From 0401fbd5c83fa25fcd7d1e96a924a6bdbd383fec Mon Sep 17 00:00:00 2001 From: ad1s0n Date: Mon, 7 Aug 2023 00:37:26 +0200 Subject: [PATCH 1/3] Adding config files --- lees.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lees.sh b/lees.sh index d24308c..3f08465 100755 --- a/lees.sh +++ b/lees.sh @@ -220,7 +220,7 @@ function env_enum(){ fi # check available shells - shells=`cat /etc/shells 2>/dev/null` + shells=`cat /etc/shells 2>/dev/null | tail -n +1` if [[ $shells ]]; then echo -e "[*] Available shells: \n$shells" else @@ -240,6 +240,14 @@ function files_enum(){ echo -e "[-] Can't get any SUID binaries" fi + # looking for .config files + config_files=`timeout 5 find / ! -path /proc -iname "*config*" 2>/dev/null` + if [[ $config_files ]]; then + echo -e "\e[0;31m[+] config files: \n\e[m" + echo -e "\e[0;34m$config_files\e[m" + else + echo -e "[-] Can't get any .config files" + fi } From b4e47139d1aef4c921bef7b1573ff358484b4e44 Mon Sep 17 00:00:00 2001 From: ad1s0n Date: Mon, 7 Aug 2023 11:40:54 +0200 Subject: [PATCH 2/3] Upgrading files enum, adding cron and service enum --- README.md | 23 +++++++++- lees.sh | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 143 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1a95702..91fd026 100644 --- a/README.md +++ b/README.md @@ -25,4 +25,25 @@ For now, script perfrom these tasks: * Checkinge env variables * Checking /etc/shells * Files enum: - * SUID binaries \ No newline at end of file + * SUID binaries + * SGID binaries + * Capabilities + * Config files + * .bak files + * Available compilers + * Private keys + * Git credentials + * NFS Shares +* Crontab enum: + * Checking crons/jobs of current and other users +* Service enum: + * Running processess + * Content of init.d + + +Running script: + + git clone https://github.com/adi7312/LEES.git + cd LEES + chmod +x lees.sh + ./lees.sh \ No newline at end of file diff --git a/lees.sh b/lees.sh index 3f08465..535f895 100755 --- a/lees.sh +++ b/lees.sh @@ -248,6 +248,124 @@ function files_enum(){ else echo -e "[-] Can't get any .config files" fi + + # looking for .bak files + bak_files=`timeout 5 find / ! -path /proc -iname "*.bak*" 2>/dev/null` + if [[ $bak_files ]]; then + echo -e "\e[0;31m[+] Found some .bak files: \n\e[m" + echo -e "\e[0;34m$bak_files\e[m" + else + echo -e "[-] Can't get any .bak files" + fi + + # installed compilers + compilers=`dpkg --list 2>/dev/null| grep compiler` + if [[ $compilers ]]; then + echo -e "\e[0;31m[+] Installed compilers: \n\e[m" + echo -e "\e[0;34m$compilers\e[m" + else + echo -e "[-] Can't get any installed compilers" + fi + + # looking for sgid files + sgid_files=`timeout 5 find / ! -path /proc -perm -2000 -type f 2>/dev/null` + if [[ $sgid_files ]]; then + echo -e "\e[0;31m[+] Found some sgid files: \n\e[m" + echo -e "\e[0;34m$sgid_files\e[m" + else + echo -e "[-] Can't get any sgid files" + fi + + # checking files with capabilities + capabilities=`getcap -r / 2>/dev/null` + if [[ $capabilities ]]; then + echo -e "\e[0;31m[+] Files with capabilities: \n\e[m" + echo -e "\e[0;34m$capabilities\e[m" + else + echo -e "[-] Can't get any files with capabilities" + fi + + # lookig for private keys + echo -e "\e[1;33mWarning: this operation could be slow\e[m" + read -p 'Do you want to look for private