PEASS-ng/linPE.sh

#!/bin/sh

file="/tmp/linPE"
RED='\033[0;31m'
Y='\033[0;33m'
B='\033[0;34m'
NC='\033[0m'
C=$(printf '\033')

suidG="/bin/fusermount\|\
/bin/mount\|\
/bin/ntfs-3g\|\
/bin/ping\|\
/bin/ping6\|\
/bin/rcp\|\
/bin/su\|\
/bin/systemctl\|\
/bin/umount\|\
/sbin/mksnap_ffs\|\
/sbin/mount.cifs\|\
/sbin/ping\|\
/sbin/ping6\|\
/sbin/poweroff\|\
/sbin/shutdown\|\
/usr/bin/at\|\
/usr/bin/atq\|\
/usr/bin/atrm\|\
/usr/bin/batch\|\
/usr/bin/bwrap\|\
/usr/bin/chage\|\
/usr/bin/chfn\|\
/usr/bin/chpass\|\
/usr/bin/chsh\|\
/usr/bin/crontab\|\
/usr/bin/doas\|\
/usr/bin/fusermount\|\
/usr/bin/gpasswd\|\
/usr/bin/kismet_capture\|\
/usr/bin/lock\|\
/usr/bin/login\|\
/usr/bin/lpq\|\
/usr/bin/lpr\|\
/usr/bin/lprm\|\
/usr/bin/mount\|\
/usr/bin/newgidmap\|\
/usr/bin/newgrp\|\
/usr/bin/newuidmap\|\
/usr/bin/ntfs-3g\|\
/usr/bin/opieinfo\|\
/usr/bin/opiepasswd\|\
/usr/bin/passwd\|\
/usr/bin/pkexec\|\
/usr/bin/quota\|\
/usr/bin/rlogin\|\
/usr/bin/rsh\|\
/usr/bin/staprun\|\
/usr/bin/su\|\
/usr/bin/sudo\|\
/usr/bin/traceroute6.iputils\|\
/usr/bin/umount\|\
/usr/bin/vmware-user-suid-wrapper\|\
/usr/lib/chromium/chrome-sandbox\|\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper\|\
/usr/lib/eject/dmcrypt-get-device\|\
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache\|\
/usr/libexec/auth/login_chpass\|\
/usr/libexec/auth/login_lchpass\|\
/usr/libexec/auth/login_passwd\|\
/usr/libexec/dbus-1/dbus-daemon-launch-helper\|\
/usr/libexec/dma-mbox-create\|\
/usr/libexec/lockspool\|\
/usr/libexec/ssh-keysign\|\
/usr/libexec/ulog-helper\|\
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic\|\
/usr/lib/openssh/ssh-keysign\|\
/usr/lib/policykit-1/polkit-agent-helper-1\|\
/usr/lib/polkit-1/polkit-agent-helper-1\|\
/usr/lib/snapd/snap-confine\|\
/usr/lib/xorg/Xorg.wrap\|\
/usr/local/bin/Xorg\|\
/usr/local/libexec/dbus-daemon-launch-helper\|\
/usr/sbin/authpf\|\
/usr/sbin/authpf-noip\|\
/usr/sbin/exim4\|\
/usr/sbin/mount.nfs\|\
/usr/sbin/pam_timestamp_check\|\
/usr/sbin/ppp\|\
/usr/sbin/pppd\|\
/usr/sbin/timedc\|\
/usr/sbin/traceroute\|\
/usr/sbin/traceroute6\|\
/usr/sbin/unix_chkpwd\|\
/usr/sbin/userhelper\|\
/usr/sbin/usernetctl\|\
/usr/X11R6/bin/Xorg"

suidB='nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|emacs\|vim\|nc\|netcat\|python\|ruby\|lua\|irb\|tar\|zip\|gdb\|pico\|scp\|git\|rvim\|script\|ash\|csh\|curl\|dash\|ed\|env\|expect\|ftp\|sftp\|node\|php\|rpm\|rpmquery\|socat\|strace\|taskset\|tclsh\|telnet\|tftp\|wget\|wish\|zsh\|ssh$\|ip$\|arp\|mtr'

