Bash Scripting part 15

Emmanuel Wiseman
7 min read · Jan 13, 2025


Chapter 10: Persistence

Welcome back. Only two more chapters to go with the Bash book, then it is the process of repeating it and then scaring the pants off the Pentagon.

Persistence is a term most widely used in the self-help world, with examples like "I won't give up till I succeed" and so on. In this world persistence has the same definition but within a different context; according to the book, "you could plant code on a compromised server that reestablishes your access. Or you could discover virtual private network credentials in a configuration file on GitHub that someone accidentally pushed to a public repository to connect remotely to a network."

Bash is a useful tool for gaining persistence: modifying the scripts used to start system services, interacting with authentication modules, harvesting credentials by hooking executed commands, packaging and distributing malicious scripts, hijacking system utilities, and more.

As much as persistence can be gained, it can also be stopped:

Ephemeral environments: short-lived environments such as running containers. On container orchestration platforms, sysadmins spin containers up and down, and if the system is slow a container may be scaled down automatically; if the container you had access to is scaled down, goodbye access.

Mature security practices: if an org is really security resilient, as it should be, it can be difficult to maintain or compromise access to its systems. Some spare no expense: they review their systems every day for anomalies, harden their infrastructure, scan their environment for possible intrusion attempts, and do threat hunting. They may even have a dedicated red team to test the effectiveness of the controls. Talk about a challenge.

Network and endpoint security controls: the network is fine-tuned and endpoint security is deployed across the organization. A mature blue team will implement a defense-in-depth network strategy to compensate for any control failures.

Asset life-cycle management and inventory hygiene: assets get decommissioned, and solid patch management could introduce fixes to the vulnerable software. It is better to find grip points, that is, additional assets to persist on, so this doesn't become your situation.

Modifying service configurations

Modifying a script, or creating one, to start a system service. You will have to exploit System V and systemd; these are system mechanisms that manage services and control the start sequence of processes. System V is the older of the two.

System V

System V's /etc/init.d directory contains shell scripts called init scripts that are responsible for starting services, whether they're networked ones such as SSH, scheduling such as cron, or services responsible for setting up a server's hardware clock. Malicious logic can still be written into init scripts.

Yeah, this is the wrong place to put the payload.. no wonder it's not going through.

It's not working for me, I'm just going to move on.

Hooking into pluggable authentication modules

PAMs provide high-level APIs for low-level authentication schemes, and applications can use them to authenticate users. PAM configuration files live in the /etc/pam.d directory. PAM has the capability to call external scripts at certain points during an authentication flow by using the pam_exec.so library, so by modifying the configuration, PAM can be made to call a script whenever a user logs into a system and take any action from there.

Removed pam_umask.so to add pam_exec, according to the book.
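A defender-side check for the hook described above, added here as an example (not code from the book or from this post): it lists every pam_exec.so entry in a pam.d directory and marks hooks outside package-managed paths for review. The sample directory, its file contents and the script paths are constructed.

```bash
#!/bin/sh
# Added audit helper (not from the book or the post): list every pam_exec.so
# hook in a PAM configuration directory so unexpected ones can be reviewed.
# Real use: audit_pam_exec /etc/pam.d

audit_pam_exec() {
    dir="$1"
    # /dev/null forces grep to prefix each match with its file name even for a
    # single file; commented-out entries (text after the colon starts with #) are dropped
    grep 'pam_exec\.so' "$dir"/* /dev/null 2>/dev/null | grep -v ':[[:space:]]*#' |
    while IFS= read -r match; do
        file=${match%%:*}
        entry=${match#*:}
        # The hooked program is the first absolute path after pam_exec.so
        script=$(printf '%s\n' "$entry" | sed -n 's|.*pam_exec\.so[^/]*\(/[^[:space:]]*\).*|\1|p')
        # Simple heuristic: a hook outside package-managed directories needs a second look
        case "$script" in
            /usr/*|/lib/*|/etc/*) status=packaged-path ;;
            "")                   status=no-script ;;
            *)                    status=REVIEW ;;
        esac
        printf '%s %s %s\n' "$(basename "$file")" "${script:-none}" "$status"
    done
}

count_pam_exec() { audit_pam_exec "$1" | wc -l | tr -d ' '; }

# Constructed sample pam.d directory (not a real host's configuration)
SAMPLE_PAMD=$(mktemp -d)
printf 'session optional pam_umask.so\nsession optional pam_exec.so /var/tmp/hook.sh\n' > "$SAMPLE_PAMD/sshd"
printf '# session optional pam_exec.so /usr/bin/old.sh\nauth required pam_unix.so\n' > "$SAMPLE_PAMD/login"
printf 'session optional pam_exec.so seteuid /usr/lib/pam-hooks/motd.sh\n' > "$SAMPLE_PAMD/common-session"

audit_pam_exec "$SAMPLE_PAMD"
# common-session /usr/lib/pam-hooks/motd.sh packaged-path
# sshd /var/tmp/hook.sh REVIEW
```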

Exercise 19: Coding a Malicious pam_exec Bash Script

Generating Rogue SSH Keys

If you have SSH access to a server you can use your cryptographic key instead of your password to log in. When an SSH key pair is generated, the public key must be appended to a file named authorized_keys under the user's home directory; any public key in this file is authorized to authenticate to the system, but only as the account for which the key exists. More than one key can be used to authenticate, so using a rogue SSH key to create a backdoor is as easy as adding a public key to the file.

To generate an SSH key pair: ssh-keygen -t rsa -C ""
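An added example (not from the book or the post) for auditing the file this technique abuses: it compares an authorized_keys file against a baseline of approved keys and reports anything new, including a known key that reappears with options in front of it. The file paths and key blobs are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Added example (not from the book): report public keys in an authorized_keys
# file that are not in a baseline of approved keys (one "keytype blob" per line).
# Options in front of a key (no-pty, from=, ...) are skipped when matching and
# reported, since a known key can be re-added with options that change what it may do.
# Real use: rogue_keys ~alice/.ssh/authorized_keys /etc/ssh/approved_keys.txt

rogue_keys() {
    akf="$1"; baseline="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ""|"#"*) continue ;; esac
        # The key is the first "type blob" field pair; anything before it is options
        key=$(printf '%s\n' "$line" |
              awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh|ecdsa|sk-)/) { print $i, $(i+1); exit } }')
        if [ -z "$key" ]; then echo "UNPARSED $line"; continue; fi
        if grep -qxF "$key" "$baseline"; then continue; fi
        options=no
        case "$line" in "$key"*) ;; *) options=yes ;; esac
        comment=$(printf '%s\n' "$line" | awk -v k="$key" '{ print substr($0, index($0, k) + length(k) + 1) }')
        printf 'NEW %s options=%s comment=%s\n' "${key%% *}" "$options" "${comment:-none}"
    done < "$akf"
}

# Constructed sample files; the key blobs are placeholders, not real keys
BASELINE=$(mktemp); AUTH_KEYS=$(mktemp)
cat > "$BASELINE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedBlob0000000000000
EOF
cat > "$AUTH_KEYS" <<'EOF'
# constructed authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedBlob0000000000000 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedUnknownBlob000000000000000000000
no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOtherBlob00000000000000 backup
EOF

rogue_keys "$AUTH_KEYS" "$BASELINE"
# NEW ssh-rsa options=no comment=none
# NEW ssh-ed25519 options=yes comment=backup
```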

Repurposing Default System Accounts

  • Systems come with built-in accounts other than root, such as nobody, sys, sync, bin, games, and man. These are service accounts, since they are used for running specific tasks. Separating tasks into different accounts enforces a least-privilege model; as these accounts aren't meant for users to log in to, /etc/passwd usually has no shell or password set for them. A hardening practice like that ensures that scheduling tasks such as cron can't happen through them if they are compromised.
  • So, let's say you've compromised a machine.. grrrrreat for you, not for the victim… you can go through the steps of crafting a backdoor mechanism that can be hidden, as in the image below:
  1. creating a new account that looks similar to a service account
  2. modifying an existing service account by adding a shell and password to it.
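An added audit (not from the book or the post) aimed at both steps above: it reads passwd- and shadow-format files and reports low-UID accounts that carry a login shell or a usable password, plus any extra UID 0 account. The sample files, account names and hashes are constructed, and the UID 1000 boundary is an assumption based on the Debian convention.

```bash
#!/bin/sh
# Added example (not from the book): flag low-UID system accounts that have been
# given a login shell or a usable password, plus any extra UID 0 account.
# Real use (needs root to read shadow): audit_system_accounts /etc/passwd /etc/shadow
audit_system_accounts() {
    passwd="$1"; shadow="$2"
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$name" = root ] && continue
        # Regular users live at UID >= 1000 on Debian-style systems (assumption); out of scope here
        [ "$uid" -ge 1000 ] && continue
        reason=""
        [ "$uid" -eq 0 ] && reason="uid=0"
        case "$shell" in
            */nologin|*/false|*/sync) ;;   # non-interactive, as expected for a service account
            "") reason="${reason:+$reason,}shell=empty(default)" ;;
            *)  reason="${reason:+$reason,}shell=$shell" ;;
        esac
        # Shadow password field: empty, * or ! means no usable password
        hash=$(awk -F: -v u="$name" '$1 == u { print $2 }' "$shadow")
        case "$hash" in
            ""|"*"*|"!"*) ;;
            *) reason="${reason:+$reason,}password-set" ;;
        esac
        if [ -n "$reason" ]; then printf '%s %s\n' "$name" "$reason"; fi
    done < "$passwd"
}

# Constructed sample files; "daemom" is a lookalike of the daemon account
PASSWD=$(mktemp); SHADOW=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/bash
daemom:x:0:0::/:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$SHADOW" <<'EOF'
root:$6$placeholder:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
man:$6$placeholder:19000:0:99999:7:::
daemom:$6$placeholder:19000:0:99999:7:::
alice:$6$placeholder:19000:0:99999:7:::
EOF
audit_system_accounts "$PASSWD" "$SHADOW"
# man shell=/bin/bash,password-set
# daemom uid=0,shell=/bin/bash,password-set
```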

Poisoning Bash Environment Files

When Bash is invoked as an interactive login shell, it reads /etc/profile (if it exists) before reading user-level environment files such as ~/.bash_profile, ~/.bash_login, and ~/.profile. When Bash is invoked as a non-login interactive shell, it reads the global bashrc file before the local one.

Exercise 20: Intercepting Data via Profile Tampering

Credential stealing

If you can get the credential, or the keystrokes (key-logger), then if the password is reset you can intercept the new one too, and access can be maintained even if someone discovers the game is afoot. So how can you capture this info?

  1. Trojanizing commands (replacing them with malicious binaries or injecting malicious logic)

Hooking a text editor

I will be honest, I never really liked Vim, but the book is saying it's prevalent so I've got to learn it well now, and I found a short 1hr explanation; the link is in the references in case you're in my position too.

Streaming Executed Commands

History files keep a record of commands executed by users and allow access to, auditing of, and replay of previously executed commands. History files update whenever new commands are executed, so it could be interesting to stream them over the network to a listener, providing a live record of command-execution events to a server and capturing any credentials users enter via the command line.

Forging a Not-so-innocent sudo

sudo can be compromised by replacing it with a malicious version, creating a fake sudo script like the one below.
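An added example (not from the book or the post) covering this section and the profile-tampering one above: it looks for a sudo shadowed earlier in PATH than the real binary, and for an alias or function named sudo in shell startup files. The directory layout, the stand-in sudo files and the bashrc line are constructed.

```bash
#!/bin/sh
# Added example (not from the book): two checks for a forged sudo. check_sudo_path walks
# PATH in order and reports the first executable named sudo, flagging it if it is not the
# expected binary; check_sudo_startup greps startup files for an alias or function named sudo.
# Real use: check_sudo_path "$PATH" /usr/bin/sudo; check_sudo_startup /etc/profile ~/.bashrc ~/.profile

check_sudo_path() {
    path="$1"; expected="$2"
    old_ifs=$IFS; IFS=:
    set -- $path
    IFS=$old_ifs
    for dir in "$@"; do
        [ -x "$dir/sudo" ] || continue
        if [ "$dir/sudo" = "$expected" ]; then
            echo "ok $dir/sudo"
        else
            echo "SHADOWED $dir/sudo precedes $expected"
        fi
        return 0
    done
    echo "MISSING no sudo found in PATH"
}

check_sudo_startup() {
    # Prints file:line:text for any alias or function definition of sudo
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo|sudo[[:space:]]*\(\))' "$f" /dev/null || true
    done
}

# Constructed layout: two stand-in "sudo" files and a tampered bashrc (nothing real is touched)
W=$(mktemp -d)
mkdir -p "$W/bin" "$W/usr/bin"
printf '#!/bin/sh\necho real\n' > "$W/usr/bin/sudo"
printf '#!/bin/sh\necho fake\n' > "$W/bin/sudo"
chmod +x "$W/usr/bin/sudo" "$W/bin/sudo"
printf 'export EDITOR=vim\nalias sudo=/var/tmp/.sudo\n' > "$W/bashrc"

check_sudo_path "$W/bin:$W/usr/bin" "$W/usr/bin/sudo"   # SHADOWED <W>/bin/sudo precedes <W>/usr/bin/sudo
check_sudo_path "$W/usr/bin:$W/bin" "$W/usr/bin/sudo"   # ok <W>/usr/bin/sudo
check_sudo_startup "$W/bashrc"                          # <W>/bashrc:2:alias sudo=/var/tmp/.sudo
```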

Exercise 21: Hijacking Password Utilities

Distributing Malicious Packages

Linux systems use package formats such as Debian (DEB) and RPM. They let you package your own files, and you may be able to backdoor a system if someone installs a malicious package.

Understanding DEB Packages

DEB packages are archive files containing three parts: debian-binary, the control archive and the data archive. The debian-binary file is a text file containing the version number of the deb format. The control archive is a compressed file containing scripts and metadata. The data archive contains the files the package should install.

Packaging Innocent Software

Converting Package Formats with alien

Exercise 22: Writing a Malicious Package Installer

That’s all for now, be blessed

References:
