Ausnahme gefangen: SSL certificate problem: certificate is not yet valid ๐Ÿ“Œ SUDO_KILLER - A Tool To Identify And Exploit Sudo Rules' Misconfigurations And Vulnerabilities Within Sudo

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security



๐Ÿ“š SUDO_KILLER - A Tool To Identify And Exploit Sudo Rules' Misconfigurations And Vulnerabilities Within Sudo


๐Ÿ’ก Newskategorie: IT Security Nachrichten
๐Ÿ”— Quelle: feedproxy.google.com


Linux Privilege Escalation through SUDO abuse.
If you like the tool and for my personal motivation so as to develop other tools please a +1 star *
The tool can be used by pentesters, system admins, CTF players, students, System Auditors and trolls :).


INTRO
**WARNING: SUDO_KILLER is part of the KILLER project. SUDO_KILLER is still under development and there might be some issues, please create an issue if you found any. **
Other tool will be added to the KILLER project in the coming months so stay tuned up. Also ideas, bug reports, contributions are more than welcome !
** Stay tuned : Follow me on twitter @ https://twitter.com/TH3xACE **


Overview
SUDO_KILLER is a tool that can be used for privilege escalation on linux environment by abusing SUDO in several ways. The tool helps to identify misconfiguration within sudo rules, vulnerability within the version of sudo being used (CVEs and vulns) and the use of dangerous binary, all of these could be abused to elevate privilege to ROOT.
SUDO_KILLER will then provide a list of commands or local exploits which could be exploited to elevate privilege. It is worth noting that the tool does not perform any exploitation on your behalf, the exploitation will need to be performed manually and this is intended.


Features

Some of the checks/functionalities that are performed by the tool.
  • Misconfigurations
  • Dangerous Binaries
  • Vulnerable versions of sudo - CVEs
  • Dangerous Environment Variables
  • Credential Harvesting
  • Writable directories where scripts reside
  • Binaries that might be replaced
  • Identify missing scripts

What version 2 of SK includes:
  • New checks and/or scenarios
    1. CVE-2019-14287 - runas
    2. No CVE yet - sudoedit - absolute path
    3. CVE-2019-18634 - pwfeedback
    4. User Impersonation
    5. list of users in sudo group
  • Performance improved
  • Bugs corrected (checks, export, report,...)
  • Continous improvement of the way output presented
  • New videos will be added soon
  • Annonying password input several time removed
  • New functionality: offline mode - ability to extract the required info from audited system and run SK on host.
  • Testing environment : A docker to play with the tool and different scenarios, you can also train on PE.


Usage

Example Online mode
./sudo_killer.sh -c -e -r report.txt -p /tmp

Example Offline mode
Run extract.sh on system to be audited/victim machine. Copy the output from /tmp/sk_offline.txt on the system to be audited/victim machine to your host.
  • Note: Three checks are missing in the offline mode, still in dev... coming soon...
Run SK with the below parameter:
./sudo_killer.sh -c -i /path/sk_offline.txt

Optional arguments
  • -c : include CVE checks with respect to sudo version
  • -i : import (offline mode) from extract.sh
  • -e : include export of sudo rules / sudoers file
  • -r : report name (save the output)
  • -p : path where to save export and report
  • -s : supply user password for sudo checks (not recommended ++except for CTF)
  • -h : help

CVEs check
To update the CVE database : run the following script ./cve_update.sh


Providing password (Important)
If you need to input a password to run sudo -l then the script will not work if you don't provide a password with the argument -s.


How to run SK on the targetted/audited machine
If you are on a machine that has internet connection, just git clone the tool and run it. If you are on a machine that does not have internet, then git clone on your host, compress the tool (tar) then transfert the compressed file via http/smb (apache web server / python simplehttpserver / smb server / nc) then uncompressed the file on the targeted system and enjoy!


Notes
**NOTE : sudo_killer does not exploit automatically by itself, it was designed like this on purpose but check for misconguration and vulnerabilities and then propose you the following (if you are lucky the route to root is near!) :
  • a list of commands to exploit
  • a list of exploits
  • some description on how and why the attack could be performed


Why is it possible to run "sudo -l" without a password?
By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run "sudo -l" without a password. This behavior may be overridden via the verifypw and listpw options.
However, these rules only affect the current user, so if user impersonation is possible (using su) sudo -l should be launched from this user as well.
Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.


Docker - Vulnerable testing environment
**IMPORTANT: The recommended way to test the tool is to use the docker image created on purpose for the testing. The image contained several vulnerabilities and misconfigurations related to the usage of SUDO.
Everything is tested from the Docker container available on Docker Hub !**

A Docker image is available on Docker Hub and automatically re-built at each update: https://hub.docker.com/r/th3xace/sudo_killer_demo . It is initially based on official debian:jessie Docker image (debian:jessie).
  1. Pull SUDO_KILLER_DEMO Docker Image from the docker hub (This version maybe a bit more up-to-date):
    service docker start
    docker pull th3xace/sudo_killer_demo
    docker run --rm -it th3xace/sudo_killer_demo
  2. Build locally from Dockerfile :
    service docker start
    git clone https://github.com/TH3xACE/SUDO_KILLER.git
    cd SUDO_KILLER
    docker build -t th3xace/sudo_killer_demo .
    docker run --rm -it th3xace/sudo_killer_demo
Note: It is important to note that the docker is just an environment that can be used to play with the tool since it contains several vulns to exploit. The tool is meant to be used on its own.


Demos
Several videos are provided below with different scenarios of exploitation.


