alhendio/OMARLEAP

This branch is 24 commits ahead, 2 commits behind CUEH:master.

Introduction:

Enumeration and Privilege Escalation is a group project in which my team and I each build an enumeration and privilege escalation tool independently, and then merge parts of our projects into each other’s. It is a tool used for penetration testing, so we need to gather information and find out whether there is a vulnerable method we can use to escalate privileges. The gathered information tells us which vulnerability we can use to perform a privilege escalation on the local host.

User Documentation:

The program presents the enumerations and privilege escalations in a menu; pressing the option for a specific piece of information displays it. The other options are the privilege escalations, which can be executed to display the restricted permission that was escalated.

To run LEAP, first choose a character, E (Enumeration) or P (Privesc), case sensitive, depending on whether you need to run the enumeration or the privilege escalation first, and then choose the number {num} corresponding to the option you need. The menu is shown in the picture below.

To operate LEAP, choose the option with a capital letter, {E} or {P}, followed by the number of the desired option, then press "Y" to complete the operation, "N" to change the choice, or "Q" to quit the menu.

Unit tests:

Function - Test - Expected Results  
test_host() - Checking if the user is “student” - student  
test_host() - Checking if it matches platform.node() - 4061CEMVbox  
test_host() - If UID and GID is available - True  
test_host() - UID, GID is not equal to 0 - True  
test_host() - Checking UserID and GroupsID is not available. (Typo Errors) - True  
test_kernel() - If Platform.system in output - True = Linux  
test_kernel() - Checking if the User is not root - True  
test_kernel() - Checking the Architecture - x86_64  
test_kernel() - CPU op-mode(s) - 32-bit, 64-bit  
test_network() - Checking the ip address for the local host - 10.0.2.15  
test_network() - If 80/tcp port is open - True  
test_network() - If 8080/tcp port is open - True  
test_network() - If it generates ip address “inet” - inet is Available  
test_network() - If it generates localhost ipaddress - Loopback is available  
test_app() - If user root available - Root is Available  
test_app() - If user student Available - Student is Available  
test_app() - The directory “/usr/bin” - True available  
test_network() - The directory “/usr/sbin” - True Available  
test_network() - The file “/etc/passwd” is not Available - True  
test_network() - The file “/etc/shadow” is not Available - True  

Plugins:

My plugins and documentation:

For the documentation: Introduction to the project.

To make the following enumerations:

  • Network Info, Host Info, Kernel Info, Applications & Services in Linux and General Information in Windows.

Also, to make the privescs:

  • Privescs that use the SUID bit to show and edit restricted files such as "/etc/shadow". Both of them are on the Linux operating system.

Other Members' Duties:

The documentation: User guide, Decisions and plugins.

Plugins for the others:

  • Member1: Check if root, Cron jobs, Priv Esc - SUID & Docker (Linux)
  • Member2: Check if admin, Applications & Services, Files Info and a PrivEsc. (Windows)
  • Member3: Network Info, Host Info, Priv Esc. (Windows)

Group Working and Decisions:

First, our group is number 7. We distributed the tasks among the members, and we made some uniform decisions that should be consistent for all of us:

  1. Define function naming convention:
  • winEnumUsers
  • linEnumUsers

  2. File tree:
  • All programs will be in the /src/ directory.
  • A subdirectory for each of Windows and Linux.
  • Enumeration script in base /src/.
  • Enumeration plugins will be in one file.
  • Each plugin will have its own class.

My Plugins:

Basic Task:

Description: In this task, 2 enumeration methods and one method of privilege escalation should be developed. The methods should work on Linux systems.

In this task I have two enumerations, and they are Host Info and Network Information. Also, one privilege escalation, which uses SUID to access the restricted file "/etc/shadow".

For the two enumerations, I have gathered information about the host, which includes the hostname, the current working user, who is online and the list of users on the host. Second, for kernel information, I have gathered general kernel info, operating system info and the current operating system version. The kernel info and host info are in the same class.

Algorithm:

In the basic task I have put the host and kernel information in the same class. In the execute function, I collect all the answers into a string that starts empty and return it. I have also used the GrabOutput() function to be able to print out the answers in an organized way.

For the privilege escalation, I have used the SUID method to escalate permissions on the command “cat”, which gives permission to view restricted files, and that enabled me to view “/etc/shadow”.

Intermediate Task:

This task requires 1 method of privilege escalation and 2 enumeration methods for each group member. Also, in this task we can perform methods for different operating systems like Linux and Windows.

The two enumerations run on Linux, and I have enumerated Network Information and Applications Running by Root. Network information gives me the ability to know the IP address and other important components of the current local host. Applications running by root are very useful to gather information about, since the application itself can lead to root privileges. The screenshots show the Network Info and the Applications running by root, respectively.

Algorithm:

Like the basic task, I use a class for every enumeration. In every class, execute() collects all the answers into a string that starts empty; after that the answers are returned and printed.

For the privilege escalation method, I have set the SUID bit on the command “chmod”, which is responsible for changing permissions on restricted files, and this leads to write, read, and execute access. This privilege escalation gives me the ability to make the restricted file “/etc/shadow” writable, which is a very dangerous thing to do.
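The condition both privescs rely on, a root-owned SUID copy of “cat” or “chmod” and the “/etc/shadow” permissions that result, can be audited with a short check. This is an added example, not code from the LEAP repository; `classify`, `audit`, `shadow_flags` and `RISKY_SUID` are hypothetical names, and the default directories are the two named in the unit tests.

```python
import os
import stat

# cat and chmod are the two binaries the README sets SUID on; callers can extend the set.
RISKY_SUID = frozenset({"cat", "chmod"})


def classify(name, mode, uid, risky=RISKY_SUID):
    """Return 'risky', 'suid' or None from a file's basename, st_mode and owner uid."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    return "risky" if uid == 0 and name in risky else "suid"


def audit(dirs=("/usr/bin", "/usr/sbin"), risky=RISKY_SUID):
    """List (verdict, path, mode string) for every SUID file found in dirs."""
    findings = []
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:                      # missing or unreadable directory
            continue
        for e in entries:
            try:
                st = e.stat(follow_symlinks=False)
            except OSError:
                continue
            verdict = classify(e.name, st.st_mode, st.st_uid, risky)
            if verdict:
                findings.append((verdict, e.path, stat.filemode(st.st_mode)))
    return sorted(findings)


def shadow_flags(mode):
    """Flag /etc/shadow permission bits that expose it to every local user."""
    flags = []
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


if __name__ == "__main__":
    for verdict, path, perms in audit():
        print(f"{verdict:5} {perms} {path}")
    try:
        print("/etc/shadow:", shadow_flags(os.stat("/etc/shadow").st_mode) or "ok")
    except OSError as exc:
        print("/etc/shadow not checked:", exc)
```

A `risky` line means a file reader or permission changer runs with root's identity for every local user; ordinary SUID programs are reported as `suid` so they can be compared against a known-good baseline.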

OS Detection:

In this task we run multiple enumerations for different operating systems, so the user should see the appropriate choices for his OS. So, I have used the platform module with platform.system() and if statements to determine which options, for either the enumeration or the privesc, are suitable to run on the OS the program is in.
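A sketch of how the one-class-per-plugin design, the execute() string building and the platform.system() check fit together with the case-sensitive E/P menu. It is an added example, not the repository's code: the class names follow the README's lin*/win* convention but are hypothetical, as are `PLUGINS`, `build_menu` and `select`, and only enumeration plugins are shown.

```python
import os
import platform


class Plugin:
    """One class per plugin; execute() builds and returns its answers as a string."""
    name, kind, systems = "base", "E", ()   # kind: "E" enumeration or "P" privesc

    def execute(self):
        raise NotImplementedError


class linEnumHost(Plugin):                  # hypothetical name, lin* convention
    name, kind, systems = "Host Info", "E", ("Linux",)

    def execute(self):
        out = ""                            # start empty, append each answer
        out += f"hostname: {platform.node()}\n"
        out += f"uid={os.getuid()} gid={os.getgid()}\n"
        out += f"kernel: {platform.system()} {platform.release()} {platform.machine()}\n"
        return out


class winEnumGeneral(Plugin):               # hypothetical name, win* convention
    name, kind, systems = "General Information", "E", ("Windows",)

    def execute(self):
        return f"hostname: {platform.node()}\nversion: {platform.version()}\n"


PLUGINS = [linEnumHost, winEnumGeneral]


def build_menu(system=None):
    """Group the plugins that support this OS by menu letter, numbered from 1."""
    system = system or platform.system()
    menu = {"E": {}, "P": {}}
    for cls in PLUGINS:
        if system in cls.systems:
            menu[cls.kind][len(menu[cls.kind]) + 1] = cls
    return menu


def select(menu, letter, num):
    """Case-sensitive lookup: 'e' or an unknown number returns None."""
    return menu.get(letter, {}).get(num)


if __name__ == "__main__":
    chosen = select(build_menu(), "E", 1)
    print(chosen().execute() if chosen else "no enumeration for this OS")
```

Declaring the supported systems on each class keeps the OS check in one place, so a Windows-only plugin never appears in the Linux menu and calls such as os.getuid() are never reached on a platform that lacks them.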

About

LEAP: Local Enumeration And Privesc. Framework for project.

Languages

  • Python 84.2%
  • C# 10.6%
  • Makefile 4.2%
  • PowerShell 1.0%