{"id":13539177,"url":"https://github.com/th3xace/sudo_killer","last_synced_at":"2025-05-14T08:07:19.969Z","repository":{"id":38554200,"uuid":"160875594","full_name":"TH3xACE/SUDO_KILLER","owner":"TH3xACE","description":"A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.","archived":false,"fork":false,"pushed_at":"2024-12-28T21:52:09.000Z","size":4934,"stargazers_count":2308,"open_issues_count":0,"forks_count":257,"subscribers_count":50,"default_branch":"V3","last_synced_at":"2025-05-14T08:07:12.248Z","etag":null,"topics":["abuse-sudo","ctf","cve","exploits","linux-exploits","misconfiguration","oscp","oscp-journey","oscp-prep","oscp-tools","pentest","pentest-tool","privilege-escalation","sudo","sudo-exploitation"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TH3xACE.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":"FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"TH3xACE","patreon":"TH3xACE"}},"created_at":"2018-12-07T21:08:02.000Z","updated_at":"2025-05-14T02:40:32.000Z","dependencies_parsed_at":"2023-02-13T23:16:35.109Z","dependency_job_id":"dbb38a60-e313-476c-94f8-c83430672c91","html_url":"https://github.com/TH3xACE/SUDO_KILLER","commit_stats":{"total_commits":77,"total_committers":2,"mean_commits":38.5,"dds":"0.012987012987012991","last_synced_commit":"e66cd6f3
97f13589d759f99cb67ab6bbb87cc1d4"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TH3xACE%2FSUDO_KILLER","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TH3xACE%2FSUDO_KILLER/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TH3xACE%2FSUDO_KILLER/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TH3xACE%2FSUDO_KILLER/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TH3xACE","download_url":"https://codeload.github.com/TH3xACE/SUDO_KILLER/tar.gz/refs/heads/V3","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254101564,"owners_count":22014908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abuse-sudo","ctf","cve","exploits","linux-exploits","misconfiguration","oscp","oscp-journey","oscp-prep","oscp-tools","pentest","pentest-tool","privilege-escalation","sudo","sudo-exploitation"],"created_at":"2024-08-01T09:01:21.167Z","updated_at":"2025-05-14T08:07:14.953Z","avatar_url":"https://github.com/TH3xACE.png","language":"Shell","readme":"![Static Badge](https://img.shields.io/badge/Version-3.0.1-blue)\n![GitHub last commit (branch)](https://img.shields.io/github/last-commit/TH3xACE/SUDO_KILLER/V3)\n![Static Badge](https://img.shields.io/badge/Maintain-Yes-purple)\n![Static 
Badge](https://img.shields.io/badge/Author-TH3xACE-red)\n[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/TH3xACE/SUDO_KILLER/)\n\n:star: Star us on GitHub — to show your support!\n\n\u003cp align=\"left\"\u003e\n    \u003cimg width=\"100%\" src=\"https://github.com/TH3xACE/res/blob/main/SK/sk-logo.gif\" alt=\"logo\"/\u003e\n\u003c/p\u003e\n\n\n[![Twitter](https://img.shields.io/twitter/url/https/twitter.com/cloudposse.svg?style=social\u0026label=%40TH3xACE)](https://twitter.com/th3xace)\n[![LinkedIn](https://img.shields.io/badge/-LinkedIn-black.svg?style=flat-square\u0026logo=linkedin\u0026colorB=blue)](https://www.linkedin.com/in/adblais)\n\n :bulb: Best Viewed in Dark Mode :)\n\n\n- [Contributing](#contributing)\n  - [Stargazers over time](#stargazers-over-time)\n  - [Support](#support)\n  - [Credits](#credits)\n  - [Disclaimer](#disclaimer)\n  - [License](#license)\n\n\u003ca name=\"intro\"\u003e\u003c/a\u003e\n## Introduction\n\n`SUDO_KILLER` is a tool geared towards cyber security practitioners (pentesters, security auditors, system admins, CTF players and Infosec students), facilitating privilege escalation within Linux environments. It focuses on vulnerabilities tied to SUDO usage, including misconfigurations in sudo rules, version-based weaknesses (CVEs and other vulnerabilities), and risky binary deployments (GTFOBINS). These weak points can be exploited to gain ROOT-level privileges or impersonate other users.\n\n`SUDO_KILLER` provides a catalog of potential commands and local exploits for manual privilege elevation. 