sgid="/sbin/pam_extrausers_chkpwd\|\
/sbin/unix_chkpwd\|\
/usr/bin/at\|\
/usr/bin/atq\|\
/usr/bin/atrm\|\
/usr/bin/batch\|\
/usr/bin/bsd-write\|\
/usr/bin/btsockstat\|\
/usr/bin/chage\|\
/usr/bin/crontab\|\
/usr/bin/dotlockfile\|\
/usr/bin/dotlock.mailutils\|\
/usr/bin/expiry\|\
/usr/bin/lock\|\
/usr/bin/lpq\|\
/usr/bin/lpr\|\
/usr/bin/lprm\|\
/usr/bin/mlocate\|\
/usr/bin/mutt_dotlock\|\
/usr/bin/netstat\|\
/usr/bin/screen\|\
/usr/bin/skeyaudit\|\
/usr/bin/skeyinfo\|\
/usr/bin/skeyinit\|\
/usr/bin/ssh-agent\|\
/usr/bin/wall\|\
/usr/bin/write\|\
/usr/lib/emacs/24.5/i686-linux-gnu/movemail\|\
/usr/lib/evolution/camel-lock-helper-1.2\|\
/usr/libexec/auth/login_activ\|\
/usr/libexec/auth/login_crypto\|\
/usr/libexec/auth/login_radius\|\
/usr/libexec/auth/login_skey\|\
/usr/libexec/auth/login_snk\|\
/usr/libexec/auth/login_token\|\
/usr/libexec/auth/login_yubikey\|\
/usr/libexec/dma\|\
/usr/libexec/sendmail/sendmail\|\
/usr/lib/i386-linux-gnu/utempter/utempter\|\
/usr/lib/libvte9/gnome-pty-helper\|\
/usr/lib/mc/cons.saver\|\
/usr/lib/snapd/snap-confine\|\
/usr/lib/x86_64-linux-gnu/utempter/utempter\|\
/usr/lib/xemacs-21.4.22/i686-linux-gnu/movemail\|\
/usr/lib/xorg/Xorg.wrap\|\
/usr/sbin/authpf\|\
/usr/sbin/authpf-noip\|\
/usr/sbin/lpc\|\
/usr/sbin/lpd\|\
/usr/sbin/smtpctl\|\
/usr/sbin/trpt\|\
/usr/sbin/unix_chkpwd\|\
/usr/X11R6/bin/xlock\|\
/usr/X11R6/bin/xterm"

intfol="/etc/\|/root/\|/home/\|/var/log\|/mnt/\|/usr/local/sbin\|/usr/sbin\|/sbin\|/usr/local/bin\|/usr/bin\|/bin\|/usr/local/games\|/usr/games\|/usr/lib"


if [ "$(/usr/bin/id -u)" -eq "0" ]; then printf $B"[*] "$RED"YOU ARE ALREADY ROOT!!! (nothing is going to be executed)\n"$NC; exit; fi

rm -rf $file
echo "File: $file"

echo "[+]Gathering system information..."
printf $B"[*] "$RED"BASIC SYSTEM INFO\n"$NC >> $file 
echo "" >> $file
printf $Y"[+] "$RED"Operative system\n"$NC >> $file
(cat /proc/version || uname -a ) 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"PATH\n"$NC >> $file
echo $PATH 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Date\n"$NC >> $file
date 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Sudo version\n"$NC >> $file
sudo -V 2>/dev/null| grep "Sudo ver" >> $file
echo "" >> $file

printf $Y"[+] "$RED"selinux enabled?\n"$NC >> $file
sestatus 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Useful software?\n"$NC >> $file
which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Capabilities\n"$NC >> $file
getcap -r / 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Environment\n"$NC >> $file
(set || env) 2>/dev/null | grep -v "suidG\|suidB\|sgid\|intfol" >> $file
echo "" >> $file

