linux提权辅助工具:LinEnum.sh
Posted zlgxzswjy
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux提权辅助工具:LinEnum.sh相关的知识,希望对你有一定的参考价值。
来自:https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
#!/bin/bash #A script to enumerate local information from a Linux host version="version 0.94" #@rebootuser #help function usage () { echo -e " e[00;31m#########################################################e[00m" echo -e "e[00;31m#e[00m" "e[00;33mLocal Linux Enumeration & Privilege Escalation Scripte[00m" "e[00;31m#e[00m" echo -e "e[00;31m#########################################################e[00m" echo -e "e[00;33m# www.rebootuser.com | @rebootuser e[00m" echo -e "e[00;33m# $versione[00m " echo -e "e[00;33m# Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t e[00m " echo "OPTIONS:" echo "-k Enter keyword" echo "-e Enter export location" echo "-s Supply user password for sudo checks (INSECURE)" echo "-t Include thorough (lengthy) tests" echo "-r Enter report name" echo "-h Displays this help text" echo -e " " echo "Running with no options = limited scans/no output file" echo -e "e[00;31m#########################################################e[00m" } header() { echo -e " e[00;31m#########################################################e[00m" echo -e "e[00;31m#e[00m" "e[00;33mLocal Linux Enumeration & Privilege Escalation Scripte[00m" "e[00;31m#e[00m" echo -e "e[00;31m#########################################################e[00m" echo -e "e[00;33m# www.rebootuser.come[00m" echo -e "e[00;33m# $versione[00m " } debug_info() { echo "[-] Debug Info" if [ "$keyword" ]; then echo "[+] Searching for the keyword $keyword in conf, php, ini and log files" fi if [ "$report" ]; then echo "[+] Report name = $report" fi if [ "$export" ]; then echo "[+] Export location = $export" fi if [ "$thorough" ]; then echo "[+] Thorough tests = Enabled" else echo -e "e[00;33m[+] Thorough tests = Disabled (SUID/GUID checks will not be perfomed!)e[00m" fi sleep 2 if [ "$export" ]; then mkdir $export 2>/dev/null format=$export/LinEnum-export-`date +"%d-%m-%y"` mkdir $format 2>/dev/null fi if [ "$sudopass" ]; then echo -e "e[00;35m[+] Please enter password - INSECURE - really only for CTF use!e[00m" read -s userpassword echo fi who=`whoami` 2>/dev/null echo -e " " echo -e "e[00;33mScan started at:"; date echo -e "e[00m " } # useful binaries (thanks to https://gtfobins.github.io/) binarylist=‘nmap|perl|awk|find|bash|sh|man|more|less|vi|emacs|vim|nc|netcat|python|ruby|lua|irb|tar|zip|gdb|pico|scp|git|rvim|script|ash|csh|curl|dash|ed|env|expect|ftp|sftp|node|php|rpm|rpmquery|socat|strace|taskset|tclsh|telnet|tftp|wget|wish|zsh|ssh‘ system_info() { echo -e "e[00;33m### SYSTEM ##############################################e[00m" #basic kernel info unameinfo=`uname -a 2>/dev/null` if [ "$unameinfo" ]; then echo -e "e[00;31m[-] Kernel information:e[00m $unameinfo" echo -e " " fi procver=`cat /proc/version 2>/dev/null` if [ "$procver" ]; then echo -e "e[00;31m[-] Kernel information (continued):e[00m $procver" echo -e " " fi #search all *-release files for version info release=`cat /etc/*-release 2>/dev/null` if [ "$release" ]; then echo -e "e[00;31m[-] Specific release information:e[00m $release" echo -e " " fi #target hostname info hostnamed=`hostname 2>/dev/null` if [ "$hostnamed" ]; then echo -e "e[00;31m[-] Hostname:e[00m $hostnamed" echo -e " " fi } user_info() { echo -e "e[00;33m### USER/GROUP ##########################################e[00m" #current user details currusr=`id 2>/dev/null` if [ "$currusr" ]; then echo -e "e[00;31m[-] Current user/group info:e[00m $currusr" echo -e " " fi #last logged on user information lastlogedonusrs=`lastlog 2>/dev/null |grep -v "Never" 2>/dev/null` if [ "$lastlogedonusrs" ]; then echo -e "e[00;31m[-] Users that have previously logged onto the system:e[00m $lastlogedonusrs" echo -e " " fi #who else is logged on loggedonusrs=`w 2>/dev/null` if [ "$loggedonusrs" ]; then echo -e "e[00;31m[-] Who else is logged on:e[00m $loggedonusrs" echo -e " " fi #lists all id‘s and respective group(s) grpinfo=`for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null` if [ "$grpinfo" ]; then echo -e "e[00;31m[-] Group memberships:e[00m $grpinfo" echo -e " " fi #added by phackt - look for adm group (thanks patrick) adm_users=$(echo -e "$grpinfo" | grep "(adm)") if [[ ! -z $adm_users ]]; then echo -e "e[00;31m[-] It looks like we have some admin users:e[00m $adm_users" echo -e " " fi #checks to see if any hashes are stored in /etc/passwd (depreciated *nix storage method) hashesinpasswd=`grep -v ‘^[^:]*:[x]‘ /etc/passwd 2>/dev/null` if [ "$hashesinpasswd" ]; then echo -e "e[00;33m[+] It looks like we have password hashes in /etc/passwd!e[00m $hashesinpasswd" echo -e " " fi #contents of /etc/passwd readpasswd=`cat /etc/passwd 2>/dev/null` if [ "$readpasswd" ]; then echo -e "e[00;31m[-] Contents of /etc/passwd:e[00m $readpasswd" echo -e " " fi if [ "$export" ] && [ "$readpasswd" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/passwd $format/etc-export/passwd 2>/dev/null fi #checks to see if the shadow file can be read readshadow=`cat /etc/shadow 