Jump to content
Michael Weinstein

bushingsBlueTurtle: A little patience = reverse HTTPS as root on Mac and Linux

Recommended Posts

Taking the idea (again, mad props to sudoBackdoor) a bit further with some python scripting, I scared myself (and unintentionally pwned myself a few times as well) with this thing.

How it works:

The user's .bash_profile or .bashrc gets tweaked to point to ~/.config/sudo

A python script called sudo is installed there.  [Patience is required here, as you need to wait for the user to sudo some command now] This will take their password, validate it by running its own sudo command (literally just echoing something) and seeing if it works

Once it confirms a good password, it stores the password for later retrieval and executes the intended sudo command in a subshell that the user shouldn't even notice a difference in

After executing their command, it will use the password to sudo open up a reverse https meterpreter session on the machine.  It will do this every time sudo is run.

I unintentionally self pwned a few times, because the meterpreter session is being run as root, and one must sudo kill to get rid of it.  Sudo killing it will get rid of the existing session as expected, but then will open up a shiny new session as its last step (unless the python script is gone).

Because antivirus tends to recognize the base64-encoded meterpreter payload as malicious, I also wrote a script called "shellSmuggler.py" to go with it.  If you use the msfvenom command I supply here, you should be able to pipe the output to the shellSmuggler and scramble the payload enough that antivirus doesn't alert on/block it anymore.  You will need to know your listening machine's IP and listening port (obviously).

  • Like 2

Share this post


Link to post
Share on other sites

I'm thinking of putting in an additional feature where it will take over /bin/sudo (or wherever it's supposed to be for that specific machine) with my wrapper so that you could get anybody who sudos after.

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...