3 ways to become root by exploiting the .bashrc file

You just did it! You found a vulnerability and you well exploit it. Congratulations, you just put a foot in the server. But as your user rights don't allow you to do much on the machine then this is where the big investigation begins.

How to become root!?

Well, there is an impressive number of methods to achieve this, some will work, some will not, and some will simply not work anymore because has been patched. But today I will present 3 techniques to become root by exploiting the .bashrc file.

Before getting into the technicalities, let me quickly explain what the .bashrc file is.

The .bashrc file is a script bash that is executed when a user login to a Linux machine. The file itself contains a different configurations for the terminal session. This includes setting up or enabling: coloring, completion, shell history, command aliases, and more...

It is therefore possible to exploit this file to insert malicious functions, and for example escalate privileges.

Technique 1: sudo-telegram.sh

The first script will steal the sudo password when the sudo command itself is used. The script will be triggered when the owner of the machine uses the sudo command, it will actually use a modified sudo command which aims to retrieve the password entered and send a Telegram notification to the attacker with the password. Of course, the owner of the account won't see anything suspicious as the script is designed to behave as the real sudo command.

Here is a PoC video of the script:

Funny isn't it?

Technique 2: adduser-telegram.sh

This second technique has a different behavior from the first script, this time we wait for the server owner to use the sudo command but instead to receive the sudo password it will secretly create a new user with the sudo privilege in the machine and then send the new user account information to the attacker via Telegram. So we are now free to ssh the machine anytime with the new account!

Technique 3: ssh-telegram.sh

Finally, the 3rd script aims to add the attacker public ssh key in the ~/.ssh/authorization file when the sudo command is used. As for the two previous techniques, we will wait for the owner of the machine to use the sudo command to copy our public ssh key in the authorization file. Once the attacker public key usefully added, the attacker will receive confirmation message via Telegram. From there, the attacker can connect to the machine with the sudo privilege using his own private key!

As usual the 3 scripts presented are open source and available on GitLab at the following address:

https://gitlab.com/0xSamy/Bashrc-Backdoors

Oh, and I forget to mention but I plan to add two more techniques later 😈. Probably for a next article!

Thanks for reading :)

Did you enjoy reading this article? You might also like this one. Are professional hackers also excellent magicians?

https://samy.link/blog/are-professional-hackers-also-excellent-magicians