Credits
The script was developed from myself with the help of online resources found on github and in the wild. Credits also to the authors of the exploits related to CVEs. The authors information and links can be found in the exploit and in the notes provided when running the tool. Special kudos to Vincent Puydoyeux, who gave me the idea to develop this tool and Koutto, for helping me with the docker thing and for improving the tool.


Disclaimer
This script is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (TH3xACE) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of the script is not my responsibility.


...



๐Ÿ“Œ SUDO_KILLER - A Tool To Identify And Exploit Sudo Rules Misconfigurations And Vulnerabilities Within Sudo


๐Ÿ“ˆ 123.82 Punkte

๐Ÿ“Œ SUDO_KILLER - A Tool To Identify And Exploit Sudo Rules' Misconfigurations And Vulnerabilities Within Sudo


๐Ÿ“ˆ 123.82 Punkte

๐Ÿ“Œ Exploit Sudo & Become a Superuser with SUDO_KILLER [Tutorial]


๐Ÿ“ˆ 48.14 Punkte

๐Ÿ“Œ Electronegativity - Tool To Identify Misconfigurations And Security Anti-Patterns In Electron Applications


๐Ÿ“ˆ 37.86 Punkte

๐Ÿ“Œ SpinSPM for Salesforce identifies misconfigurations within SaaS applications


๐Ÿ“ˆ 30.54 Punkte

๐Ÿ“Œ dazzleUP - A Tool That Detects The Privilege Escalation Vulnerabilities Caused By Misconfigurations And Missing Updates In The Windows OS


๐Ÿ“ˆ 29.86 Punkte

๐Ÿ“Œ Nginxpwner - Tool to look for common Nginx misconfigurations and vulnerabilities


๐Ÿ“ˆ 29.86 Punkte

๐Ÿ“Œ pyWhat - Identify Anything. Easily Lets You Identify Emails, IP Addresses, And More...


๐Ÿ“ˆ 26.75 Punkte

๐Ÿ“Œ BeRoot- A Post Exploitation Tool To Check Common Misconfigurations For Windows Linux And Mac OS


๐Ÿ“ˆ 25.02 Punkte

๐Ÿ“Œ What is The Difference Between Vulnerabilities and Misconfigurations? | UpGuard


๐Ÿ“ˆ 24.49 Punkte

๐Ÿ“Œ StackRox Releases Open Source Tool for Finding Kubernetes Misconfigurations


๐Ÿ“ˆ 23.95 Punkte

๐Ÿ“Œ Misconfigurations, Vulnerabilities Found in 95% of Applications


๐Ÿ“ˆ 23.42 Punkte

๐Ÿ“Œ SSRF vulnerabilities caused by SNI proxy misconfigurations


๐Ÿ“ˆ 23.42 Punkte

๐Ÿ“Œ Organizations should fear misconfigurations more than vulnerabilities


๐Ÿ“ˆ 23.42 Punkte

๐Ÿ“Œ YSK : Do not use 'sudo vim/nano/emacs..' to edit a file. Instead, set your $EDITOR and use sudoedit or sudo -e.


๐Ÿ“ˆ 21.07 Punkte

๐Ÿ“Œ Sudo has a mascot, and it is a BLT sandwich https://www.sudo.ws/


๐Ÿ“ˆ 21.07 Punkte

๐Ÿ“Œ Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th)


๐Ÿ“ˆ 20.96 Punkte

๐Ÿ“Œ Legitify - Detect And Remediate Misconfigurations And Security Risks Across All Your GitHub Assets


๐Ÿ“ˆ 20.71 Punkte

๐Ÿ“Œ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations


๐Ÿ“ˆ 20.71 Punkte

๐Ÿ“Œ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations


๐Ÿ“ˆ 20.71 Punkte

๐Ÿ“Œ Terrier - A Image And Container Analysis Tool To Identify And Verify The Presence Of Specific Files According To Their Hashes


๐Ÿ“ˆ 20.36 Punkte

๐Ÿ“Œ What is the point of Sudo, I mean if you're signed in why do you have to enter Sudo?


๐Ÿ“ˆ 20 Punkte

๐Ÿ“Œ sudo up to 1.8.6 sudoers /var/db/sudo/lectured privilege escalation


๐Ÿ“ˆ 20 Punkte

๐Ÿ“Œ Todd Miller sudo up to 1.8.3p1 src/sudo.c sudo_debug format string


๐Ÿ“ˆ 20 Punkte

๐Ÿ“Œ sudo bis 1.8.6 sudoers /var/db/sudo/lectured erweiterte Rechte


๐Ÿ“ˆ 20 Punkte

๐Ÿ“Œ Putin: Whoever Rules AI Rules the World


๐Ÿ“ˆ 19.89 Punkte

๐Ÿ“Œ He Who Rules The Data, Rules The World: A Brief History Of Data Governance


๐Ÿ“ˆ 19.89 Punkte

๐Ÿ“Œ Learn The Rules, Break The Rules


๐Ÿ“ˆ 19.89 Punkte

๐Ÿ“Œ Medium CVE-2020-7609: Node-rules project Node-rules


๐Ÿ“ˆ 19.89 Punkte

๐Ÿ“Œ To Keep Trump From Violating Its Rules...Facebook Rewrote the Rules


๐Ÿ“ˆ 19.89 Punkte

๐Ÿ“Œ Sparrowโ€™s new solutions and features help users identify vulnerabilities in source code and web applications


๐Ÿ“ˆ 19.83 Punkte











matomo