@Jasemalsadi
Last active December 30, 2019 06:41
Bash Script to automate Basic Linux Privilege Escalation information collection
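#!/bin/bash
# Basic Linux privilege-escalation information collector.
#
# Runs a fixed list of read-only enumeration commands and prints each command
# (prefixed with "+ ") before its output, so the resulting log is a transcript.
#
# How to run it and capture everything to a file:
#   chmod +x priv_basic.sh
#   ./priv_basic.sh > file_name.rc 2>&1
#
# Notes:
#   1) It takes around 1 min (the two `find /` walks dominate).
#   2) Many of the files read below are only readable by root; a
#      "Permission denied" line in the log is expected and is itself useful.
#   3) The log contains whatever credentials the running user can read
#      (shell history, SSH private keys, /etc/shadow); treat the output file
#      as sensitive.
# Commands mostly gathered from the g0tmi1k priv escalation post
# (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

# Rule printed between sections. Built with $'…' so it holds real newlines
# and can be printed with plain printf (no echo -e needed).
readonly separator=$'\n------------------------------------------------------------------------------------------------------------------------------\n'

#######################################
# Print a section banner: the separator rule, then the heading and a blank line.
# Arguments: $* - heading text
# Outputs:   banner on stdout
#######################################
section() {
  printf '%s\n' "$separator"
  printf '%s\n\n' "$*"
}

# Echo each command before it runs. Output-only commands (echo/printf/section)
# are skipped so the banners are not duplicated. The command string is printed
# verbatim with printf — the previous version ran `eval echo "+ $BASH_COMMAND"`,
# which re-executes any substitution or redirection inside the command.
trap '[[ "$BASH_COMMAND" =~ ^(echo|printf|section|read|if) ]] || printf "+ %s\n" "$BASH_COMMAND"' DEBUG

printf '\n%s\n\n' "$separator"
printf 'Basic Priv Escallation Infomration Collector \n\n'
printf '\n%s\n\n' "$separator"

printf "What's the distribution type? What version?\n\n"
uname -a
cat /etc/issue

section "GCC Version ? kernel version ? 64-bit ?"
cat /proc/version

section "What can be learnt from the environmental variables?"
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set   # dumps every shell variable and function; large but intentional

section " Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm "
# -writable means writable by the *current* user (not necessarily world-writable).
find / -writable -type d 2>/dev/null

section " Is there a printer? "
lpstat -a

section " What services are running? "
ps aux

section " Which service(s) are been running by root? "
ps aux | grep root   # also matches the grep itself and any argv containing "root"

section " What applications are installed? "
ls -alhr /usr/bin/
ls -alhr /sbin/

section " What jobs are scheduled? "
crontab -l
ls -alhR /etc/cron*

section " Network interfaces ? "
# net-tools (ifconfig/netstat/route/arp) may be absent on newer distributions.
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

section " What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? "
cat /etc/resolv.conf
cat /etc/networks
iptables -L
hostname
dnsdomainname

section " Whats cached? IP and/or MAC addresses ? "
netstat -antup
/sbin/route
arp -e

section " Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? "
id
who
w
last
cut -d: -f1 /etc/passwd # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users (names)
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users (full entries)
cat /etc/sudoers

section " What sensitive files can be found? "
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

section " Anything (interesting) in the home directorie(s)? If it's possible to access "
ls -ahlR /root/
ls -ahlR /home/

section " What our current user being doing? Is there any password in plain text? What have they been edting? "
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

# Heading fixed: this section was mislabelled with a copy of the previous one.
section " SSH: which keys and configuration are readable? "
ls -lahR ~/.ssh
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

section " What can be found in /var/ ? "
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql

section " Any settings/files (hidden) on website? Any settings file with database information? "
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/

section " Is there anything in the log file(s) (Could help with (Local File Includes)!) (more commands check it in the gotmilk priv esc post) "
cat /etc/httpd/logs/access_log

section " How are file-systems mounted? "
mount
df -h

section " Are there any unmounted file-systems? ( we might need to mount unmounted paritions :) ) "
cat /etc/fstab

section " SGID or SUID binaries (more commands to check in gotmilk priv esc post)"
# Parenthesised: without the group, "-type f" bound only to the -u=s branch,
# so the -g=s branch also listed directories.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

printf '%s\n' "$separator"
printf '\n\n ------------------------------- DONE :) ------------------------------- \n\n'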