How to Download gxc-BloodPengu.py on Kali Linux 2025.4 with pipx
Tool Overview
Ever since I created BloodPengu, my only attack-path collector has been PyPengu, which is very different from SharpHound: BloodPengu collectors map attack paths based on relationships in file/access ownership and kernel mechanisms.
But then PyPengu raised several concerns.
As a pentester myself, I believe a bunch of you guys hate tools that require a custom binary for each deployment, etc., which makes PyPengu not very flexible as a Swiss Army knife, FKA "I'm too lazy for it".
That's why I developed gxc-BloodPengu.py, an SSH logon-based collector that enables faster data collection across Linux systems (as long as the target has bash/a shell).
It opens logon sessions over paramiko, optionally chaining through a jump host, and systematically enumerates the target through a modular collector architecture covering SUID binaries, writable services, cron misconfigurations, sudo policy weaknesses, Docker group membership, kernel version fingerprinting against a curated CVE registry spanning 2.4.x through 6.x, and loaded kernel module inspection, making potential escalation much easier!!
How to Install gxc-BloodPengu.py with pipx
pipx is the easiest installation method; furthermore, look at this page if you want more details.
Open up your CLI and make sure you have pipx ready:
pipx install bloodpengu-python
Post-installation:
┌──(byt3n33dl3㉿kali)-[~]
└─$ bloodpengu-python -h
_ __ ___ __ _____
___ _| |/_/_______/ _ )/ /__ ___ ___/ / _ \___ ___ ___ ___ __ ___ __ __
/ _ `/\ // __/___/ _ / / _ \/ _ \/ _ / ___/ -_) _ \/ _ `/ // / / _ \/ // /
\_, /_/|_|\__/ /____/_/\___/\___/\_,_/_/ \__/_//_/\_, /\_,_(_) .__/\_, /
/___/ /___/ /_/ /___/
v1.5.3 [SuSHi Rav3n]
gxc-BloodPengu.py v1.5.3 | by <@byt3n33dl3>
Data collector in Python for BloodPengu APM
Usage:
bloodpengu-python [options]
----------------------------------------------------------------------
Authentication: (required one of -p or -k)
-u USERNAME SSH username
-p PASSWORD Authenticate with password
-k KEY_FILE Authenticate with RSA/PEM private key (e.g. id_rsa, key.pem)
Target Options:
-d DOMAIN Domain or hostname (stored in output for BloodPengu context)
--port PORT SSH port (default: 22)
--old-ssh Enable legacy SSH algorithms (for old OpenSSH targets)
--jumphost HOST Pivot via jump host (format: user:pass@host:port)
--jumphost-key FILE Key file for jump host auth
Modules: (all collectors run by default, use -M to run one only)
-M MODULE Run a specific module only
Available modules:
sacspengu Compiler and Binary Analysis suggestor
avrisk Anti-Virus Discovery!!
brace Container and Cloud Assessor
kernel Kernel and LPE CVE's checklists!!
Output:
-o OUTPUT_FILE Write JSON to file (default: pypengu-output.json)
-v Verbosity as each collector result as it arrives
--no-color Disable color output
----------------------------------------------------------------------
Examples:
bloodpengu-python -u kraken -p kr@ken
bloodpengu-python -u kraken -k ~/.ssh/id_rsa
bloodpengu-python -u kraken -k ~/.ssh/id_rsa --port 2222
bloodpengu-python -u kraken -p kr@ken -d kraken.htb -v
bloodpengu-python -u kraken -p kr@ken -M sacspengu
bloodpengu-python -u kraken -p kr@ken -M avrisk
bloodpengu-python -u kraken -p kr@ken -M brace
bloodpengu-python -u kraken -p kr@ken -M kernel
bloodpengu-python -u kraken -k id_rsa -o ./results/kraken.json
----------------------------------------------------------------------
Collectors: (all run by default unless -M is specified)
Collector      Role       Description
-------------  ---------  ----------------------------------------------------
users          COLLECT    Local users, UID 0 accounts, /etc/passwd, /etc/group
sudo           COLLECT    NOPASSWD rules, dangerous sudo binaries, misconfigs
suid           COLLECT    SUID and SGID binaries with GTFOBins cross-reference
groups         COLLECT    Privileged groups - docker, lxd, disk, shadow, adm
services       COLLECT    Writable systemd units, hijackable service scripts
cron           COLLECT    Writable cron scripts, scheduled task privilege paths
kernel         COLLECT    Kernel version matched against known CVE list
containers     ESCAPE     Docker socket, LXD membership, cloud credentials, K8s
network        RECON      Listening ports, interfaces, internal network range
env            DISCOVER   Env vars, history files, interesting files in home/opt
sacspengu      COMPILE    Compilers, writable PATH/lib dirs, capabilities, build files
avrisk         RECON      Anti-Virus Discovery!!
brace          ESCAPE     Container and Cloud Assessor
kernel         RECON      Kernel and LPE CVE's checklists!!
----------------------------------------------------------------------
Output lands on attacker machine as pypengu-output.json
Import directly into BloodPengu!!
gxc-BloodPengu.py v1.5.3 by <@byt3n33dl3> github.com/byt3n33dl3/gxc-BloodPengu.py
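To see what the `users` and `groups` rows in the collector table would report on a host you administer, here is an added example (not code from gxc-BloodPengu.py, and not its JSON output schema) that audits passwd/group text for extra UID 0 accounts and membership of the privileged groups named in the help output. The function names and the sample data are assumptions constructed for illustration.

```python
"""Added example: audit passwd/group text for extra UID 0 accounts and privileged groups."""
PRIVILEGED_GROUPS = {"docker", "lxd", "disk", "shadow", "adm"}  # list taken from the help output

# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-admin:x:0:0:legacy account:/home/backup-admin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
builder:x:1001:998:CI builder:/home/builder:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,alice
shadow:x:42:
docker:x:998:
users:x:100:alice,builder
"""

def parse_colon_file(text, min_fields):
    """Split passwd/group style text into field lists, skipping blanks, comments, short lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows.append(fields)
    return rows

def audit_accounts(passwd_text, group_text):
    """Return non-root UID 0 accounts and the members of each privileged group."""
    users = parse_colon_file(passwd_text, 7)
    groups = parse_colon_file(group_text, 4)
    extra_uid0 = sorted(u[0] for u in users
                        if u[2].isdigit() and int(u[2]) == 0 and u[0] != "root")
    privileged = {}
    for name, _pw, gid, members in (g[:4] for g in groups):
        if name not in PRIVILEGED_GROUPS:
            continue
        explicit = {m for m in members.split(",") if m}
        # Edge case: a user whose primary GID is the group is a member without being listed.
        primary = {u[0] for u in users if u[3] == gid}
        if explicit | primary:
            privileged[name] = sorted(explicit | primary)
    return {"extra_uid0": extra_uid0, "privileged_members": privileged}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP), indent=2))
```

On a real host, pass the contents of `/etc/passwd` and `/etc/group` instead of the sample strings; accounts resolved through LDAP or SSSD do not appear in those files and need `getent` output instead.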
At the time of writing this, gxc-BloodPengu.py is at version 1.5.3, The SuSHi Rav3n.
Moreover, Proton me if you have further questions and suggestions.