How to Steal Ubuntu & MacOS Sudo Passwords Without Any Cracking

How to Steal Ubuntu & MacOS Sudo Passwords Without Any Cracking

With a simple social engineering trick, sudo passwords can be captured in seconds without the target's knowledge. The passwords can then be saved to a file or exfiltrated to another computer on the network.


After exploiting a system, penetration tester's and hackers will often begin privilege escalation (privesc) attacks. Such attacks include kernel exploitation and password phishing. The featured attack here takes a social engineering approach by utilizing Bash functions to emulate the functionality of the sudo command.


How Sudo Is Supposed to Work


Let's use the following whoami and id commands as an example. If we enter whoami into a terminal, it will return the current username.


~$ whoami tokyoneon

With the id command, it will return the user's uid (-u), a unique identifier assigned to each user on the system. By default, in Debian and Ubuntu systems, a normal user (non-root user) is assigned the uid of 1000 (shown below). Similarly, in macOS, a normal user is assigned the 501 uid.


~$ id -u 1000

When prepended, sudo elevates and executes the provided command with root (uid 0) privileges. This is all standard and normal behavior for sudo and Unix systems.


~$ sudo id -u 0

The type command can be used to identify how the supplied command is interpreted by the shell.


~$ type sudo sudo is /usr/bin/sudo

In this case, sudo is interpreted as /usr/bin/sudo. This is also standard behavior. When someone executes the sudo command (e.g., sudo whoami), they're essentially doing ..

Support the originator by clicking the read the rest link below.