Merge pull request #1 from adi7312/dev

1st stable ver
adi7312 · Aug 8, 2023 · 1f7107c · 1f7107c
2 parents 066c1a6 + d57576e
commit 1f7107c
Show file tree

Hide file tree

Showing 2 changed files with 258 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -25,4 +25,31 @@ For now, script perfrom these tasks:
   * Checkinge env variables
   * Checking /etc/shells
 * Files enum:
-  * SUID binaries
+  * SUID binaries
+  * SGID binaries
+  * Capabilities
+  * Config files
+  * .bak files
+  * Available compilers
+  * Private keys
+  * Git credentials
+  * NFS Shares
+* Crontab enum:
+  * Checking crons/jobs of current and other users
+* Service enum:
+  * Running processess
+  * Content of init.d
+  * Checking installed serivces: mysql, postgresql, apache2 (more services will be added in the future)
+* Docker enum:
+  * Checking if we are inside container
+  * Docker version, images, files (to be expanded)
+* LXC/LXD enum:
+  * Checking if we are LXC/LXD container
+
+
+Running script:
+
+    git clone https://github.com/adi7312/LEES.git
+    cd LEES
+    chmod +x lees.sh
+    ./lees.sh
diff --git a/lees.sh b/lees.sh
@@ -125,7 +125,7 @@ function user_enum(){
 
     # finding .ssh directories
     echo -e "[*] Looking for ssh directories"
-    ssh_dirs=`timeout 1 find / -name .ssh -exec ls -la {} 2>/dev/null \;` 
+    ssh_dirs=`find / -name .ssh -exec ls -la {} 2>/dev/null \;` 
     if [[ $ssh_dirs ]]; then
         echo -e "\e[0;31m[+] .ssh directories found: \e[m"
         echo -e "\e[0;34m$ssh_dirs\e[m"
@@ -220,7 +220,7 @@ function env_enum(){
     fi
 
     # check available shells
-    shells=`cat /etc/shells 2>/dev/null`
+    shells=`cat /etc/shells 2>/dev/null | tail -n +1`
     if [[ $shells ]]; then
         echo -e "[*] Available shells: \n$shells"
     else
@@ -233,21 +233,247 @@ function env_enum(){
 function files_enum(){
     echo -e '\e[0;32m-------------------Performing files enumeration-------------------\e[m'
     # checking suid binaries from GTFO, via HackTheBox
-    suid_binaries=`timeout 1 find / -perm -4000 -type f 2>/dev/null`
+    suid_binaries=`find / -perm -4000 -type f 2>/dev/null`
     if [[ $suid_binaries ]]; then
         echo -e "\e[0;31m[+] SUID binaries: \n$suid_binaries\e[m"
     else
         echo -e "[-] Can't get any SUID binaries"
     fi
 
