Skip to content

liamg/traitor

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 14 tags
Code

Latest commit

@liamg
liamg Create antispam.yml (#113)
0d221ba Mar 7, 2023
Create antispam.yml (#113)
0d221ba

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
 
 
cmd
 
 
internal
 
 
pkg
 
 
vendor
 
 
.gitignore
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
demo.gif
 
 
go.mod
 
 
go.sum
 
 
polkit.png
 
 
Traitor Usage Supported Platforms Getting Traitor In The News

README.md

Traitor

Automatically exploit low-hanging fruit to pop a root shell. Linux privilege escalation made easy!

Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities in order to pop a root shell:

  • Nearly all of GTFOBins
  • Writeable docker.sock
  • CVE-2022-0847 (Dirty pipe)
  • CVE-2021-4034 (pwnkit)
  • CVE-2021-3560

Demo

It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More routes to root will be added over time too.

Usage

Run with no arguments to find potential vulnerabilities/misconfigurations which could allow privilege escalation. Add the -p flag if the current user password is known. The password will be requested if it's needed to analyse sudo permissions etc.

traitor -p

Run with the -a/--any flag to find potential vulnerabilities, attempting to exploit each, stopping if a root shell is gained. Again, add the -p flag if the current user password is known.

traitor -a -p

Run with the -e/--exploit flag to attempt to exploit a specific vulnerability and gain a root shell.

traitor -p -e docker:writable-socket

Supported Platforms

Traitor will run on all Unix-like systems, though certain exploits will only function on certain systems.

Getting Traitor

Grab a binary from the releases page, or use go:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

For go1.18:

CGO_ENABLED=0 go install github.com/liamg/traitor/cmd/traitor@latest

If the machine you're attempting privesc on cannot reach GitHub to download the binary, and you have no way to upload the binary to the machine over SCP/FTP etc., then you can try base64 encoding the binary on your machine, and echoing the base64 encoded string to | base64 -d > /tmp/traitor on the target machine, remembering to chmod +x it once it arrives.

In The News

About

⬆️ ☠️ 🔥 Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

Topics

exploit infosec privilege-escalation security-tools privesc hackthebox gtfobins redteam-tools cve-2021-3560 cve-2022-0847 dirtypipe

Resources

Readme

License

MIT license

Stars

5.9k stars

Watchers

119 watching

Forks

474 forks
Report repository

Releases 14

Release v0.0.14 Latest
Mar 9, 2022
+ 13 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Used by 2

Contributors 4

Languages