keys?? [n/y]: ' option + if [[ $option == 'y' ]]; then + priv_keys=`grep -rl PRIVATE KEY---- /home 2>/dev/null` + if [[ $priv_keys ]]; then + echo -e "\e[0;31m[+] Found some private keys: \n\e[m" + echo -e "\e[0;34m$priv_keys\e[m" + else + echo -e "[-] Can't get any private keys" + fi + fi + + # lookig for git credentials + git=`timeout 5find / -type f -name ".git-credentials" 2>/dev/null` + if [[ $git ]]; then + echo -e "\e[0;31m[+] Found some git credentials: \n\e[m" + echo -e "\e[0;34m$git\e[m" + else + echo -e "[-] Can't get any git credentials" + fi + + # listing nfs shares + nfs=`timeout 5 showmount -e 2>/dev/null` + if [[ $nfs ]]; then + echo -e "\e[0;31m[+] NFS shares: \n\e[m" + echo -e "\e[0;34m$nfs\e[m" + else + echo -e "[-] Can't get any NFS shares" + fi +} + +function cron_enum(){ + echo -e '\e[0;32m-------------------Performing cron jobs enumeration-------------------\e[m' + # checking cron jobs + cron=`ls -la /etc/cron* 2>/dev/null; cat /etc/crontab 2>/dev/null; crontab -l 2>/dev/null` + if [[ $cron ]]; then + echo -e "[*] Cron jobs: \n$cron" + else + echo -e "[-] Can't get any cron jobs" + fi + + # checking if we can modify any cron job + cron_files=`find /etc/cron* -perm -o+w 2>/dev/null` + if [[ $cron_files ]]; then + echo -e "\e[0;31m[+] You can modify the following cron jobs: \n\e[m" + echo -e "\e[0;34m$cron_files\e[m" + else + echo -e "[-] Can't modify any cron job" + fi + + # checking crontabs of other uses + cronusers=`cut -d ":" -f 1 /etc/passwd | xargs -n1 crontab -l -u 2>/dev/null` + if [[ $cronusers ]]; then + echo -e "\e[0;31m[+] Cron jobs of other users: \n\e[m" + echo -e "\e[0;34m$cronusers\e[m" + else + echo -e "[-] Can't get any cron jobs of other users" + fi + +} + +function service_enum(){ + echo -e '\e[0;32m-------------------Performing service enumeration-------------------\e[m' + # checking running processes + processes=`ps aux 2>/dev/null` + if [[ $processes ]]; then + echo -e "\e[0;31m[+] Running processes: \n\e[m" + echo -e "\e[0;34m$processes\e[m" + else + echo -e "[-] Can't get any running processes" + fi + + # check content of init.d + initd=`ls -la /etc/init.d/ 2>/dev/null` + if [[ $initd ]]; then + echo -e "\e[0;31m[+] Content of init.d: \n\e[m" + echo -e "\e[0;34m$initd\e[m" + else + echo -e "[-] Can't get any content of init.d" + fi } @@ -258,4 +376,6 @@ system_enum user_enum net_enum env_enum -files_enum \ No newline at end of file +files_enum +cron_enum +service_enum \ No newline at end of file From d57576e88b6f3a4d0b2b3c9730417f303fdabef6 Mon Sep 17 00:00:00 2001 From: ad1s0n Date: Mon, 7 Aug 2023 12:38:00 +0200 Subject: [PATCH 3/3] First stable version. --- README.md | 6 +++ lees.sh | 126 ++++++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 118 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 91fd026..9b3e8ef 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,12 @@ For now, script perfrom these tasks: * Service enum: * Running processess * Content of init.d + * Checking installed serivces: mysql, postgresql, apache2 (more services will be added in the future) +* Docker enum: + * Checking if we are inside container + * Docker version, images, files (to be expanded) +* LXC/LXD enum: + * Checking if we are LXC/LXD container Running script: diff --git a/lees.sh