diff --git a/README.md b/README.md index 802ebd3a..5bcc7f00 100644 --- a/README.md +++ b/README.md @@ -1,79 +1,29 @@ +#LEAP +LEAP: Local Enumeration And Privesc. By Ben Roxbee Cox, Oliver Fulong, Omar and Andrei. + # Introduction In this group project we are going to do enumerations which is to gather information from the local system as much as possible, also we are going to discover some privilege escalation methods. We are going to build our tool to run Linux and Windows operating systems. Everyone of us will work independently to build and design his own tool. However, we will contibute some functionalities to each other's projects. +# LEAP -# LEAP +#Discusions +During the first meeting we decided all of the names and file trees that we will +work with. This included having seperate sub directories for the Linux and Windows plugins. +We agreed that all enumerations would be inside one file, but priv escs would have their own file. +For the function naming convention, we decided that all +Windows enumarators will be named winEnum{name} and all Linux enumarators will be +called linEnum{name}. For the file tree we chose that all programs will be in /src +directory, Windows and Linux will each have a sub directory, the enumeration script +will be in /src, the enumeration plugins will be in only one file, +but priv escs would each have their own file. LEAP: Local Enumeration And Privesc. By Ben Roxbee Cox, Oliver Fulong, Omar and Andrei. - -## What is here? - -Not much. - -This project requires you to generate most of the actual code -yourselves. To start with, each team should work on a fork of this -repository together to define the common features of the individual -pieces of functionality - we'll refer to them as "plugins". This is a -kind of **design by contract**, which you can read about here: -. Some -things to decide might be: - - Will each piece of functionality be in a separate file or subdirectory? - - Will your team have a naming convention? For example, maybe all - windows enumerators will begin with "wEnum_", linux with "lEnum_" - and so on. - - What will each function return or display? Will each function - print out to the user? Or will it return a block of text in a - string? Or a list of lines? Or maybe a dict with some meta-info - (version, plugin name, plugin author, date, time, etc.) and text - data? Or JSON? All are possibilities. - - Will you have a standard set of parameters to be passed in? Or can - each plugin have a different set of required parameters? - - What plugins will be implemented? Who will be the author? - -You should document these decisions here in the `README.md` file. Once -you are all happy with this, stage, commit and push it to your shared -fork. Then, each team member can begin writing their own tool by -creating an individual fork. Naming your tool something sensible and -uniquely identifiable at this point will be very helpful. If you all -keep the simple name "LEAP", you will find it tricky to remember which -repository you are working on later. You can call your own fork -whatever you like. - -When the individual tools are working and each team member has their -own plugins working, it is their responsibility to liaise with the -other members of the team to import the other plugins. Each team -member should create a fork of the repositories of each of their -team-mates, integrate their plugins and submit a pull-request for each -fork. - -So, if the team members are A, B, C and D, we will have one fork to -start with in which the team collaborates on defining the basics. -Then A will create a personal fork of the shared repository and work -on their tool and plugins. When they're done, they will create forks -from their team-mate's repositories. Let's call them LEAP-B, LEAP-C -and LEAP-D. A will then port their plugins to each of these new forks -and submit pull requests for them to be merged into the repositories -of their teammates. - -## Why? - -This might seem overly complex, but it's not. In reality, this is one -of the common ways people collaborate using git. You can fork any -public project and work on your own copy without needing to ask -permission or get added to the original repo, then if you want to -recommend your changes to the original author you create a pull -request and they can decide to merge it into their work or not. - -In