# SUnami

Struggling with Linux privilege escalation? Well then, it's time to cheese it with SUnami.

Zero-interaction privesc is always desired but not always achievable. For this reason, we have created a tool for the most trivial non-zero-interaction privesc in history (with a few drawbacks). This is not an exploit, just a cheap but effective trick. The use case is when you have a shell on a sudoers account but no sudo credentials.

It works by aliasing `sudo` in the user's `.bashrc` so that an attacker-specified command runs first, in the background, the next time they invoke `sudo`. This does mean you will need to wait for the user to execute `sudo`.

Flags denoted with `--` are required. Flags denoted with `-` are optional. The `-local` flag denotes that you want SUnami to modify the `.bashrc` file on the current machine instead of producing output (not suggested for stealth reasons).
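Because the whole trick depends on a shell alias or function shadowing `sudo` in a user's startup file, the matching defensive check is to scan those files for exactly that. The script below is an added example written for this page, not part of SUnami: it parses shell rc contents for `alias` or function definitions that redefine `sudo` (and a few other privilege-granting commands, a list chosen here for illustration) and reports each hit with its line number. The sample `.bashrc` text is constructed for the example; `scan_home` applies the same check to the real rc files under a home directory.

```python
import re
from pathlib import Path
from typing import Dict, List

# Commands whose redefinition in a startup file is a red flag: an alias or
# function with one of these names runs arbitrary code before (or instead of)
# the real binary. The set is an assumption chosen for this example.
WATCHED_COMMANDS = {"sudo", "su", "doas", "pkexec"}

# Startup files bash/zsh read; any of them can carry the alias, not just .bashrc.
RC_FILES = (
    ".bashrc", ".bash_profile", ".bash_login", ".bash_aliases",
    ".profile", ".zshrc", ".zprofile",
)

# alias NAME=...           (the form the README describes)
ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>[A-Za-z0-9_.\-]+)=")
# NAME() { ...  or  function NAME() { ...
FUNC_RE = re.compile(r"^\s*(?:function\s+)?(?P<name>[A-Za-z0-9_.\-]+)\s*\(\)")
# function NAME { ...      (bash accepts this form without parentheses)
FUNC_KW_RE = re.compile(r"^\s*function\s+(?P<name>[A-Za-z0-9_.\-]+)\b")

# Constructed sample: two benign definitions, one shadowed sudo, one shadowed su.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample for this example)
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
alias sudo='/tmp/.x/payload.sh & sudo'
function git() { command git "$@"; }
su() { echo "nope"; }
"""


def scan_rc_text(text: str, source: str = "<constructed>") -> List[Dict[str, object]]:
    """Return one finding per line that aliases or redefines a watched command."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment-only line
        for kind, regex in (("alias", ALIAS_RE), ("function", FUNC_RE), ("function", FUNC_KW_RE)):
            m = regex.match(raw)
            if m and m.group("name") in WATCHED_COMMANDS:
                findings.append({
                    "source": source, "line": lineno, "kind": kind,
                    "name": m.group("name"), "text": stripped,
                })
                break  # one finding per line is enough
    return findings


def scan_home(home: Path) -> List[Dict[str, object]]:
    """Scan every known startup file under `home` that exists and is readable."""
    findings: List[Dict[str, object]] = []
    for name in RC_FILES:
        path = home / name
        if path.is_file():
            try:
                findings.extend(scan_rc_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return findings


if __name__ == "__main__":
    # Stand-alone run: show the constructed sample, then the current user's home.
    for f in scan_rc_text(SAMPLE_BASHRC) + scan_home(Path.home()):
        print(f"{f['source']}:{f['line']}: {f['kind']} redefines {f['name']}: {f['text']}")
```

A quick manual version of the same check is `type sudo` in the affected shell, which reports whether `sudo` currently resolves to an alias, a function or the binary; running a sweep like the one above over all home directories (and over `/etc/bash.bashrc` and `/etc/profile.d/`) from a scheduled job turns it into a detection.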

## Authors

witchdocsec, TheA1ch3m1st

## Notice

Using the shells and socket-based exfil will throw an error in the target's shell if your listener isn't active. Be sure to clean up after gaining root. For the most stealth with file exfil, we suggest the built-in Flask server. Currently our built-in listener works best with bash shells. For nc shells, using nc's own listener is recommended.

## File Exfiltration

I used passwd so as not to leak my hash for this demo, but rest assured you can read whatever file you wish.

### Usage

```
sunami.py [-local {1,0}] exfilfile [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT]
```

## Root Shell

### Usage

```
sunami.py [-local {1,0}] genshell [--ip IP] [--port PORT] [-shell SHELL] [-protocol PROTOCOL] [-listen {1,0}]
```

## Run From Server

### Usage

```
sunami.py [-local {1,0}] rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]
```

## Help

```
SUnami

help        outputs this page

genshell      generates the shell to be edited in the bashrc file as an alias
  --ip      ip to connect to
  --port      port to connect to
  --shelltype   type of shell to use (reverse, bind) - default is reverse
  --shell     type of shell to generate - default is bash
    reverse   bash, nc, nce
    bind    nc
  -protocol   type of protocol, will not affect most shells (tcp, udp) - default is tcp
  -listen     will automatically run a listener after outputting the shell
  usage: sunami.py genshell [-h] [--ip IP] [--port PORT] [--shelltype SHELLTYPE] [--shell SHELL] [-protocol PROTOCOL] [-listen]

exfilfile     exfiltrates files using several methods
  --file      file to exfiltrate
  --method    method to use (postflask, nc, pysocket)
  --ip      ip to send to
  --port      port to send to
  usage: sunami.py exfilfile [-h] [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT]

rfs         runs flask server serving your sh files to run from the attacker machine
  --ip      ip to run server on
  --port      port to run server on
  --file      file to run on infected machine
  --vars      <key>:<value> - sets variables in the selected script using jinja2 template syntax - default is no variables
  --schema    schema to use (http, https) - default http
  usage: sunami.py rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]
```