facebookincubator · d0n601 · Aug 21, 2024
@@ -0,0 +1,64 @@
+# Identify Privilege Escalation Paths with Linux Smart Enumeration
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP helps identify privilege escalation paths using Linux Smart
+Enumeration, a tool that automates the discovery of local privilege escalation
+vulnerabilities on Linux-based operating systems.
+
+## Arguments
+
+- **escalate_privileges**: A boolean flag indicating whether to run the TTP as
+  root or not. Default is false.
+- **download_link**: The URL to download the latest version of `lse.sh` from
+  GitHub. Default is
+  [https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh](https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh)
+
+## Pre-requisites
+
+1. A Linux-based operating system.
+2. Bash shell.
+
+## Examples
+
+You can run the TTP using the following example (after updating the arguments):
+
+```bash
+ttpforge run forgearmory//privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml \
+  --arg escalate_privileges=true
+```
+
+## Steps
+
+1. **ensure-root-user-if-required**: This step checks if the TTP needs to be run
+   as root and ensures that it is being executed as the root user.
+2. **download-and-run-lse**: This step downloads the latest version of `lse.sh`
+   from GitHub and executes it with bash.
+
+## Manual Reproduction Steps
+
+```
+# Escalate privileges to root (optional - being root gives you more info)
+sudo su
+
+# Download and run lse
+curl -sL https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | bash
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+  - TA0003 Execution
+  - TA0007 Discovery
+- **Techniques**:
+  - T1059 Command and Scripting Interpreter
+  - T1087 Account Discovery
+  - T1083 File and Directory Discovery
+  - T1057 Process Discovery
+  - T1069 Permission Groups Discovery
+  - T1518 Software Discovery
+  - T1082 System Information Discovery
+  - T1033 System Owner/User Discovery
+  - T1007 System Service Discovery
+- **Subtechniques**:
+  - T1059.004 Command and Scripting Interpreter Unix Shell
@@ -0,0 +1,57 @@
+---
+api_version: 2.0
+uuid: 11b1b974-d720-4ab0-80c5-e539c103d0fd
+name: identify-privilege-escalation-paths-with-lse
+description: Downloads latest Linux Smart Enumeration from Github and executes it with bash
+requirements:
+  platforms:
+    - os: linux
+args:
+  - name: escalate_privileges
+    default: false
+  - name: download_link
+    default: https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
+mitre:
+  tactics:
+    - TA0003 Execution
+    - TA0007 Discovery
+  techniques:
+    - T1059 Command and Scripting Interpreter
+    - T1087 Account Discovery
+    - T1083 File and Directory Discovery
+    - T1057 Process Discovery
+    - T1069 Permission Groups Discovery
+    - T1518 Software Discovery
+    - T1082 System Information Discovery
+    - T1033 System Owner/User Discovery
+    - T1007 System Service Discovery
+  subtechniques:
+    - T1059.004 Command and Scripting Interpreter Unix Shell
+steps:
+  - name: setup
+    inline: |
+      if ! command -v curl &> /dev/null; then
+          echo "Error: curl is not installed on the current system, cannot download lse."
+          exit 1
+      fi
+  - name: ensure-root-user-if-required
+    inline: |
+      echo "{{ .Args.escalate_privileges }}"
+      if [[ {{ .Args.escalate_privileges }} -ne 0 ]]; then
+        if [[ "${EUID}" -ne 0 ]]; then
+            echo "error: TTP must be run as root."
+            exit 1
+        fi
+      else
+        echo "No need to run as root."
+      fi
+  - name: download-and-run-lse
+    inline: |
+      curl -sL https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | bash
+      execution_status=$?
+      if [[ "${execution_status}" == 0 ]]; then
+        echo "TTP Ran Successfully"
+        exit 0
+      else
+        exit 1
+      fi