Design principles and sudo killers
GNU/Linux was built as a multi-user operating system from the start with two important principles:
The Least Privilege principle states that any entity, user or otherwise, should only be granted the minimum amount of privileges required to do its job and no more.
The second, equally important principle, is Isolation. This is implemented in user separation. The activities of one user should not be allowed to affect other users, and data belonging to one user should not be accessible to another user unless specifically allowed.
Most GNU/Linux distributions create a non-privileged user account for daily use, but one can use sudo, or download and install an app, to do things as administrator in desktop applications. With the user's password!
While the sudo system does not give unbridled root permissions, if an attacker has a limited shell that can run certain programs through sudo, he or she might be able to abuse sudo to escalate privileges.
The sudo killer tool helps to identify misconfigurations within sudo rules, vulnerabilities in the version of sudo being used (CVEs and other vulns) and the use of dangerous binaries; all of these could be abused to elevate privileges to root.
The tool will provide a list of commands or local exploits which could be exploited to elevate privilege.
It does not perform any exploitation on your behalf; the exploitation will need to be performed manually, and this is intended. Both red and blue teams can use it to their benefit.
Installation
Preferably on a kali machine.
To pull from docker:
service docker start
docker pull th3xace/sudo_killer_demo
docker run --rm -it th3xace/sudo_killer_demo
To build locally using the Dockerfile:
service docker start
git clone https://github.com/TH3xACE/SUDO_KILLER.git
cd SUDO_KILLER
docker build -t th3xace/sudo_killer_demo .
docker run --rm -it th3xace/sudo_killer_demo
Download: https://github.com/TH3xACE/SUDO_KILLER
Command usage
./sudo_killer.sh -c -r report.txt -e /tmp/
Arguments:
k : Keywords
e : export location (export /etc/sudoers)
c : include CVE checks with respect to sudo version
s : supply user password for sudo checks (not recommended, except for CTF)
r : report name (save the output)
h : help
If you need to input a password to run sudo -l, then the script will not work unless you provide a password with the -s argument.
sudo_killer does not exploit automatically by itself; it was designed to check for misconfigurations and vulnerabilities and then offer:
a list of commands to exploit
a list of exploits
some description on how and why the attack could be performed
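As an added illustration (not code from the SUDO_KILLER project), the following Python audit performs a defender's version of the sudo-rule checks described above: it parses constructed `sudo -l` output and flags rules that grant ALL, carry NOPASSWD, use wildcard arguments, or name a binary that can spawn a shell or write arbitrary files. The sample output and the SHELL_CAPABLE list are assumptions made for the demo, not an exhaustive catalogue.

```python
import re

# Constructed sample of `sudo -l` output for the demo (not from a real host)
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /usr/bin/find /var/log/*
    (www-data) /usr/bin/less /var/log/nginx/access.log
"""

# Assumed, illustrative set of binaries that offer a shell escape or arbitrary file access
SHELL_CAPABLE = {"vim", "vi", "less", "more", "find", "bash", "sh", "python3", "perl", "awk"}

# (runas) [TAG: ...] command  -- one rule line of `sudo -l` output
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_rules(sudo_l_output):
    """Return (runas, tags, command) tuples from the rule section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd")))
    return rules


def audit_rule(runas, tags, cmd):
    """List the risk indicators present in a single rule (empty list means none found)."""
    findings = []
    if cmd == "ALL":
        findings.append("ALL: unrestricted command set")
    if "NOPASSWD" in tags:
        findings.append("NOPASSWD: no authentication required")
    if "*" in cmd:
        findings.append("wildcard: argument pattern can be widened by the caller")
    binary = "" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
    if binary in SHELL_CAPABLE:
        findings.append(f"{binary}: can spawn a shell or access arbitrary files")
    return findings


def audit(sudo_l_output):
    """Return [(command, findings)] for every rule that raised at least one finding."""
    return [(cmd, f) for runas, tags, cmd in parse_rules(sudo_l_output)
            if (f := audit_rule(runas, tags, cmd))]
```

Because sudoers is evaluated with last-match-wins semantics and host/alias expansion, a clean result here only means nothing obvious was found; the rules that do get flagged are the ones to tighten (remove NOPASSWD, pin full argument lists, avoid wildcards).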
CVEs check
To update the CVE database:
./cve_update.sh
Disclaimer
This script is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that TH3xACE is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs.