gitmyhub

traitor

Go ★ 7.1k updated 2y ago

:arrow_up: :skull_and_crossbones: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

A Go command-line tool for Linux that scans a system for privilege escalation paths, sudo misconfigurations, writable Docker sockets, and known CVEs, and can automatically exploit them to get root.

Language: Go · Setup: easy · Complexity: 2/5

Traitor is a command-line tool written in Go that checks a Linux system for common misconfigurations and known vulnerabilities that could let a regular user escalate to root, meaning gaining full administrative control of the machine. It is intended for security testers and penetration testers who already have limited access to a Linux system and want to find out whether a path to higher privileges exists.

The tool covers a wide range of escalation routes. It checks nearly all entries from GTFOBins, a public reference list of Unix binaries that can be misused when a user has been granted sudo permissions for them. It also checks for a writable Docker socket, which is a common misconfiguration on servers running Docker, and it tests for three specific published vulnerabilities: Dirty Pipe (CVE-2022-0847), pwnkit (CVE-2021-4034), and CVE-2021-3560. If exploitable conditions are found, Traitor can automatically attempt to use them to open a root shell.

Usage is straightforward from the command line. Running it with no flags scans for potential issues and reports them. Adding the -a flag makes it try each found issue in sequence and stop as soon as it obtains a root shell. A specific exploit can also be targeted directly with the -e flag. The -p flag tells it that the current user's password is known, which lets it analyze sudo permissions that would otherwise be inaccessible.

Pre-built binaries are available on the releases page, or you can compile it yourself with the Go toolchain. The README also describes a method for transferring the binary to an air-gapped machine using base64 encoding when direct downloads are not possible.

Where it fits