An offensive bash script which tries to find GENERIC privesc vulnerabilities and issues.
Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
tools
README.md
shotovuln.sh

README.md

shotovuln

An offensive bash script which tries to find GENERIC privilege escalation or privilege changes vulnerabilities and similar issues on *Nix systems. The tool will try to focus only on useful information.

target audience

Pentesters which need accurate and useful information for privilege escalation

the script follow this guidelines

  • non interactive shell
  • stealth, try not to touch drive except if needed, try to run everything in memory
  • do not output useless information, only valid vuln or nothing
  • run as low privilege user
  • show clear path to root if it exists
  • no colors, can be used outside of standard terminals
  • user should pipe output to file for better read
  • try to document the vuln example in comments (ie CVE-xxx CWE weakness)
  • requirement on the compromised box : *nix OS, bash [+ python , pip: for bruteforce]

typical usage: you get a webshell on *nix and you want to elevate

options

Usage: ./shotovuln.sh [currentpassword] [brute] [network] [nosuidaudit] [pupy] [msf]

another audit script for Linux again ? seriously ?

Yes and no. We will try to be attack oriented. Alternative for this script (lynis, upc, ...) are outputing too much unecessary information or information which need to be cross checked. These step slow down pentesters in their tentative to escalate. The script also focuses on the cause of the vulnerability so it might find new ones.