1 | 1 | | #!/bin/bash |
2 | | - | |
3 | 2 | | ############################################################################################################### |
4 | 3 | | ## [Title]: linuxprivchecker.sh -- a Linux Privilege Escalation Check Script |
5 | | - | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
6 | | - | ## [Contributors]: Mike Merrill (linted) -- https://github.com/linted |
7 | | - | ## James Hogan (5aru) -- https://github.com/5aru |
| 4 | + | ## [Original Author]: Mike Czumak (T_v3rn1x) -- https://twitter.com/SecuritySift |
| 5 | + | ## Forked from linuxprivchecker.py -- https://github.com/sleventyeleven/linuxprivchecker |
| 6 | + | ## [Contributors]: |
| 7 | + | ## Mike Merrill (linted) -- https://github.com/linted |
| 8 | + | ## James Hogan (5aru) -- https://github.com/5aru |
| 9 | + | ## Ali Kaba (alibkaba) -- https://github.com/alibkaba |
8 | 10 | | ##------------------------------------------------------------------------------------------------------------- |
9 | 11 | | ## [Details]: |
10 | | - | ## Similar functions to Mike Czumak's linuxprivchecker.py Linux Privilege Escalation Check Script. |
11 | 12 | | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and |
12 | 13 | | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text |
13 | 14 | | ## passwords and applicable exploits. |
| skipped 17 lines |
31 | 32 | | ## USE OR OTHER DEALINGS IN THE SOFTWARE. |
32 | 33 | | ############################################################################################################### |
33 | 34 | | |
34 | | - | ### Useful functions |
| 35 | + | # command paths |
| 36 | + | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"; |
35 | 37 | | |
36 | | - | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" |
| 38 | + | # line formatting |
| 39 | + | LINE=$(printf "%*s\n" "80" | tr ' ' "#"); |
37 | 40 | | |
38 | | - | TITLE_LINE=$(printf "%*s\n" "80" | tr ' ' "=") |
39 | | - | SECTION_LINE=$(printf "%*s\n" "80" | tr ' ' "-") |
| 41 | + | # title |
| 42 | + | scriptTITLE(){ |
| 43 | + | echo ${LINE}; |
| 44 | + | echo " LINUX PRIVILEGE ESCALATION CHECKER" |
| 45 | + | echo " https://github.com/linted/linuxprivchecker for more info..." |
| 46 | + | echo ${LINE}; |
| 47 | + | echo |
| 48 | + | } |
40 | 49 | | |
41 | | - | function formatCommand(){ |
42 | | - | eval $1 | sed 's|^| |' |
| 50 | + | systemAREAtitle(){ |
| 51 | + | echo ${LINE}; |
| 52 | + | echo -e " $systemAREA"; |
| 53 | + | echo ${LINE}; |
| 54 | + | echo |
43 | 55 | | } |
44 | 56 | | |
45 | | - | echo ${TITLE_LINE} |
46 | | - | echo "LINUX_PRIVILEGE ESCALATION CHECKER" |
47 | | - | echo ${TITLE_LINE} |
| 57 | + | cmdRESPONSE(){ |
| 58 | + | # run and format cmd |
| 59 | + | cmdRESULT=$(eval $1 2>/dev/null | sed 's|^| |'; echo "${PIPESTATUS[0]}"); |
48 | 60 | | |
49 | | - | echo -e "\n[*] GETTING BASIC SYSTEM INFO...\n" |
| 61 | + | # check cmd status |
| 62 | + | if [ ${cmdRESULT:(-1)} -eq 0 ]; then |
| 63 | + | echo "[+] $systemNAME"; |
| 64 | + | echo "${cmdRESULT%?}"; |
| 65 | + | else |
| 66 | + | echo "[-] $systemNAME"; |
| 67 | + | echo "${cmdRESULT%?}"; |
| 68 | + | fi |
| 69 | + | } |
50 | 70 | | |
51 | | - | echo "[+] Operating System" |
52 | | - | formatCommand "cat /etc/issue" |
| 71 | + | operatingSYSTEM(){ |
| 72 | + | systemAREA="OPERATING SYSTEM"; |
| 73 | + | systemAREAtitle; |
53 | 74 | | |
54 | | - | echo -e "\n[+] Kernel" |
55 | | - | formatCommand "cat /proc/version" |
| 75 | + | systemNAME="Distribution"; |
| 76 | + | cmdRESPONSE "cat /etc/*-release"; |
56 | 77 | | |
57 | | - | echo -e "\n[+] Hostname/FQDN" |
58 | | - | formatCommand "hostname -f" |
| 78 | + | systemNAME="Kernel"; |
| 79 | + | cmdRESPONSE "if [ -f /proc/version ]; then cat /proc/version; else uname -a; fi"; |
59 | 80 | | |
60 | | - | echo -ne "\n${SECTION_LINE}\n" |
61 | | - | echo -e "[*] GETTING NETWORKING INFO...\n" |
| 81 | + | systemNAME="Hostname"; |
| 82 | + | cmdRESPONSE "hostname -f"; |
| 83 | + | } |
62 | 84 | | |
63 | | - | echo "[+] Route" |
| 85 | + | netWORK(){ |
| 86 | + | systemAREA="NETWORK"; |
| 87 | + | systemAREAtitle; |
64 | 88 | | |
65 | | - | if [ -x "$(command -v route)" ]; then |
66 | | - | formatCommand "route -n" |
67 | | - | else |
68 | | - | formatCommand "ip route" |
69 | | - | fi |
| 89 | + | systemNAME="Network Interfaces"; |
| 90 | + | cmdRESPONSE "ifconfig || ip a"; |
70 | 91 | | |
71 | | - | echo -e "\n[+] Interfaces" |
| 92 | + | systemNAME="DNS Resolver"; |
| 93 | + | cmdRESPONSE "cat /etc/resolv.conf"; |
72 | 94 | | |
73 | | - | if [ -x "$(command -v ifconfig)" ]; then |
74 | | - | formatCommand "ifconfig -a" |
75 | | - | else |
76 | | - | formatCommand "ip addr show" |
77 | | - | fi |
| 95 | + | systemNAME="Route"; |
| 96 | + | cmdRESPONSE "route -n || ip route"; |
| 97 | + | } |
78 | 98 | | |
79 | | - | echo -e "\n[+] Network Connections" |
| 99 | + | userENVIRONMENT(){ |
| 100 | + | systemAREA="USERS & ENVIRONMENT"; |
| 101 | + | systemAREAtitle; |
80 | 102 | | |
81 | | - | if [ -x "$(command -v netstat)" ]; then |
82 | | - | formatCommand "netstat -tupan | grep -v TIME_WAIT" |
83 | | - | else |
84 | | - | formatCommand "ss -tupan | grep -v CLOSE_WAIT" |
85 | | - | fi |
| 103 | + | systemNAME="Current User"; |
| 104 | + | cmdRESPONSE "whoami"; |
86 | 105 | | |
87 | | - | echo -ne "\n${SECTION_LINE}\n" |
88 | | - | echo -e "[*] GETTING FILESYSTEM INFO...\n" |
| 106 | + | systemNAME="Current User ID"; |
| 107 | + | cmdRESPONSE "id"; |
89 | 108 | | |
90 | | - | echo -e "\n[+] Mount Results" |
91 | | - | formatCommand "mount" |
| 109 | + | systemNAME="Who's Logged Right Now"; |
| 110 | + | cmdRESPONSE "w"; |
92 | 111 | | |
93 | | - | echo -e "\n[+] fstab Entries" |
94 | | - | formatCommand "cat /etc/fstab 2>/dev/null" |
| 112 | + | systemNAME="Who's Logged Last"; |
| 113 | + | cmdRESPONSE "last"; |
95 | 114 | | |
96 | | - | echo -e "\n[+] Scheduled cron jobs" |
97 | | - | formatCommand "ls -al /etc/cron* 2>/dev/null" |
| 115 | + | systemNAME="All Users"; |
| 116 | + | cmdRESPONSE "cat /etc/passwd"; |
98 | 117 | | |
99 | | - | echo -e "\n[+] Writable cron directories" |
100 | | - | formatCommand "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$' 2>/dev/null" |
| 118 | + | systemNAME="All Groups"; |
| 119 | + | cmdRESPONSE "cat /etc/group"; |
101 | 120 | | |
102 | | - | echo -ne "\n${SECTION_LINE}\n" |
103 | | - | echo -e "[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" |
104 | | - | echo -e "\n[+] Current User" |
105 | | - | formatCommand "whoami" |
| 121 | + | systemNAME="Shadow File"; |
| 122 | + | cmdRESPONSE "cat /etc/shadow"; |
106 | 123 | | |
107 | | - | echo -e "\n[+] Current User ID" |
108 | | - | formatCommand "id" |
| 124 | + | systemNAME="Super Users"; |
| 125 | + | cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '(/$3 == 0) { print /$1 }'"; |
109 | 126 | | |
110 | | - | echo -e "\n[+] All users" |
111 | | - | formatCommand "cat /etc/passwd" |
| 127 | + | systemNAME="Sudo Users"; |
| 128 | + | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
112 | 129 | | |
113 | | - | echo -e "\n[+] Super Users Found" |
114 | | - | formatCommand "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0{print \$1}'" |
115 | | - | |
116 | | - | echo -e "\n[+] Root and current user history (depends on privs)" |
117 | | - | formatCommand "ls -al ~/.*_history; ls -la /root/.*_history 2>/dev/null" |
118 | | - | |
119 | | - | echo -e "\n[+] Environment Variables" |
120 | | - | formatCommand "env 2>/dev/null | grep -v 'LS_COLORS'" |
121 | | - | |
122 | | - | echo -e "\n[+] Sudoers (Privileged) [/etc/sudoers]" |
123 | | - | formatCommand "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null" |
| 130 | + | systemNAME="Sudoers (Privileged) [/etc/sudoers]"; |
| 131 | + | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
124 | 132 | | |
125 | | - | echo -e "\n[+] Sudoers Files (Privileged) [/etc/sudoers.d/*]" |
126 | | - | formatCommand "cat /etc/sudoers.d/* 2>/dev/null | grep -v '#' 2>/dev/null" |
| 133 | + | systemNAME="Sudoers Files (Privileged) [/etc/sudoers.d/*]"; |
| 134 | + | cmdRESPONSE "cat /etc/sudoers.d/* | grep -v '#'"; |
127 | 135 | | |
128 | | - | echo -e "\n[+] User's specific NOPASSWD sudo entries" |
129 | | - | formatCommand "sudo -ln" |
130 | | - | |
131 | | - | echo -e "\n[+] Logged in User Activity" |
132 | | - | formatCommand "w 2>/dev/null" |
| 136 | + | systemNAME="User's specific NOPASSWD sudo entries"; |
| 137 | + | cmdRESPONSE "sudo -ln"; |
133 | 138 | | |
134 | | - | echo -ne "\n${SECTION_LINE}\n" |
135 | | - | echo -e "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" |
| 139 | + | systemNAME="Root and Current User History (depends on privs)"; |
| 140 | + | cmdRESPONSE "ls -al ~/.*_history 2>/dev/null; ls -la /root/.*_history"; |
136 | 141 | | |
137 | | - | echo -e "\n[+] World Writable Directories for User/Group 'root'" |
138 | | - | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root" |
| 142 | + | systemNAME="Environment Variables"; |
| 143 | + | cmdRESPONSE "env | grep -v "LS_COLORS""; |
139 | 144 | | |
140 | | - | echo -e "\n[+] World Writable Directories for User other than 'root'" |
141 | | - | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null" |
| 145 | + | systemNAME="Printer"; |
| 146 | + | cmdRESPONSE "lpstat -a"; |
| 147 | + | } |
142 | 148 | | |
143 | | - | echo -e "\n[+] World Writable Files" |
144 | | - | formatCommand "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';' 2>/dev/null" |
| 149 | + | filePERMISSIONS(){ |
| 150 | + | systemAREA="FILE SYSTEMS & PERMISSIONS"; |
| 151 | + | systemAREAtitle; |
145 | 152 | | |
146 | | - | echo -e "\n[+] SUID/GUID Files and Directories" |
147 | | - | formatCommand "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null" |
| 153 | + | systemNAME="Mounts"; |
| 154 | + | cmdRESPONSE "mount"; |
148 | 155 | | |
149 | | - | echo -e "\n[+] Checking if root's home folder is accessible" |
150 | | - | formatCommand "ls -ahlR /root 2>/dev/null" |
| 156 | + | systemNAME="fstab Entries"; |
| 157 | + | cmdRESPONSE "cat /etc/fstab"; |
151 | 158 | | |
152 | | - | echo -e "\n[+] Logs containing keyword 'password'" |
153 | | - | formatCommand "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
| 159 | + | systemNAME="Scheduled Cron Jobs"; |
| 160 | + | cmdRESPONSE "ls -al /etc/cron*"; |
154 | 161 | | |
155 | | - | echo -e "\n[+] Config files containing keyword 'password'" |
156 | | - | formatCommand "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
| 162 | + | systemNAME="Writable Cron Directories"; |
| 163 | + | cmdRESPONSE "ls -aRl /etc/cron* | awk '/$1 ~ /w.$'"; |
157 | 164 | | |
158 | | - | echo -e "\n[+] Shadow Files (Privileged)" |
159 | | - | formatCommand "cat /etc/shadow 2>/dev/null" |
| 165 | + | systemNAME="Root Home Folder Accessibility"; |
| 166 | + | cmdRESPONSE "ls -lt /root/"; |
160 | 167 | | |
161 | | - | echo -ne "\n${SECTION_LINE}\n" |
162 | | - | echo -e "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" |
| 168 | + | systemNAME="World Writeables Directories for User/Group 'root'"; |
| 169 | + | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -o+w \) -exec ls -ld '{}' ';' | grep root"; |
163 | 170 | | |
164 | | - | echo -e "[+] Installed Packages" |
165 | | - | if [ -x "$(command -v dpkg)" ]; then |
166 | | - | PKGMNGR=1 |
167 | | - | formatCommand "dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'" |
168 | | - | elif [ -x "$(command -v dnf)" ]; then |
169 | | - | PKGMNGR=2 |
170 | | - | formatCommand "dnf -qa | sort -u" |
171 | | - | elif [ -x "$(command -v rpm)" ]; then |
172 | | - | PKGMNGR=3 |
173 | | - | formatCommand "rpm -qa | sort -u" |
174 | | - | fi |
| 171 | + | systemNAME="World Writeables Directories for non-root Users"; |
| 172 | + | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' | grep -v root "; |
175 | 173 | | |
176 | | - | echo -e "\n[+] Current Processes" |
177 | | - | formatCommand "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'" |
| 174 | + | systemNAME="World Writeables Files"; |
| 175 | + | cmdRESPONSE "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';'"; |
178 | 176 | | |
179 | | - | echo -e "\n[+] Sudo Version" |
180 | | - | formatCommand "sudo -V | grep version 2>/dev/null" |
| 177 | + | systemNAME="SUID/GUID Files and Directories"; |
| 178 | + | cmdRESPONSE "ls -ahlR /root"; |
181 | 179 | | |
182 | | - | echo -e "\n[+] Apache Version and Modules" |
183 | | - | formatCommand "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l 2>/dev/null" |
| 180 | + | systemNAME="Configuration Files Containing Keyword 'password'"; |
| 181 | + | cmdRESPONSE "find /var/log -name '*.log' | xargs -l10 egrep 'pwd|password' 2>/dev/null"; |
| 182 | + | } |
184 | 183 | | |
185 | | - | echo -e "\n[+] Apache Config File" |
186 | | - | formatCommand "cat /etc/apache2/apache2.conf 2>/dev/null" |
| 184 | + | applicationSERVICES(){ |
| 185 | + | systemAREA="APPLICATIONS & SERVICES"; |
| 186 | + | systemAREAtitle; |
187 | 187 | | |
188 | | - | echo -ne "\n${SECTION_LINE}\n" |
189 | | - | echo -e "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" |
| 188 | + | systemNAME="Installed Packages"; |
| 189 | + | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | sort -u; elif [ -x "$(command -v rpm)" ]; then rpm -qa | sort -u; fi"; |
190 | 190 | | |
191 | | - | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))" |
| 191 | + | systemNAME="Current Running Services"; |
| 192 | + | cmdRESPONSE "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'"; |
192 | 193 | | |
193 | | - | if [ $PKGMNGR -eq 1 ]; then |
194 | | - | formatCommand "dpkg -l | grep -iE '${EXTDGREP}'" |
195 | | - | elif [ $PKGMNGR -eq 2 ]; then |
196 | | - | formatCommand "dnf -qa | grep -iE '${EXTDGREP}'" |
197 | | - | elif [ $PKGMNGR -eq 3 ]; then |
198 | | - | formatCommand "rpm -qa | grep -iE '${EXTDGREP}'" |
199 | | - | fi |
| 194 | + | systemNAME="Bash version"; |
| 195 | + | cmdRESPONSE "bash --version | grep version"; |
200 | 196 | | |
201 | | - | echo -ne "\n${SECTION_LINE}\n" |
202 | | - | echo -e "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING..." |
| 197 | + | systemNAME="Sudo version"; |
| 198 | + | cmdRESPONSE "sudo -V | grep version"; |
203 | 199 | | |
204 | | - | echo -e "\n[+] Installed Tools" |
205 | | - | formatCommand "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null" |
| 200 | + | systemNAME="Apache Version and Modules"; |
| 201 | + | cmdRESPONSE "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l"; |
206 | 202 | | |
207 | | - | echo -e "\n[+] Related Shell Escape Sequences" |
208 | | - | if [ -x "$(command -v vi)" ]; then |
209 | | - | formatCommand "echo -ne \"vi-->\t:!bash\n\"" |
210 | | - | formatCommand "echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"" |
211 | | - | fi |
| 203 | + | systemNAME="Apache Config File"; |
| 204 | + | cmdRESPONSE "cat /etc/apache2/apache2.conf"; |
212 | 205 | | |
213 | | - | if [ -x "$(command -v vim)" ]; then |
214 | | - | echo -ne "vim-->\t:!bash\n" | sed 's|^| |' |
215 | | - | echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |' |
216 | | - | fi |
| 206 | + | systemNAME="Processes and Packages Running as Root or other Superuser"; |
| 207 | + | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))"; |
| 208 | + | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v rpm)" ]; then rpm -qa | grep -iE '${EXTDGREP}'; fi"; |
217 | 209 | | |
218 | | - | if [ -x "$(command -v awk)" ]; then |
219 | | - | echo -ne "awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n" | sed 's|^| |' |
220 | | - | fi |
| 210 | + | systemNAME="Installed Tools"; |
| 211 | + | cmdRESPONSE "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"; |
221 | 212 | | |
222 | | - | if [ -x "$(command -v perl)" ]; then |
223 | | - | echo -ne "perl-->\tperl -e 'exec \"/bin/bash\";'\n" | sed 's|^| |' |
224 | | - | fi |
| 213 | + | systemNAME="Related Shell Escape Sequences"; |
| 214 | + | cmdRESPONSE "if [ -x "$(command -v vi)" ]; then \ |
| 215 | + | echo -ne \"vi-->\t:!bash\n\"; \ |
| 216 | + | echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"; \ |
| 217 | + | fi; \ |
| 218 | + | if [ -x "$(command -v vim)" ]; then \ |
| 219 | + | echo -ne \"vim-->\t:!bash\n\" | sed 's|^| |'; \ |
| 220 | + | echo -ne \"vim-->\t:set shell=/bin/bash:shell\n\" | sed 's|^| |'; \ |
| 221 | + | fi; \ |
| 222 | + | if [ -x "$(command -v awk)" ]; then \ |
| 223 | + | echo -ne \"awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n\" | sed 's|^| |'; \ |
| 224 | + | fi; \ |
| 225 | + | if [ -x "$(command -v perl)" ]; then \ |
| 226 | + | echo -ne \"perl-->\tperl -e 'exec \"/bin/bash\";'\n\" | sed 's|^| |'; \ |
| 227 | + | fi; \ |
| 228 | + | if [ -x "$(command -v python)" ]; then \ |
| 229 | + | echo -ne \"python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n\" | sed 's|^| |'; \ |
| 230 | + | fi; \ |
| 231 | + | if [ -x "$(command -v find)" ]; then \ |
| 232 | + | echo -ne \"find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n\" | sed 's|^| |'; \ |
| 233 | + | fi; \ |
| 234 | + | if [ -x "$(command -v nmap)" ]; then \ |
| 235 | + | echo -ne \"nmap-->\t--interactive\n\" | sed 's|^| |'; \ |
| 236 | + | fi"; |
225 | 237 | | |
226 | | - | if [ -x "$(command -v python)" ]; then |
227 | | - | echo -ne "python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n" | sed 's|^| |' |
228 | | - | fi |
| 238 | + | } |
229 | 239 | | |
230 | | - | if [ -x "$(command -v find)" ]; then |
231 | | - | echo -ne "find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n" | sed 's|^| |' |
232 | | - | fi |
| 240 | + | searchEXPLOITS(){ |
| 241 | + | systemAREA="Search for Exploits"; |
| 242 | + | systemAREAtitle; |
233 | 243 | | |
234 | | - | if [ -x "$(command -v nmap)" ]; then |
235 | | - | echo -ne "nmap-->\t--interactive\n" | sed 's|^| |' |
236 | | - | fi |
| 244 | + | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
| 245 | + | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
237 | 246 | | |
238 | | - | echo -ne "\n${SECTION_LINE}\n" |
239 | | - | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
240 | | - | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
| 247 | + | if [[ $connectToServer = y* ]] |
| 248 | + | then |
| 249 | + | read -p "[?] What is the address of the server? " server |
| 250 | + | read -p "[?] What port is the server using? " port |
| 251 | + | echo -ne "\n\n" |
| 252 | + | echo -e "[ ] Searching on $server:$port" |
| 253 | + | printf "%*s\n" "80" | tr " " "*" |
| 254 | + | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
| 255 | + | printf "%*s\n" "80" | tr " " "*" |
| 256 | + | fi |
| 257 | + | } |
241 | 258 | | |
242 | | - | if [[ $connectToServer = y* ]] |
243 | | - | then |
244 | | - | read -p "[?] What is the address of the server? " server |
245 | | - | read -p "[?] What port is the server using? " port |
246 | | - | echo -ne "\n\n" |
247 | | - | echo -e "[ ] Searching on $server:$port" |
248 | | - | printf "%*s\n" "80" | tr " " "*" |
249 | | - | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
250 | | - | printf "%*s\n" "80" | tr " " "*" |
251 | | - | fi |
| 259 | + | start(){ |
| 260 | + | scriptTITLE; |
| 261 | + | operatingSYSTEM; |
| 262 | + | netWORK; |
| 263 | + | userENVIRONMENT; |
| 264 | + | filePERMISSIONS; |
| 265 | + | applicationSERVICES; |
| 266 | + | searchEXPLOITS; |
| 267 | + | echo ${LINE}; |
| 268 | + | echo " FINISHED" |
| 269 | + | echo ${LINE}; |
| 270 | + | echo |
| 271 | + | } |
252 | 272 | | |
253 | | - | echo -ne "\n\n${TITLE_LINE}" |
254 | | - | echo -ne "\nFINISHED" |
255 | | - | echo -ne "\n${TITLE_LINE}\n" |
| 273 | + | start; |
256 | 274 | | |
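Review bot: Several checks in the new code report something other than what their label says, and because `cmdRESPONSE` discards stderr with `2>/dev/null` the failures are silent. The entry labelled "SUID/GUID Files and Directories" now runs `ls -ahlR /root` (the old `find / \( -perm -2000 -o -perm -4000 \)` search is gone), and "Configuration Files Containing Keyword 'password'" searches `/var/log` while the `/etc` search was dropped. In "Super Users" and "Writable Cron Directories" the awk fields are written `/$3` and `/$1` inside a double-quoted string, so the shell expands them to the calling function's empty positional parameters before awk runs; they need `\$3` and `\$1`, as in the `ps aux` line. `cmdRESPONSE` also tests only the last character of the captured status (`${cmdRESULT:(-1)}`), so an exit status such as 10 or 130 is printed as `[+]` and its leading digits stay in the output; keeping output and status in separate variables, as below, avoids that. Separately, `EXTDGREP` is assembled from `ps -u 0` process names and spliced into the string given to `eval`, so a name containing quotes or shell metacharacters would be interpreted as shell syntax; running that `grep -iE` directly, outside the `eval`, removes the exposure.

```shell
cmdRESPONSE(){
    # run the command once; keep its output and its full exit status apart
    local cmdOUTPUT cmdSTATUS
    cmdOUTPUT=$(eval "$1" 2>/dev/null)
    cmdSTATUS=$?

    # check cmd status
    if [ "$cmdSTATUS" -eq 0 ]; then
        echo "[+] $systemNAME";
    else
        echo "[-] $systemNAME";
    fi
    printf '%s\n' "$cmdOUTPUT" | sed 's|^| |'
    echo
}
```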