
github.com/liamg/traitor @v0.0.14 sqlite

97 symbols 286 edges 32 files 2 documented · 2%
README

Traitor

Automatically exploit low-hanging fruit to pop a root shell. Linux privilege escalation made easy!

Traitor packages up a bunch of methods to exploit local misconfigurations and vulnerabilities in order to pop a root shell:

  • Nearly all of GTFOBins
  • Writeable docker.sock
  • CVE-2022-0847 (Dirty pipe)
  • CVE-2021-4034 (pwnkit)
  • CVE-2021-3560

It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More routes to root will be added over time too.

Usage

Run with no arguments to find potential vulnerabilities/misconfigurations which could allow privilege escalation. Add the -p flag if the current user password is known. The password will be requested if it's needed to analyse sudo permissions etc.

traitor -p

Run with the -a/--any flag to find potential vulnerabilities, attempting to exploit each, stopping if a root shell is gained. Again, add the -p flag if the current user password is known.

traitor -a -p

Run with the -e/--exploit flag to attempt to exploit a specific vulnerability and gain a root shell.

traitor -p -e docker:writable-socket

Supported Platforms

Traitor will run on all Unix-like systems, though certain exploits will only function on certain systems.

Getting Traitor

Grab a binary from the releases page, or use go:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

If the machine you're attempting privesc on cannot reach GitHub to download the binary, and you have no way to upload the binary to the machine over SCP/FTP etc., then you can try base64 encoding the binary on your machine, and echoing the base64 encoded string to | base64 -d > /tmp/traitor on the target machine, remembering to chmod +x it once it arrives.

Extension points: exported contracts (how you extend this code)

Vulnerability (Interface)
(no doc) [5 implementers]
pkg/exploits/types.go
Exploit (Interface)
(no doc) [5 implementers]
pkg/exploits/types.go
ShellDropper (Interface)
(no doc) [5 implementers]
pkg/exploits/types.go
Disclosure (Interface)
(no doc)
pkg/exploits/types.go

Core symbols: most depended-on inside this repo

registerGTFOBinsExploit
called by 114
pkg/exploits/gtfobins.go
Printf
called by 83
pkg/logger/logger.go
fail
called by 9
internal/cmd/setuid.go
Flush
called by 7
internal/pipe/pipe.go
WaitForString
called by 7
internal/pipe/pipe.go
IsPackageInstalled
called by 6
pkg/state/packages.go
register
called by 5
pkg/exploits/registration.go
timeDbusCommand
called by 3
pkg/exploits/cve20213560/exploit.go

Shape

Method 45
Function 33
Struct 11
Interface 4
TypeAlias 4

Languages

Go 100%

Modules by API surface

pkg/exploits/cve20213560/exploit.go: 11 symbols
pkg/exploits/dockersock/exploit.go: 10 symbols
pkg/exploits/types.go: 8 symbols
pkg/exploits/gtfobins.go: 7 symbols
pkg/exploits/cve20220847/exploit.go: 7 symbols
pkg/exploits/cve20214034/exploit.go: 6 symbols
pkg/state/sudoers.go: 5 symbols
pkg/logger/logger.go: 5 symbols
pkg/backdoor/traitor.go: 5 symbols
internal/pipe/pipe.go: 5 symbols
pkg/exploits/registration.go: 4 symbols
pkg/state/state.go: 3 symbols

Dependencies: from manifests, versioned

github.com/creack/pty v1.1.11 · 1×
github.com/liamg/tml v0.3.0 · 1×
golang.org/x/crypto v0.0.0-2019060512303 · 1×
golang.org/x/sys v0.0.0-2019112015594 · 1×
