SUDO KILLER : A Tool To Identify & Exploit Sudo Rules’ Misconfigurations & Vulnerabilities Within Sudo

SUDO KILLER is a tool which help to abuse SUDO in different ways and with the main objective of performing a privilege escalation on Linux environment.

The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the used of dangerous binary, all of these could be abuse to elevate privilege to ROOT.

SUDO KILLER will then provide a list of commands or local exploits which could be exploited to elevate privilege.

SUDO KILLER does not perform any exploitation on your behalf, the exploitation will need to be performed manually and this is intended.

Default Usage

Example: ./sudo_killer.sh -c -r report.txt -e /tmp/

Also Read – DIE : Program For Determining Types Of Files For Windows, Linux & MacOS

Arguments

  • k : Keywords
  • e : export location (export /etc/sudoers)
  • c : include CVE checks with respect to sudo version
  • s : supply user password for sudo checks (not recommended ++except for CTF)
  • r : report name (save the output)
  • h : help

CVEs check

To update the CVE database : run the following script ./cve_update.sh

IMPORTANT !!!

If you need to input a password to run sudo -l then the script will not work if you don’t provide a password with the argument -s.

**NOTE : sudo_killer does not exploit automatically by itself, it was designed like this on purpose but check for misconguration and vulnerabilities and then propose you the following (if you are lucky the route to root is near!) :

  • a list of commands to exploit
  • a list of exploits
  • some description on how and why the attack could be performed

Why is it possible to run “sudo -l” without a password?

By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run “sudo -l” without a password. This behavior may be overridden via the verifypw and listpw options.

However, these rules only affect the current user, so if user impersonation is possible (using su) sudo -l should be launched from this user as well.

Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.

To pull from docker

service docker start 
docker pull th3xace/sudo_killer_demo 
docker run –rm -it th3xace/sudo_killer_demo

To build locally using the Dockerfile

service docker start 
git clone https://github.com/TH3xACE/SUDO_KILLER.git 
cd SUDO_KILLER 
docker build -t th3xace/sudo_killer_demo . 
docker run –rm -it th3xace/sudo_killer_demo

And it will spawn a interactive shell with low user privileges.

Credits

The script was written by myself but with the help of a lot of online ressources found on github and in the wild, I thanks those people who inspire me. The credits and the links are shown when their exploits/decriptions are used when running the script.

Special kudos to Vincent Puydoyeux 🙂 who gave me the idea to develop this tool.

Disclaimer

This script is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (TH3xACE) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not my responsibility.

R K

Recent Posts

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

36 minutes ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

58 minutes ago

Add and Delete Users on Ubuntu 18.04: A Practical Guide

Managing user accounts is one of the most basic system administration tasks on any Linux…

1 hour ago

Install Wine on Ubuntu 18.04: Run Windows Apps on Linux

Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…

1 hour ago

Install KVM on Ubuntu 18.04: Setup, Network, and Create VMs

KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…

1 hour ago

Upgrade to Ubuntu 20.04 LTS: Prepare, Update, and Confirm

Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…

1 day ago