Michael Weinstein Posted October 12, 2017 Share Posted October 12, 2017 Taking the idea (again, mad props to sudoBackdoor) a bit further with some python scripting, I scared myself (and unintentionally pwned myself a few times as well) with this thing. How it works: The user's .bash_profile or .bashrc gets tweaked to point to ~/.config/sudo A python script called sudo is installed there. [Patience is required here, as you need to wait for the user to sudo some command now] This will take their password, validate it by running its own sudo command (literally just echoing something) and seeing if it works Once it confirms a good password, it stores the password for later retrieval and executes the intended sudo command in a subshell that the user shouldn't even notice a difference in After executing their command, it will use the password to sudo open up a reverse https meterpreter session on the machine. It will do this every time sudo is run. I unintentionally self pwned a few times, because the meterpreter session is being run as root, and one must sudo kill to get rid of it. Sudo killing it will get rid of the existing session as expected, but then will open up a shiny new session as its last step (unless the python script is gone). Because antivirus tends to recognize the base64-encoded meterpreter payload as malicious, I also wrote a script called "shellSmuggler.py" to go with it. If you use the msfvenom command I supply here, you should be able to pipe the output to the shellSmuggler and scramble the payload enough that antivirus doesn't alert on/block it anymore. You will need to know your listening machine's IP and listening port (obviously). 2 Quote Link to comment Share on other sites More sharing options...
Michael Weinstein Posted October 12, 2017 Author Share Posted October 12, 2017 https://github.com/michael-weinstein/bashbunny-payloads/tree/bushingsBlueTurtle/payloads/library/credentials/bushingsBlueTurtle 1 Quote Link to comment Share on other sites More sharing options...
Michael Weinstein Posted October 13, 2017 Author Share Posted October 13, 2017 I'm thinking of putting in an additional feature where it will take over /bin/sudo (or wherever it's supposed to be for that specific machine) with my wrapper so that you could get anybody who sudos after. 1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.