SUDO_KILLER : A Tool To Identify & Exploit Sudo Rules

SUDO_KILLER is a tool that can be used for privilege escalation on linux environment by abusing SUDO in several ways. The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the use of dangerous binary, all of these could be abused to elevate privilege to ROOT.

It will then provide a list of commands or local exploits which could be exploited to elevate privilege. It is worth noting that the tool does not perform any exploitation on your behalf, the exploitation will need to be performed manually and this is intended.

Features

Some of the checks/functionalities that are performed by the tool.

  • Misconfigurations
  • Dangerous Binaries
  • Vulnerable versions of sudo – CVEs
  • Dangerous Environment Variables
  • Credential Harvesting
  • Writable directories where scripts reside
  • Binaries that might be replaced
  • Identify missing scripts

Usage

Example Online mode

./sudo_killer.sh -c -e -r report.txt -p /tmp

Example Offline mode

Run extract.sh on system to be audited/victim machine. Copy the output from /tmp/sk_offline.txt on the system to be audited/victim machine to your host.

  • Note: Three checks are missing in the offline mode, still in dev… coming soon…

Run SK with the below parameter:

./sudo_killer.sh -c -i /path/sk_offline.txt

Optional arguments

  • -c : include CVE checks with respect to sudo version
  • -i : import (offline mode) from extract.sh
  • -e : include export of sudo rules / sudoers file
  • -r : report name (save the output)
  • -p : path where to save export and report
  • -s : supply user password for sudo checks (not recommended ++except for CTF)
  • -h : help

CVEs check

To update the CVE database : run the following script ./cve_update.sh

Providing password (Important)

If you need to input a password to run sudo -l then the script will not work if you don’t provide a password with the argument -s.

How to run SK on the targetted/audited machine

If you are on a machine that has internet connection, just git clone the tool and run it. If you are on a machine that does not have internet, then git clone on your host, compress the tool (tar) then transfert the compressed file via http/smb (apache web server / python simplehttpserver / smb server / nc) then uncompressed the file on the targeted system and enjoy!

Notes

It does not exploit automatically by itself, it was designed like this on purpose but check for misconguration and vulnerabilities and then propose you the following (if you are lucky the route to root is near!) :

  • a list of commands to exploit
  • a list of exploits
  • some description on how and why the attack could be performed

Why is it possible to run “sudo -l” without a password?

By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run “sudo -l” without a password. This behavior may be overridden via the verifypw and listpw options.

However, these rules only affect the current user, so if user impersonation is possible (using su) sudo -l should be launched from this user as well.

Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.

Demos

WARNING

It is part of the KILLER project. It is still under development and there might be some issues, please create an issue if you found any. **

Other tool will be added to the KILLER project in the coming months so stay tuned up. Also ideas, bug reports, contributions are more than welcome !

Credits

The script was developed from myself with the help of online resources found on github and in the wild. Credits also to the authors of the exploits related to CVEs. The authors information and links can be found in the exploit and in the notes provided when running the tool. Special kudos to Vincent Puydoyeux, who gave me the idea to develop this tool and Koutto, for helping me with the docker thing and for improving the tool.

R K

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

23 hours ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 day ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 day ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 day ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 day ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 day ago