This commit is contained in:
Roman Hergenreder 2024-02-03 20:53:55 +01:00
parent 8c42a9065a
commit 0fac5c75b0
10 changed files with 339 additions and 201 deletions

@ -369,7 +369,7 @@ userCheck() {
printQuestion "User ...................." printQuestion "User ...................."
if [ "$(id -u)" = 0 ]; then if [ "$(id -u)" = 0 ]; then
isUserRoot="1" isUserRoot="1"
printSuccess "root" printEx "root"
else else
printSuccess "$(whoami)" printSuccess "$(whoami)"
fi fi
@ -377,6 +377,29 @@ userCheck() {
printQuestion "Groups .................." printQuestion "Groups .................."
groups=$(groups| sed "s/\($DANGEROUS_GROUPS\)/${LG}${EX}&${NC}${DG}/g") groups=$(groups| sed "s/\($DANGEROUS_GROUPS\)/${LG}${EX}&${NC}${DG}/g")
printStatus "$groups" "None" printStatus "$groups" "None"
if ! [ $isUserRoot ]; then
printQuestion "Sudo ...................."
if [ -x "$(command -v sudo)" ]; then
if sudo -n -l 2>/dev/null; then
printEx "Passwordless Sudo"
isUserHasSudo="1"
else
printError "Password required"
fi
else
printError "sudo not found"
fi
else
printQuestion "Sudoers ................."
if [ -r /etc/sudoers ]; then
sudoers=$(grep -v "#\|^$\|^Defaults\|@include" /etc/sudoers)
printYes
printStatus "$sudoers"
else
printNo
fi
fi
} }
dockerSockCheck() { dockerSockCheck() {
@ -443,9 +466,7 @@ enumerateContainer() {
containerID() { containerID() {
# Get container ID # Get container ID
containerID="$(cat /etc/hostname)" containerID="$(cat /etc/hostname || uname -n || hostname)"
#containerID="$(hostname)"
#containerID="$(uname -n)"
# Get container full ID # Get container full ID
printResult "Container ID ............" "$containerID" "Unknown" printResult "Container ID ............" "$containerID" "Unknown"
@ -807,17 +828,18 @@ findInterestingFiles() {
printNo printNo
fi fi
hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
printQuestion "Hashes in shadow file ..............." printQuestion "Hashes in shadow file ..............."
if test -r /etc/shadow; then
hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
if [ "$hashes" ]; then if [ "$hashes" ]; then
printYes printYes
printStatus "$hashes" printStatus "$hashes"
elif test -r /etc/shadow; then
# Cannot check...
printFail "No permissions"
else else
printNo printNo
fi fi
else
printFail "Not readable"
fi
# TODO: Check this file /run/secrets/ # TODO: Check this file /run/secrets/
@ -829,7 +851,6 @@ findInterestingFiles() {
printMsg "$(ls -lAh "$p")" printMsg "$(ls -lAh "$p")"
fi fi
done done
} }
checkDockerRootless() { checkDockerRootless() {

