SUDO KILLER : A Tool To Identify & Exploit Sudo Rules’ Misconfigurations & Vulnerabilities Within Sudo

SUDO KILLER is a tool which help to abuse SUDO in different ways and with the main objective of performing a privilege escalation on Linux environment.

The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the used of dangerous binary, all of these could be abuse to elevate privilege to ROOT.

SUDO KILLER will then provide a list of commands or local exploits which could be exploited to elevate privilege.

SUDO KILLER does not perform any exploitation on your behalf, the exploitation will need to be performed manually and this is intended.

Default Usage

Example: ./sudo_killer.sh -c -r report.txt -e /tmp/

Also Read – DIE : Program For Determining Types Of Files For Windows, Linux & MacOS

Arguments

  • k : Keywords
  • e : export location (export /etc/sudoers)
  • c : include CVE checks with respect to sudo version
  • s : supply user password for sudo checks (not recommended ++except for CTF)
  • r : report name (save the output)
  • h : help

CVEs check

To update the CVE database : run the following script ./cve_update.sh

IMPORTANT !!!

If you need to input a password to run sudo -l then the script will not work if you don’t provide a password with the argument -s.

**NOTE : sudo_killer does not exploit automatically by itself, it was designed like this on purpose but check for misconguration and vulnerabilities and then propose you the following (if you are lucky the route to root is near!) :

  • a list of commands to exploit
  • a list of exploits
  • some description on how and why the attack could be performed

Why is it possible to run “sudo -l” without a password?

By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run “sudo -l” without a password. This behavior may be overridden via the verifypw and listpw options.

However, these rules only affect the current user, so if user impersonation is possible (using su) sudo -l should be launched from this user as well.

Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.

To pull from docker

service docker start 
docker pull th3xace/sudo_killer_demo 
docker run –rm -it th3xace/sudo_killer_demo

To build locally using the Dockerfile

service docker start 
git clone https://github.com/TH3xACE/SUDO_KILLER.git 
cd SUDO_KILLER 
docker build -t th3xace/sudo_killer_demo . 
docker run –rm -it th3xace/sudo_killer_demo

And it will spawn a interactive shell with low user privileges.

Credits

The script was written by myself but with the help of a lot of online ressources found on github and in the wild, I thanks those people who inspire me. The credits and the links are shown when their exploits/decriptions are used when running the script.

Special kudos to Vincent Puydoyeux 🙂 who gave me the idea to develop this tool.

Disclaimer

This script is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (TH3xACE) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not my responsibility.

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

17 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

17 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

2 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago