#---------------------------------------------------------------------------------#
# Name = Linux Quick n' Dirty Privilege Escalation Check Script #
# Author = Raj Chowdhury #
# Usage = chmod +x LinuxPrivCheck.sh && ./LinuxPrivCheck.sh #
#---------------------------------------------------------------------------------#
echo " "
echo -e "\e[35m#----------------------------------#"
echo -e "\e[35m# \e[36m OS Information \e[35m #"
echo -e "\e[35m#----------------------------------#"
echo " "
echo -e "\e[39m"
# Kernel name, release and architecture. The release is what gets compared
# against the distribution's kernel security advisories when judging patch level.
uname -a
# Distribution banner first, then every /etc/*release file the glob matches.
# An unmatched glob is passed to cat literally and shows up as a cat error.
for os_file in /etc/issue /etc/*release
do
cat "$os_file"
done
echo " "
echo -e "\e[35m#----------------------------------#"
echo -e "\e[35m# \e[36m Network Information \e[35m #"
echo -e "\e[35m#----------------------------------#"
echo " "
echo -e "\e[39m"
# Resolver configuration followed by the static hosts table.
cat /etc/resolv.conf /etc/hosts
# Kernel routing table, numeric (no reverse DNS lookups).
route -n
# Firewall rules. NOTE(review): listing rules normally needs root, so for an
# unprivileged user this probably prints a permission error - confirm per host.
iptables -L
# Interface definitions. NOTE(review): this path looks Debian-style; on other
# distributions the file may simply be absent and cat will report that.
cat /etc/network/interfaces
echo " "
echo -e "\e[35m#----------------------------------#"
echo -e "\e[35m# \e[36m Password Information \e[35m #"
echo -e "\e[35m#----------------------------------#"
echo " "
echo -e "\e[39m"
echo -e "\e[34m"
echo "----------|Password File|-----------"
echo " "
echo -e "\e[39m"
# Account database; readable by every local user.
cat /etc/passwd
echo " "
echo -e "\e[39m"
echo -e "\e[34m"
echo "-----------|Shadow File|------------"
echo " "
echo -e "\e[39m"
# Password hashes. If this read succeeds for a non-root user, the file's
# ownership or mode is too loose and should be corrected.
cat /etc/shadow
echo " "
echo -e "\e[34m"
echo " "
echo "------------|SSH Keys|--------------"
echo " "
echo -e "\e[39m"
# Everything printed by this loop is key material or trust configuration:
#   - root's authorized_keys and known_hosts,
#   - the invoking user's RSA/DSA private keys,
#   - the SSH daemon's DSA/RSA host private keys.
# A successful read of a private key by an unprivileged user is itself the
# finding. Any saved copy of this script's output must be stored as a secret.
for key_file in /root/.ssh/authorized_keys /root/.ssh/known_hosts ~/.ssh/id_rsa ~/.ssh/id_dsa /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
do
cat "$key_file"
done
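echo " "
echo -e "\e[35m#----------------------------------#"
echo -e "\e[35m# \e[36m Misc. Information \e[35m #"
echo -e "\e[35m#----------------------------------#"
echo " "
echo -e "\e[39m"
echo -e "\e[34m"
echo "------|Important Executables|-------"
echo -e "\e[39m"
echo " "
# Inventory of download, network, scripting and build tooling on the host.
# Prints the resolved path of each tool that is on PATH and nothing for the
# ones that are missing. On a hardened server, tools that are not needed
# (a compiler, netcat) are candidates for removal.
#
# `command -v` is used instead of `which`: it is a shell builtin, so the check
# still works on minimal installs that do not ship `which`, and it never prints
# a "no <tool> in ..." message.
for tool in wget nc netcat python python3 gcc perl
do
command -v "$tool"
done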
echo -e "\e[34m"
echo " "
echo "-----------|Sudoers File|-----------"
echo " "
echo -e "\e[39m"
# Sudo policy. NOTE(review): this file is normally readable by root only, so a
# permission error here is the expected result for an unprivileged user.
cat /etc/sudoers
echo -e "\e[34m"
echo " "
echo "--------------|Users|---------------"
echo " "
echo -e "\e[39m"
# Login names only: first colon-separated field of each passwd entry.
cut -d: -f1 </etc/passwd
echo -e "\e[34m"
echo " "
echo "-------------|Groups|---------------"
echo " "
echo -e "\e[39m"
# Group database, including supplementary group membership lists.
cat /etc/group
echo -e "\e[34m"
echo " "
echo "-----------|SUID Files|-------------"
echo " "
echo -e "\e[39m"
# Regular files with the set-user-ID bit (octal 4000), listed in long format.
# Review the result against the set the distribution is expected to ship;
# entries outside that set should be investigated. Errors from unreadable
# directories are discarded.
find / -type f -perm -4000 -exec ls -la {} + 2>/dev/null
echo -e "\e[34m"
echo " "
echo "-----------|GUID Files|-------------"
echo " "
echo -e "\e[39m"
# Regular files with the set-group-ID bit (octal 2000). The heading above says
# "GUID", but what is listed is SGID files.
find / -type f -perm -2000 -exec ls -la {} + 2>/dev/null
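echo -e "\e[34m"
echo " "
echo "-----------|NO ROOT SQUASH|---------"
echo " "
echo -e "\e[39m"

# Print the lines of an NFS exports file ($1) on which no_root_squash is active.
#
# no_root_squash turns off the mapping of a client's root user to an
# unprivileged account, so it belongs only on exports that genuinely need it.
# The pattern requires the option to appear before any '#'. Commented-out
# export lines and trailing remarks are therefore not reported; the previous
# plain grep counted them as findings.
#
# Arguments: $1 - path to the exports file
# Outputs:   matching lines on stdout
# Returns:   0 if at least one active line matched, non-zero otherwise
#            (including when the file is missing or unreadable)
_exports_no_root_squash() {
  grep -E '^[^#]*no_root_squash' "$1" 2>/dev/null
}

if nfs_hits=$(_exports_no_root_squash /etc/exports)
then
  echo "NO_ROOT_SQUASH FOUND! "
  printf '%s\n' "$nfs_hits"
else
  echo "NO_ROOT_SQUASH NOT FOUND!"
fi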
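echo -e "\e[34m"
echo " "
echo "----------------|EXIM|--------------"
echo " "
echo -e "\e[39m"
# Report whether the Exim MTA is installed and, if so, its version line, so the
# version can be checked against the distribution's security advisories.
# `command -v` replaces the `which | wc -c` test: it does not depend on `which`
# being installed and is not fooled by a `which` that prints a "not found"
# message on stdout.
if command -v exim >/dev/null 2>&1
then
  echo -n "EXIM FOUND! "
  exim -bV | grep version
else
  echo "EXIM NOT FOUND!"
fi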
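echo -e "\e[34m"
echo " "
echo "-------------|CHKROOTKIT|-----------"
echo " "
echo -e "\e[39m"
# Report whether chkrootkit is installed and, if so, its version, so the version
# can be checked against the distribution's security advisories.
# `command -v` replaces the `which | wc -c` test: it does not depend on `which`
# being installed and is not fooled by a `which` that prints a "not found"
# message on stdout.
if command -v chkrootkit >/dev/null 2>&1
then
  echo -n "CHKROOTKIT FOUND! "
  chkrootkit -V
else
  echo "CHKROOTKIT NOT FOUND!"
fi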
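echo -e "\e[34m"
echo " "
echo "-------------|MySQL Creds|-----------"
echo " "
echo -e "\e[39m"
# Look for WordPress configuration files and print their database settings.
#
# The file list is computed once with find and then reused. Previously the
# existence test used find but the read used `locate`. That depends on
# `locate` being installed with a current index, and it word-split paths that
# contain spaces. The three greps were also chained with &&, so a file without
# a DB_NAME line suppressed the other two settings.
#
# Output now groups the matching lines per file rather than per setting.
# The printed lines include the database password in clear text; treat any
# captured output as a secret. A "Permission denied" from grep means the file
# exists but is not readable by the current user.
wp_config_paths=$(find / -iname wp-config.php 2>/dev/null)
if [ -n "$wp_config_paths" ]
then
  echo "WP-CONFIG.PHP FOUND! "
  printf '%s\n' "$wp_config_paths" | while IFS= read -r wp_config_path
  do
    grep -E 'DB_(NAME|USER|PASSWORD)' -- "$wp_config_path"
  done
else
  echo "WP-CONFIG.PHP NOT FOUND!"
fi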
echo -e "\e[34m"
echo " "
echo "--------------|FSTab|---------------"
echo " "
echo -e "\e[39m"
# Static mount table: devices, mount points and mount options.
cat /etc/fstab
echo -e "\e[34m"
echo " "
echo "---------|Daily Cron Jobs|----------"
echo " "
echo -e "\e[39m"
# Long listing of the drop-in and daily cron directories, one ls per directory.
# The owner and mode columns are what matter: job files should be owned by root
# and not writable by group or others.
for cron_dir in /etc/cron.d/ /etc/cron.daily/
do
ls -la "$cron_dir"
done
echo -e "\e[34m"
echo " "
echo "-------------|Crontab|--------------"
echo " "
echo -e "\e[39m"
# System-wide crontab. Each script it references deserves the same
# ownership and mode review as the job files above.
cat /etc/crontab
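echo -e "\e[34m"
echo " "
echo "------|World Writable Folders|------"
echo " "
echo -e "\e[39m"
# Directories writable by "others". The previous predicate, -perm -222, only
# matched directories writable by owner AND group AND others, so a directory
# with a mode such as 757 was silently missed. -perm -0002 tests the
# other-write bit alone, which is what the heading promises.
# Directories that also carry the sticky bit (for example /tmp) are expected;
# world-writable directories without it are the ones to remediate.
find / -type d -perm -0002 2>/dev/null
echo -e "\e[34m"
echo " "
echo "-----------|Home Directory|---------"
echo " "
echo -e "\e[39m"
# Owner and mode of each home directory; errors are discarded.
ls -ahl /home/ 2>/dev/null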
echo " "
# NOTE(review): the original comment on this line read "Clear Command History",
# which is not what the command does. touch creates ~/.bash_history if it is
# missing and otherwise only updates its timestamps; the contents are unchanged.
# It is also the only command in this script that writes to the filesystem.
# A run is therefore not read-only, and the new mtime on ~/.bash_history is an
# artefact that shows when the script was executed.
touch ~/.bash_history
echo " "
# Closing banner, then reset the foreground colour to the terminal default.
echo -e "\e[35m#----------------------------------#"
echo -e "\e[35m# \e[36m Script has been completed! \e[35m #"
echo -e "\e[35m#----------------------------------#"
echo " "
echo -e "\e[39m"