this project you will be getting experience of working on a project -and receiving multiple pull-requests from contributors and at the same -time, contributing to the repositories of others. - -# Plugins +## Plugins This project uses a number of plugins in order to carry out the enumeration and priv esc. Each plugin will be written by one author and then integrated into the the other projects. ## Enumaration ### Windows @@ -128,4 +78,4 @@ This is an exploit which searches for SUID Files on the host system and checks t #### Docker Exploiter **Author: Ben Roxbee Cox** -This plugin is a Linux Docker exploiter. It requires the current user to be a member of the "docker" group. This exploit leverages the fact that that Docker essentially runs as root, and so a member of the docker group can mount the root file system inside a docker container and operate as the root user via the docker container. +This plugin is a Linux Docker exploiter. It requires the current user to be a member of the "docker" group. This exploit leverages the fact that that Docker essentially runs as root, and so a member of the docker group can mount the root file system inside a docker container and operate as the root user via the docker container. \ No newline at end of file diff --git a/src/js_plugins.py b/src/js_plugins.py new file mode 100644 index 00000000..6024f093 --- /dev/null +++ b/src/js_plugins.py @@ -0,0 +1,46 @@ +""" Plugins for LEAP designed by James Shuttleworth """ + +from plugins import PrivEsc, Enumeration + +import os, tempfile + +from subprocess import Popen, PIPE + +import pty + + +# A very basic method, but useful +def shellRun(command): + """ Put given commands into a temporary file, spawn a shell and explain how to use the command """ + f = tempfile.NamedTemporaryFile(delete=False) + fname=f.name + f.write(command.encode()) + f.close() + os.system(f"chmod u+x {fname}") + print(f"Execute command with '{fname}'...\nCtrl-D to leave shell") + + pty.spawn("/bin/bash") + #os.system(fname) + os.unlink(fname) + + +class DumbSudoEscalation(PrivEsc): + """An example plugin that tries to use `sudo su` to get root. + + Requires being given the password for the current user and relies + on the current user having sudo privs, so while technically it + escalates proveleges, it does so only if you already have the + right credentials + + """ + def __init__(self, pw): + PrivEsc.__init__(self) + self.pw=pw + self.name="DumbSudoEscalation - not that useful" + self.author="James Shuttleworth" + self.description="Use sudo to 'hack' into the root account" + def execute(self): + print("Executing") + + shellRun("sudo xterm") + print("Done") diff --git a/src/leap.py b/src/leap.py old mode 100644 new mode 100755 index b4c6d13c..1a5e85d9 --- a/src/leap.py +++ b/src/leap.py @@ -1,22 +1,59 @@ -def dummyFunc(data): - """ This function is a placeholder """ - import base64 - out="" - for i in data: - v=ord(i) - v=((v&1)<<6) | (v>>1) - out+=chr(v) - return base64.b64encode(str.encode("".join(out))).decode() +#!/usr/bin/env python3 -def unDummyFunc(data): - """ This function is a placeholder """ - import base64 - out="" - for i in base64.b64decode(str.encode(data)).decode("utf-8"): - v=ord(i) - v=((v&64)>>6) | ((v<<1)&127) - out+=chr(v) - return "".join(out) +from js_plugins import DumbSudoEscalation if __name__=="__main__": - print("Your code goes here") + #Make a list of available privescs + pes=[] + pes.append(DumbSudoEscalation("swordfish")) + #And enumerations + ens=[] + + + shouldQuit=False + + while not shouldQuit: + print("=".join("-"*10)) + print(" Logo here...") + print("LEAP Menu") + + print("\nPrivescs:") + for i in range(len(pes)): + print(f"\tP{i}: {pes[i].name}") + + print("\nEnumerations:") + for i in range(len(ens)): + print(f"\tE{i}: {ens[i].name}") + + print("\nQ to quit") + print() + userInput=input("Enter a selection: ") + print("-"*20) + #remove whitespace, make uppercase + userInput=userInput.strip().upper() + + if userInput == "Q": + shouldQuit=True + + elif (userInput[0] in ["P","E"] and #Privesc or enumeration + len(userInput)>1): #Make sure it's more than 1 letter + + useList=ens + if userInput[0]=="P": + useList=pes + index=userInput[1:] #Get the number part... + for i in index: + if not i.isdigit(): + print("Invalid selection:",userInput) + break + else: + index=int(index) #Make it a number + if index