
# LEAP

LEAP: Local Enumeration And Privesc. By Ben Roxbee Cox, Oliver Furlong, Omar and Andrei.

Introduction

In this group project we are going to perform enumeration, that is, gather as much information as possible from the local system, and we are also going to explore some privilege escalation methods. We are going to build our tool to run on Linux and Windows operating systems. Each of us will work independently to design and build his own tool. However, we will contribute some functionality to each other's projects.

LEAP

# Discussions

During the first meeting we decided on all of the names and file trees that we will work with. This included having separate subdirectories for the Linux and Windows plugins. We agreed that all enumerations would be inside one file, but priv escs would have their own file. For the function naming convention, we decided that all Windows enumerators will be named winEnum{name} and all Linux enumerators will be called linEnum{name}. For the file tree we chose that all programs will be in the /src directory, Windows and Linux will each have a subdirectory, the enumeration script will be in /src, the enumeration plugins will be in only one file, and priv escs will each have their own file.


Plugins

This project uses a number of plugins to carry out the enumeration and priv esc. Each plugin will be written by one author and then integrated into the other projects.

Enumeration

Windows

checkIfAdmin

Author: Oliver Furlong

This plugin will check whether the user already has admin privileges, just in case. This function will return True/False, and if it returns True LEAP will ask whether enumeration should still run.

Host Information

Author: Andrei Ciobotaru

This plugin will gather information about the host such as the operating system, kernel version, and host name.

appsNServices

Author: Oliver Furlong

fileInfo

Author: Oliver Furlong

Will enumerate the file system to gather information on file permissions, whether any potentially sensitive files can be read, whether the user can read files from other users, etc.

Network Information

Author: Andrei Ciobotaru

A plugin to gather network information such as the IP address, the MAC address, and the name of the WiFi network the target is connected to.

Linux

checkRoot

Author: Ben Roxbee Cox

This plugin will check whether the user already has root privileges, just in case. This function will return True/False, and if it returns True LEAP will ask whether enumeration should still run.

cronInfo

Author: Ben Roxbee Cox

Returns information about cron jobs. This information could be useful because if a running cron job has incorrect file permissions, an attacker could manipulate the file to exploit the local system.
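The permission check described above can be sketched as follows. This is an added example, not LEAP's own code: the name `linEnumCronPerms` only follows the linEnum{name} convention and is hypothetical, as are the helper functions and the constructed sample crontab and scripts in `demo()`.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) from lines in /etc/crontab format."""
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        # Skip blanks, comments, environment assignments and short lines.
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]

def loose_write_bits(path):
    """Return which non-owner write bits are set on path."""
    mode = os.stat(path).st_mode
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return []  # sticky directory: others cannot replace files they do not own
    checks = ((stat.S_IWOTH, "world-writable"), (stat.S_IWGRP, "group-writable"))
    return [label for bit, label in checks if mode & bit]

def linEnumCronPerms(crontab_text):  # hypothetical name, see lead-in
    """Report cron jobs whose target file or its directory has loose write bits."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        target = command.split()[0]
        if not os.path.isabs(target) or not os.path.exists(target):
            continue  # shell builtins and PATH lookups are out of scope here
        for path in (target, os.path.dirname(target)):
            findings += [(user, path, why) for why in loose_write_bits(path)]
    return findings

def demo():
    """Constructed sample: two throwaway scripts and a crontab running them as root."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    safe, loose = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((safe, 0o755), (loose, 0o777)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = "\n".join(["PATH=/usr/bin:/bin", "# m h dom mon dow user command",
                         f"0 2 * * * root {safe} --full", f"*/5 * * * * root {loose}"])
    return [(u, os.path.basename(p), why) for u, p, why in linEnumCronPerms(crontab)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding is a job whose script should be tightened to owner-only write access (for example mode 0755 owned by the account the job runs as).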

fileInfo

Author: Ben Roxbee Cox

Will enumerate the file system to gather information on file permissions, whether any potentially sensitive files can be read, whether the user can read files from other users, etc. It will also check for SUID files that could be exploited.

networkInfo

Author: Omar Alhendi

A plugin to gather network information such as the IP address, the MAC address, and the name of the WiFi network the target is connected to.

devProgs

Author: Omar Alhendi

Priv-Esc

Windows

Linux

SUID Exploiter

Author: Ben Roxbee Cox

This is an exploit which searches for SUID files on the host system and checks them against a large dictionary of known vulnerable SUIDs and safe SUIDs. It then categorises them as Unexploitable, Possibly exploitable and Definitely exploitable. If there is an SUID with an entry on GTFOBins, it links to the GTFOBins page. If it finds an SUID with a known easy exploit, it runs the exploit and drops into a shell.

Docker Exploiter

Author: Ben Roxbee Cox

This plugin is a Linux Docker exploiter. It requires the current user to be a member of the "docker" group. This exploit leverages the fact that Docker essentially runs as root, so a member of the docker group can mount the root file system inside a Docker container and operate as the root user via that container.