fstab colors

carlospolop 2019-05-11 18:40:50 +02:00
parent d531fd6d1e
commit d92de319ff
2 changed files with 29 additions and 9 deletions

View File

@ -6,10 +6,12 @@ This script does not have any dependency.
There is not need even for bash shell, **it runs using /bin/sh**. There is not need even for bash shell, **it runs using /bin/sh**.
It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside files and 1 min to monitor the process in order to find very frequent cron jobs). It could take from **2 to 3 minutes** to execute the hole script (less than 1 min to make almost all the checks, almost 1 min to search for possible passwords inside files and 1 min to monitor the processes in order to find very frequent cron jobs).
This script have several lists included inside it to be able to color the results in order to help to discover PE vector. This script have several lists included inside it to be able to color the results in order to help to discover PE vector.
The script **automatically finds a writable directory** and writes the output of the checks there. The first console output will be the path of the file created.
## Checks ## Checks
- **System Information** - **System Information**
- [x] SO, kernel version & sudo version - [x] SO, kernel version & sudo version
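Review bot: the new sentence about the automatically chosen writable directory should say where that output can end up. The search list in the script's `WF=` line of this commit includes /tmp, /var and /dev, so on a shared host the report, which by the same paragraph contains candidate passwords grepped out of files, may be written into a directory that other local users can read. Suggest adding one sentence telling the reader to copy the file somewhere private and delete it when done. While touching this paragraph, the unchanged context still reads "hole script" (whole), "There is not need" (There is no need) and "This script have several lists" (has); fix those in the same commit.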
@ -84,6 +86,8 @@ The **Red/Yellow** color is used for identifing configurations that lead to PE.
The **Red** color is used for identifing suspicious configurations that could lead to PE: The **Red** color is used for identifing suspicious configurations that could lead to PE:
- Possible exploitable kernel versions - Possible exploitable kernel versions
- Identify processes running as root - Identify processes running as root
- Not mounted devices
- Dangerous fstab permissions
- Writable files in interesting directories - Writable files in interesting directories
- SUID/SGID binaries that can be used to escalate privileges (https://gtfobins.github.io/) - SUID/SGID binaries that can be used to escalate privileges (https://gtfobins.github.io/)
- SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/) - SUDO binaries that can be used to escalate privileges in sudo -l (without passwd) (https://gtfobins.github.io/)
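Review bot: "Dangerous fstab permissions" is too vague for a legend entry; the script flags mount options matching the `mountpermsB=` pattern added in this commit, i.e. `suid`, `user` and `exec`, so list those option names here so the reader knows what red means on an fstab line. "Not mounted devices" should likewise say these are fstab entries whose device does not appear in `mount` output. Also in the context line "identifing" should be "identifying" and "Possible exploitable" should be "Possibly exploitable".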
@ -97,6 +101,8 @@ The **Red** color is used for identifing suspicious configurations that could le
- Files that could contains passwords - Files that could contains passwords
The **Green** color is used for: The **Green** color is used for:
- Usually not interesting devices to mount
- Not dangerous fstab permissions
- SUID common binaries (the bin was already found in other machines) - SUID common binaries (the bin was already found in other machines)
- SGID common binaries - SGID common binaries
- .sh files in path - .sh files in path
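Review bot: the two new green entries should name what is actually matched: "Usually not interesting devices to mount" corresponds to the `mountG=` pattern (`swap`, `/cdrom`, `/floppy`) and "Not dangerous fstab permissions" to `mountpermsG=` (`nosuid`, `nouser`, `noexec`); write e.g. "swap, cdrom and floppy entries" and "nosuid/nouser/noexec mount options". Also "Files that could contains passwords" in the context above should be "could contain".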
@ -104,6 +110,7 @@ The **Green** color is used for:
The **Blue** color is used for: The **Blue** color is used for:
- Users without shell - Users without shell
- Mounted devices
The **Light Cyan** color is used for: The **Light Cyan** color is used for:
- Users with shell - Users with shell
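Review bot: "Mounted devices" under Blue is broader than what the check prints. The fstab section only outputs /etc/fstab lines and colours blue the device field of entries that also appear in the `mount` output captured in `mounted=`, so say "fstab entries that are currently mounted"; a device mounted without an fstab entry is not listed in that section at all.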

View File

@ -1,6 +1,5 @@
#!/bin/bash #!/bin/sh
file="/tmp/linPE"
C=$(printf '\033') C=$(printf '\033')
RED="${C}[1;31m" RED="${C}[1;31m"
GREEN="${C}[1;32m" GREEN="${C}[1;32m"
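Review bot: switching the shebang to /bin/sh matches the README statement that the script runs under sh, but the README also says it has no dependencies, and the script still relies on GNU-only tools: `find -writable` in the new `WF=` line and the `I` flag in `sed "s,pwd\|passw,...,Ig"` in the Environment hunk both fail on BusyBox or BSD userlands. Either state the GNU coreutils/sed requirement in the README or use portable equivalents (for example `test -w` on each candidate directory).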
@ -8,7 +7,14 @@ Y="${C}[1;33m"
B="${C}[1;34m" B="${C}[1;34m"
NC="${C}[0m" NC="${C}[0m"
kernelB="3.9.6\|3.9.0\|3.9\|3.8.9\|3.8.8\|3.8.7\|3.8.6\|3.8.5\|3.8.4\|3.8.3\|3.8.2\|3.8.1\|3.8.0\|3.8\|3.7.6\|3.7.0\|3.7\|3.6.0\|3.6\|3.5.0\|3.5\|3.4.9\|3.4.8\|3.4.6\|3.4.5\|3.4.4\|3.4.3\|3.4.2\|3.4.1\|3.4.0\|3.4\|3.3\|3.2\|3.19.0\|3.16.0\|3.15\|3.14\|3.13.1\|3.13.0\|3.13\|3.12.0\|3.12\|3.11.0\|3.11\|3.10.6\|3.10.0\|3.10\|3.1.0\|3.0.6\|3.0.5\|3.0.4\|3.0.3\|3.0.2\|3.0.1\|3.0.0\|2.6.9\|2.6.8\|2.6.7\|2.6.6\|2.6.5\|2.6.4\|2.6.39\|2.6.38\|2.6.37\|2.6.36\|2.6.35\|2.6.34\|2.6.33\|2.6.32\|2.6.31\|2.6.30\|2.6.3\|2.6.29\|2.6.28\|2.6.27\|2.6.26\|2.6.25\|2.6.24.1\|2.6.24\|2.6.23\|2.6.22\|2.6.21\|2.6.20\|2.6.2\|2.6.19\|2.6.18\|2.6.17\|2.6.16\|2.6.15\|2.6.14\|2.6.13\|2.6.12\|2.6.11\|2.6.10\|2.6.1\|2.6.0\|2.4.9\|2.4.8\|2.4.7\|2.4.6\|2.4.5\|2.4.4\|2.4.37\|2.4.36\|2.4.35\|2.4.34\|2.4.33\|2.4.32\|2.4.31\|2.4.30\|2.4.29\|2.4.28\|2.4.27\|2.4.26\|2.4.25\|2.4.24\|2.4.23\|2.4.22\|2.4.21\|2.4.20\|2.4.19\|2.4.18\|2.4.17\|2.4.16\|2.4.15\|2.4.14\|2.4.13\|2.4.12\|2.4.11\|2.4.10\|2.2.24" filename="linpe.txt"
kernelB=" 3.9.6\| 3.9.0\| 3.9\| 3.8.9\| 3.8.8\| 3.8.7\| 3.8.6\| 3.8.5\| 3.8.4\| 3.8.3\| 3.8.2\| 3.8.1\| 3.8.0\| 3.8\| 3.7.6\| 3.7.0\| 3.7\| 3.6.0\| 3.6\| 3.5.0\| 3.5\| 3.4.9\| 3.4.8\| 3.4.6\| 3.4.5\| 3.4.4\| 3.4.3\| 3.4.2\| 3.4.1\| 3.4.0\| 3.4\| 3.3\| 3.2\| 3.19.0\| 3.16.0\| 3.15\| 3.14\| 3.13.1\| 3.13.0\| 3.13\| 3.12.0\| 3.12\| 3.11.0\| 3.11\| 3.10.6\| 3.10.0\| 3.10\| 3.1.0\| 3.0.6\| 3.0.5\| 3.0.4\| 3.0.3\| 3.0.2\| 3.0.1\| 3.0.0\| 2.6.9\| 2.6.8\| 2.6.7\| 2.6.6\| 2.6.5\| 2.6.4\| 2.6.39\| 2.6.38\| 2.6.37\| 2.6.36\| 2.6.35\| 2.6.34\| 2.6.33\| 2.6.32\| 2.6.31\| 2.6.30\| 2.6.3\| 2.6.29\| 2.6.28\| 2.6.27\| 2.6.26\| 2.6.25\| 2.6.24.1\| 2.6.24\| 2.6.23\| 2.6.22\| 2.6.21\| 2.6.20\| 2.6.2\| 2.6.19\| 2.6.18\| 2.6.17\| 2.6.16\| 2.6.15\| 2.6.14\| 2.6.13\| 2.6.12\| 2.6.11\| 2.6.10\| 2.6.1\| 2.6.0\| 2.4.9\| 2.4.8\| 2.4.7\| 2.4.6\| 2.4.5\| 2.4.4\| 2.4.37\| 2.4.36\| 2.4.35\| 2.4.34\| 2.4.33\| 2.4.32\| 2.4.31\| 2.4.30\| 2.4.29\| 2.4.28\| 2.4.27\| 2.4.26\| 2.4.25\| 2.4.24\| 2.4.23\| 2.4.22\| 2.4.21\| 2.4.20\| 2.4.19\| 2.4.18\| 2.4.17\| 2.4.16\| 2.4.15\| 2.4.14\| 2.4.13\| 2.4.12\| 2.4.11\| 2.4.10\| 2.2.24"
mounted=`(mount -l || cat /proc/mounts || cat /proc/self/mounts) 2>/dev/null | grep "^/" | cut -d " " -f1 | tr '\n' '|' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee"
mountG="swap\|/cdrom\|/floppy"
notmounted=`cat /etc/fstab | grep "^/" | grep -v $mountG | cut -d " " -f1 | grep -v $mounted | tr '\n' '|' | sed 's/|/\\\|/g'`"ImPoSSssSiBlEee"
mountpermsB="[^o]suid\|[^o]user\|[^o]exec"
mountpermsG="nosuid\|nouser\|noexec"
groupsB="(root)\|(shadow)\|(admin)\|(video)" groupsB="(root)\|(shadow)\|(admin)\|(video)"
groupsVB="(sudo)\|(docker)\|(lxd)\|(wheel)\|(disk)" groupsVB="(sudo)\|(docker)\|(lxd)\|(wheel)\|(disk)"
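Review bot: `notmounted=` only looks at fstab lines that start with `/` (`grep "^/"`), so entries keyed by `UUID=`, `LABEL=`, `//server/share` or a pseudo-filesystem name are never classified as mounted or not mounted, and on most current distributions that is every root and swap entry. Compare on the mount point (second field) instead, or resolve the device with `findmnt -s`. Minor: `grep -v $mountG` and `grep -v $mounted` should be quoted; they only work because the patterns happen to contain no whitespace or glob characters.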
@ -33,18 +39,22 @@ knw_usrs='daemon:\|daemon\s\|^daemon$\|message+\|syslog\|www\|www-data\|mail\|no
USER=`whoami` USER=`whoami`
HOME=/home/$USER HOME=/home/$USER
Wfolders=`find /home /tmp /var /bin /etc /usr /lib /media /mnt /opt /root -writable -type d -maxdepth 2 2>/dev/null | tr '\n' '|' | sed 's/|/\\\|/g'`" \*" WF=`find /home /tmp /var /bin /etc /usr /lib /media /mnt /opt /root /dev -writable -type d -maxdepth 2 2>/dev/null | sort`
file=`echo $WF | cut -d " " -f 1`"/$filename"
Wfolders=`echo $WF | tr ' ' '|' | sed 's/|/\\\|/g'`"\| \*"
notExtensions="\.tif$\|\.tiff$\|\.gif$\|\.jpeg$\|\.jpg\|\.jif$\|\.jfif$\|\.jp2$\|\.jpx$\|\.j2k$\|\.j2c$\|\.fpx$\|\.pcd$\|\.png$\|\.pdf$\|\.flv$\|\.mp4$\|\.mp3$\|\.gifv$\|\.avi$\|\.mov$\|\.mpeg$\|\.wav$\|\.doc$\|\.docx$\|\.xls$\|\.xlsx$" notExtensions="\.tif$\|\.tiff$\|\.gif$\|\.jpeg$\|\.jpg\|\.jif$\|\.jfif$\|\.jp2$\|\.jpx$\|\.j2k$\|\.j2c$\|\.fpx$\|\.pcd$\|\.png$\|\.pdf$\|\.flv$\|\.mp4$\|\.mp3$\|\.gifv$\|\.avi$\|\.mov$\|\.mpeg$\|\.wav$\|\.doc$\|\.docx$\|\.xls$\|\.xlsx$"
TIMEOUT=`which timeout 2>/dev/null` TIMEOUT=`which timeout 2>/dev/null`
GCC=`which gcc 2>/dev/null`
pathshG="/0trace.sh\|/blueranger.sh\|/dnsmap-bulk.sh\|/gettext.sh\|/go-rhn.sh\|/gvmap.sh\|/lesspipe.sh\|/mksmbpasswd.sh\|/setuporamysql.sh\|/testacg.sh\|/testlahf.sh\|/url_handler.sh"
pathshG="/dnsmap-bulk.sh\|/0trace.sh\|/gvmap.sh\|/blueranger.sh\|/testacg.sh\|/gettext.sh\|/testlahf.sh\|/setuporamysql.sh"
if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi
rm -rf $file 2>/dev/null rm -rf $file 2>/dev/null
echo "File: $file" echo "File: $file" | sed "s,.*,${C}[1;4m&${C}[0m,"
echo "" >> $file echo "" >> $file
echo "LEYEND:" | sed "s,LEYEND,${C}[1;4m&${C}[0m," >> $file echo "LEYEND:" | sed "s,LEYEND,${C}[1;4m&${C}[0m," >> $file
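Review bot: the new `file=` computation has no fallback. If `find` returns nothing, `$WF` is empty, `file` becomes `/linpe.txt` and every later `>> $file` fails silently, losing the report; and because `/dev` was added to the search list and the result is `sort`ed, the lexicographically first writable directory is frequently a /dev subdirectory such as /dev/shm (world-readable, cleared on reboot) rather than $HOME or /tmp. Suggest trying $HOME and /tmp explicitly before the sorted list and checking `touch "$file"` before proceeding. Also `echo $WF | cut -d " " -f 1` (and the `tr ' ' '|'` in `Wfolders=`) break on directory names containing spaces; `printf '%s\n' "$WF" | head -n 1` picks the first line safely.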
@ -86,6 +96,9 @@ fi
printf $Y"[+] "$GREEN"Useful software?\n"$NC >> $file printf $Y"[+] "$GREEN"Useful software?\n"$NC >> $file
which nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch 2>/dev/null >> $file which nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch 2>/dev/null >> $file
if [ ! "$GCC" ]; then
locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/" >> $file
fi
echo "" >> $file echo "" >> $file
#limited search for installed compilers #limited search for installed compilers
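Review bot: the `locate` fallback is only as good as the updatedb database, which is often absent or stale, and its output is appended to "Useful software?" with no label, so the reader cannot tell `locate` guesses from `which` hits; print a short header such as "gcc candidates (locate)" before it. The pattern `/gcc[0-9\.-]\+$` also requires a version suffix, so an unversioned `gcc` outside $PATH is not reported; `/gcc[0-9\.-]*$` covers both cases.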
@ -97,7 +110,7 @@ if [ "$compiler" ]; then
fi fi
printf $Y"[+] "$GREEN"Environment\n"$NC >> $file printf $Y"[+] "$GREEN"Environment\n"$NC >> $file
(env || set) 2>/dev/null | grep -v "kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG=\|sidB=\|sidVB=\|sudoB=\|sudoVB=\|sudocapsB=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler\|PWD=\|LS_COLORS=\|pathshG" | sed "s,pwd\|passw,${C}[1;31m&${C}[0m,Ig" >> $file (env || set) 2>/dev/null | grep -v "^mounted=\|^mountG=\|^notmounted=\|^mountpermsB=\|^mountpermsG=\|^kernelB=\|^C=\|^RED=\|^GREEN=\|^Y=\|^B=\|^NC=\|TIMEOUT=\|groupsB=\|groupsVB=\|knw_grps=\|sidG=\|sidB=\|sidVB=\|sudoB=\|sudoVB=\|sudocapsB=\|capsB=\|\notExtensions=\|Wfolders=\|writeB=\|writeVB=\|_usrs=\|compiler\|PWD=\|LS_COLORS=\|pathshG" | sed "s,pwd\|passw,${C}[1;31m&${C}[0m,Ig" >> $file
echo "" >> $file echo "" >> $file
printf $Y"[+] "$GREEN"Cleaned proccesses\n"$NC >> $file printf $Y"[+] "$GREEN"Cleaned proccesses\n"$NC >> $file
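Review bot: the exclusion list for the Environment dump was extended for the mount variables but misses the other variables introduced in this commit: `WF=` (which holds the entire multi-line `find` result), `file=`, `filename=` and `GCC=` will now show up as noise in the output. Add `^WF=\|^file=\|^filename=\|^GCC=` next to the `^mounted=` entries. Also `\notExtensions=` in the pattern has a stray backslash before `n`; write it as `notExtensions=`.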
@ -132,7 +145,7 @@ ls /dev 2>/dev/null | grep -i "sd" >> $file
echo "" >> $file echo "" >> $file
printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC >> $file printf $Y"[+] "$GREEN"Unmounted file-system?\n"$NC >> $file
cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file cat /etc/fstab 2>/dev/null | grep -v "^#" | sed "s,$notmounted,${C}[1;31m&${C}[0m," | sed "s,$mounted,${C}[1;34m&${C}[0m," | sed "s,$mountG,${C}[1;32m&${C}[0m,g" | sed "s,$Wfolders,${C}[1;31m&${C}[0m," | sed "s,$mountpermsB,${C}[1;31m&${C}[0m,g" | sed "s,$mountpermsG,${C}[1;32m&${C}[0m,g" >> $file
echo "" >> $file echo "" >> $file
printer=`lpstat -a 2>/dev/null` printer=`lpstat -a 2>/dev/null`
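Review bot: `mountpermsB` and `mountpermsG` are applied with `sed ... g` to the whole fstab line rather than to the options field, so `[^o]user` turns the very common `user_xattr` option red, and any device or mount point path containing `user` or `exec` is coloured as a dangerous permission. Match the fourth field only (split on whitespace with awk, or anchor the option as `[,[:space:]]user\(,\|[[:space:]]\)`). Separately, every `s,$var,...,` in this chain uses `,` as the delimiter while `$Wfolders` is built from `find` results and `$notmounted` from fstab contents; a directory or device name containing a comma terminates the expression early and the whole `sed` aborts with a syntax error, so pick a delimiter that cannot appear in a path or escape the variables first.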