Convert Figma logo to code with AI

TH3xACE logoSUDO_KILLER

A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.

2,185
250
2,185
0

Top Related Projects

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

6,934

Scripted Local Linux Enumeration & Privilege Escalation Checks

Linux enumeration tool for pentesting and CTFs with verbosity levels

13,197

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

Quick Overview

SUDO_KILLER is a tool designed to identify and exploit sudo rules misconfigurations and vulnerabilities. It aims to assist security professionals and system administrators in auditing sudo configurations to prevent potential privilege escalation attacks. The tool performs various checks and provides detailed reports on potential security issues related to sudo usage.

Pros

  • Comprehensive analysis of sudo configurations
  • Provides detailed reports and recommendations for remediation
  • Regularly updated with new vulnerability checks
  • Useful for both offensive and defensive security teams

Cons

  • Requires root access for full functionality
  • May produce false positives in some scenarios
  • Limited documentation for advanced usage
  • Potential for misuse if not used responsibly

Getting Started

  1. Clone the repository:

    git clone https://github.com/TH3xACE/SUDO_KILLER.git
    
  2. Navigate to the SUDO_KILLER directory:

    cd SUDO_KILLER
    
  3. Make the script executable:

    chmod +x sudo_killer.sh
    
  4. Run the script with root privileges:

    sudo ./sudo_killer.sh
    
  5. Review the generated report in the output directory:

    cat output/sudo_killer_report_[timestamp].txt
    

Note: Always ensure you have proper authorization before running security auditing tools on any system. Use SUDO_KILLER responsibly and only on systems you own or have explicit permission to test.

Competitor Comparisons

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Pros of PEASS-ng

  • More comprehensive, covering a wider range of privilege escalation techniques
  • Actively maintained with frequent updates
  • Supports multiple operating systems (Linux, Windows, macOS)

Cons of PEASS-ng

  • Larger codebase, potentially more complex to use and understand
  • May generate more noise in output due to its comprehensive nature

Code Comparison

SUDO_KILLER (bash script):

if [ "$IAMROOT" ]; then
    echo "You are already root !"
    exit
fi

PEASS-ng (Python script):

def check_if_root():
    if os.geteuid() == 0:
        print_2("You are already root!", "red")
        sys.exit()

Both projects aim to identify privilege escalation vulnerabilities, but PEASS-ng offers a more extensive toolkit with support for multiple operating systems. SUDO_KILLER focuses specifically on sudo misconfigurations in Unix-like systems.

PEASS-ng's broader scope and active development make it suitable for a wider range of scenarios, while SUDO_KILLER's targeted approach may be preferable for specific sudo-related assessments. The choice between them depends on the user's needs and the specific environment being tested.

6,934

Scripted Local Linux Enumeration & Privilege Escalation Checks

Pros of LinEnum

  • More comprehensive system enumeration, covering a wider range of potential vulnerabilities
  • Actively maintained with regular updates and contributions from the community
  • Includes colorized output for better readability and easier identification of important information

Cons of LinEnum

  • Less focused on sudo-specific vulnerabilities compared to SUDO_KILLER
  • May produce more verbose output, potentially making it harder to identify critical issues quickly
  • Requires more system resources to run due to its comprehensive nature

Code Comparison

SUDO_KILLER:

if [ "$IAMROOT" -eq 1 ]; then
    echo "You are already root !"
    exit
fi

LinEnum:

if [ "$EUID" -eq 0 ]; then
    echo "You are already root!"
    exit 1
fi

Both projects perform a check to determine if the user is already root, but LinEnum uses the EUID variable, which is more reliable across different systems. SUDO_KILLER uses a custom IAMROOT variable, which may not be as universally applicable.

Linux enumeration tool for pentesting and CTFs with verbosity levels

Pros of linux-smart-enumeration

  • More comprehensive system enumeration, covering a wider range of potential vulnerabilities
  • Regularly updated with new features and improvements
  • Provides color-coded output for better readability and quick identification of important information

Cons of linux-smart-enumeration

  • May be slower to execute due to its more extensive checks
  • Potentially overwhelming output for less experienced users
  • Less focused on sudo-specific vulnerabilities compared to SUDO_KILLER

Code Comparison

SUDO_KILLER:

check_sudo_version(){
    sudo_version=`sudo -V 2>/dev/null| grep "Sudo version" 2>/dev/null`
    if [ "$sudo_version" ]; then
        echo -e "\e[00;33m[+] Sudo version:\e[00m\n$sudo_version"
    fi
}

linux-smart-enumeration:

lse_sudo_version() {
  sudo -V 2>/dev/null | grep "Sudo version" | cut -d' ' -f1-3
}

lse_get_sudo_version() {
  lse_sudo_version | sed -E 's/^Sudo version //g'
}

Both projects aim to gather system information, but SUDO_KILLER focuses specifically on sudo-related vulnerabilities, while linux-smart-enumeration provides a broader system enumeration. The code snippets show how each project retrieves the sudo version, with linux-smart-enumeration offering a more modular approach.