2>/dev/null` if [ "$readshadow" ]; then echo -e "e[00;33m[+] We can read the shadow file!e[00m $readshadow" echo -e " " fi if [ "$export" ] && [ "$readshadow" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/shadow $format/etc-export/shadow 2>/dev/null fi #checks to see if /etc/master.passwd can be read - BSD ‘shadow‘ variant readmasterpasswd=`cat /etc/master.passwd 2>/dev/null` if [ "$readmasterpasswd" ]; then echo -e "e[00;33m[+] We can read the master.passwd file!e[00m $readmasterpasswd" echo -e " " fi if [ "$export" ] && [ "$readmasterpasswd" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/master.passwd $format/etc-export/master.passwd 2>/dev/null fi #all root accounts (uid 0) superman=`grep -v -E "^#" /etc/passwd 2>/dev/null| awk -F: ‘$3 == 0 { print $1}‘ 2>/dev/null` if [ "$superman" ]; then echo -e "e[00;31m[-] Super user account(s):e[00m $superman" echo -e " " fi #pull out vital sudoers info sudoers=`grep -v -e ‘^$‘ /etc/sudoers 2>/dev/null |grep -v "#" 2>/dev/null` if [ "$sudoers" ]; then echo -e "e[00;31m[-] Sudoers configuration (condensed):e[00m$sudoers" echo -e " " fi if [ "$export" ] && [ "$sudoers" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/sudoers $format/etc-export/sudoers 2>/dev/null fi #can we sudo without supplying a password sudoperms=`echo ‘‘ | sudo -S -l -k 2>/dev/null` if [ "$sudoperms" ]; then echo -e "e[00;33m[+] We can sudo without supplying a password!e[00m $sudoperms" echo -e " " fi #check sudo perms - authenticated if [ "$sudopass" ]; then if [ "$sudoperms" ]; then : else sudoauth=`echo $userpassword | sudo -S -l -k 2>/dev/null` if [ "$sudoauth" ]; then echo -e "e[00;33m[+] We can sudo when supplying a password!e[00m $sudoauth" echo -e " " fi fi fi ##known ‘good‘ breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated if [ "$sudopass" ]; then if [ "$sudoperms" ]; then : else sudopermscheck=`echo $userpassword | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null|sed ‘s/,*$//g‘ 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopermscheck" ]; then echo -e "e[00;33m[-] Possible sudo pwnage!e[00m $sudopermscheck" echo -e " " fi fi fi #known ‘good‘ breakout binaries (cleaned to parse /etc/sudoers for comma separated values) sudopwnage=`echo ‘‘ | sudo -S -l -k 2>/dev/null | xargs -n 1 2>/dev/null | sed ‘s/,*$//g‘ 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$sudopwnage" ]; then echo -e "e[00;33m[+] Possible sudo pwnage!e[00m $sudopwnage" echo -e " " fi #who has sudoed in the past whohasbeensudo=`find /home -name .sudo_as_admin_successful 2>/dev/null` if [ "$whohasbeensudo" ]; then echo -e "e[00;31m[-] Accounts that have recently used sudo:e[00m $whohasbeensudo" echo -e " " fi #checks to see if roots home directory is accessible rthmdir=`ls -ahl /root/ 2>/dev/null` if [ "$rthmdir" ]; then echo -e "e[00;33m[+] We can read root‘s home directory!e[00m $rthmdir" echo -e " " fi #displays /home directory permissions - check if any are lax homedirperms=`ls -ahl /home/ 2>/dev/null` if [ "$homedirperms" ]; then echo -e "e[00;31m[-] Are permissions on /home directories lax:e[00m $homedirperms" echo -e " " fi #looks for files we can write to that don‘t belong to us if [ "$thorough" = "1" ]; then grfilesall=`find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} ; 2>/dev/null` if [ "$grfilesall" ]; then echo -e "e[00;31m[-] Files not owned by user but writable by group:e[00m $grfilesall" echo -e " " fi fi #looks for files that belong to us if [ "$thorough" = "1" ]; then ourfilesall=`find / -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} ; 2>/dev/null` if [ "$ourfilesall" ]; then echo -e "e[00;31m[-] Files owned by our user:e[00m $ourfilesall" echo -e " " fi fi #looks for hidden files if [ "$thorough" = "1" ]; then hiddenfiles=`find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} ; 2>/dev/null` if [ "$hiddenfiles" ]; then echo -e "e[00;31m[-] Hidden files:e[00m $hiddenfiles" echo -e " " fi fi #looks for world-reabable files within /home - depending on number of /home dirs & files, this can take some time so is only ‘activated‘ with thorough scanning switch if [ "$thorough" = "1" ]; then wrfileshm=`find /home/ -perm -4 -type f -exec ls -al {} ; 2>/dev/null` if [ "$wrfileshm" ]; then echo -e "e[00;31m[-] World-readable files within /home:e[00m $wrfileshm" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$wrfileshm" ]; then mkdir $format/wr-files/ 2>/dev/null for i in $wrfileshm; do cp --parents $i $format/wr-files/ ; done 2>/dev/null fi fi #lists current user‘s home directory contents if [ "$thorough" = "1" ]; then homedircontents=`ls -ahl ~ 2>/dev/null` if [ "$homedircontents" ] ; then echo -e "e[00;31m[-] Home directory contents:e[00m $homedircontents" echo -e " " fi fi #checks for if various ssh files are accessible - this can take some time so is only ‘activated‘ with thorough scanning switch if [ "$thorough" = "1" ]; then sshfiles=`find / ( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" ) -exec ls -la {} 2>/dev/null ;` if [ "$sshfiles" ]; then echo -e "e[00;31m[-] SSH keys/host information found in the following locations:e[00m $sshfiles" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$sshfiles" ]; then mkdir $format/ssh-files/ 2>/dev/null for i in $sshfiles; do cp --parents $i $format/ssh-files/; done 2>/dev/null fi fi #is root permitted to login via ssh sshrootlogin=`grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | awk ‘{print $2}‘` if [ "$sshrootlogin" = "yes" ]; then echo -e "e[00;31m[-] Root is allowed to login via SSH:e[00m" ; grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#" echo -e " " fi } environmental_info() { echo -e "e[00;33m### ENVIRONMENTAL #######################################e[00m" #env information envinfo=`env 2>/dev/null | grep -v ‘LS_COLORS‘ 2>/dev/null` if [ "$envinfo" ]; then echo -e "e[00;31m[-] Environment information:e[00m $envinfo" echo -e " " fi #check if selinux is enabled sestatus=`sestatus 2>/dev/null` if [ "$sestatus" ]; then echo -e "e[00;31m[-] SELinux seems to be present:e[00m $sestatus" echo -e " " fi #phackt #current path configuration pathinfo=`echo $PATH 2>/dev/null` if [ "$pathinfo" ]; then echo -e "e[00;31m[-] Path information:e[00m $pathinfo" echo -e " " fi #lists available shells shellinfo=`cat /etc/shells 2>/dev/null` if [ "$shellinfo" ]; then echo -e "e[00;31m[-] Available shells:e[00m $shellinfo" echo -e " " fi #current umask value with both octal and symbolic output umaskvalue=`umask -S 2>/dev/null & umask 2>/dev/null` if [ "$umaskvalue" ]; then echo -e "e[00;31m[-] Current umask value:e[00m $umaskvalue" echo -e " " fi #umask value as in /etc/login.defs umaskdef=`grep -i "^UMASK" /etc/login.defs 2>/dev/null` if [ "$umaskdef" ]; then echo -e "e[00;31m[-] umask value as specified in /etc/login.defs:e[00m $umaskdef" echo -e " " fi #password policy information as stored in /etc/login.defs logindefs=`grep "^PASS_MAX_DAYS|^PASS_MIN_DAYS|^PASS_WARN_AGE|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null` if [ "$logindefs" ]; then echo -e "e[00;31m[-] Password and storage information:e[00m $logindefs" echo -e " " fi if [ "$export" ] && [ "$logindefs" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/login.defs $format/etc-export/login.defs 2>/dev/null fi } job_info() { echo -e "e[00;33m### JOBS/TASKS ##########################################e[00m" #are there any cron jobs configured cronjobs=`ls -la /etc/cron* 2>/dev/null` if [ "$cronjobs" ]; then echo -e "e[00;31m[-] Cron jobs:e[00m $cronjobs" echo -e " " fi #can we manipulate these jobs in any way cronjobwwperms=`find /etc/cron* -perm -0002 -type f -exec ls -la {} ; -exec cat {} 2>/dev/null ;` if [ "$cronjobwwperms" ]; then echo -e "e[00;33m[+] World-writable cron jobs and file contents:e[00m $cronjobwwperms" echo -e " " fi #contab contents crontabvalue=`cat /etc/crontab 2>/dev/null` if [ "$crontabvalue" ]; then echo -e "e[00;31m[-] Crontab contents:e[00m $crontabvalue" echo -e " " fi crontabvar=`ls -la /var/spool/cron/crontabs 2>/dev/null` if [ "$crontabvar" ]; then echo -e "e[00;31m[-] Anything interesting in /var/spool/cron/crontabs:e[00m $crontabvar" echo -e " " fi anacronjobs=`ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null` if [ "$anacronjobs" ]; then echo -e "e[00;31m[-] Anacron jobs and associated file permissions:e[00m $anacronjobs" echo -e " " fi anacrontab=`ls -la /var/spool/anacron 2>/dev/null` if [ "$anacrontab" ]; then echo -e "e[00;31m[-] When were jobs last executed (/var/spool/anacron contents):e[00m $anacrontab" echo -e " " fi #pull out account names from /etc/passwd and see if any users have associated cronjobs (priv command) cronother=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` if [ "$cronother" ]; then echo -e "e[00;31m[-] Jobs held by all users:e[00m $cronother" echo -e " " fi # list systemd timers if [ "$thorough" = "1" ]; then # include inactive timers in thorough mode systemdtimers="$(systemctl list-timers --all 2>/dev/null)" info="" else systemdtimers="$(systemctl list-timers 2>/dev/null |head -n -1 2>/dev/null)" # replace the info in the output with a hint towards thorough mode info="e[2mEnable thorough tests to see inactive timerse[00m" fi if [ "$systemdtimers" ]; then echo -e "e[00;31m[-] Systemd timers:e[00m $systemdtimers $info" echo -e " " fi } networking_info() { echo -e "e[00;33m### NETWORKING ##########################################e[00m" #nic information nicinfo=`/sbin/ifconfig -a 2>/dev/null` if [ "$nicinfo" ]; then echo -e "e[00;31m[-] Network and IP info:e[00m $nicinfo" echo -e " " fi #nic information (using ip) nicinfoip=`/sbin/ip a 2>/dev/null` if [ ! "$nicinfo" ] && [ "$nicinfoip" ]; then echo -e "e[00;31m[-] Network and IP info:e[00m $nicinfoip" echo -e " " fi arpinfo=`arp -a 2>/dev/null` if [ "$arpinfo" ]; then echo -e "e[00;31m[-] ARP history:e[00m $arpinfo" echo -e " " fi arpinfoip=`ip n 2>/dev/null` if [ ! "$arpinfo" ] && [ "$arpinfoip" ]; then echo -e "e[00;31m[-] ARP history:e[00m $arpinfoip" echo -e " " fi #dns settings nsinfo=`grep "nameserver" /etc/resolv.conf 2>/dev/null` if [ "$nsinfo" ]; then echo -e "e[00;31m[-] Nameserver(s):e[00m $nsinfo" echo -e " " fi nsinfosysd=`systemd-resolve --status 2>/dev/null` if [ "$nsinfosysd" ]; then echo -e "e[00;31m[-] Nameserver(s):e[00m $nsinfosysd" echo -e " " fi #default route configuration defroute=`route 2>/dev/null | grep default` if [ "$defroute" ]; then echo -e "e[00;31m[-] Default route:e[00m $defroute" echo -e " " fi #default route configuration defrouteip=`ip r 2>/dev/null | grep default` if [ ! "$defroute" ] && [ "$defrouteip" ]; then echo -e "e[00;31m[-] Default route:e[00m $defrouteip" echo -e " " fi #listening TCP tcpservs=`netstat -antp 2>/dev/null` if [ "$tcpservs" ]; then echo -e "e[00;31m[-] Listening TCP:e[00m $tcpservs" echo -e " " fi tcpservsip=`ss -t 2>/dev/null` if [ ! "$tcpservs" ] && [ "$tcpservsip" ]; then echo -e "e[00;31m[-] Listening TCP:e[00m $tcpservsip" echo -e " " fi #listening UDP udpservs=`netstat -anup 2>/dev/null` if [ "$udpservs" ]; then echo -e "e[00;31m[-] Listening UDP:e[00m $udpservs" echo -e " " fi udpservsip=`ip -u 2>/dev/null` if [ ! "$udpservs" ] && [ "$udpservsip" ]; then echo -e "e[00;31m[-] Listening UDP:e[00m $udpservsip" echo -e " " fi } services_info() { echo -e "e[00;33m### SERVICES #############################################e[00m" #running processes psaux=`ps aux 2>/dev/null` if [ "$psaux" ]; then echo -e "e[00;31m[-] Running processes:e[00m $psaux" echo -e " " fi #lookup process binary path and permissisons procperm=`ps aux 2>/dev/null | awk ‘{print $11}‘|xargs -r ls -la 2>/dev/null |awk ‘!x[$0]++‘ 2>/dev/null` if [ "$procperm" ]; then echo -e "e[00;31m[-] Process binaries and associated permissions (from above list):e[00m $procperm" echo -e " " fi if [ "$export" ] && [ "$procperm" ]; then procpermbase=`ps aux 2>/dev/null | awk ‘{print $11}‘ | xargs -r ls 2>/dev/null | awk ‘!x[$0]++‘ 2>/dev/null` mkdir $format/ps-export/ 2>/dev/null for i in $procpermbase; do cp --parents $i $format/ps-export/; done 2>/dev/null fi #anything ‘useful‘ in inetd.conf inetdread=`cat /etc/inetd.conf 2>/dev/null` if [ "$inetdread" ]; then echo -e "e[00;31m[-] Contents of /etc/inetd.conf:e[00m $inetdread" echo -e " " fi if [ "$export" ] && [ "$inetdread" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/inetd.conf $format/etc-export/inetd.conf 2>/dev/null fi #very ‘rough‘ command to extract associated binaries from inetd.conf & show permisisons of each inetdbinperms=`awk ‘{print $7}‘ /etc/inetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$inetdbinperms" ]; then echo -e "e[00;31m[-] The related inetd binary permissions:e[00m $inetdbinperms" echo -e " " fi xinetdread=`cat /etc/xinetd.conf 2>/dev/null` if [ "$xinetdread" ]; then echo -e "e[00;31m[-] Contents of /etc/xinetd.conf:e[00m $xinetdread" echo -e " " fi if [ "$export" ] && [ "$xinetdread" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/xinetd.conf $format/etc-export/xinetd.conf 2>/dev/null fi xinetdincd=`grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null` if [ "$xinetdincd" ]; then echo -e "e[00;31m[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:e[00m"; ls -la /etc/xinetd.d 2>/dev/null echo -e " " fi #very ‘rough‘ command to extract associated binaries from xinetd.conf & show permisisons of each xinetdbinperms=`awk ‘{print $7}‘ /etc/xinetd.conf 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$xinetdbinperms" ]; then echo -e "e[00;31m[-] The related xinetd binary permissions:e[00m $xinetdbinperms" echo -e " " fi initdread=`ls -la /etc/init.d 2>/dev/null` if [ "$initdread" ]; then echo -e "e[00;31m[-] /etc/init.d/ binary permissions:e[00m $initdread" echo -e " " fi #init.d files NOT belonging to root! initdperms=`find /etc/init.d/ ! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$initdperms" ]; then echo -e "e[00;31m[-] /etc/init.d/ files not belonging to root:e[00m $initdperms" echo -e " " fi rcdread=`ls -la /etc/rc.d/init.d 2>/dev/null` if [ "$rcdread" ]; then echo -e "e[00;31m[-] /etc/rc.d/init.d binary permissions:e[00m $rcdread" echo -e " " fi #init.d files NOT belonging to root! rcdperms=`find /etc/rc.d/init.d ! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$rcdperms" ]; then echo -e "e[00;31m[-] /etc/rc.d/init.d files not belonging to root:e[00m $rcdperms" echo -e " " fi usrrcdread=`ls -la /usr/local/etc/rc.d 2>/dev/null` if [ "$usrrcdread" ]; then echo -e "e[00;31m[-] /usr/local/etc/rc.d binary permissions:e[00m $usrrcdread" echo -e " " fi #rc.d files NOT belonging to root! usrrcdperms=`find /usr/local/etc/rc.d ! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$usrrcdperms" ]; then echo -e "e[00;31m[-] /usr/local/etc/rc.d files not belonging to root:e[00m $usrrcdperms" echo -e " " fi initread=`ls -la /etc/init/ 2>/dev/null` if [ "$initread" ]; then echo -e "e[00;31m[-] /etc/init/ config file permissions:e[00m $initread" echo -e " " fi # upstart scripts not belonging to root initperms=`find /etc/init ! