Traitor simplifies Linux privilege escalation by automating the exploitation of common vulnerabilities and misconfigurations. It can target issues like GTFOBins, writable docker.sock, and various CVEs to provide an easy path to gaining root access. Designed for quick and efficient usage, Traitor runs on Unix-like systems and continually evolves with new methods.
Traitor is a powerful tool designed to streamline the exploitation of local misconfigurations and vulnerabilities on Linux systems, making privilege escalation efficient and straightforward. By leveraging a variety of methods, Traitor enables users to gain root access through the exploitation of low-hanging fruit, including:
- Comprehensive methods from all known GTFOBins
- Writable docker.sock
- CVE-2022-0847 (Dirty Pipe)
- CVE-2021-4034 (PwnKit)
- CVE-2021-3560

With Traitor, users can exploit most sudo privileges listed in GTFOBins, as well as take advantage of a writable docker.sock and the recent Dirty Pipe vulnerability (CVE-2022-0847). Additional routes to root access are continuously being developed and integrated into the tool.
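Two of the conditions listed above can be audited directly on a host before a tool like this finds them. The Go program below is an added example, not part of Traitor or its documentation: the function names are hypothetical, the kernel comparison assumes the upstream fix releases for CVE-2022-0847 (5.10.102, 5.15.25, 5.16.11), and /var/run/docker.sock is assumed to be the Docker socket path.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// kernelVersion parses "5.15.0-91-generic" into [5 15 0]; missing fields stay 0.
func kernelVersion(release string) ([3]int, error) {
	var v [3]int
	core := strings.FieldsFunc(release, func(r rune) bool { return r == '-' || r == '+' })
	if len(core) == 0 {
		return v, fmt.Errorf("empty kernel release")
	}
	for i, p := range strings.SplitN(core[0], ".", 3) {
		if _, err := fmt.Sscanf(p, "%d", &v[i]); err != nil {
			return v, fmt.Errorf("bad kernel release %q", release)
		}
	}
	return v, nil
}

// dirtyPipeUpstream reports whether an upstream version is in the CVE-2022-0847 range.
func dirtyPipeUpstream(release string) (bool, error) {
	v, err := kernelVersion(release)
	if err != nil || v[0] != 5 || v[1] < 8 {
		return false, err // unparsable, or outside 5.8..5.x where the bug exists
	}
	fixed := map[int]int{10: 102, 15: 25, 16: 11} // stable series -> first fixed patch level
	if p, ok := fixed[v[1]]; ok {
		return v[2] < p, nil
	}
	return v[1] < 16, nil // other 5.8-5.14 series are end-of-life, unfixed; 5.17+ is fixed
}

// othersCanWrite reports world-write permission; docker group members can also write.
func othersCanWrite(mode os.FileMode) bool {
	return mode.Perm()&0002 != 0
}

func main() {
	raw, _ := os.ReadFile("/proc/sys/kernel/osrelease")
	hit, err := dirtyPipeUpstream(strings.TrimSpace(string(raw)))
	fmt.Printf("kernel in upstream Dirty Pipe range: %v (err: %v)\n", hit, err)
	if fi, err := os.Stat("/var/run/docker.sock"); err == nil { // assumed default path
		fmt.Printf("docker.sock %v world-writable: %v\n", fi.Mode().Perm(), othersCanWrite(fi.Mode()))
	}
}
```

Distribution kernels often backport the fix without changing the upstream version number, so a positive kernel result means the vendor advisory should be checked rather than that the host is confirmed vulnerable.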
Usage
To discover potential vulnerabilities or misconfigurations that may allow privilege escalation, simply run:
traitor
If the current user's password is known, the -p flag can be added for a more detailed analysis of sudo permissions:
traitor -p
To attempt exploitation of each identified vulnerability until a root shell is obtained, use the -a or --any flag while including the -p flag if the password is available:
traitor -a -p
For targeting a specific vulnerability, execute:
traitor -p -e docker:writable-socket
Supported Platforms
Traitor operates on all Unix-like systems, although certain exploits may only function on specific systems.
Getting Traitor
To download the binary, visit the releases page, or use Go to fetch it directly:
CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor
For Go version 1.18 and above, installation can be done via:
CGO_ENABLED=0 go install github.com/liamg/traitor/cmd/traitor@latest
In scenarios where the target machine cannot access GitHub for the binary, base64 encoding the binary on a local machine and transferring it via terminal echo commands is a viable option:
echo "<base64_encoded_string>" | base64 -d > /tmp/traitor
chmod +x /tmp/traitor
In The News
- 20/06/21: Console 58 - Highlights innovative tools and beta releases for developers.
- 28/04/21: Intigriti Bug Bytes #120 - Features recommended tools.
- 09/03/21: Hacker News thread - Discusses Traitor in the context of security tools.