+    # looking for .config files
+    config_files=`find / ! -path /proc -iname "*config*" 2>/dev/null`
+    if [[ $config_files ]]; then
+        echo -e "[*] config files: \n"
+        echo -e "\e[0;34m$config_files\e[m"
+    else
+        echo -e "[-] Can't get any .config files"
+    fi
+
+    # looking for .bak files
+    bak_files=`find / ! -path /proc -iname "*.bak*" 2>/dev/null`
+    if [[ $bak_files ]]; then
+        echo -e "[*] Found some .bak files: \n"
+        echo -e "\e[0;34m$bak_files\e[m"
+    else
+        echo -e "[-] Can't get any .bak files"
+    fi
+
+    # installed compilers
+    compilers=`dpkg --list 2>/dev/null| grep compiler`
+    if [[ $compilers ]]; then
+        echo -e "[*] Installed compilers: \n"
+        echo -e "\e[0;34m$compilers\e[m"
+    else
+        echo -e "[-] Can't get any installed compilers"
+    fi
+
+    # looking for sgid files
+    sgid_files=`find / ! -path /proc -perm -2000 -type f 2>/dev/null`
+    if [[ $sgid_files ]]; then
+        echo -e "\e[0;31m[+] Found some sgid files: \n\e[m"
+        echo -e "\e[0;34m$sgid_files\e[m"
+    else
+        echo -e "[-] Can't get any sgid files"
+    fi
+
+    # checking files with capabilities
+    capabilities=`getcap -r / 2>/dev/null`
+    if [[ $capabilities ]]; then
+        echo -e "[*] Files with capabilities: \n"
+        echo -e "\e[0;34m$capabilities\e[m"
+    else
+        echo -e "[-] Can't get any files with capabilities"
+    fi
+
+    # lookig for private keys
+    echo -e "\e[1;33mWarning: this operation could be slow\e[m"
+    read -p 'Do you want to look for private keys?? [n/y]: ' option
+    if [[ $option == 'y' ]]; then
+        priv_keys=`grep -rl PRIVATE KEY---- /home 2>/dev/null`
+        if [[ $priv_keys ]]; then
+            echo -e "\e[0;31m[+] Found some private keys: \n\e[m"
+            echo -e "\e[0;34m$priv_keys\e[m"
+        else
+            echo -e "[-] Can't get any private keys"
+        fi
+    fi
+
+    # lookig for git credentials
+    git=`find / -type f -name ".git-credentials" 2>/dev/null`
+    if [[ $git ]]; then
+        echo -e "\e[0;31m[+] Found some git credentials: \n\e[m"
+        echo -e "\e[0;34m$git\e[m"
+    else
+        echo -e "[-] Can't get any git credentials"
+    fi
+
+    # listing nfs shares
+    nfs=`showmount -e 2>/dev/null`
+    if [[ $nfs ]]; then
+        echo -e "[*] NFS shares: \n"
+        echo -e "\e[0;34m$nfs\e[m"
+    else
+        echo -e "[-] Can't get any NFS shares"
+    fi
+
+    # listing smb shares
+    smb=`smbclient -L \\\\localhost -N 2>/dev/null`
+    if [[ $smb ]]; then
+        echo -e "[*] SMB shares: \n"
+        echo -e "\e[0;34m$smb\e[m"
+    else
+        echo -e "[-] Can't get any SMB shares"
+    fi
+
+    # checking htpasswd
+    htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null`
+    if [[ $htpasswd ]]; then
+        echo -e "\e[0;31m[+] Found some htpasswd files (possible credentials leak): \n\e[m"
+        echo -e "\e[0;34m$htpasswd\e[m"
+    else
+        echo -e "[-] Can't get any htpasswd files"
+    fi
 }
 
+function cron_enum(){
+    echo -e '\e[0;32m-------------------Performing cron jobs enumeration-------------------\e[m'
+    # checking cron jobs
+    cron=`ls -la /etc/cron* 2>/dev/null; cat /etc/crontab 2>/dev/null; crontab -l 2>/dev/null`
+    if [[ $cron ]]; then
+        echo -e "[*] Cron jobs: \n$cron"
+    else
+        echo -e "[-] Can't get any cron jobs"
+    fi
+
+    # checking if we can modify any cron job
+    cron_files=`find /etc/cron* -perm -o+w 2>/dev/null`
+    if [[ $cron_files ]]; then
+        echo -e "\e[0;31m[+] You can modify the following cron jobs: \n\e[m"
+        echo -e "\e[0;34m$cron_files\e[m"
+    else
+        echo -e "[-] Can't modify any cron job"
+    fi
+
+    # checking crontabs of other uses
+    cronusers=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null`
+    if [[ $cronusers ]]; then
+        echo -e "\e[0;31m[+] Cron jobs of other users: \n\e[m"
+        echo -e "\e[0;34m$cronusers\e[m"
+    else
+        echo -e "[-] Can't get any cron jobs of other users"
+    fi
 
