#!/bin/sh file="/tmp/linPE" RED='\033[0;31m' Y='\033[0;33m' B='\033[0;34m' NC='\033[0m' C=$(printf '\033') suidG="/bin/fusermount\|\ /bin/mount\|\ /bin/ntfs-3g\|\ /bin/ping\|\ /bin/ping6\|\ /bin/rcp\|\ /bin/su\|\ /bin/systemctl\|\ /bin/umount\|\ /sbin/mksnap_ffs\|\ /sbin/mount.cifs\|\ /sbin/ping\|\ /sbin/ping6\|\ /sbin/poweroff\|\ /sbin/shutdown\|\ /usr/bin/at\|\ /usr/bin/atq\|\ /usr/bin/atrm\|\ /usr/bin/batch\|\ /usr/bin/bwrap\|\ /usr/bin/chage\|\ /usr/bin/chfn\|\ /usr/bin/chpass\|\ /usr/bin/chsh\|\ /usr/bin/crontab\|\ /usr/bin/doas\|\ /usr/bin/fusermount\|\ /usr/bin/gpasswd\|\ /usr/bin/kismet_capture\|\ /usr/bin/lock\|\ /usr/bin/login\|\ /usr/bin/lpq\|\ /usr/bin/lpr\|\ /usr/bin/lprm\|\ /usr/bin/mount\|\ /usr/bin/newgidmap\|\ /usr/bin/newgrp\|\ /usr/bin/newuidmap\|\ /usr/bin/ntfs-3g\|\ /usr/bin/opieinfo\|\ /usr/bin/opiepasswd\|\ /usr/bin/passwd\|\ /usr/bin/pkexec\|\ /usr/bin/quota\|\ /usr/bin/rlogin\|\ /usr/bin/rsh\|\ /usr/bin/staprun\|\ /usr/bin/su\|\ /usr/bin/sudo\|\ /usr/bin/traceroute6.iputils\|\ /usr/bin/umount\|\ /usr/bin/vmware-user-suid-wrapper\|\ /usr/lib/chromium/chrome-sandbox\|\ /usr/lib/dbus-1.0/dbus-daemon-launch-helper\|\ /usr/lib/eject/dmcrypt-get-device\|\ /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache\|\ /usr/libexec/auth/login_chpass\|\ /usr/libexec/auth/login_lchpass\|\ /usr/libexec/auth/login_passwd\|\ /usr/libexec/dbus-1/dbus-daemon-launch-helper\|\ /usr/libexec/dma-mbox-create\|\ /usr/libexec/lockspool\|\ /usr/libexec/ssh-keysign\|\ /usr/libexec/ulog-helper\|\ /usr/lib/i386-linux-gnu/lxc/lxc-user-nic\|\ /usr/lib/openssh/ssh-keysign\|\ /usr/lib/policykit-1/polkit-agent-helper-1\|\ /usr/lib/polkit-1/polkit-agent-helper-1\|\ /usr/lib/snapd/snap-confine\|\ /usr/lib/xorg/Xorg.wrap\|\ /usr/local/bin/Xorg\|\ /usr/local/libexec/dbus-daemon-launch-helper\|\ /usr/sbin/authpf\|\ /usr/sbin/authpf-noip\|\ /usr/sbin/exim4\|\ /usr/sbin/mount.nfs\|\ /usr/sbin/pam_timestamp_check\|\ /usr/sbin/ppp\|\ /usr/sbin/pppd\|\ /usr/sbin/timedc\|\ /usr/sbin/traceroute\|\ /usr/sbin/traceroute6\|\ /usr/sbin/unix_chkpwd\|\ /usr/sbin/userhelper\|\ /usr/sbin/usernetctl\|\ /usr/X11R6/bin/Xorg" suidB='nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|emacs\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|tar\|zip\|gdb\|pico\|scp\|git\|rvim\|script\|ash\|csh\|curl\|dash\|ed\|env\|expect\|ftp\|sftp\|node\|php\|rpm\|rpmquery\|socat\|strace\|taskset\|tclsh\|telnet\|tftp\|wget\|wish\|zsh\|ssh$\|ip$\|arp\|mtr' sgid="/sbin/pam_extrausers_chkpwd\|\ /sbin/unix_chkpwd\|\ /usr/bin/at\|\ /usr/bin/atq\|\ /usr/bin/atrm\|\ /usr/bin/batch\|\ /usr/bin/bsd-write\|\ /usr/bin/btsockstat\|\ /usr/bin/chage\|\ /usr/bin/crontab\|\ /usr/bin/dotlockfile\|\ /usr/bin/dotlock.mailutils\|\ /usr/bin/expiry\|\ /usr/bin/lock\|\ /usr/bin/lpq\|\ /usr/bin/lpr\|\ /usr/bin/lprm\|\ /usr/bin/mlocate\|\ /usr/bin/mutt_dotlock\|\ /usr/bin/netstat\|\ /usr/bin/screen\|\ /usr/bin/skeyaudit\|\ /usr/bin/skeyinfo\|\ /usr/bin/skeyinit\|\ /usr/bin/ssh-agent\|\ /usr/bin/wall\|\ /usr/bin/write\|\ /usr/lib/emacs/24.5/i686-linux-gnu/movemail\|\ /usr/lib/evolution/camel-lock-helper-1.2\|\ /usr/libexec/auth/login_activ\|\ /usr/libexec/auth/login_crypto\|\ /usr/libexec/auth/login_radius\|\ /usr/libexec/auth/login_skey\|\ /usr/libexec/auth/login_snk\|\ /usr/libexec/auth/login_token\|\ /usr/libexec/auth/login_yubikey\|\ /usr/libexec/dma\|\ /usr/libexec/sendmail/sendmail\|\ /usr/lib/i386-linux-gnu/utempter/utempter\|\ /usr/lib/libvte9/gnome-pty-helper\|\ /usr/lib/mc/cons.saver\|\ /usr/lib/snapd/snap-confine\|\ /usr/lib/x86_64-linux-gnu/utempter/utempter\|\ /usr/lib/xemacs-21.4.22/i686-linux-gnu/movemail\|\ /usr/lib/xorg/Xorg.wrap\|\ /usr/sbin/authpf\|\ /usr/sbin/authpf-noip\|\ /usr/sbin/lpc\|\ /usr/sbin/lpd\|\ /usr/sbin/smtpctl\|\ /usr/sbin/trpt\|\ /usr/sbin/unix_chkpwd\|\ /usr/X11R6/bin/xlock\|\ /usr/X11R6/bin/xterm" intfol="/etc/\|/root/\|/home/\|/var/log\|/mnt/\|/usr/local/sbin\|/usr/sbin\|/sbin\|/usr/local/bin\|/usr/bin\|/bin\|/usr/local/games\|/usr/games\|/usr/lib" if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi rm -rf $file echo "File: $file" echo "[+]Gathering system information..." printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file echo "" >> $file printf $Y"[+] "$RED"Operative system\n"$NC >> $file (cat /proc/version || uname -a ) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"PATH\n"$NC >> $file echo $PATH 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Date\n"$NC >> $file date 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Sudo version\n"$NC >> $file sudo -V 2>/dev/null| grep "Sudo ver" >> $file echo "" >> $file printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file sestatus 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Useful software?