TH3xACE / SUDO_KILLER

A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.
MIT License

Automation Improvement (Checking for Missing scripts from sudoers) #13

Closed b0x-Protector closed 4 years ago

b0x-Protector commented 4 years ago

I suppose that lines 484-486 should look like this:

touch /tmp/script_list #for compatibility with future checks
if [ "$sudonopassuser" ] || [ "$sudoauth" ]; then
  if [ "$sudonopassuser" ]; then
    # NOPASSWD user: feed an empty password to sudo -S so it never prompts
    echo "" | sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g' | sed -e 's/  *$//' | awk '$1=$1' | cut -d " " -f 1 | grep '\.sh' >> /tmp/script_list
  fi
  if [ "$sudoauth" ]; then
    # password was already collected earlier: reuse it instead of asking again
    echo "$userpassword" | sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g' | sed -e 's/  *$//' | awk '$1=$1' | cut -d " " -f 1 | grep '\.sh' >> /tmp/script_list
  fi
  echo -e "${BOLD}${GREEN}[+] The script/s found in sudoers can be found at: /tmp/script_list ${RESET}"
fi

This will allow the user to not enter the password manually again, as well as increase the speed of the script.

Lines 484-486 (original):

sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g'  | sed -e 's/  *$//' | awk '$1=$1' | cut -d " " -f 1 | grep .sh  > /tmp/script_list
echo -e "${BOLD}${GREEN}[+] The script/s found in sudoers can be found at: /tmp/script_list  ${RESET}"

TH3xACE commented 4 years ago

I am not sure about this one... what is the objective behind it? What do you mean by "for compatibility with future checks"?

b0x-Protector commented 4 years ago

(1) What is the objective behind it? - If SK is designed to automate checks, why would a user enter a password three times manually? Especially if such checks were already performed earlier.

(2) What do you mean by "for compatibility with future checks"? - Next, there will be three blocks of code that use this file. It would be possible to add checks there, but in these blocks the file "groups" is also checked, which is in no way connected with the last one. If I'm not mistaken.

TH3xACE commented 4 years ago

I did a check with your proposed code... I think the idea behind it is a good one... but I am having a regression bug... the missing script section is printed 3 times with the one that is detected.

To test in the testing environment, do as follows:

install docker

apt-get install docker.io

start the service -> I am on Kali, it might be different on other distros

service docker start

pull the image

docker pull th3xace/sudo_killer_demo

create a container where [path] is where SK is on your host < this will allow you to modify it on your host / git clone... etc

docker run -v [path]:/opt/sk -it --name dev-sk th3xace/sudo_killer_demo

the container will launch > cd /opt/sk

SK will be there..... the scenarios will already be there... next time you want to run docker:

service docker start
docker start -i dev-sk

b0x-Protector commented 4 years ago

I tested SK v1.4.2_edited in Docker and I didn't see any errors. Everything looks great.

b0x-Protector commented 4 years ago

It may even be better to replace $sudonopassuser with $sudoperms. Also add a check for /tmp/script_list and add some additional types of script. As a result, this block of code should look like this:

echo -e "${BOLD}${YELLOW}============ Checking for Missing scripts from sudoers ================== ${RESET} \n"
current_user="$(whoami)"

groups > /tmp/groups.txt

touch /tmp/script_list
if [ "$sudoperms" ] || [ "$sudoauth" ]; then
  if [ "$sudoperms" ]; then
    # NOPASSWD user: feed an empty password to sudo -S so it never prompts.
    # grep runs without -o: with -o only the matched extension would be written, not the path.
    echo "" | sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g' | sed -e 's/ *$//' | awk '$1=$1' | cut -d " " -f 1 | grep -E '\.(sh|pl|py|rb|php)' >> /tmp/script_list
  fi
  if [ "$sudoauth" ]; then
    # password was already collected earlier: reuse it instead of asking again
    echo "$userpassword" | sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g' | sed -e 's/ *$//' | awk '$1=$1' | cut -d " " -f 1 | grep -E '\.(sh|pl|py|rb|php)' >> /tmp/script_list
  fi
fi

# only report when something was actually written to the list
if [ -s "/tmp/script_list" ]; then
  echo -e "${BOLD}${GREEN}[+] The script/s found in sudoers can be found at: /tmp/script_list ${RESET}"
fi

# issue #10 > missing check on NOPASSWD
#sudo -S -l -k | grep "NOPASSWD" | sed 's/(root) //g' | sed 's/NOPASSWD: //g' | sed 's/,/\n/g'  | sed -e 's/  *$//' | awk '$1=$1' | cut -d " " -f 1 | grep .sh  > /tmp/script_list
#echo -e "${BOLD}${GREEN}[+] The script/s found in sudoers can be found at: /tmp/script_list  ${RESET}"

TH3xACE commented 4 years ago
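As an added example (not code from this issue or from SUDO_KILLER), here is a self-contained POSIX sh version of the parse the comments above iterate on. It runs over a constructed `sudo -l` sample instead of calling sudo, strips any `(runas)` prefix rather than only `(root)`, matches the extension without `-o` so the full path survives, and classifies each path as missing, writable or ok, which is the audit finding this check exists for: a sudoers rule that points at a missing or user-writable script hands control of root to whoever can create or edit that file. The sample text, user `alice` and the paths in it are constructed.

```shell
#!/bin/sh
# Added example, not part of SUDO_KILLER: parse `sudo -l` text, list the
# scripts a sudoers rule lets the user run, then flag the ones that are
# missing or writable by the caller (the condition the page's check hunts for).

# Constructed sample of `sudo -l -k` output; not captured from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on host:
    (root) NOPASSWD: /opt/backup/run_backup.sh, /usr/local/bin/cleanup.py
    (root) /usr/bin/less
    (ALL) NOPASSWD: /home/alice/tools/report.pl, /bin/ls'

# stdin: `sudo -l` output. stdout: one script path per line.
# Only NOPASSWD entries are kept, as in the issue's pipeline; any "(runas)"
# prefix is stripped, not just "(root)"; and grep runs without -o, because
# `grep -Eo ".sh"` would emit the matched text instead of the path.
extract_sudo_scripts() {
    grep 'NOPASSWD' \
    | sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' -e 's/NOPASSWD:[[:space:]]*//' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | cut -d ' ' -f 1 \
    | grep -E '\.(sh|pl|py|rb|php)$'
}

# stdin: paths. stdout: "MISSING|WRITABLE|OK <path>" per line.
classify_scripts() {
    while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ -w "$path" ]; then
            printf 'WRITABLE %s\n' "$path"
        else
            printf 'OK %s\n' "$path"
        fi
    done
}

# End-to-end run over the constructed sample (feed `sudo -l -k` instead for a live audit).
audit_sample() {
    printf '%s\n' "$SAMPLE_SUDO_L" | extract_sudo_scripts | classify_scripts
}
```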

Hi b0x-Protector,

I have released the first version of Version 2. I think the issue should be solved...

b0x-Protector commented 4 years ago

Hi TH3xACE !

It looks like you have taught SK to fly... and quite quickly :)

TH3xACE commented 4 years ago

Hi b0x-Protector,

Yeah, a bit... thanks to you :) who helped me get back into the code and look at the issues.

I am on discord if one day, you want to have a chat. I use the same username. TH3xACE#0453