Importantly, it refrains from automated exploitation, requiring users to carry out the exploitation process themselves as per its intended usage.\n\n\u003ca name=\"check\"\u003e\u003c/a\u003e\n## Checks\n\nBelow is a list of checks that are performed by `SUDO_KILLER`:\n- Misconfigurations\n- Dangerous Binaries (GTFOBINS)\n- Vulnerable versions of sudo - CVEs\n- Sudo vulnerability and misconfiguration related to 3rd party apps\n- Dangerous Environment Variables\n- Credential Harvesting\n- Writable directories where scripts reside\n- Binaries that might be replaced\n- Identify missing scripts\n- ...\n\n\u003e [!WARNING]\n\u003e The check list above is NOT exhaustive.\n\n\u003ca name=\"usage\"\u003e\u003c/a\u003e\n## Usage \n\nTo get started with SUDO_KILLER, you can either git clone the repository or download the zip. If you want to practice and/or test it, there is a vulnerable testing environment (using docker). See the related video, which provides an overview of how to set up the docker and run SUDO_KILLER. Several scenarios can be set up in the docker environment and used for testing different misconfigurations or flaws. 
Alternatively, you can run it on the system to be audited to check for misconfigurations and/or flaws related to sudo.\n\n```shell\n./SUDO_KILLERv\u003cversion\u003e.sh -c -a -e -r report.txt -p /tmp\n```\n\nOptional arguments:\n\n- `-c` : includes CVE checks\n- `-a` : includes CVEs related to third party apps/devices\n- `-i` : import (offline mode) from extract.sh\n- `-e` : include export of sudo rules / sudoers file\n- `-r` : report name (save the output)\n- `-p` : path where to save export and report\n- `-s` : supply user password for sudo checks (if sudo rules are not accessible without the current user's password)\n- `-h` : help\n\n\u003e [!NOTE]\n\u003e It is worth noting that when using the -c argument, two types of check are provided: one in which the CVE is identified solely from the current sudo version being used, and another in which the requirements are also checked.\n\u003e Very often, a sudo version might be vulnerable but some pre-requisites might be needed for successful exploitation.\n\n\u003e [!NOTE]\n\u003e Providing password: If a password is needed to run sudo -l, then the script will not work unless you provide a password with the argument -s.\n\n\u003ca name=\"docker\"\u003e\u003c/a\u003e\n### Docker (Vulnerable testing environment)\n\n\u003cp align=\"left\"\u003e\n    \u003cimg width=\"25%\" src=\"https://github.com/TH3xACE/res/blob/main/SK/docker.gif\" alt=\"-dockerlogo\"/\u003e\n\u003c/p\u003e\n\nA range of Docker containers is made available to offer a deliberately vulnerable environment for testing and hands-on experimentation with `SUDO_KILLER` as well as with the vulnerabilities. 
\n\n```shell\nservice docker start \ndocker pull th3xace/sudo_killer_demo3\ndocker run --rm -it th3xace/sudo_killer_demo3\n```\n```shell\n# This docker is only to test the CVE-2019-18634 (pwfeedback)\nservice docker start \ndocker pull th3xace/sudo_killer_demo2\ndocker run --user 1000 --rm -it th3xace/sudo_killer_demo2\n```\n\n## Why is it possible to run \"sudo -l\" without a password?\n\nBy default, if the NOPASSWD tag is applied to any of the entries for a user on a host, you will be able to run \"sudo -l\" without a password. This behavior may be overridden via the verifypw and listpw options.\n\nHowever, these rules only affect the current user, so if user impersonation is possible (using su), sudo -l should be launched from this user as well.\n\nSometimes the file /etc/sudoers can be read even if sudo -l is not accessible without a password.\n\n\n\u003ca name=\"scenarios\"\u003e\u003c/a\u003e\n## Scenarios\n\nTo switch scenarios on the docker (demo3), which prevents conflicts between the different scenarios:\n\n```shell\nswitchScenario \u003cscenario_number\u003e\n\nAvailable scenarios: 0 to 10\nAll Scenarios 0 : Conflict might occur!\nScenario 1: [2,3] CVE - Rules\nScenario 2: [4] Excessive permissions\nScenario 2: [5] Excessive permissions (Authentication required)\nScenario 3: [6] User Impersonation\nScenario 4: [7] Common Misconfiguration (Change owner)\nScenario 4: [8,11] Common Misconfiguration (Wildcard)\nScenario 5: [13] Missing scripts from sudo rules\nScenario 6: [17] Dangerous Environment Variables\nScenario 7: [18] Dangerous binaries (gtfobins)\nScenario 8: [19] Recursive Impersonation test\nScenario 9: [20] Environment Path Hijacking\nScenario 10: [21] App Specific sudo vuln/misconfig\nScenario 11: [5] Excessive permissions (Authentication required)\nScenario 12: [16] Backdooring sudo (Credentials Capture)\n```\n\n\u003ca name=\"videos\"\u003e\u003c/a\u003e\n## Videos - Demo \n\n### Setup and exploitation\nThe playlist can be found here: 
[https://www.youtube.com/watch?v=Q8iO9mYrfv8\u0026list=PLQPKPAuCA40FMpMKWZLxQydLe7rPL5bml](https://www.youtube.com/watch?v=VjXiLhmOmHs\u0026list=PLQPKPAuCA40ERFDNZ-Ub58SgGHGKAcr26)\n\n\u003e [!IMPORTANT]\n\u003e Quick videos on how to properly do the testing on the provided docker.\n\n\u003cdetails open\u003e\n\u003csummary\u003e\n     (click to expand) Usage : How to setup and use the provided testing environment (docker)\n\u003c/summary\u003e \u003cbr /\u003e\n    \n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/Q8iO9mYrfv8\"\u003e  \n      \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide1.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n   \u003ca href=\"https://youtu.be/VjXiLhmOmHs\"\u003e  \n      \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide2.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003c/p\u003e    \n\u003c/details\u003e\n\n\u003e [!WARNING]\n\u003e The video list below is not exhaustive, to have access to all the videos, please check the playlist link.\n\n\u003cdetails open\u003e\n\u003csummary\u003e\n     Several videos are provided below with different scenarios of exploitation.\n\u003c/summary\u003e \u003cbr /\u003e\n    \n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/rg6FxPuP8sQ\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide3.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n   \u003ca href=\"https://youtu.be/BBtoBrZdAKk\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide9.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/XiLsS9v3hy8\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide10.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca 
href=\"https://youtu.be/eBfIotMsDiI\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide11.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/a68dAmgeJnA\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide12.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/CILd01m2GBs\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide13.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/4xectsHBfCQ\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide14.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/11q5pzGJxvk\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide15.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/BbPBxXy4rKY\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide16.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/sfkxoR2a99o\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide17.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/SV2KPd4CA8A\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide18.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/6Lt-wKZmH9c\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide19.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n    
\n\u003c/details\u003e\n\n\u003ca name=\"CVEs\"\u003e\u003c/a\u003e\n## CVEs\n\n\u003cdetails open\u003e\n\u003csummary\u003e\n  (click to expand) CVEs related to SUDO that SUDO_KILLER detects (including pre-requisites): \n\u003c/summary\u003e \u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/THS_bn4MOQY\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide4.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/6VkZaj3FDiE\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide5.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/LhqbExt5oq0\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide7.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/AJSSRrGt-Dw\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide8.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/elwGRlN7aCI\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide6.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n\u003c/p\u003e \n\n\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\n  (click to expand) Recent CVEs of 3rd party apps/devices related to sudo that SUDO_KILLER detects (including pre-requisites): \n\u003c/summary\u003e \u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/CP0S_7aZHxA\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide27.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \n\u003c/p\u003e \n\n\n\n\u003c/details\u003e\n\n\n\u003ca name=\"sk-tools\"\u003e\u003c/a\u003e\n## 
