| skipped 1 lines |
2 | 2 | | |
3 | 3 | | ############################################################################################################### |
4 | 4 | | ## [Title]: linuxprivchecker.sh -- a Linux Privilege Escalation Check Script |
5 | | - | ## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
6 | | - | ## Forked from linuxprivchecker.py -- https://github.com/sleventyeleven/linuxprivchecker |
7 | | - | ## [Contributors]: |
8 | | - | ## Mike Merrill (linted) -- https://github.com/linted |
9 | | - | ## James Hogan (5aru) -- https://github.com/5aru |
10 | | - | ## Ali Kaba (alibkaba) -- https://github.com/alibkaba |
| 5 | + | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
| 6 | + | ## [Contributors]: Mike Merrill (linted) -- https://github.com/linted |
| 7 | + | ## James Hogan (5aru) -- https://github.com/5aru |
11 | 8 | | ##------------------------------------------------------------------------------------------------------------- |
12 | 9 | | ## [Details]: |
| 10 | + | ## Similar functions to Mike Czumak's linuxprivchecker.py Linux Privilege Escalation Check Script. |
13 | 11 | | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and |
14 | 12 | | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text |
15 | 13 | | ## passwords and applicable exploits. |
| skipped 17 lines |
33 | 31 | | ## USE OR OTHER DEALINGS IN THE SOFTWARE. |
34 | 32 | | ############################################################################################################### |
35 | 33 | | |
36 | | - | # command paths |
37 | | - | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" |
| 34 | + | ### Useful functions |
38 | 35 | | |
39 | | - | # fonts formatting |
40 | | - | RESET='\e[0m'; # No Color |
41 | | - | RED='\e[31m'; |
42 | | - | LRED='\e[91m'; |
43 | | - | GREEN='\e[32m'; |
44 | | - | LGREEN='\e[92m'; |
45 | | - | LYELLOW='\e[93m'; |
46 | | - | LCYAN='\e[96m'; |
47 | | - | BLINK='\e[5m'; |
48 | | - | BOLD='\e[1m'; |
| 36 | + | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" |
49 | 37 | | |
50 | | - | # line formatting |
51 | | - | titleLINE=$(printf "${LGREEN}%*s\n" "70" | tr ' ' "="); |
52 | | - | sectionLINE=$(printf "${LGREEN}%*s\n" "40" | tr ' ' "-"); |
| 38 | + | TITLE_LINE=$(printf "%*s\n" "80" | tr ' ' "=") |
| 39 | + | SECTION_LINE=$(printf "%*s\n" "80" | tr ' ' "-") |
53 | 40 | | |
54 | | - | # title |
55 | | - | scriptTITLE(){ |
56 | | - | echo ${titleLINE}; |
57 | | - | echo "LINUX PRIVILEGE ESCALATION CHECKER" |
58 | | - | echo "Go to https://github.com/linted/linuxprivchecker for more info..." |
59 | | - | echo -e ${titleLINE}${RESET}; |
| 41 | + | function formatCommand(){ |
| 42 | + | eval $1 | sed 's|^| |' |
60 | 43 | | } |
61 | 44 | | |
62 | | - | systemAREAtitle(){ |
63 | | - | echo ${sectionLINE}; |
64 | | - | echo "[*] $systemAREA..."; |
65 | | - | echo -e ${sectionLINE}${RESET}; |
66 | | - | printf "\n"; |
67 | | - | sleep .5s; |
68 | | - | } |
| 45 | + | echo ${TITLE_LINE} |
| 46 | + | echo "LINUX_PRIVILEGE ESCALATION CHECKER" |
| 47 | + | echo ${TITLE_LINE} |
69 | 48 | | |
70 | | - | cmdRESPONSE(){ |
71 | | - | # run and format cmd |
72 | | - | cmdRESULT=$(eval $1 2>/dev/null | sed 's|^| |'; echo "${PIPESTATUS[0]}"); |
| 49 | + | echo -e "\n[*] GETTING BASIC SYSTEM INFO...\n" |
73 | 50 | | |
74 | | - | # check cmd status |
75 | | - | if [ ${cmdRESULT:(-1)} -eq 0 ]; then |
76 | | - | echo -e "${LGREEN}[+] $systemNAME"; |
77 | | - | printf "${GREEN}${cmdRESULT%?}\n${RESET}"; |
78 | | - | else |
79 | | - | echo -e "${LRED}[!] $systemNAME"; |
80 | | - | printf "${LYELLOW}${cmdRESULT%?}\n${RESET}"; |
81 | | - | fi |
82 | | - | sleep .5s; |
83 | | - | } |
| 51 | + | echo "[+] Operating System" |
| 52 | + | formatCommand "cat /etc/issue" |
84 | 53 | | |
85 | | - | operatingSYSTEM(){ |
86 | | - | systemAREA="OPERATING SYSTEM"; |
87 | | - | systemAREAtitle; |
| 54 | + | echo -e "\n[+] Kernel" |
| 55 | + | formatCommand "cat /proc/version" |
88 | 56 | | |
89 | | - | systemNAME="Distribution"; |
90 | | - | cmdRESPONSE "cat /etc/*-release"; |
| 57 | + | echo -e "\n[+] Hostname/FQDN" |
| 58 | + | formatCommand "hostname -f" |
91 | 59 | | |
92 | | - | systemNAME="Kernel"; |
93 | | - | cmdRESPONSE "if [ -f /proc/version ]; then cat /proc/version; else uname -a; fi"; |
| 60 | + | echo -ne "\n${SECTION_LINE}\n" |
| 61 | + | echo -e "[*] GETTING NETWORKING INFO...\n" |
94 | 62 | | |
95 | | - | systemNAME="Hostname"; |
96 | | - | cmdRESPONSE "hostname -f"; |
97 | | - | } |
| 63 | + | echo "[+] Route" |
98 | 64 | | |
99 | | - | netWORK(){ |
100 | | - | systemAREA="NETWORK"; |
101 | | - | systemAREAtitle; |
| 65 | + | if [ -x "$(command -v route)" ]; then |
| 66 | + | formatCommand "route -n" |
| 67 | + | else |
| 68 | + | formatCommand "ip route" |
| 69 | + | fi |
102 | 70 | | |
103 | | - | systemNAME="Network Interfaces"; |
104 | | - | cmdRESPONSE "ifconfig || ip a"; |
| 71 | + | echo -e "\n[+] Interfaces" |
105 | 72 | | |
106 | | - | systemNAME="DNS Resolver"; |
107 | | - | cmdRESPONSE "cat /etc/resolv.conf"; |
| 73 | + | if [ -x "$(command -v ifconfig)" ]; then |
| 74 | + | formatCommand "ifconfig -a" |
| 75 | + | else |
| 76 | + | formatCommand "ip addr show" |
| 77 | + | fi |
108 | 78 | | |
109 | | - | systemNAME="Route"; |
110 | | - | cmdRESPONSE "route -n || ip route"; |
111 | | - | } |
| 79 | + | echo -e "\n[+] Network Connections" |
112 | 80 | | |
113 | | - | userENVIRONMENT(){ |
114 | | - | systemAREA="USERS & ENVIRONMENT"; |
115 | | - | systemAREAtitle; |
| 81 | + | if [ -x "$(command -v netstat)" ]; then |
| 82 | + | formatCommand "netstat -tupan | grep -v TIME_WAIT" |
| 83 | + | else |
| 84 | + | formatCommand "ss -tupan | grep -v CLOSE_WAIT" |
| 85 | + | fi |
116 | 86 | | |
117 | | - | systemNAME="Current User"; |
118 | | - | cmdRESPONSE "whoami"; |
| 87 | + | echo -ne "\n${SECTION_LINE}\n" |
| 88 | + | echo -e "[*] GETTING FILESYSTEM INFO...\n" |
119 | 89 | | |
120 | | - | systemNAME="Current User ID"; |
121 | | - | cmdRESPONSE "id"; |
| 90 | + | echo -e "\n[+] Mount Results" |
| 91 | + | formatCommand "mount" |
122 | 92 | | |
123 | | - | systemNAME="Who's Logged Right Now"; |
124 | | - | cmdRESPONSE "w"; |
| 93 | + | echo -e "\n[+] fstab Entries" |
| 94 | + | formatCommand "cat /etc/fstab 2>/dev/null" |
125 | 95 | | |
126 | | - | systemNAME="Who's Logged Last"; |
127 | | - | cmdRESPONSE "last"; |
| 96 | + | echo -e "\n[+] Scheduled cron jobs" |
| 97 | + | formatCommand "ls -al /etc/cron* 2>/dev/null" |
128 | 98 | | |
129 | | - | systemNAME="All Users"; |
130 | | - | cmdRESPONSE "cat /etc/passwd"; |
| 99 | + | echo -e "\n[+] Writable cron directories" |
| 100 | + | formatCommand "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$' 2>/dev/null" |
131 | 101 | | |
132 | | - | systemNAME="All Groups"; |
133 | | - | cmdRESPONSE "cat /etc/group"; |
| 102 | + | echo -ne "\n${SECTION_LINE}\n" |
| 103 | + | echo -e "[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" |
| 104 | + | echo -e "\n[+] Current User" |
| 105 | + | formatCommand "whoami" |
134 | 106 | | |
135 | | - | systemNAME="Shadow File"; |
136 | | - | cmdRESPONSE "cat /etc/shadow"; |
| 107 | + | echo -e "\n[+] Current User ID" |
| 108 | + | formatCommand "id" |
137 | 109 | | |
138 | | - | systemNAME="Super Users"; |
139 | | - | cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '(/$3 == 0) { print /$1 }'"; |
| 110 | + | echo -e "\n[+] All users" |
| 111 | + | formatCommand "cat /etc/passwd" |
140 | 112 | | |
141 | | - | systemNAME="Sudo Users"; |
142 | | - | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
| 113 | + | echo -e "\n[+] Super Users Found" |
| 114 | + | formatCommand "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0{print \$1}'" |
143 | 115 | | |
144 | | - | systemNAME="Sudoers (Privileged) [/etc/sudoers]"; |
145 | | - | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
| 116 | + | echo -e "\n[+] Root and current user history (depends on privs)" |
| 117 | + | formatCommand "ls -al ~/.*_history; ls -la /root/.*_history 2>/dev/null" |
146 | 118 | | |
147 | | - | systemNAME="Sudoers Files (Privileged) [/etc/sudoers.d/*]"; |
148 | | - | cmdRESPONSE "cat /etc/sudoers.d/* | grep -v '#'"; |
| 119 | + | echo -e "\n[+] Environment Variables" |
| 120 | + | formatCommand "env 2>/dev/null | grep -v 'LS_COLORS'" |
149 | 121 | | |
150 | | - | systemNAME="Root and Current User History (depends on privs)"; |
151 | | - | cmdRESPONSE "ls -al ~/.*_history 2>/dev/null; ls -la /root/.*_history"; |
| 122 | + | echo -e "\n[+] Sudoers (Privileged) [/etc/sudoers]" |
| 123 | + | formatCommand "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null" |
152 | 124 | | |
153 | | - | systemNAME="Environment Variables"; |
154 | | - | cmdRESPONSE "env | grep -v "LS_COLORS""; |
| 125 | + | echo -e "\n[+] Sudoers Files (Privileged) [/etc/sudoers.d/*]" |
| 126 | + | formatCommand "cat /etc/sudoers.d/* 2>/dev/null | grep -v '#' 2>/dev/null" |
155 | 127 | | |
156 | | - | systemNAME="Printer"; |
157 | | - | cmdRESPONSE "lpstat -a"; |
158 | | - | } |
| 128 | + | echo -e "\n[+] Logged in User Activity" |
| 129 | + | formatCommand "w 2>/dev/null" |
159 | 130 | | |
160 | | - | filePERMISSIONS(){ |
161 | | - | systemAREA="FILE SYSTEMS & PERMISSIONS"; |
162 | | - | systemAREAtitle; |
| 131 | + | echo -ne "\n${SECTION_LINE}\n" |
| 132 | + | echo -e "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" |
163 | 133 | | |
164 | | - | systemNAME="Mounts"; |
165 | | - | cmdRESPONSE "mount"; |
| 134 | + | echo -e "\n[+] World Writable Directories for User/Group 'root'" |
| 135 | + | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root" |
166 | 136 | | |
167 | | - | systemNAME="fstab Entries"; |
168 | | - | cmdRESPONSE "cat /etc/fstab"; |
| 137 | + | echo -e "\n[+] World Writable Directories for User other than 'root'" |
| 138 | + | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null" |
169 | 139 | | |
170 | | - | systemNAME="Scheduled Cron Jobs"; |
171 | | - | cmdRESPONSE "ls -al /etc/cron*"; |
| 140 | + | echo -e "\n[+] World Writable Files" |
| 141 | + | formatCommand "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';' 2>/dev/null" |
172 | 142 | | |
173 | | - | systemNAME="Writable Cron Directories"; |
174 | | - | cmdRESPONSE "ls -aRl /etc/cron* | awk '/$1 ~ /w.$'"; |
| 143 | + | echo -e "\n[+] SUID/GUID Files and Directories" |
| 144 | + | formatCommand "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null" |
175 | 145 | | |
176 | | - | systemNAME="Root Home Folder Accessibility"; |
177 | | - | cmdRESPONSE "ls -lt /root/"; |
| 146 | + | echo -e "\n[+] Checking if root's home folder is accessible" |
| 147 | + | formatCommand "ls -ahlR /root 2>/dev/null" |
178 | 148 | | |
179 | | - | systemNAME="World Writeables Directories for User/Group 'root'"; |
180 | | - | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -o+w \) -exec ls -ld '{}' ';' | grep root"; |
| 149 | + | echo -e "\n[+] Logs containing keyword 'password'" |
| 150 | + | formatCommand "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
181 | 151 | | |
182 | | - | systemNAME="World Writeables Directories for non-root Users"; |
183 | | - | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' | grep -v root "; |
| 152 | + | echo -e "\n[+] Config files containing keyword 'password'" |
| 153 | + | formatCommand "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
184 | 154 | | |
185 | | - | systemNAME="World Writeables Files"; |
186 | | - | cmdRESPONSE "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';'"; |
| 155 | + | echo -e "\n[+] Shadow Files (Privileged)" |
| 156 | + | formatCommand "cat /etc/shadow 2>/dev/null" |
187 | 157 | | |
188 | | - | systemNAME="SUID/GUID Files and Directories"; |
189 | | - | cmdRESPONSE "ls -ahlR /root"; |
| 158 | + | echo -ne "\n${SECTION_LINE}\n" |
| 159 | + | echo -e "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" |
190 | 160 | | |
191 | | - | systemNAME="Configuration Files Containing Keyword 'password'"; |
192 | | - | cmdRESPONSE "find /var/log -name '*.log' | xargs -l10 egrep 'pwd|password' 2>/dev/null"; |
193 | | - | } |
| 161 | + | echo -e "[+] Installed Packages" |
| 162 | + | if [ -x "$(command -v dpkg)" ]; then |
| 163 | + | PKGMNGR=1 |
| 164 | + | formatCommand "dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'" |
| 165 | + | elif [ -x "$(command -v dnf)" ]; then |
| 166 | + | PKGMNGR=2 |
| 167 | + | formatCommand "dnf -qa | sort -u" |
| 168 | + | elif [ -x "$(command -v rpm)" ]; then |
| 169 | + | PKGMNGR=3 |
| 170 | + | formatCommand "rpm -qa | sort -u" |
| 171 | + | fi |
194 | 172 | | |
195 | | - | applicationSERVICES(){ |
196 | | - | systemAREA="APPLICATIONS & SERVICES"; |
197 | | - | systemAREAtitle; |
| 173 | + | echo -e "\n[+] Current Processes" |
| 174 | + | formatCommand "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'" |
198 | 175 | | |
199 | | - | systemNAME="Installed Packages"; |
200 | | - | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | sort -u; elif [ -x "$(command -v rpm)" ]; then rpm -qa | sort -u; fi"; |
| 176 | + | echo -e "\n[+] Sudo Version" |
| 177 | + | formatCommand "sudo -V | grep version 2>/dev/null" |
201 | 178 | | |
202 | | - | systemNAME="Current Running Services"; |
203 | | - | cmdRESPONSE "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'"; |
| 179 | + | echo -e "\n[+] Apache Version and Modules" |
| 180 | + | formatCommand "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l 2>/dev/null" |
204 | 181 | | |
205 | | - | systemNAME="Sudo version"; |
206 | | - | cmdRESPONSE "sudo -V | grep version"; |
| 182 | + | echo -e "\n[+] Apache Config File" |
| 183 | + | formatCommand "cat /etc/apache2/apache2.conf 2>/dev/null" |
207 | 184 | | |
208 | | - | systemNAME="Apache Version and Modules"; |
209 | | - | cmdRESPONSE "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l"; |
| 185 | + | echo -ne "\n${SECTION_LINE}\n" |
| 186 | + | echo -e "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" |
210 | 187 | | |
211 | | - | systemNAME="Apache Config File"; |
212 | | - | cmdRESPONSE "cat /etc/apache2/apache2.conf"; |
| 188 | + | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))" |
213 | 189 | | |
214 | | - | systemNAME="Processes and Packages Running as Root or other Superuser"; |
215 | | - | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))"; |
216 | | - | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v rpm)" ]; then rpm -qa | grep -iE '${EXTDGREP}'; fi"; |
| 190 | + | if [ $PKGMNGR -eq 1 ]; then |
| 191 | + | formatCommand "dpkg -l | grep -iE '${EXTDGREP}'" |
| 192 | + | elif [ $PKGMNGR -eq 2 ]; then |
| 193 | + | formatCommand "dnf -qa | grep -iE '${EXTDGREP}'" |
| 194 | + | elif [ $PKGMNGR -eq 3 ]; then |
| 195 | + | formatCommand "rpm -qa | grep -iE '${EXTDGREP}'" |
| 196 | + | fi |
217 | 197 | | |
218 | | - | systemNAME="Installed Tools"; |
219 | | - | cmdRESPONSE "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"; |
| 198 | + | echo -ne "\n${SECTION_LINE}\n" |
| 199 | + | echo -e "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING..." |
220 | 200 | | |
221 | | - | systemNAME="Related Shell Escape Sequences"; |
222 | | - | cmdRESPONSE "if [ -x "$(command -v vi)" ]; then echo -ne \"vi-->\t:!bash\n\"; echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"; fi"; |
223 | | - | cmdRESPONSE "if [ -x "$(command -v vim)" ]; then echo -ne \"vim-->\t:!bash\n\" | sed 's|^| |'; echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |'; fi"; |
224 | | - | cmdRESPONSE "if [ -x "$(command -v awk)" ]; then echo -ne \"awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n\" | sed 's|^| |'; fi"; |
225 | | - | cmdRESPONSE "if [ -x "$(command -v perl)" ]; then echo -ne \"perl-->\tperl -e 'exec \"/bin/bash\";'\n\" | sed 's|^| |'; fi"; |
226 | | - | cmdRESPONSE "if [ -x "$(command -v python)" ]; then echo -ne \"python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n\" | sed 's|^| |'; fi"; |
227 | | - | cmdRESPONSE "if [ -x "$(command -v find)" ]; then echo -ne \"find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n\" | sed 's|^| |'; fi"; |
228 | | - | cmdRESPONSE "if [ -x "$(command -v nmap)" ]; then echo -ne \"nmap-->\t--interactive\n\" | sed 's|^| |'; fi"; |
229 | | - | } |
| 201 | + | echo -e "\n[+] Installed Tools" |
| 202 | + | formatCommand "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null" |
230 | 203 | | |
231 | | - | searchEXPLOITS(){ |
232 | | - | systemAREA="Search for Exploits"; |
233 | | - | systemAREAtitle; |
| 204 | + | echo -e "\n[+] Related Shell Escape Sequences" |
| 205 | + | if [ -x "$(command -v vi)" ]; then |
| 206 | + | formatCommand "echo -ne \"vi-->\t:!bash\n\"" |
| 207 | + | formatCommand "echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"" |
| 208 | + | fi |
234 | 209 | | |
235 | | - | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
236 | | - | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
| 210 | + | if [ -x "$(command -v vim)" ]; then |
| 211 | + | echo -ne "vim-->\t:!bash\n" | sed 's|^| |' |
| 212 | + | echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |' |
| 213 | + | fi |
| 214 | + | |
| 215 | + | if [ -x "$(command -v awk)" ]; then |
| 216 | + | echo -ne "awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n" | sed 's|^| |' |
| 217 | + | fi |
| 218 | + | |
| 219 | + | if [ -x "$(command -v perl)" ]; then |
| 220 | + | echo -ne "perl-->\tperl -e 'exec \"/bin/bash\";'\n" | sed 's|^| |' |
| 221 | + | fi |
| 222 | + | |
| 223 | + | if [ -x "$(command -v python)" ]; then |
| 224 | + | echo -ne "python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n" | sed 's|^| |' |
| 225 | + | fi |
| 226 | + | |
| 227 | + | if [ -x "$(command -v find)" ]; then |
| 228 | + | echo -ne "find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n" | sed 's|^| |' |
| 229 | + | fi |
| 230 | + | |
| 231 | + | if [ -x "$(command -v nmap)" ]; then |
| 232 | + | echo -ne "nmap-->\t--interactive\n" | sed 's|^| |' |
| 233 | + | fi |
237 | 234 | | |
238 | | - | if [[ $connectToServer = y* ]] |
239 | | - | then |
240 | | - | read -p "[?] What is the address of the server? " server |
241 | | - | read -p "[?] What port is the server using? " port |
242 | | - | echo -ne "\n\n" |
243 | | - | echo -e "[ ] Searching on $server:$port" |
244 | | - | printf "%*s\n" "80" | tr " " "*" |
245 | | - | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
246 | | - | printf "%*s\n" "80" | tr " " "*" |
247 | | - | fi |
248 | | - | } |
| 235 | + | echo -ne "\n${SECTION_LINE}\n" |
| 236 | + | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
| 237 | + | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
249 | 238 | | |
250 | | - | start(){ |
251 | | - | scriptTITLE; |
252 | | - | operatingSYSTEM; |
253 | | - | netWORK; |
254 | | - | userENVIRONMENT; |
255 | | - | filePERMISSIONS; |
256 | | - | applicationSERVICES; |
257 | | - | searchEXPLOITS; |
258 | | - | echo ${titleLINE}; |
259 | | - | echo "FINISHED" |
260 | | - | echo -e ${titleLINE}${RESET}; |
261 | | - | echo -e $RESET; |
262 | | - | } |
| 239 | + | if [[ $connectToServer = y* ]] |
| 240 | + | then |
| 241 | + | read -p "[?] What is the address of the server? " server |
| 242 | + | read -p "[?] What port is the server using? " port |
| 243 | + | echo -ne "\n\n" |
| 244 | + | echo -e "[ ] Searching on $server:$port" |
| 245 | + | printf "%*s\n" "80" | tr " " "*" |
| 246 | + | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
| 247 | + | printf "%*s\n" "80" | tr " " "*" |
| 248 | + | fi |
263 | 249 | | |
264 | | - | start; |
| 250 | + | echo -ne "\n\n${TITLE_LINE}" |
| 251 | + | echo -ne "\nFINISHED" |
| 252 | + | echo -ne "\n${TITLE_LINE}\n" |
265 | 253 | | |
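Review bot: `PKGMNGR` is read unquoted at `if [ $PKGMNGR -eq 1 ]; then` (new lines 190–195) but is only assigned inside the dpkg/dnf/rpm chain on new lines 162–171, so on a host with none of those tools the test collapses to `[ -eq 1 ]` and `[` emits a unary-operator error instead of quietly skipping the section; initialise it before the chain with `PKGMNGR=0` and quote every read, `if [ "$PKGMNGR" -eq 1 ]; then`. The awk program on new line 100, `awk '$1 ~ /w.$'`, sits inside the outer double quotes, so the shell substitutes the script's own positional `$1` (normally empty) before awk ever runs and the regex literal is never closed; escaping it as line 114 already does and terminating the regex, `awk '\$1 ~ /w.$/'`, is presumably what was intended. Related, `eval $1` in formatCommand (new line 42) word-splits and glob-expands the command string before evaluation; `eval "$1"` passes it through intact. The exploit-search block on new line 246 still runs `dpkg -l` regardless of which package manager the new `PKGMNGR` logic detected, and feeds unquoted user input to `nc $server $port`; at minimum quote them as `nc "$server" "$port"`.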