13,197

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

Pros of lynis

  • Comprehensive system auditing and security scanning tool
  • Actively maintained with regular updates and community support
  • Extensive documentation and reporting capabilities

Cons of lynis

  • Requires root access for full functionality
  • May generate false positives in some scenarios
  • Steeper learning curve for advanced customization

Code comparison

SUDO_KILLER:

#!/bin/bash
# SUDO_KILLER main script
if [ "$EUID" -ne 0 ]; then
    echo "Please run as root"
    exit
fi

lynis:

#!/bin/sh
# Lynis main script
PROGRAM_VERSION="3.0.8"
PROGRAM_DATE="2023-03-21"
PROGRAM_AUTHOR="CISOfy"
PROGRAM_COPYRIGHT="Copyright 2007-2023 - CISOfy"
PROGRAM_LICENSE="GPL-3.0"

The code snippets show that both tools are shell scripts, but lynis provides more detailed version and licensing information. SUDO_KILLER focuses specifically on sudo vulnerabilities, while lynis is a more comprehensive system auditing tool. Both require root access for full functionality, but lynis offers a wider range of security checks and system hardening recommendations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Static Badge GitHub last commit (branch) Static Badge Static Badge License

:star: Star us on GitHub — to show your support!

logo

Twitter LinkedIn

:bulb: Best Viewed in Dark Mode :)

Introduction

SUDO_KILLER is a tool geared towards cyber security practitioners (pentesters, security auditors, system admins, CTF players and Infosec students), facilitating privilege escalation within Linux environments. It focuses on vulnerabilities tied to SUDO usage, including misconfigurations in sudo rules, version-based weaknesses (CVEs and other vulnerabilities), and risky binary deployments (GTFOBINS). These weak points can be exploited to gain ROOT-level privileges or impersonate other users.

SUDO_KILLER provides a catalog of potential commands and local exploits for manual privilege elevation. Importantly, it refrains from automated exploitation, requiring users to carry out the exploitation process themselves as per its intended usage.

Checks

Below is a list of checks that are perform by SUDO_KILLER

  • Misconfigurations
  • Dangerous Binaries (GTFOBINS)
  • Vulnerable versions of sudo - CVEs
  • Sudo vulnerability and misconfiguration related to 3rd party apps
  • Dangerous Environment Variables
  • Credential Harvesting
  • Writable directories where scripts reside
  • Binaries that might be replaced
  • Identify missing scripts
  • ...

[!WARNING] The check list above is NOT exhaustive.

Usage

To get started with SUDO_KILLER, you can either git clone or download the zip. If you want to practice and/or test it, there is a vulnerable testing enviroment (using docker). See the related video which provides an overview on how to setup the docker and run SUDO_KILLER. Several scenarios can be setup in the docker environment and can be used for testing different misconfigurations or flaws. Alternatively, you can run it on the system to be audited to check for misconfigurations and/or flaws related to sudo.

./SUDO_KILLERv<version>.sh -c -a -e -r report.txt -p /tmp

Optional arguments:
-c : includes CVE checks
-a : includes CVEs related to third party apps/devices
-i : import (offline mode) from extract.sh
-e : include export of sudo rules / sudoers file
-r : report name (save the output)
-p : path where to save export and report
-s : supply user password for sudo checks (If sudo rules is not accessible without current user's password)
-h : help

[!NOTE] It is worth noting that when using the -c argument, two types of check are provided one for which the CVE identified is solely based on the current sudo version being used and another where the requirements are also checked. Very often, a sudo version might be vulnerable but some pre-requisites might be needed for a successful exploitation.

[!NOTE] Providing password: If a password is needed to run sudo -l then the script will not work if you don't provide a password with the argument -s.

Docker (Vulnerable testing environment)

-dockerlogo

A range of Docker containers is made available to offer a deliberately vulnerable environment for testing and hands-on experimentation with SUDO_KILLER as well as with the vulnerabilities.

service docker start 
docker pull th3xace/sudo_killer_demo3
docker run --rm -it th3xace/sudo_killer_demo3
(This docker is only to test the CVE-2019-18634 (pwfeedback))
service docker start 
docker pull th3xace/sudo_killer_demo2
docker run --user 1000 --rm -it th3xace/sudo_killer_demo2

Why is it possible to run "sudo -l" without a password?

