liamg / traitor

Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

License: MIT License

Go 99.91% Makefile 0.09%
gtfobins exploit privesc privilege-escalation hackthebox infosec redteam-tools security-tools cve-2021-3560 dirtypipe

traitor's Introduction

Traitor

Automatically exploit low-hanging fruit to pop a root shell. Linux privilege escalation made easy!

Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities in order to pop a root shell:

  • Nearly all of GTFOBins
  • Writeable docker.sock
  • CVE-2022-0847 (Dirty pipe)
  • CVE-2021-4034 (pwnkit)
  • CVE-2021-3560

Demo

It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More routes to root will be added over time too.

Usage

Run with no arguments to find potential vulnerabilities/misconfigurations which could allow privilege escalation. Add the -p flag if the current user password is known. The password will be requested if it's needed to analyse sudo permissions etc.

traitor -p

Run with the -a/--any flag to find potential vulnerabilities, attempting to exploit each, stopping if a root shell is gained. Again, add the -p flag if the current user password is known.

traitor -a -p

Run with the -e/--exploit flag to attempt to exploit a specific vulnerability and gain a root shell.

traitor -p -e docker:writable-socket

Supported Platforms

Traitor will run on all Unix-like systems, though certain exploits will only function on certain systems.

Getting Traitor

Grab a binary from the releases page, or use go:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

For go1.18:

CGO_ENABLED=0 go install github.com/liamg/traitor/cmd/traitor@latest

If the machine you're attempting privesc on cannot reach GitHub to download the binary, and you have no way to upload the binary to the machine over SCP/FTP etc., then you can base64 encode the binary on your machine, echo the encoded string on the target machine and pipe it through base64 -d > /tmp/traitor, remembering to chmod +x the file once it arrives.

traitor's People

Contributors

lavaicer, liamg, tedsalmon, wanderingeek

traitor's Issues

Please add a specific test skip option

Please add an option to skip a specific test, or add an option to force continuation of tests even if you encountered a privesc. In this way, the tool is no longer a tool used only for privesc and becomes a useful audit tool as well.

False positive with sudo with targetpw option

If I run this tool with the -p option, it reports a lot of Gtfobins vulnerabilities. However, when I tried to exploit one of them, the output was this:

[+] Assessing machine state...
[+] Checking for opportunities...
[+][gtfobins:gcc] Opportunity found, trying to exploit it...
[+][gtfobins:gcc] Using command '/home/koodi/.nix-profile/bin/gcc'...
[+][gtfobins:gcc] Starting command with pty...
[+][gtfobins:gcc] Setting up terminal...
[+][gtfobins:gcc] Authenticating with sudo...
[+][gtfobins:gcc] Writing payload...
[sudo] root user password: sudo: timeout when reading password
sudo: password needed
[+][gtfobins:gcc] Session complete.
[+] Done.

...and no root prompt.

(Sudo messages manually translated to English from my native language)

My guess is that the tool tries to pass the user password to Sudo, but fails because I have a Defaults targetpw line in my sudoers file, and thus it's the root password that is needed.

But I think it's not a vulnerability then, and the tool should not report it as one even with the -p option? Or at least fail instantly when trying to exploit instead of waiting for the timeout?

`kernel:CVE-2022-0847` tweak: clarity with affected versions

I ran v0.0.14 on a fully-patched (at least as far as apt permits) Ubuntu 22.04LTS, and got this result:

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.15.0 is vulnerable!
[+][kernel:CVE-2022-0847] System is vulnerable! Run again with '--exploit kernel:CVE-2022-0847' to exploit it.

Checking the installed kernel version, I get this:

$ cat /proc/version_signature
Ubuntu 5.15.0-25.25-generic 5.15.30

According to the vendor (see https://ubuntu.com/kernel for details), the mainline kernel release is the 5.15.30 part. According to NIST (see https://nvd.nist.gov/vuln/detail/CVE-2022-0847), the CVE details state that 5.15.0 to 5.15.24 are affected, with 5.15.25 and newer not affected.

Given that Ubuntu LTS is a relatively popular choice among server operating systems – and 22.04 is the most recent LTS cut – it might be worth clarifying what kernel versions are affected by CVE-2022-0847 at a patch release level instead of minor release branch.

Thanks for your consideration.
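The mismatch described in this issue (the tool reads the first field, 5.15.0, while Ubuntu's /proc/version_signature carries the stable release actually built, 5.15.30, in its last field) can be checked independently of the tool. The following is an added example written for this page, not code from the traitor project: it parses both the Ubuntu signature line and a bare uname -r string, prefers the trailing stable release when one is present, and compares the result against the CVE-2022-0847 window. The 5.15 bounds (5.15.0 through 5.15.24 affected, 5.15.25 fixed) are the NVD figures quoted above; the 5.8 introduction point and the 5.10.102 and 5.16.11 fixes are taken from the upstream Dirty Pipe disclosure. All function and type names are the example's own.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// kernelVersion is an upstream (mainline/stable) kernel version.
type kernelVersion struct{ major, minor, patch int }

func (v kernelVersion) less(o kernelVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

func (v kernelVersion) String() string {
	return fmt.Sprintf("%d.%d.%d", v.major, v.minor, v.patch)
}

var versionRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)`)

// parseKernelVersion accepts either an Ubuntu /proc/version_signature line
// ("Ubuntu 5.15.0-25.25-generic 5.15.30"), whose LAST field is the stable
// release the package was built from, or a bare uname -r string
// ("5.15.0-25-generic"), which only exposes the branch base. Taking the last
// whitespace-separated field makes the Ubuntu signature win when present.
func parseKernelVersion(s string) (kernelVersion, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return kernelVersion{}, fmt.Errorf("empty version string")
	}
	m := versionRe.FindStringSubmatch(fields[len(fields)-1])
	if m == nil {
		return kernelVersion{}, fmt.Errorf("no x.y.z version in %q", s)
	}
	var n [3]int
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1]) // digits only, by the regexp
	}
	return kernelVersion{n[0], n[1], n[2]}, nil
}

// dirtyPipeFixed lists the first fixed stable release per branch. 5.15.25 is
// the bound NVD gives in the issue above (5.15.0 through 5.15.24 affected);
// 5.10.102 and 5.16.11 are the other fixes named in the upstream disclosure.
var dirtyPipeFixed = map[int]kernelVersion{
	10: {5, 10, 102},
	15: {5, 15, 25},
	16: {5, 16, 11},
}

// dirtyPipeAffected reports whether v lies inside the CVE-2022-0847 window.
// The bug entered the kernel in 5.8; 5.17 was never affected; the 5.8, 5.9
// and 5.11 through 5.14 branches were end-of-life and received no fix.
func dirtyPipeAffected(v kernelVersion) bool {
	if v.less(kernelVersion{5, 8, 0}) || !v.less(kernelVersion{5, 17, 0}) {
		return false
	}
	if fixed, ok := dirtyPipeFixed[v.minor]; ok {
		return v.less(fixed)
	}
	return true
}

// assess returns a one-line verdict for a version string.
func assess(s string) (string, error) {
	v, err := parseKernelVersion(s)
	if err != nil {
		return "", err
	}
	if dirtyPipeAffected(v) {
		return fmt.Sprintf("kernel %s: inside the CVE-2022-0847 window", v), nil
	}
	return fmt.Sprintf("kernel %s: not in the CVE-2022-0847 window", v), nil
}

func main() {
	// Prefer the Ubuntu signature; fall back to the bare release string.
	var src string
	for _, p := range []string{"/proc/version_signature", "/proc/sys/kernel/osrelease"} {
		if b, err := os.ReadFile(p); err == nil {
			src = string(b)
			break
		}
	}
	verdict, err := assess(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println(verdict)
}
```

On a distribution without /proc/version_signature only the branch base from uname -r is available, so the check stays conservative: a 5.10.0-NN kernel that carries a backported fix is still flagged, and the distribution's own advisory is the authority in that case.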

Exploit CVE-2022-0847 terminates with error

Hi,

I am using the command: ./traitor --exploit kernel:CVE-2022-0847

It seems to work, but terminates with an error: [+][error] Exploit failed: invalid password (see below).

In /etc/passwd: traitor4242:x:1001:1001:CVE-2021-3560,,,:/home/traitor4242:/bin/bash
In /etc/shadow: traitor4242:!:19092:0:99999:7:::
In /etc/group: sudo:x:27:thomas,traitor4242

Is there a reason why it terminates with an error?
Thanks for the help
Thomas

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.0
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.13.0 is vulnerable!
[+][kernel:CVE-2022-0847] Opportunity found, trying to exploit it...
[+][kernel:CVE-2022-0847] Attempting to set root password...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][kernel:CVE-2022-0847] Starting shell...
[+][kernel:CVE-2022-0847] Please exit the shell once you are finished to ensure the contents of /etc/passwd is restored.
[+][kernel:CVE-2022-0847] Setting up tty...
[+][kernel:CVE-2022-0847] Attempting authentication as root...
[+][kernel:CVE-2022-0847] Restoring contents of /etc/passwd...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][error] Exploit failed: invalid password
[+] Continuing to look for opportunities
[+] Nothing found to exploit.
thomas@thomas-ThinkPad-E15:~/traitor$

Docker exploit mitigation

(Note: I would ask this in a discussion but those haven't been set up yet - so another vote for enabling those: #70)

Sorry if this is the wrong place to ask this question - but I searched these issues, and I searched the web, and I can't find anything good on it.

Having docker.sock writable by the docker group is extremely handy/useful. However, I don't want to allow that as it results in this root exploit.

Is there any way to have docker.sock writable but without enabling this exploit? Is it a fundamental problem with Docker's design? Seems like a big deal...

Please add more explanations, maybe a way to test

I ran the app (release v0.0.1, AMD) on Kubuntu 20.10. Without "-p", it finds nothing. With "-p", everything in bin at least is flagged as exploitable. I am left wondering what any of this means, and what I do/don't need to fix in my system.

I tried adding a dangerous file with 777 and SUID permissions to my /bin directory; traitor without "-p" didn't flag it as dangerous.

Perhaps you could add to the README: run without "-p", then if no threats found, create file SOMETHING with permissions NNN and run again without "-p", see it reported as a threat. Or some other simple example of a deliberate threat.

Perhaps you could add to each exploitable case: some brief indication of what is wrong. For example, when run with "-p", it says "man" is exploitable on my machine, and pops a root shell. But I am left with no reason why, or how to fix it. /bin/man seems to have proper permissions on my machine. Is the vulnerability elsewhere? How do I fix it? Is there any vulnerability at all?

Thanks.

Supported operating systems?

It would be great for the README to have a list of supported operating systems. Does this only work on Linux or can I also run it on BSD systems?

Discussions

Hey @liamg let's open up Discussions on this repo (Under Settings). Some of the issues that come by are not really tangible things to write code and submit pull-requests for 😅

Run the program without checking exp

[image]

I run the program on several different computers, but there is no test vulnerability information, as shown in the figure. Is it because I don't have an exp? Or because the server does not have vulnerabilities?

Examples of how to misconfigure boxes

The tool looks neat, but I tried running it on a fresh Vagrant instance as an unprivileged user and didn't see much:

[image]

Of course, it's a stock install and there are no services running on the box, but I think it would be neat if there were some instructions on example misconfigurations that could be made on a throwaway VM for Traitor to exploit.

If you're willing to give me a list, I'd be happy to add some examples into the README and submit a PR!

Exploit failed: stat /bin/phNS9hpK_xJfOc: no such file or directory

Brandon-Ross-MacBook-Pro:Desktop bros$ CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor
Brandon-Ross-MacBook-Pro:Desktop bros$ traitor


 888                    d8b 888                    
 888                    Y8P 888                    
 888                        888                    
 888888 888d888 8888b.  888 888888 .d88b.  888d888 
 888    888P"      "88b 888 888   d88""88b 888P"   
 888    888    .d888888 888 888   888  888 888     
 Y88b.  888    888  888 888 Y88b. Y88..88P 888     
  "Y888 888    "Y888888 888  "Y888 "Y88P"  888     
    v0.0.0 | https://github.com/liamg/traitor 
 
[+] Assessing machine state...
[+] Checking for opportunities...
[+][docker:writable-socket] Docker socket at /var/run/docker.sock is writable!
[+][docker:writable-socket] System is vulnerable! Run again with '--exploit docker:writable-socket' to exploit it.
Brandon-Ross-MacBook-Pro:Desktop bros$ traitor --exploit docker:writable-socket


 888                    d8b 888                    
 888                    Y8P 888                    
 888                        888                    
 888888 888d888 8888b.  888 888888 .d88b.  888d888 
 888    888P"      "88b 888 888   d88""88b 888P"   
 888    888    .d888888 888 888   888  888 888     
 Y88b.  888    888  888 888 Y88b. Y88..88P 888     
  "Y888 888    "Y888888 888  "Y888 "Y88P"  888     
    v0.0.0 | https://github.com/liamg/traitor 
 
[+] Assessing machine state...
[+] Checking for opportunities...
[+][docker:writable-socket] Docker socket at /var/run/docker.sock is writable!
[+][docker:writable-socket] Opportunity found, trying to exploit it...
[+][docker:writable-socket] Building malicious docker image...
[+][docker:writable-socket] Creating evil container...
[+][docker:writable-socket] Starting evil container...
[+][docker:writable-socket] Backdooring host at /bin/phNS9hpK_xJfOc from guest...
[+][docker:writable-socket] Checking permissions...
[+][error] Exploit failed: stat /bin/phNS9hpK_xJfOc: no such file or directory
[+] Continuing to look for opportunities
[+] Nothing found to exploit.

how do you run this script?

I don't know how you run or install this, as there is no clear documentation. All help is greatly appreciated.

Hardening advice

If/when exploits are found you're left to your own devices. It'd be really useful if there was a catalogue of advice somewhere about resolving these exploits, perhaps in this project's wiki?

Report Format Standard

Does any kind of report format standard exist for the results, so that they could be used for monitoring?

`polkit:CVE-2021-3560` tweak: clarity with affected versions

Firstly, thank you for creating and maintaining traitor, it's excellent.

I ran v0.0.8 on a fully-patched (at least as far as apt permits) Ubuntu 20.04LTS, and got this result:

$ /opt/traitor/traitor


▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.8
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][polkit:CVE-2021-3560] Polkit version is vulnerable!
[+][polkit:CVE-2021-3560] System is vulnerable! Run again with '--exploit polkit:CVE-2021-3560' to exploit it.

Looking at d3db221 where detection for CVE-2021-3560 was added, v0.105-26 is considered vulnerable:

vulnerable, err := version.NewVersion("0.105-26") // vuln was introduced in 0.105-26

Looking at https://ubuntu.com/security/notices/USN-4980-1, where Ubuntu 20.04LTS is concerned, that same version number is not vulnerable…and it's actually listed as being the version which addresses CVE-2021-3560.

Given that Ubuntu LTS is a relatively popular choice among server operating systems – and 20.04 is the most recent LTS cut – it might be worth clarifying what versions are affected by CVE-2021-3560 in this case.

Thanks for your consideration.

Build instructions incorrect?

Hi, I'd like to install following these instructions from the README but am not sure how to get the binary built:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

This creates a go/pkg folder with a bunch of subfolders, but I have no idea where the built binary is.

Any help greatly appreciated! Using go 1.16.8.

Maybe add good old TTY privilege escalation?

What about adding the good old TTY privilege escalation? http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/

Most users aren't aware of it, since it was discussed a decade ago and most distributions have set it to WONTFIX; without re-configuring sudo, this will remain a problem on all major distributions.

Just try it from root:

# su -l tobwen
$ id
uid=1001(tobwen) gid=1001(tobwen) groups=1001(tobwen)
$ ls -l /proc/$$/fd
total 0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 0 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 1 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 2 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 255 -> /dev/pts/0

Whoops, you're doomed.

go get and master vs main

When I try to go get, I get # cd .../src/github.com/liamg/traitor; git checkout master. No such branch exists.

I'm on go 1.4.

License

Hi there 🙂

I'm packaging this for the AUR and can't find a license. On what terms is this software made available?

Cheers!

sudo: wheel NOPASSWD false positive

Hello, I have sudo with permissive line:
%wheel ALL=(ALL) NOPASSWD: ALL

traitor reports false positive on all vulnerable test cases, and even pops a shell. But it can't exploit anything if the line is removed.
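Both this report and the earlier "False positive with sudo with targetpw option" issue come down to sudoers directives that a per-binary check does not read. A %wheel ALL=(ALL) NOPASSWD: ALL rule makes every sudo-able binary a root shell without any password, so the group rule, not the binary, is the real finding; Defaults targetpw makes sudo prompt for the target (root) password, so the invoking user's password proves nothing. The following audit is an added example written for this page, not traitor's code. It scans sudoers text (a constructed sample is embedded and labelled as such) for the password-source Defaults options, for NOPASSWD grants, and for include directives that point at further files it does not follow; all names in it are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// sudoersFinding is one audit observation from sudoers text.
type sudoersFinding struct {
	Line int
	Kind string // "targetpw", "rootpw", "runaspw", "nopasswd" or "include"
	Text string
}

// Defaults options that make sudo ask for a password other than the invoking
// user's own. With one of these set, knowing the invoking user's password does
// not turn a sudo-able binary into a root shell.
var otherPasswordDefaults = map[string]bool{"targetpw": true, "rootpw": true, "runaspw": true}

// sampleSudoers is a constructed sudoers file, not taken from any real host;
// it combines the two situations reported in the issues above.
const sampleSudoers = `# constructed sample, not a real host's file
Defaults	env_reset
Defaults	targetpw, timestamp_timeout=5
root	ALL=(ALL:ALL) ALL
%wheel	ALL=(ALL) NOPASSWD: ALL
alice	ALL=(root) /usr/bin/gcc
@includedir /etc/sudoers.d
`

// auditSudoers reports the directives that decide whether a sudo entry
// flagged by a GTFOBins-style check is really exploitable.
func auditSudoers(content string) []sudoersFinding {
	var findings []sudoersFinding
	sc := bufio.NewScanner(strings.NewReader(content))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		head := strings.Fields(line)[0]
		switch {
		case head == "#include", head == "#includedir", head == "@include", head == "@includedir":
			// Included files carry rules too; record them so the auditor reads them.
			findings = append(findings, sudoersFinding{lineNo, "include", line})
		case strings.HasPrefix(head, "#"):
			// ordinary comment
		case strings.HasPrefix(head, "Defaults"):
			// "Defaults", "Defaults:user", "Defaults!cmnd" all take a comma-separated list.
			for _, opt := range strings.Split(strings.TrimPrefix(line, head), ",") {
				opt = strings.TrimSpace(opt)
				if otherPasswordDefaults[opt] { // a negated "!targetpw" deliberately does not match
					findings = append(findings, sudoersFinding{lineNo, opt, line})
				}
			}
		case strings.Contains(line, "NOPASSWD:"):
			findings = append(findings, sudoersFinding{lineNo, "nopasswd", line})
		}
	}
	return findings
}

// explain turns findings into the reading a defender needs, one line each.
func explain(findings []sudoersFinding) []string {
	var out []string
	for _, f := range findings {
		switch f.Kind {
		case "nopasswd":
			out = append(out, fmt.Sprintf("line %d: passwordless grant, every matching sudo entry is root with no password: %s", f.Line, f.Text))
		case "include":
			out = append(out, fmt.Sprintf("line %d: rules continue in included files, audit them too: %s", f.Line, f.Text))
		default:
			out = append(out, fmt.Sprintf("line %d: sudo asks for another account's password (%s), so the invoking user's password alone is not enough: %s", f.Line, f.Kind, f.Text))
		}
	}
	return out
}

func main() {
	content := sampleSudoers
	if len(os.Args) > 1 { // optionally audit a real file, e.g. run as root against /etc/sudoers
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		content = string(b)
	}
	for _, line := range explain(auditSudoers(content)) {
		fmt.Println(line)
	}
}
```

Reading /etc/sudoers and /etc/sudoers.d requires root, which is exactly why the tool needs -p for its sudo checks; the audit above is meant for the administrator who already has that access and wants to know which line to remove rather than which binary to worry about.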