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$initperms" ]; then echo -e "e[00;31m[-] /etc/init/ config files not belonging to root:e[00m $initperms" echo -e " " fi systemdread=`ls -lthR /lib/systemd/ 2>/dev/null` if [ "$systemdread" ]; then echo -e "e[00;31m[-] /lib/systemd/* config file permissions:e[00m $systemdread" echo -e " " fi # systemd files not belonging to root systemdperms=`find /lib/systemd/ ! -uid 0 -type f 2>/dev/null |xargs -r ls -la 2>/dev/null` if [ "$systemdperms" ]; then echo -e "e[00;31m[-] /lib/systemd/* config files not belonging to root:e[00m $systemdperms" echo -e " " fi } software_configs() { echo -e "e[00;33m### SOFTWARE #############################################e[00m" #sudo version - check to see if there are any known vulnerabilities with this sudover=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null` if [ "$sudover" ]; then echo -e "e[00;31m[-] Sudo version:e[00m $sudover" echo -e " " fi #mysql details - if installed mysqlver=`mysql --version 2>/dev/null` if [ "$mysqlver" ]; then echo -e "e[00;31m[-] MYSQL version:e[00m $mysqlver" echo -e " " fi #checks to see if root/root will get us a connection mysqlconnect=`mysqladmin -uroot -proot version 2>/dev/null` if [ "$mysqlconnect" ]; then echo -e "e[00;33m[+] We can connect to the local MYSQL service with default root/root credentials!e[00m $mysqlconnect" echo -e " " fi #mysql version details mysqlconnectnopass=`mysqladmin -uroot version 2>/dev/null` if [ "$mysqlconnectnopass" ]; then echo -e "e[00;33m[+] We can connect to the local MYSQL service as ‘root‘ and without a password!e[00m $mysqlconnectnopass" echo -e " " fi #postgres details - if installed postgver=`psql -V 2>/dev/null` if [ "$postgver" ]; then echo -e "e[00;31m[-] Postgres version:e[00m $postgver" echo -e " " fi #checks to see if any postgres password exists and connects to DB ‘template0‘ - following commands are a variant on this postcon1=`psql -U postgres template0 -c ‘select version()‘ 2>/dev/null | grep version` if [ "$postcon1" ]; then echo -e "e[00;33m[+] We can connect to Postgres DB ‘template0‘ as user ‘postgres‘ with no password!:e[00m $postcon1" echo -e " " fi postcon11=`psql -U postgres template1 -c ‘select version()‘ 2>/dev/null | grep version` if [ "$postcon11" ]; then echo -e "e[00;33m[+] We can connect to Postgres DB ‘template1‘ as user ‘postgres‘ with no password!:e[00m $postcon11" echo -e " " fi postcon2=`psql -U pgsql template0 -c ‘select version()‘ 2>/dev/null | grep version` if [ "$postcon2" ]; then echo -e "e[00;33m[+] We can connect to Postgres DB ‘template0‘ as user ‘psql‘ with no password!:e[00m $postcon2" echo -e " " fi postcon22=`psql -U pgsql template1 -c ‘select version()‘ 2>/dev/null | grep version` if [ "$postcon22" ]; then echo -e "e[00;33m[+] We can connect to Postgres DB ‘template1‘ as user ‘psql‘ with no password!:e[00m $postcon22" echo -e " " fi #apache details - if installed apachever=`apache2 -v 2>/dev/null; httpd -v 2>/dev/null` if [ "$apachever" ]; then echo -e "e[00;31m[-] Apache version:e[00m $apachever" echo -e " " fi #what account is apache running under apacheusr=`grep -i ‘user|group‘ /etc/apache2/envvars 2>/dev/null |awk ‘{sub(/.*export /,"")}1‘ 2>/dev/null` if [ "$apacheusr" ]; then echo -e "e[00;31m[-] Apache user configuration:e[00m $apacheusr" echo -e " " fi if [ "$export" ] && [ "$apacheusr" ]; then mkdir --parents $format/etc-export/apache2/ 2>/dev/null cp /etc/apache2/envvars $format/etc-export/apache2/envvars 2>/dev/null fi #installed apache modules apachemodules=`apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null` if [ "$apachemodules" ]; then echo -e "e[00;31m[-] Installed Apache modules:e[00m $apachemodules" echo -e " " fi #htpasswd check htpasswd=`find / -name .htpasswd -print -exec cat {} ; 2>/dev/null` if [ "$htpasswd" ]; then echo -e "e[00;33m[-] htpasswd found - could contain passwords:e[00m $htpasswd" echo -e " " fi #anything in the default http home dirs (changed to thorough as can be large) if [ "$thorough" = "1" ]; then apachehomedirs=`ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null` if [ "$apachehomedirs" ]; then echo -e "e[00;31m[-] www home dir contents:e[00m $apachehomedirs" echo -e " " fi fi } interesting_files() { echo -e "e[00;33m### INTERESTING FILES ####################################e[00m" #checks to see if various files are installed echo -e "e[00;31m[-] Useful file locations:e[00m" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null echo -e " " #limited search for installed compilers compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed ‘gcc*‘ 2>/dev/null| grep gcc 2>/dev/null` if [ "$compiler" ]; then echo -e "e[00;31m[-] Installed compilers:e[00m $compiler" echo -e " " fi #manual check - lists out sensitive files, can we read/modify etc. echo -e "e[00;31m[-] Can we read/write sensitive files:e[00m" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null echo -e " " #search for suid files - this can take some time so is only ‘activated‘ with thorough scanning switch (as are all suid scans below) if [ "$thorough" = "1" ]; then findsuid=`find / -perm -4000 -type f -exec ls -la {} 2>/dev/null ;` if [ "$findsuid" ]; then echo -e "e[00;31m[-] SUID files:e[00m $findsuid" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$findsuid" ]; then mkdir $format/suid-files/ 2>/dev/null for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null fi fi #list of ‘interesting‘ suid files - feel free to make additions if [ "$thorough" = "1" ]; then intsuid=`find / -perm -4000 -type f -exec ls -la {} ; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intsuid" ]; then echo -e "e[00;33m[+] Possibly interesting SUID files:e[00m $intsuid" echo -e " " fi fi #lists word-writable suid files if [ "$thorough" = "1" ]; then wwsuid=`find / -perm -4007 -type f -exec ls -la {} 2>/dev/null ;` if [ "$wwsuid" ]; then echo -e "e[00;33m[+] World-writable SUID files:e[00m $wwsuid" echo -e " " fi fi #lists world-writable suid files owned by root if [ "$thorough" = "1" ]; then wwsuidrt=`find / -uid 0 -perm -4007 -type f -exec ls -la {} 2>/dev/null ;` if [ "$wwsuidrt" ]; then echo -e "e[00;33m[+] World-writable SUID files owned by root:e[00m $wwsuidrt" echo -e " " fi fi #search for guid files - this can take some time so is only ‘activated‘ with thorough scanning switch (as are all guid scans below) if [ "$thorough" = "1" ]; then findguid=`find / -perm -2000 -type f -exec ls -la {} 2>/dev/null ;` if [ "$findguid" ]; then echo -e "e[00;31m[-] GUID files:e[00m $findguid" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$findguid" ]; then mkdir $format/guid-files/ 2>/dev/null for i in $findguid; do cp $i $format/guid-files/; done 2>/dev/null fi fi #list of ‘interesting‘ guid files - feel free to make additions if [ "$thorough" = "1" ]; then intguid=`find / -perm -2000 -type f -exec ls -la {} ; 2>/dev/null | grep -w $binarylist 2>/dev/null` if [ "$intguid" ]; then echo -e "e[00;33m[+] Possibly interesting GUID files:e[00m $intguid" echo -e " " fi fi #lists world-writable guid files if [ "$thorough" = "1" ]; then wwguid=`find / -perm -2007 -type f -exec ls -la {} 2>/dev/null ;` if [ "$wwguid" ]; then echo -e "e[00;33m[+] World-writable GUID files:e[00m $wwguid" echo -e " " fi fi #lists world-writable guid files owned by root if [ "$thorough" = "1" ]; then wwguidrt=`find / -uid 0 -perm -2007 -type f -exec ls -la {} 2>/dev/null ;` if [ "$wwguidrt" ]; then echo -e "e[00;33m[+] World-writable GUID files owned by root:e[00m $wwguidrt" echo -e " " fi fi #list all files with POSIX capabilities set along with there capabilities if [ "$thorough" = "1" ]; then fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` if [ "$fileswithcaps" ]; then echo -e "e[00;31m[+] Files with POSIX capabilities set:e[00m $fileswithcaps" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$fileswithcaps" ]; then mkdir $format/files_with_capabilities/ 2>/dev/null for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null fi fi #searches /etc/security/capability.conf for users associated capapilies if [ "$thorough" = "1" ]; then userswithcaps=`grep -v ‘^#|none|^$‘ /etc/security/capability.conf 2>/dev/null` if [ "$userswithcaps" ]; then echo -e "e[00;33m[+] Users with specific POSIX capabilities:e[00m $userswithcaps" echo -e " " fi fi if [ "$thorough" = "1" ] && [ "$userswithcaps" ] ; then #matches the capabilities found associated with users with the current user matchedcaps=`echo -e "$userswithcaps" | grep `whoami` | awk ‘{print $1}‘ 2>/dev/null` if [ "$matchedcaps" ]; then echo -e "e[00;33m[+] Capabilities associated with the current user:e[00m $matchedcaps" echo -e " " #matches the files with capapbilities with capabilities associated with the current user matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` if [ "$matchedfiles" ]; then echo -e "e[00;33m[+] Files with the same capabilities associated with the current user (You may want to try abusing those capabilties):e[00m $matchedfiles" echo -e " " #lists the permissions of the files having the same capabilies associated with the current user matchedfilesperms=`echo -e "$matchedfiles" | awk ‘{print $1}‘ | while read -r f; do ls -la $f ;done 2>/dev/null` echo -e "e[00;33m[+] Permissions of files with the same capabilities associated with the current user:e[00m $matchedfilesperms" echo -e " " if [ "$matchedfilesperms" ]; then #checks if any of the files with same capabilities associated with the current user is writable writablematchedfiles=`echo -e "$matchedfiles" | awk ‘{print $1}‘ | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` if [ "$writablematchedfiles" ]; then echo -e "e[00;33m[+] User/Group writable files with the same capabilities associated with the current user:e[00m $writablematchedfiles" echo -e " " fi fi fi fi fi #list all world-writable files excluding /proc and /sys if [ "$thorough" = "1" ]; then wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null ;` if [ "$wwfiles" ]; then echo -e "e[00;31m[-] World-writable files (excluding /proc and /sys):e[00m $wwfiles" echo -e " " fi fi if [ "$thorough" = "1" ]; then if [ "$export" ] && [ "$wwfiles" ]; then mkdir $format/ww-files/ 2>/dev/null for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null fi fi #are any .plan files accessible in /home (could contain useful information) usrplan=`find /home -iname *.plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;` if [ "$usrplan" ]; then echo -e "e[00;31m[-] Plan file permissions and contents:e[00m $usrplan" echo -e " " fi if [ "$export" ] && [ "$usrplan" ]; then mkdir $format/plan_files/ 2>/dev/null for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null fi bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;` if [ "$bsdusrplan" ]; then echo -e "e[00;31m[-] Plan file permissions and contents:e[00m $bsdusrplan" echo -e " " fi if [ "$export" ] && [ "$bsdusrplan" ]; then mkdir $format/plan_files/ 2>/dev/null for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null fi #are there any .rhosts files accessible - these may allow us to login as another user etc. rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;` if [ "$rhostsusr" ]; then echo -e "e[00;33m[+] rhost config file(s) and file contents:e[00m $rhostsusr" echo -e " " fi if [ "$export" ] && [ "$rhostsusr" ]; then mkdir $format/rhosts/ 2>/dev/null for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null fi bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;` if [ "$bsdrhostsusr" ]; then echo -e "e[00;33m[+] rhost config file(s) and file contents:e[00m $bsdrhostsusr" echo -e " " fi if [ "$export" ] && [ "$bsdrhostsusr" ]; then mkdir $format/rhosts 2>/dev/null for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null fi rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;` if [ "$rhostssys" ]; then echo -e "e[00;33m[+] Hosts.equiv file and contents: e[00m $rhostssys" echo -e " " fi if [ "$export" ] && [ "$rhostssys" ]; then mkdir $format/rhosts/ 2>/dev/null for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null fi #list nfs shares/permisisons etc. nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` if [ "$nfsexports" ]; then echo -e "e[00;31m[-] NFS config details: e[00m $nfsexports" echo -e " " fi if [ "$export" ] && [ "$nfsexports" ]; then mkdir $format/etc-export/ 2>/dev/null cp /etc/exports $format/etc-export/exports 2>/dev/null fi if [ "$thorough" = "1" ]; then #phackt #displaying /etc/fstab fstab=`cat /etc/fstab 2>/dev/null` if [ "$fstab" ]; then echo -e "e[00;31m[-] NFS displaying partitions and filesystems - you need to check if exotic filesystemse[00m" echo -e "$fstab" echo -e " " fi fi #looking for credentials in /etc/fstab fstab=`grep username /etc/fstab 2>/dev/null |awk ‘{sub(/.*username=/,"");sub(/,.*/,"")}1‘ 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk ‘{sub(/.*password=/,"");sub(/,.*/,"")}1‘ 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk ‘{sub(/.*domain=/,"");sub(/,.*/,"")}1‘ 2>/dev/null| xargs -r echo domain: 2>/dev/null` if [ "$fstab" ]; then echo -e "e[00;33m[+] Looks like there are credentials in /etc/fstab!e[00m $fstab" echo -e " " fi if [ "$export" ] && [ "$fstab" ]; then mkdir $format/etc-exports/ 2>/dev/null cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null fi fstabcred=`grep cred /etc/fstab 2>/dev/null |awk ‘{sub(/.*credentials=/,"");sub(/,.*/,"")}1‘ 2>/dev/null | xargs -I{} sh -c ‘ls -la {}; cat {}‘ 2>/dev/null` if [ "$fstabcred" ]; then echo -e "e[00;33m[+] /etc/fstab contains a credentials file!e[00m $fstabcred" echo -e " " fi if [ "$export" ] && [ "$fstabcred" ]; then mkdir $format/etc-exports/ 2>/dev/null cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null fi #use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located if [ "$keyword" = "" ]; then echo -e "[-] Can‘t search *.conf files as no keyword was entered " else confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} ; 2>/dev/null` if [ "$confkey" ]; then echo -e "e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels - output format filepath:identified line number where keyword appears):e[00m $confkey" echo -e " " else echo -e "e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):e[00m" echo -e "‘$keyword‘ not found in any .conf files" echo -e " " fi fi if [ "$keyword" = "" ]; then : else if [ "$export" ] && [ "$confkey" ]; then confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} ; 2>/dev/null` mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null fi fi #use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located if [ "$keyword" = "" ]; then echo -e "[-] Can‘t search *.php files as no keyword was entered " else phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} ; 2>/dev/null` if [ "$phpkey" ]; then echo -e "e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):e[00m $phpkey" echo -e " " else echo -e "e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):e[00m" echo -e "‘$keyword‘ not found in any .php files" echo -e " " fi fi if [ "$keyword" = "" ]; then : else if [ "$export" ] && [ "$phpkey" ]; then phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} ; 2>/dev/null` mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null fi fi #use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located if [ "$keyword" = "" ];then echo -e "[-] Can‘t search *.log files as no keyword was entered " else logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} ; 2>/dev/null` if [ "$logkey" ]; then echo -e "e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):e[00m $logkey" echo -e " " else echo -e "e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):e[00m" echo -e "‘$keyword‘ not found in any .log files" echo -e " " fi fi if [ "$keyword" = "" ];then : else if [ "$export" ] && [ "$logkey" ]; then logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} ; 2>/dev/null` mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null