printf $Y"[+] "$RED"Cleaned proccesses\n"$NC >> $file
ps aux 2>/dev/null | grep -v "\[" | sed "s,root,${C}[31m&${C}[0m," >> $file
echo "" >> $file

printf $Y"[+] "$RED"Binary processes permissions\n"$NC >> $file
ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Services\n"$NC >> $file
(/usr/sbin/service --status-all || /sbin/chkconfig --list || /bin/rc-status) 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Different processes executed during 1 min (HTB)\n"$NC >> $file
if [ "`ps -e --format cmd`" ]; then for i in {1..121}; do ps -e --format cmd >> $file.tmp1; sleep 0.5; done; sort $file.tmp1 | uniq | grep -v "\[" | sed '/^.\{500\}./d' >> $file; rm $file.tmp1; fi
echo "" >> $file

printf $Y"[+] "$RED"Proccesses binary permissions\n"$NC >> $file
ps aux 2>/dev/null | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Scheduled tasks\n"$NC >> $file
crontab -l 2>/dev/null >> $file
ls -al /etc/cron* 2>/dev/null >> $file
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root /var/spool/anacron 2>/dev/null | grep -v "^#" >> $file
echo "" >> $file

printf $Y"[+] "$RED"Any sd* disk in /dev?\n"$NC >> $file
ls /dev 2>/dev/null | grep -i "sd" >> $file
echo "" >> $file

printf $Y"[+] "$RED"Storage information\n"$NC >> $file
df -h 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Unmounted file-system?\n"$NC >> $file
cat /etc/fstab 2>/dev/null | grep -v "^#" >> $file
echo "" >> $file

printf $Y"[+] "$RED"Printer?\n"$NC >> $file
lpstat -a 2>/dev/null >> $file
echo "" >> $file

echo "" >> $file
echo "[+]Gathering network information..."
printf $B"[*] "$RED"NETWORK INFO\n"$NC >> $file 
echo "" >> $file
printf $Y"[+] "$RED"Hostname, hosts and DNS\n"$NC >> $file
cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" >> $file
dnsdomainname 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Networks and neightbours\n"$NC >> $file
cat /etc/networks 2>/dev/null >> $file
(ifconfig || ip a) 2>/dev/null >> $file
iptables -L 2>/dev/null >> $file
ip n 2>/dev/null >> $file
route -n 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Ports\n"$NC >> $file
(netstat -punta || ss -t; ss -u) 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Can I sniff with tcpdump?\n"$NC >> $file
timeout 1 tcpdump >> $file 2>&1
echo "" >> $file

echo "" >> $file
echo "[+]Gathering users information..."
printf $B"[*] "$RED"USERS INFO\n"$NC >> $file 
echo "" >> $file
printf $Y"[+] "$RED"Me\n"$NC >> $file
(id || (whoami && groups)) 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Sudo -l without password\n"$NC >> $file
echo '' | sudo -S -l -k 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Do I have PGP keys?\n"$NC >> $file
gpg --list-keys 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Superusers\n"$NC >> $file
awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Login\n"$NC >> $file
w 2>/dev/null >> $file
last 2>/dev/null | tail >> $file
echo "" >> $file

printf $Y"[+] "$RED"Users with console\n"$NC >> $file
cat /etc/passwd 2>/dev/null | grep "sh$" >> $file
echo "" >> $file

printf $Y"[+] "$RED"All users\n"$NC >> $file
cat /etc/passwd 2>/dev/null | cut -d: -f1 >> $file
echo "" >> $file

echo "" >> $file
echo "[+]Gathering files information..."
printf $B"[*] "$RED"INTERESTING FILES\n"$NC >> $file 
echo "" >> $file
printf $Y"[+] "$RED"SUID\n"$NC >> $file
find / -perm -4000 2>/dev/null | sed "s,$suidB,${C}[31m&${C}[0m," | sed "s,$suidG,${C}[32m&${C}[0m," >> $file
echo "" >> $file

printf $Y"[+] "$RED"SGID\n"$NC >> $file
find / -perm -g=s -type f 2>/dev/null | sed "s,$sgid,${C}[32m&${C}[0m," >> $file
echo "" >> $file

