3 ways to become root by exploiting the .bashrc file

You did it! You have discovered a vulnerability and successfully exploited it. Congratulations, you have gained access to the server. However, as your current user rights do not permit you to make significant changes to the machine, this is where the real investigation begins.

How to achieve root access?

There are numerous methods to achieve this, some of which may be effective, while others may not work or may have already been patched. Today, I will present three techniques for exploiting the .bashrc file to become root.

Before getting into the technical details, let me briefly explain what the .bashrc file is.

The .bashrc file is a bash script that is executed whenever a user opens an interactive bash session, for example after logging in to a Linux machine. It contains various configurations for the terminal session, such as setting up or enabling colouring, completion, shell history, command aliases, and more.

Because it runs with the user's own rights at the start of every session, it is possible to abuse this file by inserting malicious functions and, for example, escalating privileges.

Technique 1: sudo-telegram.sh

The first script steals the sudo password when the sudo command is used. It is triggered when the owner of the machine runs sudo: instead of the real binary, a modified sudo command is executed, which captures the password that is entered and sends it to the attacker in a Telegram notification. The owner of the account won't see anything suspicious, as the script is designed to behave like the real sudo command.

Here is a PoC video of the script:

Funny isn't it?

Technique 2: adduser-telegram.sh

This second technique behaves differently from the first script. This time we again wait for the server owner to use the sudo command, but instead of receiving the sudo password, the script secretly creates a new user with sudo privileges on the machine and then sends the new account's credentials to the attacker via Telegram. We are now free to ssh into the machine at any time with the new account!

Technique 3: ssh-telegram.sh

Finally, the third script adds the attacker's public SSH key to the ~/.ssh/authorized_keys file when the sudo command is used. As with the two previous techniques, we wait for the owner of the machine to run sudo, at which point our public SSH key is copied into the authorized_keys file. Once the public key has been successfully added, the attacker receives a confirmation message via Telegram. From there, the attacker can connect to the machine as a sudo-privileged user using their own private key!
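All three techniques share one mechanism: a startup file redefines sudo (as an alias or shell function) so that a wrapper runs in place of the real binary, and the wrapper does its work at the moment the real password is typed. The following auditor is an added example written for this article; it is not code from the post or from the Bashrc-Backdoors repository, and the function names, the list of watched commands and the sample .bashrc it builds are my own choices. It scans bash startup files for alias/function definitions that shadow sudo, su, ssh or passwd, flags startup files that source code from world-writable directories, and checks how a command resolves in the current shell.

```shell
#!/bin/sh
# Added example (not from the original post or its repository): audit bash
# startup files for the backdoor shape described in the article, namely an
# alias or shell function that shadows a privileged command so a wrapper runs
# instead of the real binary. Names and the sample file below are mine.

# Commands whose redefinition in a startup file deserves a closer look.
SUSPECT_CMDS="sudo su ssh passwd"

# Directories a startup file should not normally source code from.
SUSPECT_SOURCE_DIRS="/tmp /var/tmp /dev/shm"

# print_hits FILE HITS TEXT: prints "FILE:LINE: TEXT" for each "grep -n" hit.
print_hits() {
    printf '%s\n' "$2" | while IFS= read -r hit; do
        printf '%s:%s: %s\n' "$1" "${hit%%:*}" "$3"
    done
}

# scan_startup_file FILE
# Prints one finding per line and returns the number of findings as its exit
# status (0 = clean or unreadable; a count above 255 wraps, which is fine for
# an audit that only needs "zero or not").
scan_startup_file() {
    file=$1
    count=0
    [ -r "$file" ] || return 0
    for cmd in $SUSPECT_CMDS; do
        # The three ways to shadow a command in bash:
        #   alias sudo=...    function sudo ...    sudo() { ... }
        pat="^[[:space:]]*(alias[[:space:]]+$cmd=|function[[:space:]]+$cmd([[:space:]]|\(|\$)|$cmd[[:space:]]*\(\))"
        hits=$(grep -nE "$pat" "$file") || true
        if [ -n "$hits" ]; then
            print_hits "$file" "$hits" "shadows $cmd"
            count=$((count + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done
    for dir in $SUSPECT_SOURCE_DIRS; do
        # Matches "source /tmp/..." and ". /tmp/..."
        pat="^[[:space:]]*(source|\.)[[:space:]]+$dir/"
        hits=$(grep -nE "$pat" "$file") || true
        if [ -n "$hits" ]; then
            print_hits "$file" "$hits" "sources code from $dir"
            count=$((count + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done
    return $count
}

# scan_user_startup_files [HOME]: scans the usual per-user and system-wide
# bash startup files; exit status is the total number of findings.
scan_user_startup_files() {
    home=${1:-$HOME}
    total=0
    for f in "$home/.bashrc" "$home/.bash_profile" "$home/.bash_login" \
             "$home/.profile" "$home/.bash_aliases" \
             /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh; do
        n=0
        scan_startup_file "$f" || n=$?
        total=$((total + n))
    done
    return $total
}

# live_resolution CMD
# Checks how CMD resolves in the *current* shell: "command -v" prints a path
# only for a file on PATH; a shadowing alias prints its definition and a
# function (or builtin) prints just the name. Aliases are not loaded in
# non-interactive shells, so run this inside the session you want to check.
live_resolution() {
    resolved=$(command -v "$1" 2>/dev/null) || return 1
    case $resolved in
        /*) [ -x "$resolved" ] ;;
        *)  printf 'warning: %s is shadowed: %s\n' "$1" "$resolved" >&2; return 1 ;;
    esac
}

# build_sample_bashrc: writes a constructed sample .bashrc (harmless
# pass-through wrapper, no credential handling) and prints its path.
build_sample_bashrc() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample .bashrc for the audit demo
alias ll='ls -alF'
export EDITOR=vim
function sudo {
    /usr/bin/sudo "$@"
}
alias ssh='/tmp/.cache/ssh'
. /dev/shm/.profile
EOF
    printf '%s\n' "$f"
}

# Demonstration on the constructed sample (runs when the script is executed).
sample=$(build_sample_bashrc)
scan_startup_file "$sample" || printf '%s finding(s) in the sample\n' "$?"
rm -f "$sample"
```

Running `scan_user_startup_files` from a cron job or a configuration-management check and alerting on a non-zero exit status gives a cheap, host-local detection for this class of persistence; `live_resolution sudo`, typed in the interactive shell, confirms on the spot that sudo still points at the binary and not at a wrapper.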

As usual, the three scripts presented are open source and available on GitLab at the following address:

https://gitlab.com/0xSamy/Bashrc-Backdoors

Oh, and I forgot to mention that I plan to add two more techniques later 😈. Probably in a future article!

Thanks for reading :)
