched against a given kernel or Polkit bug. The project is written in Go, even though GitHub tags the repo as C because the C language proof of concept files sit alongside the Go code. Each exploit is exposed as a module identified by its CVE number. The README lists CVE-2021-4034 (the Polkit bug commonly called PwnKit), CVE-2021-3560 (a Polkit D-Bus authentication bypass), CVE-2022-0847 (Dirty Pipe), CVE-2026-31431 (called Copy Fail, in the kernel's crypto and AF_ALG code paths), and CVE-2026-43284 (Dirty Frag, in the kernel's xfrm and ESP network packet handling). A results table in the README reports successful test runs on AnolisOS, openEuler, UOS, openKylin, Ubuntu, and CentOS 7. Usage is centered on a few flags. The -list flag prints the available modules. The -e flag runs a single CVE, for example ./RootHawk-amd64 -e CVE-2021-4034. The -any flag walks through every module in order. Two flags shape how Copy Fail behaves: -backup keeps a copy of the original su binary before the exploit modifies it, and -exec runs a chosen program after escalation rather than dropping into a su shell. A -v flag turns on verbose logging. Prebuilt binaries for amd64, arm64, and 386 ship in the bin folder, so a tester can mark one executable and run it directly inside a target VM.

prompts (copy fr)

prompt 1
Read RootHawk and explain how the -e CVE-2021-4034 module invokes the PwnKit Polkit exploit step by step.
prompt 2
Write a checklist to harden a fresh Ubuntu VM against every CVE listed in RootHawk. One mitigation per CVE.
prompt 3
Add a new module to RootHawk for a hypothetical CVE. Show the Go module interface and where the CVE registry lives.
prompt 4
Build RootHawk for arm64 from source in a Docker container, then test it inside a Multipass VM.
prompt 5
Detect RootHawk activity from auditd logs. Write the audit rules and a journalctl filter that catches each CVE module.

Frequently asked questions

what is roothawk fr?

Go command line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.

What language is roothawk written in?

Mainly C. The stack also includes Go, C, Linux.

How hard is roothawk to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is roothawk for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.