fi fi #use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located if [ "$keyword" = "" ];then echo -e "[-] Can‘t search *.ini files as no keyword was entered " else inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} ; 2>/dev/null` if [ "$inikey" ]; then echo -e "e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):e[00m $inikey" echo -e " " else echo -e "e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):e[00m" echo -e "‘$keyword‘ not found in any .ini files" echo -e " " fi fi if [ "$keyword" = "" ];then : else if [ "$export" ] && [ "$inikey" ]; then inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} ; 2>/dev/null` mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null fi fi #quick extract of .conf files from /etc - only 1 level allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} ; 2>/dev/null` if [ "$allconf" ]; then echo -e "e[00;31m[-] All *.conf files in /etc (recursive 1 level):e[00m $allconf" echo -e " " fi if [ "$export" ] && [ "$allconf" ]; then mkdir $format/conf-files/ 2>/dev/null for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null fi #extract any user history files that are accessible usrhist=`ls -la ~/.*_history 2>/dev/null` if [ "$usrhist" ]; then echo -e "e[00;31m[-] Current user‘s history files:e[00m $usrhist" echo -e " " fi if [ "$export" ] && [ "$usrhist" ]; then mkdir $format/history_files/ 2>/dev/null for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null fi #can we read roots *_history files - could be passwords stored etc. roothist=`ls -la /root/.*_history 2>/dev/null` if [ "$roothist" ]; then echo -e "e[00;33m[+] Root‘s history files are accessible!e[00m $roothist" echo -e " " fi if [ "$export" ] && [ "$roothist" ]; then mkdir $format/history_files/ 2>/dev/null cp $roothist $format/history_files/ 2>/dev/null fi #all accessible .bash_history files in /home checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null ;` if [ "$checkbashhist" ]; then echo -e "e[00;31m[-] Location and contents (if accessible) of .bash_history file(s):e[00m $checkbashhist" echo -e " " fi #is there any mail accessible readmail=`ls -la /var/mail 2>/dev/null` if [ "$readmail" ]; then echo -e "e[00;31m[-] Any interesting mail in /var/mail:e[00m $readmail" echo -e " " fi #can we read roots mail readmailroot=`head /var/mail/root 2>/dev/null` if [ "$readmailroot" ]; then echo -e "e[00;33m[+] We can read /var/mail/root! (snippet below)e[00m $readmailroot" echo -e " " fi if [ "$export" ] && [ "$readmailroot" ]; then mkdir $format/mail-from-root/ 2>/dev/null cp $readmailroot $format/mail-from-root/ 2>/dev/null fi } docker_checks() { #specific checks - check to see if we‘re in a docker container dockercontainer=` grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} ; 2>/dev/null` if [ "$dockercontainer" ]; then echo -e "e[00;33m[+] Looks like we‘re in a Docker container:e[00m $dockercontainer" echo -e " " fi #specific checks - check to see if we‘re a docker host dockerhost=`docker --version 2>/dev/null; docker ps -a 2>/dev/null` if [ "$dockerhost" ]; then echo -e "e[00;33m[+] Looks like we‘re hosting Docker:e[00m $dockerhost" echo -e " " fi #specific checks - are we a member of the docker group dockergrp=`id | grep -i docker 2>/dev/null` if [ "$dockergrp" ]; then echo -e "e[00;33m[+] We‘re a member of the (docker) group - could possibly misuse these rights!e[00m $dockergrp" echo -e " " fi #specific checks - are there any docker files present dockerfiles=`find / -name Dockerfile -exec ls -l {} 2>/dev/null ;` if [ "$dockerfiles" ]; then echo -e "e[00;31m[-] Anything juicy in the Dockerfile:e[00m $dockerfiles" echo -e " " fi #specific checks - are there any docker files present dockeryml=`find / -name docker-compose.yml -exec ls -l {} 2>/dev/null ;` if [ "$dockeryml" ]; then echo -e "e[00;31m[-] Anything juicy in docker-compose.yml:e[00m $dockeryml" echo -e " " fi } lxc_container_checks() { #specific checks - are we in an lxd/lxc container lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` if [ "$lxccontainer" ]; then echo -e "e[00;33m[+] Looks like we‘re in a lxc container:e[00m $lxccontainer" echo -e " " fi #specific checks - are we a member of the lxd group lxdgroup=`id | grep -i lxd 2>/dev/null` if [ "$lxdgroup" ]; then echo -e "e[00;33m[+] We‘re a member of the (lxd) group - could possibly misuse these rights!e[00m $lxdgroup" echo -e " " fi } footer() { echo -e "e[00;33m### SCAN COMPLETE ####################################e[00m" } call_each() { header debug_info system_info user_info environmental_info job_info networking_info services_info software_configs interesting_files docker_checks lxc_container_checks footer } while getopts "h:k:r:e:st" option; do case "${option}" in k) keyword=${OPTARG};; r) report=${OPTARG}"-"`date +"%d-%m-%y"`;; e) export=${OPTARG};; s) sudopass=1;; t) thorough=1;; h) usage; exit;; *) usage; exit;; esac done call_each | tee -a $report 2> /dev/null #EndOfScript
以上是关于linux提权辅助工具:LinEnum.sh的主要内容,如果未能解决你的问题,请参考以下文章
linux提权辅助工具:linux-exploit-suggester
Linux提权第四篇-Linux Cron Jobs(任务计划)提权(crontab文件覆盖提权Crontab Tar Wildcard(通配符)注入提权)