By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, you will be able to run "sudo -l" without a password. This behavior may be overridden via the verifypw and listpw options.

However, these rules only affect the current user, so if user impersonation is possible (using su), sudo -l should be launched from this user as well.

Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.

Scenarios

To switch scenario (To prevent conflicts between the different scenarios) on the docker (demo3):

switchScenario <scenario_number>

Available scenarios: 0 to 10
All Scenarios 0 : Conflict might occur!
Scenario 1: [2,3] CVE - Rules
Scenario 2: [4] Excessive permissions
Scenario 2: [5] Excessive permissions (Authentication required)
Scenario 3: [6] User Impersonation
Scenario 4: [7] Common Misconfiguration (Change owner)
Scenario 4: [8,11] Common Misconfiguration (Wildcard)
Scenario 5: [13] Missing scripts from sudo rules
Scenario 6: [17] Dangerous Environment Variables
Scenario 7: [18] Dangerous binaries (gtfobins)
Scenario 8: [19] Recursive Impersonation test
Scenario 9: [20] Environment Path Hijacking
Scenario 10: [21] App Specific sudo vuln/misconfig
Scenario 11: [5] Excessive permissions (Authentication required)
Scenario 12: [16] Backdooring sudo (Credentials Capture)

Videos - Demo

Setup and exploitation

The playlist can be found here: https://www.youtube.com/watch?v=Q8iO9mYrfv8&list=PLQPKPAuCA40FMpMKWZLxQydLe7rPL5bml

[!IMPORTANT] Quick videos on how to properly do the testing on the provided docker.

(click to expand) Usage : How to setup and use the provided testing environment (docker)

apis   apis

[!WARNING] The video list below is not exhaustive, to have access to all the videos, please check the playlist link.

Several videos are provided below with different scenarios of exploitation.

apis   apis

apis   apis

apis   apis

apis   apis

apis   apis

apis   apis

CVEs

(click to expand) CVEs related to SUDO that SUDO_KILLER detects (including pre-requisites):

apis   apis

apis   apis

apis  

(click to expand) Recent CVEs of 3rd party apps/devices related to sudo that SUDO_KILLER detects (including pre-requisites):

apis  

SK-Tools

Version 3 of SUDO_KILLER now includes a list of tools that can be used to achieve several tasks. The scripts are located at SUDO_KILLERv3/SUDO_KILLER/SK-Tools/

  • $\color{#f0a015}\large{\textsf{SK-ImperBruteForce-NoPwd.sh:}}$ Perform an impersonation bruteforce using users from /etc/passwd, starting from user with uid 1000.
  • $\color{#f0a015}\large{\textsf{SK-credHarvest2.sh:}}$ Perform a credential capture by creating a fake sudo via alias then re-direct to real sudo.
  • $\color{#f0a015}\large{\textsf{SK-app-check.sh:}}$ Perform check of sudo vulnerabilities related to a specifc third-party app or device or programming lang [still in progress].
  • $\color{#f0a015}\large{\textsf{SK-ttyInject.sh:}}$ Abusing TTY pushback so that if the user root su - on a controlled user we make him run an arbitrary command.
  • $\color{#f0a015}\large{\textsf{SK-recursive-impersonate.sh:}}$ Perform identification of recursive impersonation with a default depth of 3.
  • $\color{#f0a015}\large{\textsf{SK-alias-report.sh:}}$ Perform search on alias with different criteria.
  • $\color{#f0a015}\large{\textsf{SK-csuid-with-sudo.sh:}}$ Perform identification of custom suid binary then check whether sudo command is run without full path.
  • $\color{#f0a015}\large{\textsf{SK-su-BruteForce.sh:}}$ Perform password bruteforce or password spray for a specific user via sudo.
  • $\color{#f0a015}\large{\textsf{SK-search-sudoers.sh:}}$ Perform an identification of possible sudoers backup files on the current host.
(click to expand) Usage : SK-Tools

apis   apis

apis   apis

apis   apis

apis   apis


Capturing Credentials via sudo redirect (SK-credHarvest2.sh)

The script SK-credHarvest2.sh from SK-Tools allow to perform a credential capture by creating a fake sudo via alias then re-direct to real sudo. Actually works only for bash (not working/implemented for ZSH or else for now)configured linux.

