Unix-Privesc-Check - Empire Module
This page contains detailed information about how to use the python/privesc/linux/unix_privesc_check Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Unix-Privesc-Check
Module: python/privesc/linux/unix_privesc_check
Source code: empire/server/modules/python/privesc/linux/unix_privesc_check.yaml
MITRE ATT&CK: T1166
Language: Python
Needs admin: No
OPSEC safe: Yes
Background: No
The unix_privesc_check module is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors with an all-in-one shell script.
This module runs in the foreground and is OPSEC unsafe, as it writes to disk and could therefore be detected by AV/EDR running on the target system.
Note that the unix_privesc_check module does not need administrative privileges to work properly, which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the unix_privesc_check module:
Agent
Agent to run on.
Ip
IP to curl script from (Default is local webserver inside agent).
Default value: 127.0.0.1.
Port
Port to setup server and curl from (Default is 8089).
Default value: 8089.
PrivSetting
Setting to run unix-privesc-check with (standard or detailed).
Default value: standard.
ServeCount
Value to set GET request count of webserver (Can be helpful if multiple agents, only host webserver once).
URL
http://<IP>:<Port>/.
Unix_privesc_check Example Usage
Here's an example of how to use the unix_privesc_check module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/multi/bash) > usemodule python/privesc/linux/unix_privesc_check
Author @Killswitch_GUI
@pentestmonkey
Background False
Comments For full comments and code: http://pentestmonkey.net/tools/audit/unix-
privesc-check
Description This script is intended to be executed locally ona Linux box to
enumerate basic system info, and search for commonprivilege escalation
vectors with a all in one shell script.
Language python
Name python/privesc/linux/unix_privesc_check
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1166
,Record Options-----------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-------------|-----------|----------|-------------------------------------|
| Agent | | True | Agent to run on. |
|-------------|-----------|----------|-------------------------------------|
| Ip | 127.0.0.1 | True | IP to curl script from (Default is |
| | | | local webserver inside agent). |
|-------------|-----------|----------|-------------------------------------|
| Port | 8089 | True | Port to setup server and curl from |
| | | | (Default is 8089). |
|-------------|-----------|----------|-------------------------------------|
| PrivSetting | standard | True | Setting to run unix-privesc-check |
| | | | with (standard or detailed). |
|-------------|-----------|----------|-------------------------------------|
| ServeCount | 1 | True | Value to set GET request count of |
| | | | webserver (Can be helpful if |
| | | | multiple agents, only host |
| | | | webserver once). |
|-------------|-----------|----------|-------------------------------------|
| URL | | True | http://<IP>:<Port>/ |
'-------------'-----------'----------'-------------------------------------'
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set Ip 127.0.0.1
[*] Set Ip to 127.0.0.1
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set Port 8089
[*] Set Port to 8089
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set PrivSetting standard
[*] Set PrivSetting to standard
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set ServeCount value
[*] Set ServeCount to value
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > set URL value
[*] Set URL to value
(Empire: usemodule/python/privesc/linux/unix_privesc_check) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
- @Killswitch_GUI
- @pentestmonkey
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/privesc/linux/unix_privesc_check.yaml
- http://pentestmonkey.net/tools/audit/unix-privesc-check
- http://attack.mitre.org/techniques/T1166
- http://pentestmonkey.net/tools/unix-privesc-check
See Also
Check also the following modules related to this module:
- python/privesc/linux/linux_priv_checker
- powershell/privesc/privesccheck
- powershell/privesc/powerup/allchecks
- powershell/exfiltration/egresscheck
- python/collection/linux/sniffer
- python/collection/linux/hashdump
- python/collection/linux/xkeylogger
- python/collection/linux/pillage_user
- python/collection/linux/mimipenguin
- python/collection/linux/keylogger
- python/privesc/multi/bashdoor
- python/privesc/multi/sudo_spawn
- python/privesc/osx/piggyback
- python/privesc/osx/dyld_print_to_file
- python/privesc/windows/get_gpppasswords
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).