printf $Y"[+] "$RED"Files inside \$HOME (limit 20)\n"$NC >> $file
ls -la $HOME 2>/dev/null | head -n 20 >> $file
echo "" >> $file

printf $Y"[+] "$RED"20 First files of /home\n"$NC >> $file
find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER | head -n 20 >> $file
echo "" >> $file

printf $Y"[+] "$RED"Files inside .ssh directory?\n"$NC >> $file
find  /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; >> $file
echo "" >> $file

printf $Y"[+] "$RED"*sa_key* files\n"$NC >> $file
find / -type f -name "*sa_key*" -ls 2>/dev/null -exec ls -l {} \; >> $file
echo "" >> $file

printf $Y"[+] "$RED"Mails?\n"$NC >> $file
ls -alh /var/mail/ /var/spool/mail/ 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"NFS exports?\n"$NC >> $file
cat /etc/exports 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Hashes inside /etc/passwd? Readable /etc/shadow or /etc/master.passwd?\n"$NC >> $file
grep -v '^[^:]*:[x]' /etc/passwd 2>/dev/null >> $file
cat /etc/shadow /etc/master.passwd 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Readable /root?\n"$NC >> $file
ls -ahl /root/ 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Inside docker or lxc?\n"$NC >> $file
dockercontainer=`grep -i docker /proc/self/cgroup  2>/dev/null; find / -name "*dockerenv*" -exec ls -la {} \; 2>/dev/null`
lxccontainer=`grep -qa container=lxc /proc/1/environ 2>/dev/null`
if [ "$dockercontainer" ]; then echo "Looks like we're in a Docker container" >> $file; fi
if [ "$lxccontainer" ]; then echo "Looks like we're in a LXC container" >> $file; fi
echo "" >> $file

printf $Y"[+] "$RED"*_history, profile, bashrc, httpd.conf\n"$NC >> $file
find / -type f \( -name "*_history" -o -name "profile" -o -name "*bashrc" -o -name "httpd.conf" \) -exec ls -l {} \; 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"All hidden files (not in /sys/) (limit 100)\n"$NC >> $file
find / -type f -iname ".*" -ls 2>/dev/null | grep -v "/sys/" | head -n 100 >> $file
echo "" >> $file

printf $Y"[+] "$RED"What inside /tmp, /var/tmp, /var/backups\n"$NC >> $file
ls -a /tmp /var/tmp /var/backups 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Interesting writable Files\n"$NC >> $file
USER=`whoami`
HOME=/home/$USER
find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs'| sort | uniq | sed "s,$intfol,${C}[31m&${C}[0m," >> $file
for g in `groups`; do find / \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME | grep -v '/sys/fs' | sed "s,$intfol,${C}[31m&${C}[0m,"; done >> $file
echo "" >> $file

printf $Y"[+] "$RED"Web files?(output limited)\n"$NC >> $file
ls -alhR /var/www/ 2>/dev/null | head >> $file
ls -alhR /srv/www/htdocs/ 2>/dev/null | head >> $file
ls -alhR /usr/local/www/apache22/data/ 2>/dev/null | head >> $file
ls -alhR /opt/lampp/htdocs/ 2>/dev/null | head >> $file
echo "" >> $file

printf $Y"[+] "$RED"Backup files?\n"$NC >> $file
find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*back*" -o -name "*bck*" \) 2>/dev/null >> $file
echo "" >> $file

printf $Y"[+] "$RED"Find IPs inside logs\n"$NC >> $file
grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq >> $file
echo "" >> $file

printf $Y"[+] "$RED"Find 'password' or 'passw' string inside /home, /var/www, /var/log, /etc\n"$NC >> $file
grep -lRi "password\|passw" /home /var/www /var/log 2>/dev/null | sort | uniq >> $file
echo "" >> $file

printf $Y"[+] "$RED"Sudo -l (you need to puts the password and the result appear in console)\n"$NC >> $file
sudo -l