explaingit

roadbicycle-c/roothawk

Analysis updated 2026-06-24

Stars · 31 · Language · C · Audience · ops/devops · Complexity · 4/5 · Setup · moderate

TLDR

Go command line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.

Mindmap

mindmap
  root((RootHawk))
    Inputs
      CVE module name
      Target Linux VM
      CLI flags
    Outputs
      Root shell
      Verbose log
      Backup of su
    Use Cases
      Patch verification
      Lab privilege escalation
      CVE walk through
    Tech Stack
      Go
      C PoCs
      Linux


What do people build with it?

USE CASE 1

Confirm in a lab VM whether a Linux distro is patched against PwnKit, Dirty Pipe, and newer CVEs.

USE CASE 2

Walk through every supported CVE module in order with the -any flag on a practice target.

USE CASE 3

Study packaged proof of concept code for kernel and Polkit privilege escalation bugs.

USE CASE 4

Run a post escalation command with -exec instead of dropping into a su shell.

What is it built with?

Go, C, Linux

How does it compare?

Repo              roadbicycle-c/roothawk   dreamfekk/andriod-autouedump-gui   division-36/z-jail
Stars             31                       35                                 25
Language          C                        C                                  C
Setup difficulty  moderate                 hard                               moderate
Complexity        4/5                      5/5                                3/5
Audience          ops/devops               researcher                         ops/devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Run only against authorized practice targets and lab VMs. The Copy Fail module modifies the su binary; set -backup to keep a copy of the original before it is changed.

In plain English

RootHawk is a Linux command line tool that bundles a handful of well known local privilege escalation exploits into a single binary. The README is clear about the intended audience: people running authorized practice targets, virtual machines, and lab environments, where they have permission to test whether a system is patched against a given kernel or Polkit bug. The project is written in Go, even though GitHub tags the repo as C, because the C proof of concept files sit alongside the Go code.

Each exploit is exposed as a module identified by its CVE number. The README lists CVE-2021-4034 (the Polkit bug commonly called PwnKit), CVE-2021-3560 (a Polkit D-Bus authentication bypass), CVE-2022-0847 (Dirty Pipe), CVE-2026-31431 (called Copy Fail, in the kernel's crypto and AF_ALG code paths), and CVE-2026-43284 (Dirty Frag, in the kernel's xfrm and ESP network packet handling). A results table in the README reports successful test runs on AnolisOS, openEuler, UOS, openKylin, Ubuntu, and CentOS 7.

Usage is centered on a few flags. The -list flag prints the available modules. The -e flag runs a single CVE module, for example ./RootHawk-amd64 -e CVE-2021-4034. The -any flag walks through every module in order. Two flags shape how Copy Fail behaves: -backup keeps a copy of the original su binary before the exploit modifies it, and -exec runs a chosen program after escalation rather than dropping into a su shell. A -v flag turns on verbose logging.

Prebuilt binaries for amd64, arm64, and 386 ship in the bin folder, so a tester can mark one as executable and run it directly inside a target VM.

Copy-paste prompts

Prompt 1
Read RootHawk and explain how the -e CVE-2021-4034 module invokes the PwnKit Polkit exploit step by step.
Prompt 2
Write a checklist to harden a fresh Ubuntu VM against every CVE listed in RootHawk. One mitigation per CVE.
Prompt 3
Add a new module to RootHawk for a hypothetical CVE. Show the Go module interface and where the CVE registry lives.
Prompt 4
Build RootHawk for arm64 from source in a Docker container, then test it inside a Multipass VM.
Prompt 5
Detect RootHawk activity from auditd logs. Write the audit rules and a journalctl filter that catches each CVE module.

Frequently asked questions

What is roothawk?

Go command line tool that bundles known Linux local privilege escalation exploits like PwnKit and Dirty Pipe into one binary for authorized lab testing.

What language is roothawk written in?

Mainly C, according to GitHub's language tag. The stack also includes Go, C, and Linux.

How hard is roothawk to set up?

Setup difficulty is rated moderate, with roughly 30 min to a first successful run.

Who is roothawk for?

Mainly ops and devops teams.


Verify against the repo before relying on details.