1 1 #!/bin/bash 2 - 3 2 ############################################################################################################### 4 3 ## [Title]: linuxprivchecker.sh -- a Linux Privilege Escalation Check Script 5 - ## [Author]: Mike Czumak (T_v3rn1x) -- @ SecuritySift 6 - ## [Contributors]: Mike Merrill (linted) -- https://github.com/linted 7 - ## James Hogan (5aru) -- https://github.com/5aru 4 + ## [Original Author]: Mike Czumak (T_v3rn1x) -- https : / / twitter . com / SecuritySift 5 + ## Forked from linuxprivchecker.py -- https://github.com/sleventyeleven/linuxprivchecker 6 + ## [Contributors]: 7 + ## Mike Merrill (linted) -- https://github.com/linted 8 + ## James Hogan (5aru) -- https://github.com/5aru 9 + ## Ali Kaba (alibkaba) -- https://github.com/alibkaba 8 10 ##------------------------------------------------------------------------------------------------------------- 9 11 ## [Details]: 10 - ## Similar functions to Mike Czumak's linuxprivchecker.py Linux Privilege Escalation Check Script. 11 12 ## This script is intended to be executed locally on a Linux box to enumerate basic system info and 12 13 ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text 13 14 ## passwords and applicable exploits. skipped 17 lines 31 32 ## USE OR OTHER DEALINGS IN THE SOFTWARE. 
32 33 ############################################################################################################### 33 34 34 - ### Useful functions 35 - 35 + # command paths 36 36 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" 37 37 38 - TITLE_LINE=$(printf "%*s\n" "80" | tr ' ' "=") 39 - SECTION_LINE =$(printf "%*s\n" "80" | tr ' ' "- ") 38 + # line formatting 39 + titleLINE =$(printf "%*s\n" "80" | tr ' ' "= "); 40 + sectionLINE=$(printf "%*s\n" "40" | tr ' ' "-"); 40 41 41 - function formatCommand(){ 42 - eval $1 | sed 's|^| |' 42 + # title 43 + scriptTITLE(){ 44 + echo ${titleLINE}; 45 + echo " LINUX PRIVILEGE ESCALATION CHECKER" 46 + echo " https://github.com/linted/linuxprivchecker for more info..." 47 + echo ${titleLINE}; 43 48 } 44 49 45 - echo ${TITLE_LINE} 46 - echo "LINUX_PRIVILEGE ESCALATION CHECKER" 47 - echo ${TITLE_LINE} 50 + systemAREAtitle(){ 51 + echo ${sectionLINE}; 52 + echo -e " $systemAREA"; 53 + echo ${sectionLINE}; 54 + echo 55 + sleep .5s; 56 + } 48 57 49 - echo -e "\n[*] GETTING BASIC SYSTEM INFO...\n" 58 + cmdRESPONSE(){ 59 + # run and format cmd 60 + cmdRESULT=$(eval $1 2>/dev/null | sed 's|^| |'; echo "${PIPESTATUS[0]}"); 50 61 51 - echo "[+] Operating System" 52 - formatCommand "cat /etc/issue" 62 + # check cmd status 63 + if [ ${cmdRESULT:(-1)} -eq 0 ]; then 64 + echo "[OK] $systemNAME"; 65 + echo "${cmdRESULT%?}"; 66 + echo 67 + else 68 + echo "[FAILED] $systemNAME"; 69 + echo "${cmdRESULT%?}"; 70 + echo 71 + fi 72 + sleep .5s; 73 + } 53 74 54 - echo -e "\n[+] Kernel" 55 - formatCommand "cat /proc/version" 75 + operatingSYSTEM(){ 76 + systemAREA="OPERATING SYSTEM"; 77 + systemAREAtitle; 56 78 57 - echo -e "\n[+] Hostname/FQDN" 58 - formatCommand "hostname -f" 79 + systemNAME="Distribution"; 80 + cmdRESPONSE "cat /etc/*-release"; 59 81 60 - echo -ne "\n${SECTION_LINE}\n" 61 - echo -e "[*] GETTING NETWORKING INFO...\n" 82 + systemNAME="Kernel"; 83 + cmdRESPONSE "if [ -f /proc/version 
]; then cat /proc/version; else uname -a; fi"; 62 84 63 - echo "[+] Route" 85 + systemNAME="Hostname"; 86 + cmdRESPONSE "hostname -f"; 87 + } 64 88 65 - if [ -x "$(command -v route)" ]; then 66 - formatCommand "route -n" 67 - else 68 - formatCommand "ip route" 69 - fi 89 + netWORK(){ 90 + systemAREA="NETWORK"; 91 + systemAREAtitle; 70 92 71 - echo -e "\n[+] Interfaces" 93 + systemNAME="Network Interfaces"; 94 + cmdRESPONSE "ifconfig || ip a"; 72 95 73 - if [ -x "$(command -v ifconfig)" ]; then 74 - formatCommand "ifconfig -a" 75 - else 76 - formatCommand "ip addr show" 77 - fi 96 + systemNAME="DNS Resolver"; 97 + cmdRESPONSE "cat /etc/resolv.conf"; 78 98 79 - echo -e "\n[+] Network Connections" 99 + systemNAME="Route"; 100 + cmdRESPONSE "route -n || ip route"; 101 + } 80 102 81 - if [ -x "$(command -v netstat)" ]; then 82 - formatCommand "netstat -tupan | grep -v TIME_WAIT" 83 - else 84 - formatCommand "ss -tupan | grep -v CLOSE_WAIT" 85 - fi 103 + userENVIRONMENT(){ 104 + systemAREA="USERS & ENVIRONMENT"; 105 + systemAREAtitle; 86 106 87 - echo -ne "\n${SECTION_LINE}\n" 88 - echo -e "[*] GETTING FILESYSTEM INFO...\n" 107 + systemNAME="Current User"; 108 + cmdRESPONSE "whoami"; 89 109 90 - echo -e "\n[+] Mount Results" 91 - formatCommand "mount" 110 + systemNAME="Current User ID"; 111 + cmdRESPONSE "id"; 92 112 93 - echo -e "\n[+] fstab Entries" 94 - formatCommand "cat /etc/fstab 2>/dev/null" 113 + systemNAME="Who's Logged Right Now"; 114 + cmdRESPONSE "w"; 95 115 96 - echo -e "\n[+] Scheduled cron jobs" 97 - formatCommand "ls -al /etc/cron* 2>/dev/null" 116 + systemNAME="Who's Logged Last"; 117 + cmdRESPONSE "last"; 98 118 99 - echo -e "\n[+] Writable cron directories" 100 - formatCommand "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$' 2>/dev/null" 119 + systemNAME="All Users"; 120 + cmdRESPONSE "cat /etc/passwd"; 101 121 102 - echo -ne "\n${SECTION_LINE}\n" 103 - echo -e "[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" 104 - echo -e "\n[+] Current User" 105 - 
formatCommand "whoami" 122 + systemNAME="All Groups"; 123 + cmdRESPONSE "cat /etc/group"; 106 124 107 - echo -e "\n[+] Current User ID" 108 - formatCommand "id" 125 + systemNAME="Shadow File"; 126 + cmdRESPONSE "cat /etc/shadow"; 109 127 110 - echo -e "\n[+] All users" 111 - formatCommand "cat /etc/passwd" 128 + systemNAME="Super Users"; 129 + cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '(/$3 == 0) { print /$1 }'"; 112 130 113 - echo -e "\n[+] Super Users Found" 114 - formatCommand "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0{print \$1}'" 131 + systemNAME="Sudo Users"; 132 + cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; 115 133 116 - echo -e "\n[+] Root and current user history (depends on privs)" 117 - formatCommand "ls -al ~/.*_history; ls -la /root/.*_history 2>/dev/null" 134 + systemNAME="Sudoers (Privileged) [/etc/sudoers]"; 135 + cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; 118 136 119 - echo -e "\n[+] Environment Variables" 120 - formatCommand "env 2>/dev/null | grep -v 'LS_COLORS'" 137 + systemNAME="Sudoers Files (Privileged) [/etc/sudoers.d/*]"; 138 + cmdRESPONSE "cat /etc/sudoers.d/* | grep -v '#'"; 121 139 122 - echo -e "\n[+] Sudoers (Privileged) [/etc/sudoers]" 123 - formatCommand "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null" 140 + systemNAME="Root and Current User History (depends on privs)"; 141 + cmdRESPONSE "ls -al ~/.*_history 2>/dev/null; ls -la /root/.*_history"; 124 142 125 - echo -e "\n[+] Sudoers Files (Privileged) [/etc/sudoers.d/*]" 126 - formatCommand "cat /etc/sudoers.d/* 2>/dev/null | grep -v '#' 2>/dev/null" 143 + systemNAME="Environment Variables"; 144 + cmdRESPONSE "env | grep -v "LS_COLORS""; 127 145 128 - echo -e "\n[+] Logged in User Activity" 129 - formatCommand "w 2>/dev/null" 146 + systemNAME="Printer"; 147 + cmdRESPONSE "lpstat -a"; 148 + } 130 149 131 - echo -ne "\n${SECTION_LINE}\n" 132 - echo -e "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" 150 + filePERMISSIONS(){ 151 + 
systemAREA="FILE SYSTEMS & PERMISSIONS"; 152 + systemAREAtitle; 133 153 134 - echo -e "\n[+] World Writable Directories for User/Group 'root'" 135 - formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root" 154 + systemNAME="Mounts"; 155 + cmdRESPONSE "mount"; 136 156 137 - echo -e "\n[+] World Writable Directories for User other than 'root'" 138 - formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null" 157 + systemNAME="fstab Entries"; 158 + cmdRESPONSE "cat /etc/fstab"; 139 159 140 - echo -e "\n[+] World Writable Files" 141 - formatCommand "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';' 2>/dev/null" 160 + systemNAME="Scheduled Cron Jobs"; 161 + cmdRESPONSE "ls -al /etc/cron*"; 142 162 143 - echo -e "\n[+] SUID/GUID Files and Directories" 144 - formatCommand "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null" 163 + systemNAME="Writable Cron Directories"; 164 + cmdRESPONSE "ls -aRl /etc/cron* | awk '/$1 ~ /w.$'"; 145 165 146 - echo -e "\n[+] Checking if root's home folder is accessible" 147 - formatCommand "ls -ahlR /root 2>/dev/null" 166 + systemNAME="Root Home Folder Accessibility"; 167 + cmdRESPONSE "ls -lt /root/"; 148 168 149 - echo -e "\n[+] Logs containing keyword 'password'" 150 - formatCommand "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" 169 + systemNAME="World Writeables Directories for User/Group 'root'"; 170 + cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -o+w \) -exec ls -ld '{}' ';' | grep root"; 151 171 152 - echo -e "\n[+] Config files containing keyword 'password'" 153 - formatCommand "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" 172 + systemNAME="World Writeables Directories for 
non-root Users"; 173 + cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' | grep -v root "; 154 174 155 - echo -e "\n[+] Shadow Files (Privileged)" 156 - formatCommand "cat /etc/shadow 2>/dev/null" 175 + systemNAME="World Writeables Files"; 176 + cmdRESPONSE "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';'"; 157 177 158 - echo -ne "\n${SECTION_LINE}\n" 159 - echo -e "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" 178 + systemNAME="SUID/GUID Files and Directories"; 179 + cmdRESPONSE "ls -ahlR /root"; 160 180 161 - echo -e "[+] Installed Packages" 162 - if [ -x "$(command -v dpkg)" ]; then 163 - PKGMNGR=1 164 - formatCommand "dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'" 165 - elif [ -x "$(command -v dnf)" ]; then 166 - PKGMNGR=2 167 - formatCommand "dnf -qa | sort -u" 168 - elif [ -x "$(command -v rpm)" ]; then 169 - PKGMNGR=3 170 - formatCommand "rpm -qa | sort -u" 171 - fi 181 + systemNAME="Configuration Files Containing Keyword 'password'"; 182 + cmdRESPONSE "find /var/log -name '*.log' | xargs -l10 egrep 'pwd|password' 2>/dev/null"; 183 + } 172 184 173 - echo -e "\n[+] Current Processes" 174 - formatCommand "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'" 185 + applicationSERVICES(){ 186 + systemAREA="APPLICATIONS & SERVICES"; 187 + systemAREAtitle; 175 188 176 - echo -e "\n[+] Sudo Version" 177 - formatCommand "sudo -V | grep version 2>/dev/null" 189 + systemNAME="Installed Packages"; 190 + cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | sort -u; elif [ -x "$(command -v rpm)" ]; then rpm -qa | sort -u; fi"; 178 191 179 - echo -e "\n[+] Apache Version and Modules" 180 - formatCommand "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l 2>/dev/null" 192 + systemNAME="Current Running Services"; 193 + 
cmdRESPONSE "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'"; 181 194 182 - echo -e "\n[+] Apache Config File" 183 - formatCommand "cat /etc/apache2/apache2.conf 2>/dev/null" 195 + systemNAME="Bash version"; 196 + cmdRESPONSE "bash --version | grep version"; 184 197 185 - echo -ne "\n${SECTION_LINE}\n" 186 - echo -e "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" 198 + systemNAME="Sudo version"; 199 + cmdRESPONSE "sudo -V | grep version"; 187 200 188 - EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))" 201 + systemNAME="Apache Version and Modules"; 202 + cmdRESPONSE "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l"; 189 203 190 - if [ $PKGMNGR -eq 1 ]; then 191 - formatCommand "dpkg -l | grep -iE '${EXTDGREP}'" 192 - elif [ $PKGMNGR -eq 2 ]; then 193 - formatCommand "dnf -qa | grep -iE '${EXTDGREP}'" 194 - elif [ $PKGMNGR -eq 3 ]; then 195 - formatCommand "rpm -qa | grep -iE '${EXTDGREP}'" 196 - fi 204 + systemNAME="Apache Config File"; 205 + cmdRESPONSE "cat /etc/apache2/apache2.conf"; 197 206 198 - echo -ne "\n${SECTION_LINE}\n" 199 - echo -e "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING..." 
207 + systemNAME="Processes and Packages Running as Root or other Superuser"; 208 + EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))"; 209 + cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v rpm)" ]; then rpm -qa | grep -iE '${EXTDGREP}'; fi"; 200 210 201 - echo - e "\ n [ + ] Installed Tools"202 - formatCommand "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2 > / dev / null " 211 + systemNAME = "Installed Tools"; 212 + cmdRESPONSE "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"; 203 213 204 - echo - e "\ n [ + ] Related Shell Escape Sequences"205 - if [ -x "$(command -v vi)" ]; then 206 - formatCommand "echo -ne \"vi-->\t:!bash\n\"" 207 - formatCommand "echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"" 208 - fi 214 + systemNAME = "Related Shell Escape Sequences"; 215 + cmdRESPONSE "if [ -x "$(command -v vi)" ]; then echo -ne \"vi-->\t:!bash\n\"; echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"; fi; if [ -x "$(command -v vim)" ]; then echo -ne \"vim-->\t:!bash\n\" | sed 's|^| |'; echo -ne \"vim-->\t:set shell=/bin/bash:shell\n\" | sed 's|^| |'; fi; if [ -x "$(command -v awk)" ]; then echo -ne \"awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n\" | sed 's|^| |'; fi; if [ -x "$(command -v perl)" ]; then echo -ne \"perl-->\tperl -e 'exec \"/bin/bash\";'\n\" | sed 's|^| |'; fi; if [ -x "$(command -v python)" ]; then echo -ne \"python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n\" | sed 's|^| |'; fi; if [ -x "$(command -v find)" ]; then echo -ne \"find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n\" | sed 's|^| |'; fi; if [ -x "$(command -v nmap)" ]; then echo -ne \"nmap-->\t--interactive\n\" | sed 's|^| |'; fi"; 216 + } 209 217 210 - if [ -x "$(command -v vim)" ]; then 211 - echo -ne 
"vim-->\t:!bash\n" | sed 's|^| |' 212 - echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |' 213 - fi 218 + searchEXPLOITS(){ 219 + systemAREA="Search for Exploits"; 220 + systemAREAtitle; 214 221 215 - if [ -x "$(command -v awk)" ]; then 216 - echo -ne "awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n" | sed 's|^| |' 217 - fi 222 + echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." 223 + read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer 218 224 219 - if [ -x "$(command -v perl)" ]; then 220 - echo -ne "perl-->\tperl -e 'exec \"/bin/bash\";'\n" | sed 's|^| |' 221 - fi 225 + if [[ $connectToServer = y* ]] 226 + then 227 + read -p "[?] What is the address of the server? " server 228 + read -p "[?] What port is the server using? " port 229 + echo -ne "\n\n" 230 + echo -e "[ ] Searching on $server:$port" 231 + printf "%*s\n" "80" | tr " " "*" 232 + dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port 233 + printf "%*s\n" "80" | tr " " "*" 234 + fi 235 + } 222 236 223 - if [ -x "$(command -v python)" ]; then 224 - echo -ne "python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n" | sed 's|^| |' 225 - fi 237 + start(){ 238 + scriptTITLE; 239 + operatingSYSTEM; 240 + netWORK; 241 + userENVIRONMENT; 242 + filePERMISSIONS; 243 + applicationSERVICES; 244 + searchEXPLOITS; 245 + echo ${titleLINE}; 246 + echo " FINISHED" 247 + echo -e ${titleLINE}; 248 + echo -e $RESET; 249 + } 226 250 227 - if [ -x "$(command -v find)" ]; then 228 - echo -ne "find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n" | sed 's|^| |' 229 - fi 230 - 231 - if [ -x "$(command -v nmap)" ]; then 232 - echo -ne "nmap-->\t--interactive\n" | sed 's|^| |' 233 - fi 234 - 235 - echo -ne "\n${SECTION_LINE}\n" 236 - echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." 237 - read -p "[?] Would you like to search for possible exploits? 
[y/N] " connectToServer 238 - 239 - if [[ $connectToServer = y* ]] 240 - then 241 - read -p "[?] What is the address of the server? " server 242 - read -p "[?] What port is the server using? " port 243 - echo -ne "\n\n" 244 - echo -e "[ ] Searching on $server:$port" 245 - printf "%*s\n" "80" | tr " " "*" 246 - dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port 247 - printf "%*s\n" "80" | tr " " "*" 248 - fi 249 - 250 - echo -ne "\n\n${TITLE_LINE}" 251 - echo -ne "\nFINISHED" 252 - echo -ne "\n${TITLE_LINE}\n" 251 + start; 253 252
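Review bot: The "SUID/GUID Files and Directories" entry in filePERMISSIONS now runs `ls -ahlR /root`, so the SUID/SGID search the old code performed with `find / \( -perm -2000 -o -perm -4000 \)` is silently dropped while its label remains, and the same happened to the /etc config-file password search, whose label now sits on the /var/log command; restore `cmdRESPONSE "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \;";` under that label and re-add the `find /etc -name '*.c*'` search. In userENVIRONMENT the Super Users awk program changed from `'\$3 == 0{print \$1}'` to `'(/$3 == 0) { print /$1 }'`; inside the double-quoted argument `$3` and `$1` expand to the function's (empty) positional parameters before eval runs, so awk receives a malformed program and the check reports nothing — it should read `cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0 {print \$1}'";`, and the `awk '/$1 ~ /w.$'` in the Writable Cron Directories entry fails the same way. In cmdRESPONSE, `${cmdRESULT:(-1)}` and `${cmdRESULT%?}` assume a single-digit exit status: a status such as 127 (tool not installed) is judged by its last digit only and leaves `12` as the final line of the printed output, so capture `PIPESTATUS[0]` into its own variable instead of appending it to the command output. The `nc $server $port` line in searchEXPLOITS should quote both expansions as `nc "$server" "$port"`, since they come straight from interactive `read` input, and `$RESET` echoed at the end of start is never defined.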