SK-Tools\nVersion 3 of `SUDO_KILLER` now includes a list of tools that can be used to achieve several tasks. The scripts are located at `SUDO_KILLERv3/SUDO_KILLER/SK-Tools/`.\n\n- `SK-ImperBruteForce-NoPwd.sh`: Performs an impersonation bruteforce using users from /etc/passwd, starting from the user with uid 1000.\n- `SK-credHarvest2.sh`: Performs a credential capture by creating a fake sudo via an alias, then redirecting to the real sudo.\n- `SK-app-check.sh`: Checks for sudo vulnerabilities related to a specific third-party app, device or programming language [still in progress].\n- `SK-ttyInject.sh`: Abuses TTY pushback so that if the root user runs su - to a controlled user, root is made to run an arbitrary command.\n- `SK-recursive-impersonate.sh`: Identifies recursive impersonation with a default depth of 3.\n- `SK-alias-report.sh`: Searches aliases using different criteria.\n- `SK-csuid-with-sudo.sh`: Identifies custom suid binaries, then checks whether the sudo command is run without a full path.\n- `SK-su-BruteForce.sh`: Performs a password bruteforce or password spray for a specific user via sudo.\n- `SK-search-sudoers.sh`: Identifies possible sudoers backup files on the current host.\n\n\n\u003cdetails open\u003e\n\u003csummary\u003e\n     (click to expand) Usage : SK-Tools\n\u003c/summary\u003e \u003cbr /\u003e\n    \n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/Oc1yuploiME\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide20.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/aoofrCyb6KA\"\u003e  \n     \u003cimg 
width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide21.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/gUDuZVwVWyU\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide22.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/7VqNCgYvEa0\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide23.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/AG1o6s4dEF0\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide24.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/woF68JmJ33c\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide25.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://youtu.be/R3_u-G5AyUw\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide26.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u0026nbsp;\n    \u003ca href=\"https://youtu.be/Vpr00SxIVgo\"\u003e  \n     \u003cimg width=\"39%\" src=\"https://github.com/TH3xACE/res/blob/main/SK3/Slide28.JPG\" alt=\"apis\"/\u003e\n   \u003c/a\u003e\n\u003c/p\u003e \n\n\u003c/details\u003e\n\n\u003c/br\u003e\n\n### Capturing Credentials via sudo redirect (SK-credHarvest2.sh)\nThe script SK-credHarvest2.sh from SK-Tools performs a credential capture by creating a fake sudo via an alias, then redirecting to the real sudo. It currently works only on Linux configured with bash (not working/implemented for ZSH or other shells for now).\n\nThe message displayed when sudo asks for credentials differs depending on the version being used. 
It is possible to choose between two options (they differ based on OS version).\nExample of the displayed message (new and old):\n\n\u003e [!TIP]\n\u003e (new) [sudo] password for user: \u003cbr /\u003e\n\u003e (old) Password: \n\nFor all users (auser):\nWhen you have root privilege or excessive rights on users' home directories and you want an easy way to gather credentials:\n```shell\n./SK-credHarvest2.sh auser \u003cnew|old\u003e ; source /home/*/.bashrc\n```\nFor the current user (cuser):\n```shell\n./SK-credHarvest2.sh cuser \u003cnew|old\u003e ; source /home/\u003ccurrentuser\u003e/.bashrc\n```\n\u003e [!CAUTION]\n\u003e TO STOP the credential harvesting: run the same script again with the same argument.\n\nOutput: the log /tmp/sk-crds.log will contain the credentials.\n\n\n### Alias' Audit (SK-alias-report.sh)\nYou will need either root privilege, access to a backup of sudoers, or read access to /etc/sudoers.\n\n```shell\nUsage: ./SK-alias-sudoers.sh -p \u003csudoers_path\u003e -k \u003ckeyword\u003e [-u] [-r] [-m] [-c] | [-a]\n  where -u: user | -r: runas | -m: host | -c: command | -a: all\n```\n\n### Bruteforce/Password Spray via su (SK-su-BruteForce.sh) \nUses su to perform password bruteforce and password spray with concurrency, timeout and sleep. 
