1

I am currently making a honeypot which will record all user input once they login successfully through SSH.

Here's how it works: I have my honeypot user admin's default shell set to a bash script:

admin:x:1001:1001::/home/admin:/home/admin/HoneyPot/spawner.sh

The spawner.sh script will go ahead and launch an except script and record the output using script.

#!/bin/bash
cd /home/admin/HoneyPot/template/

pwd
script -c "./script.exp" -t 2> timing.log -a output.session #start recording session, execute except script
echo "we should not get here"

Here are the first few lines of script.exp:

#!/usr/bin/expect -f
#
# This Expect script was generated by autoexpect on Mon Oct  5 13:55:35 
# boilerplate comments and code:

set force_conservative 0  ;# set to 1 to force conservative mode even if
              ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}


start of my code


set timeout -1
spawn emulator #emulator is a simh emulator executable. not a shell script.
...
interact

When I run the script using ./template.sh as admin using bash, the script runs perfectly fine. However, when I login using su, this happens:

austin@ubuntu:~$ su admin
Password: 
/home/admin/HoneyPot/template
Script started, file is output.session
/home/admin/HoneyPot/template
Script started, file is output.session
/home/admin/HoneyPot/template
Script started, file is output.session
/home/admin/HoneyPot/template
Script started, file is output.session
/home/admin/HoneyPot/template
Script started, file is output.session
/home/admin/HoneyPot/template
...

Why is my bash script not working with the user's shell set to it? There are no recursive calls inside my script, and the script command should be blocking!

And just in case anyone is worried, this machine has no outgoing network connectivity. It can only receive SSH connections. Yes, I know that a user can break out of this. This is being ran in a VM.

Saustin
  • 113

1 Answers1

1

I think you are using a script without a shebang somewhere.

See this answer:

If the execl() function fails due to an error equivalent to the [ENOEXEC] error defined in the System Interfaces volume of POSIX.1-2008, the shell shall execute a command equivalent to having a shell invoked with the pathname resulting from the search as its first operand, with any remaining arguments passed to the new shell, except that the value of "$0" in the new shell may be set to the command name. If the executable file is not a text file, the shell may bypass this command execution. In this case, it shall write an error message, and shall return an exit status of 126.

in your spawner.sh add echo "$@" to get more hints.

OK, so the answer is more complicated but this should help. In spawner.sh add this a the top:

if [[ $1 == -c ]]; then
    exec bash "$@"
fi
laktak
  • 5,946
  • When I run spawner.sh manually from bash shell, that echo statement returns a blank line. When I run it via logging in, it returns "-c ./script.exp". Gah! – Saustin Oct 05 '20 at 18:41
  • Thanks for the update. This works perfectly. – Saustin Oct 05 '20 at 18:51