malectricasoftware
/
SUnami
mirror of https://github.com/malectricasoftware/SUnami.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

made readme cleaner

main
alchemist 2023-08-09 19:38:18 +03:00
parent b0f34b08e7
commit 6e882174f3
1 changed files with 37 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
README.md
View File

@ -1,54 +1,55 @@
# SUnami # SUnami
Struggling with linux priveledge escelation? well then its time to cheese it with SUnami. Struggling with linux privilege escalation? Well then, it's time to cheese it with SUnami.
0 interaction privesc is always recommended but not always achievable. For this reason we have created a tool for the most trivial priv esc in history (with a few drawbacks).
This is not an exploit just a cheap but effective trick. The usecase is when you have a shell on a sudoers account but no sudo cred. 0 interaction privesc is always desired but not always achievable. For this reason, we have created a tool for the most trivial non-0-interactin priv esc in history (with a few drawbacks). This is not an exploit just a cheap but effective trick. The usecase is when you have a shell on a sudoers account but no sudo cred.
It works by manipulating sudo via aliasing in their .bashrc file to prepend a malicious attacker specified command first in the background.
This does mean you will need to wait for sudo to be executed. It works by manipulating sudo via aliasing in their .bashrc file to prepend a malicious attacker specified command first in the background. This does mean you will need to wait for sudo to be executed.
flags denoted with -- are required. with - optional.
the -local flag denotes that you want sunami to modify the .bashrc file on the current machine instead of producing output (not suggested for stealth reasons). Flags denoted with -- are required. Flags denoted with - are optional. The -local flag denotes that you want sunami to modify the .bashrc file on the current machine instead of producing output (not suggested for stealth reasons).
# Authors # Authors
witchdocsec, TheA1ch3m1st witchdocsec, TheA1ch3m1st
# Notice # Notice
using the shells and socket based exfil will throw an error in the targets shell if your listener isn't active. be sure to clean up after gaining root. For the most stealth with file exfil we suggest the built in flask server. Currently our built in listener works best with bash shells. for nc shells using ncs own listener is recommended. using the shells and socket based exfil will throw an error in the targets shell if your listener isn't active. be sure to clean up after gaining root. For the most stealth with file exfil we suggest the built in flask server. Currently our built in listener works best with bash shells. for nc shells using ncs own listener is recommended.
# File Exfiltration # File Exfiltration
I used passwd so as not to leak my hash for this demo but rest assured you can read whatever file you wish I used passwd so as not to leak my hash for this demo but rest assured you can read whatever file you wish.
![image](https://github.com/witchdocsec/SUnami/assets/107813117/a7f26322-5fca-4030-9725-13dc5a02ac44) ![image](https://github.com/witchdocsec/SUnami/assets/107813117/a7f26322-5fca-4030-9725-13dc5a02ac44)
## useage: ## Usage
sunami.py [-local {1,0}] exfilfile [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT] sunami.py [-local {1,0}] exfilfile [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT]
# Root Shell # Root Shell
![image](https://github.com/witchdocsec/SUnami/assets/107813117/06000a59-b7da-45f3-8258-89618aa02a1f) ![image](https://github.com/witchdocsec/SUnami/assets/107813117/06000a59-b7da-45f3-8258-89618aa02a1f)
## useage: ## Usage
sunami.py [-local {1,0}] genshell [--ip IP] [--port PORT] [-shell SHELL] [-protocol PROTOCOL] [-listen {1,0}] sunami.py [-local {1,0}] genshell [--ip IP] [--port PORT] [-shell SHELL] [-protocol PROTOCOL] [-listen {1,0}]
# Run From Server # Run From Server
![image](https://github.com/witchdocsec/SUnami/assets/107813117/91127128-64e1-4493-bf85-068bc3a04972) ![image](https://github.com/witchdocsec/SUnami/assets/107813117/91127128-64e1-4493-bf85-068bc3a04972)
## useage ## Usage
sunami.py [-local {1,0}] rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA] sunami.py [-local {1,0}] rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]
# help # Help
genshell generates the shell to be edited in the bashrc file as an alias genshell generates the shell to be edited in the bashrc file as an alias
--ip ip to connect to --ip ip to connect to
--port port to connect to --port port to connect to
--shelltype type of shell to use (reverse, bind) - default is reverse --shelltype type of shell to use (reverse, bind) - default is reverse
--shell type of shell to generate - default is bash --shell type of shell to generate - default is bash
reverse bash, nc, nce reverse bash, nc, nce
bind nc bind nc
-protocol type of protocol, will not affect most shells (tcp, udp) - default is tcp -protocol type of protocol, will not affect most shells (tcp, udp) - default is tcp
-listen will automatically run a listener after outputting the shell (1, 0) -listen will automatically run a listener after outputting the shell (1, 0)
usage: sunami.py genshell [-h] [--ip IP] [--port PORT] [--shelltype SHELLTYPE] [--shell SHELL] [-protocol PROTOCOL] [-listen] usage: sunami.py genshell [-h] [--ip IP] [--port PORT] [--shelltype SHELLTYPE] [--shell SHELL] [-protocol PROTOCOL] [-listen]
exfilfile exfiltrates files using several methods exfilfile exfiltrates files using several methods
--file file to exfiltrate --file file to exfiltrate
--method method to use (postflask, nc, pysocket) --method method to use (postflask, nc, pysocket)
--ip ip to send to --ip ip to send to
--port port to send to --port port to send to
usage: sunami.py exfilfile [-h] [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT] usage: sunami.py exfilfile [-h] [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT]
rfs runs flask server serving your sh files to run from the attacker machine
--ip ip to run server on
--port port to run server on
--file file to run on infected machine
--vars <key>:<value> - sets variables in the selected script using jinja2 template syntax - default is no variables
--schema schema to use (http, https) - default http
useage: sunami.py rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]
rfs runs flask server serving your sh files to run from the attacker machine
--ip ip to run server on
--port port to run server on
--file file to run on infected machine
--vars <key>:<value> - sets variables in the selected script using jinja2 template syntax - default is no variables
--schema schema to use (http, https) - default http
usage: sunami.py rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]