\n\n```shell\nUsage: ./SK-su-BruteForce.sh [-h|--help] [-m|--module MODULE] [-u|--user USER|-uf|--userfile USERFILE] [-p|--password PASSWORD|-pf|--pwdfile PASSFILE] [-c|--concurrent CONCURRENT] [-s|--sleep SLEEP] [-t|--timeouts TIMEOUTS]\n\nModule: Password Bruteforce : pwdbf\nExample: ./SK-su-BruteForce.sh -m \"pwdbf\" -u user -pf password.txt -c 5 -s 0.005 -t 0.9\n\nModule: Password Spray : pwdspr\nExample: ./SK-su-BruteForce.sh -m pwdspr -uf users.txt -p password -c 5 -s 0.005 -t 0.9 \n\nModule: User:Password Bruteforce : usrpwdbf\nExample: ./SK-su-BruteForce.sh -m usrpwdbf -uf users-pwd.txt  -c 5 -s 0.005 -t 0.9 \n```\n\n### Search for backup of the file sudoers (SK-search-sudoers.sh)\nFinds possible sudoers backup files in /mnt/, /opt/, /etc/, /home/, /app*/ and any additional directory passed as an argument.\n\n```shell\nUsage: ./SK-search-sudoers.sh /tmp/\n```\n\n### Update dangerous bins - GTFOBINS (SK_dbins_update.sh) \nTo update the dangerous bins, go to dbins/update and run ./SK_dbins_update.sh. Make sure you have an internet connection.\n\n```shell\nUsage: ./SK_dbins_update.sh\n```\n\n### Binary Relative Path (SK-relative-path.sh)\nLooks for binaries with a relative path that can be abused if there is no secure_path set.\n\n```shell\nsudo -l\n\u003c..snip..\u003e\n(root) SETENV: NOPASSWD: /opt/support/purge.sh\n\u003c..snip..\u003e\n\nUsage: ./SK-relative-path.sh /opt/support/purge.sh\n```\n\n\n\u003ca name=\"contribute\"\u003e\u003c/a\u003e\n# Contributing\n\n`SUDO_KILLER` is an open-source project and we highly appreciate any contributions. Whether you are helping us fix bugs, proposing new features, improving our documentation or spreading the word - we would love to have you as a contributor. Please reach me on Twitter or LinkedIn if you have any suggestions or feedback or want to contribute; you can also create a Pull Request. 
I am looking for contribution on the sudo CVEs related to 3rd party (I have a list of about 175) and any help would be appreciated.\n\n- Bug Report: If you see an error message or run into an issue while using `SUDO_KILLER`, please create a [bug report](https://github.com/TH3xACE/SUDO_KILLER/issues/new?assignees=\u0026labels=type%3A+bug\u0026template=bug.yaml\u0026title=%F0%9F%90%9B+Bug+Report%3A+).\n\n- Feature Request: If you have an idea or you're missing a capability that would make development easier and more robust, please submit a [feature request](https://github.com/TH3xACE/SUDO_KILLER/issues/new?assignees=\u0026labels=type%3A+feature+request\u0026template=feature.yml).\n\n\u003ca name=\"stars\"\u003e\u003c/a\u003e\n## Stargazers over time \n\nThank you all for your support!\n\n[![Stargazers over time](https://starchart.cc/TH3xACE/SUDO_KILLER.svg?variant=adaptive)](https://starchart.cc/TH3xACE/SUDO_KILLER)\n\n\n\n\u003ca name=\"support\"\u003e\u003c/a\u003e\n## Support\n\n\u003ca href=\"https://www.patreon.com/TH3xACE\"\u003e\n\t\u003cimg src=\"https://c5.patreon.com/external/logo/become_a_patron_button@2x.png\" width=\"160\"\u003e\n\u003c/a\u003e\n\n\u003ca name=\"credits\"\u003e\u003c/a\u003e\n## Credits\n\nI crafted the script independently, leveraging online resources from GitHub and other sources in the wild. Acknowledgments are also due to the creators/publishers of exploits associated with the CVEs. You can trace back their details and references in the exploit itself, as well as in the accompanying notes when the tool is executed. Notable recognition extends to Vincent Puydoyeux, whose inspiration spurred the development of this tool, and Koutto, for invaluable assistance in handling Docker intricacies and enhancing the tool's functionality. 
Additionally, a heartfelt thank you goes out to Emilio Pinna (norbemi) and Andrea Cardaci (cyrus_and) for their invaluable contributions to GTFO Bins, which significantly influenced this project's development.\n\n\u003ca name=\"disclaimer\"\u003e\u003c/a\u003e\n## Disclaimer\n\nThis script is for educational purposes ONLY. Do not use it without permission of the owner of the system you are running it on. The usual disclaimer applies, especially the fact that I (TH3xACE) am not liable for any damages caused by direct or indirect use of the information or functionality provided by this project. The author (TH3xACE) or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of the script is not the author's responsibility.\n\n\u003ca name=\"license\"\u003e\u003c/a\u003e\n## License\n\n`SUDO_KILLER` is licensed under the MIT license; proper credit is expected whenever it is used. Please consider donating for any commercial use.\n","funding_links":["https://github.com/sponsors/TH3xACE","https://patreon.com/TH3xACE","https://www.patreon.com/TH3xACE"],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"\u003e\u003c/a\u003e漏洞利用"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fth3xace%2Fsudo_killer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fth3xace%2Fsudo_killer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fth3xace%2Fsudo_killer/lists"}