Persistent Backdoor in Linux Environment
So you have hacked a Linux box. The next step is to leave a persistent backdoor so that, if it is rebooted, you don't have to repeat all those steps again.
There are multiple methods available to create a persistent backdoor. Today I’m going to explain how you can create a backdoor in webservers.
Tools needed
- socat
- weevely
- some common sense
Installing Tools
weevely
Install weevely if you don’t have it. It's written in Python and is available in Kali Linux by default.
If you don’t have Kali Linux installed, just clone the repository and install it.
|
|
If you don’t have RUST installed, you can install weevely as
|
|
socat
Install socat for your OS. You can grab binaries from here.
|
|
Creating backdoor
With weevely we are going to create a backdoor.
|
|
Replace some_password with some memorable password.
If you get errors like no weevely found, go to the git repository and run weevely.py with Python.
|
|
Push backdoor to web server
Now that we have our backdoor created, the next job is to push it to the webserver. Copy it to the webserver’s root.
|
|
Executing our backdoor
You can execute your backdoor with weevely like this:
|
|
Replace some_password with the password you entered while creating this backdoor.
Execute ls and you will get a shell.
You can use :help to get other weevely options.
Just type : and press TAB to get auto complete options.
Extending our backdoor
This backdoor will give you normal user access. You can extend it. Let's do it.
Creating SUID executable
On your local machine, create a new file with these contents:
|
|
Compile it, change permissions and set the SUID bit.
|
|
Push SUID bit executable to victim
Now push this executable to the victim system as root.
|
|
Push socat to victim
If the victim system doesn’t have socat, push socat from the local system or download the binary from GitHub as stated above.
|
|
Or on the victim system, run this:
|
|
Getting root shell
On your local machine, run:
|
|
Using weevely, get a non-privileged shell and run this:
|
|
You will get a shell. Now execute the mysuid executable we copied earlier.
|
|
You will get a root shell.
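The root step above depends on a SUID executable sitting outside the directories where packaged set-id binaries live, which is what a file audit on the server can catch. The following is an added example, not code from the original post: it walks a tree and reports set-uid/set-gid regular files outside an allowlist. The EXPECTED_DIRS list and the function names are assumptions to adapt per distribution.

```python
#!/usr/bin/env python3
"""Audit a tree for set-uid / set-gid files outside expected locations."""
import os
import stat
import sys

# Assumption: directories where distro-packaged set-id binaries normally live.
EXPECTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec", "/bin", "/sbin")


def setid_flags(mode):
    """Return 'suid', 'sgid', 'suid+sgid' or '' for a regular file's st_mode."""
    if not stat.S_ISREG(mode):
        return ""  # set-gid on directories has a different meaning; skip it
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    return "+".join(flags)


def find_unexpected_setid(root, expected_dirs=EXPECTED_DIRS):
    """Walk root without following symlinks; return findings sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            flags = setid_flags(st.st_mode)
            if not flags:
                continue
            # Resolve the path so merged-/usr symlinks (/bin -> /usr/bin) match.
            real = os.path.realpath(path)
            if any(real.startswith(d.rstrip("/") + "/") for d in expected_dirs):
                continue
            findings.append({"path": path, "flags": flags, "uid": st.st_uid,
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "mtime": int(st.st_mtime)})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in find_unexpected_setid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{f['flags']:9} uid={f['uid']:<6} {f['mode']} {f['path']}")
```

Files inside the allowlisted directories are not reported, so pair this with package verification (for example rpm -V or debsums) to cover those paths.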
Thanks for reading.