b/lees.sh index 535f895..fd4bb97 100755 --- a/lees.sh +++ b/lees.sh @@ -125,7 +125,7 @@ function user_enum(){ # finding .ssh directories echo -e "[*] Looking for ssh directories" - ssh_dirs=`timeout 1 find / -name .ssh -exec ls -la {} 2>/dev/null \;` + ssh_dirs=`find / -name .ssh -exec ls -la {} 2>/dev/null \;` if [[ $ssh_dirs ]]; then echo -e "\e[0;31m[+] .ssh directories found: \e[m" echo -e "\e[0;34m$ssh_dirs\e[m" @@ -233,7 +233,7 @@ function env_enum(){ function files_enum(){ echo -e '\e[0;32m-------------------Performing files enumeration-------------------\e[m' # checking suid binaries from GTFO, via HackTheBox - suid_binaries=`timeout 1 find / -perm -4000 -type f 2>/dev/null` + suid_binaries=`find / -perm -4000 -type f 2>/dev/null` if [[ $suid_binaries ]]; then echo -e "\e[0;31m[+] SUID binaries: \n$suid_binaries\e[m" else @@ -241,18 +241,18 @@ function files_enum(){ fi # looking for .config files - config_files=`timeout 5 find / ! -path /proc -iname "*config*" 2>/dev/null` + config_files=`find / ! -path /proc -iname "*config*" 2>/dev/null` if [[ $config_files ]]; then - echo -e "\e[0;31m[+] config files: \n\e[m" + echo -e "[*] config files: \n" echo -e "\e[0;34m$config_files\e[m" else echo -e "[-] Can't get any .config files" fi # looking for .bak files - bak_files=`timeout 5 find / ! -path /proc -iname "*.bak*" 2>/dev/null` + bak_files=`find / ! -path /proc -iname "*.bak*" 2>/dev/null` if [[ $bak_files ]]; then - echo -e "\e[0;31m[+] Found some .bak files: \n\e[m" + echo -e "[*] Found some .bak files: \n" echo -e "\e[0;34m$bak_files\e[m" else echo -e "[-] Can't get any .bak files" @@ -261,14 +261,14 @@ function files_enum(){ # installed compilers compilers=`dpkg --list 2>/dev/null| grep compiler` if [[ $compilers ]]; then - echo -e "\e[0;31m[+] Installed compilers: \n\e[m" + echo -e "[*] Installed compilers: \n" echo -e "\e[0;34m$compilers\e[m" else echo -e "[-] Can't get any installed compilers" fi # looking for sgid files - sgid_files=`timeout 5 find / ! -path /proc -perm -2000 -type f 2>/dev/null` + sgid_files=`find / ! -path /proc -perm -2000 -type f 2>/dev/null` if [[ $sgid_files ]]; then echo -e "\e[0;31m[+] Found some sgid files: \n\e[m" echo -e "\e[0;34m$sgid_files\e[m" @@ -279,7 +279,7 @@ function files_enum(){ # checking files with capabilities capabilities=`getcap -r / 2>/dev/null` if [[ $capabilities ]]; then - echo -e "\e[0;31m[+] Files with capabilities: \n\e[m" + echo -e "[*] Files with capabilities: \n" echo -e "\e[0;34m$capabilities\e[m" else echo -e "[-] Can't get any files with capabilities" @@ -299,7 +299,7 @@ function files_enum(){ fi # lookig for git credentials - git=`timeout 5find / -type f -name ".git-credentials" 2>/dev/null` + git=`find / -type f -name ".git-credentials" 2>/dev/null` if [[ $git ]]; then echo -e "\e[0;31m[+] Found some git credentials: \n\e[m" echo -e "\e[0;34m$git\e[m" @@ -308,13 +308,31 @@ function files_enum(){ fi # listing nfs shares - nfs=`timeout 5 showmount -e 2>/dev/null` + nfs=`showmount -e 2>/dev/null` if [[ $nfs ]]; then - echo -e "\e[0;31m[+] NFS shares: \n\e[m" + echo -e "[*] NFS shares: \n" echo -e "\e[0;34m$nfs\e[m" else echo -e "[-] Can't get any NFS shares" fi + + # listing smb shares + smb=`smbclient -L \\\\localhost -N 2>/dev/null` + if [[ $smb ]]; then + echo -e "[*] SMB shares: \n" + echo -e "\e[0;34m$smb\e[m" + else + echo -e "[-] Can't get any SMB shares" + fi + + # checking htpasswd + htpasswd=`find / -name .htpasswd -print -exec cat {} \; 2>/dev/null` + if [[ $htpasswd ]]; then + echo -e "\e[0;31m[+] Found some htpasswd files (possible credentials leak): \n\e[m" + echo -e "\e[0;34m$htpasswd\e[m" + else + echo -e "[-] Can't get any htpasswd files" + fi } function cron_enum(){ @@ -348,7 +366,7 @@ function cron_enum(){ } function service_enum(){ - echo -e '\e[0;32m-------------------Performing service enumeration-------------------\e[m' + echo -e '\e[0;32m-------------------Performing service and software enumeration-------------------\e[m' # checking running processes processes=`ps aux 2>/dev/null` if [[ $processes ]]; then @@ -366,10 +384,88 @@ function service_enum(){ else echo -e "[-] Can't get any content of init.d" fi + + # checking if mysql is installed + mysql=`mysql --version 2>/dev/null` + if [[ $mysql ]]; then + echo -e "[*] MySQL version: $mysql\n" + else + echo -e "[-] Can't get MySQL version" + fi + + # checking if postgres is installed + postgres=`psql --version 2>/dev/null` + if [[ $postgres ]]; then + echo -e "[*] Postgres version: $postgres\n" + + else + echo -e "[-] Can't get Postgres version" + fi + + # checking if apache is installed + apache=`apache2 -v 2>/dev/null` + if [[ $apache ]]; then + echo -e "[*] Apache version: $apache\n" + else + echo -e "[-] Can't get Apache version" + fi + +} + +function docker_enum(){ + echo -e '\e[0;32m-------------------Performing docker enumeration-------------------\e[m' + + # checking if we are inside container + container=`cat /proc/self/cgroup 2>/dev/null | grep -i docker; find / -name "*dockerenv*" 2>/dev/null` + if [[ $container ]]; then + echo -e "\e[0;31m[+] You are probably inside docker container: \n\e[m" + echo -e "\e[0;34m$container\e[m" + else + echo -e "[-] You are not inside docker container" + fi + + # check docker version + docker_ver=`docker --version 2>/dev/null` + if [[ $docker_ver ]]; then + echo -e "[*] Docker version: $docker_ver\n" + else + echo -e "[-] Can't get Docker version" + fi + + # check docker files + docker_files=`find / -name "Dockerfile" -exec ls -l {} 2>/dev/null \;` + if [[ $docker_files ]]; then + echo -e "[*] Fond some Docker files: \n" + echo -e "\e[0;34m$docker_files\e[m" + else + echo -e "[-] Can't get Docker files" + fi + + # check docker images + docker_images=`docker images 2>/dev/null` + if [[ $docker_images ]]; then + echo -e "[*] Docker images: \n" + echo -e "\e[0;34m$docker_images\e[m" + else + echo -e "[-] Can't get Docker images" + fi + } +function lxc_lxd_enum(){ + echo -e '\e[0;32m-------------------Performing LXC/LXD enumeration-------------------\e[m' + # check if we are inside lxc/lxd container + lxc=`cat /proc/self/cgroup 2>/dev/null | grep -i lxc || grep -qa container=lxc /proc/1/environ 2>/dev/null` + if [[ $lxc ]]; then + echo -e "\e[0;31m[+] You are probably inside lxc/lxd container: \n\e[m" + echo -e "\e[0;34m$lxc\e[m" + else + echo -e "[-] You are not inside lxc/lxd container" + fi +} + system_enum @@ -378,4 +474,6 @@ net_enum env_enum files_enum cron_enum -service_enum \ No newline at end of file +service_enum +docker_enum +lxc_lxd_enum \ No newline at end of file