File diff suppressed because one or more lines are too long

29
lse.sh

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com> # Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration # GitHub: https://github.com/diego-treitos/linux-smart-enumeration
# #
lse_version="4.13nw" lse_version="4.14nw"
##( Colors ##( Colors
# #
@ -89,7 +89,7 @@ lse_procmon_lock=`mktemp`
lse_cve_tmp='' lse_cve_tmp=''
# printf # printf
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf" printf "$reset" | grep -q '\\' && alias printf="env printf"
#( internal data #( internal data
lse_common_setuid=" lse_common_setuid="
@ -262,7 +262,7 @@ cecho() { #(
printf "%b" "$@" printf "%b" "$@"
else else
# If color is disabled we remove it # If color is disabled we remove it
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' printf "%b" "$@" | sed -r 's/(\x1B|\\e)\[[0-9;:]+[A-Za-z]//g'
fi fi
} #) } #)
lse_recolor() { #( lse_recolor() { #(
@ -381,6 +381,8 @@ lse_test() { #(
local deps="$5" local deps="$5"
# Variable name where to store the output # Variable name where to store the output
local var="$6" local var="$6"
# Flags affecting the execution of certain tests
local flags="$7"
# Define colors # Define colors
local l="${lred}!" local l="${lred}!"
@ -408,6 +410,12 @@ lse_test() { #(
printf "." printf "."
done done
# Check if test should be skipped when running as root
if [ "$lse_user_id" -eq 0 ] && [ "$flags" = "rootskip" ]; then
cecho " ${grey}skip\n"
return 1
fi
# Check dependencies # Check dependencies
local non_met_deps="" local non_met_deps=""
for d in $deps; do for d in $deps; do
@ -482,6 +490,10 @@ lse_show_info() { #(
echo echo
cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}" cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
echo echo
if [ "$lse_user_id" -eq 0 ]; then
cecho "${green}============(${yellow} Already running as ${red}root${yellow}, some tests will be skipped! ${green})============${reset}"
echo
fi
} #) } #)
lse_serve() { #( lse_serve() { #(
# get port # get port
@ -778,7 +790,8 @@ lse_run_tests_filesystem() {
# Add symlinks owned by the user (so the user can change where they point) # Add symlinks owned by the user (so the user can change where they point)
find / -path "$lse_home" -prune -o $lse_find_opts -type l -user $lse_user -print' \ find / -path "$lse_home" -prune -o $lse_find_opts -type l -user $lse_user -print' \
"" \ "" \
"lse_user_writable" "lse_user_writable" \
"rootskip"
#get setuid binaries #get setuid binaries
lse_test "fst010" "1" \ lse_test "fst010" "1" \
@ -906,7 +919,8 @@ lse_run_tests_filesystem() {
#files owned by user #files owned by user
lse_test "fst500" "2" \ lse_test "fst500" "2" \
"Files owned by user '$lse_user'" \ "Files owned by user '$lse_user'" \
'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;' 'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;' \
"" "" "rootskip"
#check for SSH files anywhere #check for SSH files anywhere
lse_test "fst510" "2" \ lse_test "fst510" "2" \
@ -1356,6 +1370,11 @@ lse_run_tests_software() {
"Can we access MongoDB databases without credentials?" \ "Can we access MongoDB databases without credentials?" \
'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"' 'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"'
#find kerberos credentials
lse_test "sof180" "0" \
"Can we access any Kerberos credentials?" \
'find / $lse_find_opts -name "*.so" -prune -o \( -name "krb5cc*" -o -name "*.ccache" -o -name "*.kirbi" -o -name "*.keytab" \) -type f -readable -exec ls -lh {} +'
#sudo version - check to see if there are any known vulnerabilities with this #sudo version - check to see if there are any known vulnerabilities with this
lse_test "sof500" "2" \ lse_test "sof500" "2" \
"Sudo version" \ "Sudo version" \

@ -98,6 +98,8 @@ class ShellListener:
print("RECV first prompt") print("RECV first prompt")
else: else:
self.raw_output += data self.raw_output += data
for callback in self.on_message:
callback(data)
print("[-] Disconnected") print("[-] Disconnected")
self.connection = None self.connection = None

@ -314,11 +314,12 @@ def rpad(x, n, b=b"\x00"):
return pad(x, n, b, "r") return pad(x, n, b, "r")
def pad(x, n, b=b"\x00", s="r"): def pad(x, n, b=b"\x00", s="r"):
if len(x) % n != 0: pad_len = len(x) % n
if pad_len != 0:
if s == "r": if s == "r":
x += (n-(len(x)%n))*b x += b * (n - pad_len)
elif s == "l": elif s == "l":
x = (n-(len(x)%n))*b + x x = b * (n - pad_len) + x
return x return x
def xor(a, b, *args): def xor(a, b, *args):

Binary file not shown.

File diff suppressed because one or more lines are too long

@ -363,7 +363,7 @@ CALL :T_Progress 1
:WifiCreds :WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI" CALL :ColorLine " %E%33m[+]%E%97m WIFI"
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.) for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1 CALL :T_Progress 1
:BasicUserInfo :BasicUserInfo

Binary file not shown.

Binary file not shown.