+}
+
+function service_enum(){
+    echo -e '\e[0;32m-------------------Performing service and software enumeration-------------------\e[m'
+    # checking running processes
+    processes=`ps aux 2>/dev/null`
+    if [[ $processes ]]; then
+        echo -e "\e[0;31m[+] Running processes: \n\e[m"
+        echo -e "\e[0;34m$processes\e[m"
+    else
+        echo -e "[-] Can't get any running processes"
+    fi
+
+    # check content of init.d 
+    initd=`ls -la /etc/init.d/ 2>/dev/null`
+    if [[ $initd ]]; then
+        echo -e "\e[0;31m[+] Content of init.d: \n\e[m"
+        echo -e "\e[0;34m$initd\e[m"
+    else
+        echo -e "[-] Can't get any content of init.d"
+    fi
+
+    # checking if mysql is installed
+    mysql=`mysql --version 2>/dev/null`
+    if [[ $mysql ]]; then
+        echo -e "[*] MySQL version: $mysql\n"
+    else
+        echo -e "[-] Can't get MySQL version"
+    fi
+
+    # checking if postgres is installed
+    postgres=`psql --version 2>/dev/null`
+    if [[ $postgres ]]; then
+        echo -e "[*] Postgres version: $postgres\n"
+
+    else
+        echo -e "[-] Can't get Postgres version"
+    fi
+
+    # checking if apache is installed
+    apache=`apache2 -v 2>/dev/null`
+    if [[ $apache ]]; then
+        echo -e "[*] Apache version: $apache\n"
+    else
+        echo -e "[-] Can't get Apache version"
+    fi
+
+}
+
+function docker_enum(){
+    echo -e '\e[0;32m-------------------Performing docker enumeration-------------------\e[m'
+
+    # checking if we are inside container
+    container=`cat /proc/self/cgroup 2>/dev/null | grep -i docker; find / -name "*dockerenv*" 2>/dev/null`
+    if [[ $container ]]; then
+        echo -e "\e[0;31m[+] You are probably inside docker container: \n\e[m"
+        echo -e "\e[0;34m$container\e[m"
+    else
+        echo -e "[-] You are not inside docker container"
+    fi
+
+    # check docker version
+    docker_ver=`docker --version 2>/dev/null`
+    if [[ $docker_ver ]]; then
+        echo -e "[*] Docker version: $docker_ver\n"
+    else
+        echo -e "[-] Can't get Docker version"
+    fi
+
+    # check docker files
+    docker_files=`find / -name "Dockerfile" -exec ls -l {} 2>/dev/null \;`
+    if [[ $docker_files ]]; then
+        echo -e "[*] Fond some Docker files: \n"
+        echo -e "\e[0;34m$docker_files\e[m"
+    else
+        echo -e "[-] Can't get Docker files"
+    fi
+
+    # check docker images
+    docker_images=`docker images 2>/dev/null`
+    if [[ $docker_images ]]; then
+        echo -e "[*] Docker images: \n"
+        echo -e "\e[0;34m$docker_images\e[m"
+    else
+        echo -e "[-] Can't get Docker images"
+    fi
+
+}
+
+function lxc_lxd_enum(){
+    echo -e '\e[0;32m-------------------Performing LXC/LXD enumeration-------------------\e[m'
+    # check if we are inside lxc/lxd container
+    lxc=`cat /proc/self/cgroup 2>/dev/null | grep -i lxc || grep -qa container=lxc /proc/1/environ 2>/dev/null`
+    if [[ $lxc ]]; then
+        echo -e "\e[0;31m[+] You are probably inside lxc/lxd container: \n\e[m"
+        echo -e "\e[0;34m$lxc\e[m"
+    else
+        echo -e "[-] You are not inside lxc/lxd container"
+    fi
+
+
+}
 
 
 
 system_enum
 user_enum
 net_enum
 env_enum
-files_enum
+files_enum
+cron_enum
+service_enum
+docker_enum
+lxc_lxd_enum