\n"$NC >> $file which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Capabilities\n"$NC >> $file getcap -r / 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Environment\n"$NC >> $file (set || env) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Cleaned proccesses\n"$NC >> $file ps aux 2>/dev/null | grep -v "\[" | sed "s,root,${C}[31m&${C}[0m," >> $file echo "" >> $file printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Services\n"$NC >> $file (/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi echo "" >> $file printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file crontab -l 2>/dev/null >> $file ls -al /etc/cron* 2>/dev/null >> $file cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file echo "" >> $file printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file ls /dev 2>/dev/null | grep -i "sd" >> $file echo "" >> $file printf $Y"[+] "$RED"Storage information\n"$NC >> $file df -h 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file echo "" >> $file printf $Y"[+] "$RED"Printer?\n"$NC >> $file lpstat -a 2>/dev/null >> $file echo "" >> $file echo "" >> $file echo "[+]Gathering network information..." printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file echo "" >> $file printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file dnsdomainname 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file cat /etc/networks 2>/dev/null >> $file (ifconfig || ip a) 2>/dev/null >> $file iptables -L 2>/dev/null >> $file ip n 2>/dev/null >> $file route -n 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Ports\n"$NC >> $file (netstat -punta || ss -t; ss -u) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file timeout 1 tcpdump >> $file 2>&1 echo "" >> $file echo "" >> $file echo "[+]Gathering users information..." printf $B"[*] "$RED"USERS INFO\n"$NC >> $file echo "" >> $file printf $Y"[+] "$RED"Me\n"$NC >> $file (id || (whoami && groups)) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file echo '' | sudo -S -l -k 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file gpg --list-keys 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Superusers\n"$NC >> $file awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Login\n"$NC >> $file w 2>/dev/null >> $file last 2>/dev/null | tail >> $file echo "" >> $file printf $Y"[+] "$RED"Users with console\n"$NC >> $file cat /etc/passwd 2>/dev/null | grep "sh$" >> $file echo "" >> $file printf $Y"[+] "$RED"All users\n"$NC >> $file cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file echo "" >> $file echo "" >> $file echo "[+]Gathering files information..." printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file echo "" >> $file printf $Y"[+] "$RED"SUID\n"$NC >> $file find / -perm -4000 2>/dev/null | sed "s,$suidB,${C}[31m&${C}[0m," | sed "s,$suidG,${C}[32m&${C}[0m," >> $file echo "" >> $file printf $Y"[+] "$RED"SGID\n"$NC >> $file find / -perm -g=s -type f 2>/dev/null | sed "s,$sgid,${C}[32m&${C}[0m," >> $file echo "" >> $file printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file ls -la $HOME 2>/dev/null | head -n 20 >> $file echo "" >> $file printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file echo "" >> $file printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file find /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file echo "" >> $file printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file echo "" >> $file printf $Y"[+] "$RED"Mails?\n"$NC >> $file ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file cat /etc/exports 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file ls -ahl /root/ 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file dockercontainer=`grep -i docker /proc/self/cgroup 2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null` lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null` if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi echo "" >> $file printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file echo "" >> $file printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file USER=`whoami` HOME=/home/$USER find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq | sed "s,$intfol,${C}[31m&${C}[0m," >> $file for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs' | sed "s,$intfol,${C}[31m&${C}[0m,"; done >> $file echo "" >> $file printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file ls -alhR /var/www/ 2>/dev/null | head >> $file ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file echo "" >> $file printf $Y"[+] "$RED"Backup files?\n"$NC >> $file find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file echo "" >> $file printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file echo "" >> $file printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file echo "" >> $file printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file sudo -l