This commit is contained in:
Roman Hergenreder 2024-02-03 20:53:55 +01:00
parent 8c42a9065a
commit 0fac5c75b0
10 changed files with 339 additions and 201 deletions

@ -369,7 +369,7 @@ userCheck() {
printQuestion "User ...................."
if [ "$(id -u)" = 0 ]; then
isUserRoot="1"
printSuccess "root"
printEx "root"
else
printSuccess "$(whoami)"
fi
@ -377,6 +377,29 @@ userCheck() {
printQuestion "Groups .................."
groups=$(groups| sed "s/\($DANGEROUS_GROUPS\)/${LG}${EX}&${NC}${DG}/g")
printStatus "$groups" "None"
if ! [ $isUserRoot ]; then
printQuestion "Sudo ...................."
if [ -x "$(command -v sudo)" ]; then
if sudo -n -l 2>/dev/null; then
printEx "Passwordless Sudo"
isUserHasSudo="1"
else
printError "Password required"
fi
else
printError "sudo not found"
fi
else
printQuestion "Sudoers ................."
if [ -r /etc/sudoers ]; then
sudoers=$(grep -v "#\|^$\|^Defaults\|@include" /etc/sudoers)
printYes
printStatus "$sudoers"
else
printNo
fi
fi
}
dockerSockCheck() {
@ -443,9 +466,7 @@ enumerateContainer() {
containerID() {
# Get container ID
containerID="$(cat /etc/hostname)"
#containerID="$(hostname)"
#containerID="$(uname -n)"
containerID="$(cat /etc/hostname || uname -n || hostname)"
# Get container full ID
printResult "Container ID ............" "$containerID" "Unknown"
@ -807,17 +828,18 @@ findInterestingFiles() {
printNo
fi
hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
printQuestion "Hashes in shadow file ..............."
if test -r /etc/shadow; then
hashes=$(cut -d':' -f2 < /etc/shadow 2>/dev/null | grep -v '^*$\|^!')
if [ "$hashes" ]; then
printYes
printStatus "$hashes"
elif test -r /etc/shadow; then
# Cannot check...
printFail "No permissions"
else
printNo
fi
else
printFail "Not readable"
fi
# TODO: Check this file /run/secrets/
@ -829,7 +851,6 @@ findInterestingFiles() {
printMsg "$(ls -lAh "$p")"
fi
done
}
checkDockerRootless() {

File diff suppressed because one or more lines are too long

29
lse.sh

@ -5,7 +5,7 @@
# Author: Diego Blanco <diego.blanco@treitos.com>
# GitHub: https://github.com/diego-treitos/linux-smart-enumeration
#
lse_version="4.13nw"
lse_version="4.14nw"
##( Colors
#
@ -89,7 +89,7 @@ lse_procmon_lock=`mktemp`
lse_cve_tmp=''
# printf
printf "%s" "$reset" | grep -q '\\' && alias printf="env printf"
printf "$reset" | grep -q '\\' && alias printf="env printf"
#( internal data
lse_common_setuid="
@ -262,7 +262,7 @@ cecho() { #(
printf "%b" "$@"
else
# If color is disabled we remove it
printf "%b" "$@" | sed 's/\x1B\[[0-9;]\+[A-Za-z]//g'
printf "%b" "$@" | sed -r 's/(\x1B|\\e)\[[0-9;:]+[A-Za-z]//g'
fi
} #)
lse_recolor() { #(
@ -381,6 +381,8 @@ lse_test() { #(
local deps="$5"
# Variable name where to store the output
local var="$6"
# Flags affecting the execution of certain tests
local flags="$7"
# Define colors
local l="${lred}!"
@ -408,6 +410,12 @@ lse_test() { #(
printf "."
done
# Check if test should be skipped when running as root
if [ "$lse_user_id" -eq 0 ] && [ "$flags" = "rootskip" ]; then
cecho " ${grey}skip\n"
return 1
fi
# Check dependencies
local non_met_deps=""
for d in $deps; do
@ -482,6 +490,10 @@ lse_show_info() { #(
echo
cecho "${green}=====================(${yellow} Current Output Verbosity Level: ${cyan}$lse_level ${green})======================${reset}"
echo
if [ "$lse_user_id" -eq 0 ]; then
cecho "${green}============(${yellow} Already running as ${red}root${yellow}, some tests will be skipped! ${green})============${reset}"
echo
fi
} #)
lse_serve() { #(
# get port
@ -778,7 +790,8 @@ lse_run_tests_filesystem() {
# Add symlinks owned by the user (so the user can change where they point)
find / -path "$lse_home" -prune -o $lse_find_opts -type l -user $lse_user -print' \
"" \
"lse_user_writable"
"lse_user_writable" \
"rootskip"
#get setuid binaries
lse_test "fst010" "1" \
@ -906,7 +919,8 @@ lse_run_tests_filesystem() {
#files owned by user
lse_test "fst500" "2" \
"Files owned by user '$lse_user'" \
'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;'
'find / $lse_find_opts -user $lse_user -type f -exec ls -al {} \;' \
"" "" "rootskip"
#check for SSH files anywhere
lse_test "fst510" "2" \
@ -1356,6 +1370,11 @@ lse_run_tests_software() {
"Can we access MongoDB databases without credentials?" \
'echo "show dbs" | mongo --quiet | grep -E "(admin|config|local)"'
#find kerberos credentials
lse_test "sof180" "0" \
"Can we access any Kerberos credentials?" \
'find / $lse_find_opts -name "*.so" -prune -o \( -name "krb5cc*" -o -name "*.ccache" -o -name "*.kirbi" -o -name "*.keytab" \) -type f -readable -exec ls -lh {} +'
#sudo version - check to see if there are any known vulnerabilities with this
lse_test "sof500" "2" \
"Sudo version" \

@ -98,6 +98,8 @@ class ShellListener:
print("RECV first prompt")
else:
self.raw_output += data
for callback in self.on_message:
callback(data)
print("[-] Disconnected")
self.connection = None

@ -314,11 +314,12 @@ def rpad(x, n, b=b"\x00"):
return pad(x, n, b, "r")
def pad(x, n, b=b"\x00", s="r"):
if len(x) % n != 0:
pad_len = len(x) % n
if pad_len != 0:
if s == "r":
x += (n-(len(x)%n))*b
x += b * (n - pad_len)
elif s == "l":
x = (n-(len(x)%n))*b + x
x = b * (n - pad_len) + x
return x
def xor(a, b, *args):

Binary file not shown.

File diff suppressed because one or more lines are too long

@ -363,7 +363,7 @@ CALL :T_Progress 1
:WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI"
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1
:BasicUserInfo

Binary file not shown.

Binary file not shown.