The displayed message when asking for credential when using sudo differs from the version being used. It is possible to choose between two options (differ based on OS version). Example of the displayed message (new and old)

[!TIP] (new) [sudo] password for user:
(old) Password:

For All Users (auser): When you have root privilege or excessive rights on users' home and you want an easy way to gather credentials:

./SK-credHarvest2.sh auser <new|old> ; source /home/*/.bashrc

For the currrent user (cuser):

./SK-credHarvest2.sh cuser <new|old> ; source /home/<currentuser>/.bashrc

[!CAUTION] TO STOP the credential harvesting: run the same script again with same argument

output: the log /tmp/sk-crds.log will contains the credentials

Alias' Audit (SK-alias-report.sh)

You will either need root privilege, access to a backup of sudoers or read access to /etc/sudoers.

Usage: ./SK-alias-sudoers.sh -p <sudoers_path> -k <keyword> [-u] [-r] [-m] [-c] | [-a]
  where -u: user | -r: runas | -m: host | -c: command | -a: all

Bruteforce/Password Spray via su (SK-su-BruteForce.sh)

Using su to bruteforce password and password spray with concurrency, timeout and sleep.

Usage: ./SK-su-BruteForce.sh [-h|--help] [-m|--module MODULE] [-u|--user USER|-uf|--userfile USERFILE] [-p|--password PASSWORD|-pf|--pwdfile PASSFILE] [-c|--concurrent CONCURRENT] [-s|--sleep SLEEP] [-t|--timeouts TIMEOUTS]

Module: Password Bruteforce : pwdbf
Example: ./SK-su-BruteForce.sh -m "pwdbf" -u user -pf password.txt -c 5 -s 0.005 -t 0.9

Module: Password Spray : pwdspr
Example: ./SK-su-BruteForce.sh -m pwdspr -uf users.txt -p password -c 5 -s 0.005 -t 0.9 

Module: User:Password Bruteforce : usrpwdbf
Example: ./SK-su-BruteForce.sh -m usrpwdbf -uf users-pwd.txt  -c 5 -s 0.005 -t 0.9 

Search for backup of the file sudoers (SK-search-sudoers.sh)

Find possible sudoers backup files in /mnt/ /opt/ /etc/ /etc/ /home/ /app*/ and any additional one parse as argument

Usage: ./SK-search-sudoers.sh /tmp/

Update dangerous bins - GTFOBINS (SK_dbins_update.sh)

To update the dangerous bins, go to dbins/update and run ./SK_dbins_update.sh. Make sure you have internet connection.

Usage: ./SK_dbins_update.sh

Binary Relative Path (SK-relative-path.sh)

Looking for binaries with relative path that be abused! if there is no secure_path set.

sudo -l
<..snip..>
(root) SETENV: NOPASSWD: /opt/support/purge.sh
<..snip..>

Usage: ./SK-relative-path.sh /opt/support/purge.sh

Contributing

SUDO_KILLER is an open-source project and highly appreciate any contributions. Whether you are helping us fix bugs, proposing new features, improving our documentation or spreading the word - we would love to have you as a contributor. Please reach me on twitter or Linkedin if you have any suggestions, feedback or want to contribute, you can also create a Pull Request. I am looking for contribution on the sudo CVEs related to 3rd party (I have a list of about 175) and any help would be appreciated.

  • Bug Report: If you see an error message or run into an issue while using SUDO_KILLER, please create a bug report.

  • Feature Request: If you have an idea or you're missing a capability that would make development easier and more robust, please submit a feature request.

Stargazers over time

Thank you all for your support!

Stargazers over time

Support

Credits

I crafted the script independently, leveraging online resources from GitHub and other sources in the wild. Acknowledgments are also due to the creators/publishers of exploits associated with the CVEs. You can trace back their details and references in the exploit itself, as well as in the accompanying notes when the tool is executed. Notable recognition extends to Vincent Puydoyeux, whose inspiration spurred the development of this tool, and Koutto, for invaluable assistance in handling Docker intricacies and enhancing the tool's functionality. Additionally, a heartfelt thank you goes out to Emilio Pinna (norbemi) and Andrea Cardaci (cyrus_and) for their invaluable contributions to GTFO Bins, which significantly influenced this project's development.

Disclaimer

This script is for educational purpose ONLY. Do not use it without permission of the owner of the system you are running it in. The usual disclaimer applies, especially the fact that me (TH3xACE) is not liable for any damages caused by direct or indirect use of the information or functionality provided by this project. The author (TH3xACE) or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not the author responsibility.

License

SUDO_KILLER is licensed under the MIT license, proper credits is expected whenever used. Please consider to donate for any commercial use.