First, let's consider the backdoor: a malicious program, or sometimes a loophole deliberately left in the code of a legitimate program, that gives an attacker access to the device for unauthorized actions. A backdoor is exactly what its name says: it secretly lets an attacker into the system, usually with administrator rights. Backdoors resemble legitimate remote-administration utilities, but their functionality is usually wider. In addition to directly controlling processes at the operating-system level and even the BIOS/firmware, a backdoor can steal personal user data, download and exfiltrate files over the network, open the door for viruses and worms, connect to remote hosts, and turn the computer into a "zombie" in a botnet, all of it invisible to the user.
Next up are Lua and SSH. Lua is a lightweight, multi-paradigm scripting language that is typically embedded in other programs to implement utility and business logic; on this box it matters because a Lua script can execute operating-system commands, so being allowed to run one as another user is as good as having that user's shell.

SSH is a client-server protocol that authenticates remote systems and encrypts everything exchanged during a remote-access session. By default the server listens on TCP port 22: it accepts the incoming connection, authenticates the client, and then starts the shell (or command) the user asked for. The port can be changed if necessary. The client initiates the connection; the server's identity is checked against the host keys previously recorded in the client's known_hosts file, and the user then proves their own identity with a password or a key pair.

Connecting to the lab via VPN: it is recommended not to connect from a work computer or from a host holding data that matters to you, because you are entering a private network shared with people who know something about IT.
1. First, we scan for open ports. Scanning all ports with nmap takes a long time, so I start with masscan: all TCP and UDP ports, sent out through the tun0 interface at 500 packets per second. The command and its results are shown in Screenshot 1 and Screenshot 2.
2. To get more detail about the services on the open ports, we run nmap with the -A option (version detection, OS detection, default scripts and traceroute) against only the ports masscan found. (Screenshot 3 and Screenshot 4.)
3. The host runs an SSH service and a web server. Visiting the web server shows nothing but a message. (Screenshot 5.)
4. But the page source contains something interesting. (Screenshot 6.)
5. Searching for this line on Google leads to a GitHub page. (Screenshot 7 and Screenshot 8.)
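Steps 1 and 2 above, written out as an added example (not from the original write-up): masscan finds the open ports quickly, and its list output is turned into the comma-separated port lists that nmap's slow -A scan should be limited to. The target address, the interface and the masscan output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original write-up. The target IP, interface
# and masscan output below are constructed; run the masscan/nmap lines by hand.

TARGET="10.10.10.5"       # assumed lab address
IFACE="tun0"              # the VPN interface, as in the write-up

# Step 1: every TCP and UDP port, out through tun0, at 500 packets per second.
# List output (-oL) is the easiest format to post-process.
#   masscan -e "$IFACE" -p1-65535,U:1-65535 --rate=500 -oL masscan.txt "$TARGET"

# Constructed sample of what masscan -oL writes (two TCP ports, one UDP port).
SAMPLE_MASSCAN='#masscan
open tcp 22 10.10.10.5 1700000000
open tcp 80 10.10.10.5 1700000001
open udp 161 10.10.10.5 1700000002
# end'

# ports_from_masscan <tcp|udp>: reads masscan -oL lines on stdin and prints the
# open ports of that protocol as "p1,p2,...", sorted numerically, no duplicates.
ports_from_masscan() {
    awk -v proto="$1" '$1 == "open" && $2 == proto { print $3 }' \
      | sort -n | uniq | paste -s -d, -
}

tcp_ports=$(printf '%s\n' "$SAMPLE_MASSCAN" | ports_from_masscan tcp)
udp_ports=$(printf '%s\n' "$SAMPLE_MASSCAN" | ports_from_masscan udp)

# Step 2: service/version detection (-A) only on the ports masscan saw.
# The commands are printed rather than executed so this script runs offline.
[ -n "$tcp_ports" ] && echo "nmap -A -p $tcp_ports $TARGET"
[ -n "$udp_ports" ] && echo "nmap -sU -sV -p $udp_ports $TARGET"
```

The point of the two-stage scan is that masscan is stateless and fast but only tells you a port answered, while nmap -A is what identifies the SSH and web server versions; feeding nmap the short port list keeps the detailed scan to seconds instead of hours.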
1. Going through these files, we determine that smevk.php, a PHP web shell left on the server as a backdoor, was uploaded to it. (Screenshot 1.) In its source on GitHub we find the default credentials and log in with them. (Screenshot 2 and Screenshot 3.)
2. In the next step we generate a PHP reverse shell and start the listener. (Screenshot 4 and Screenshot 5.)
3. Now we upload the shell through the web shell and request it. We get a meterpreter session. (Screenshot 6 and Screenshot 7.)
1. In the user's home directory we find some files and a note about them.
2. We can also run a Lua script on behalf of the sysadmin user. (Screenshot 2.)
3. From the script we start a shell. (Screenshot 3.) For convenience, we drop in an SSH key.
4. We connect with the private key and take the flag. (Screenshot 4.)
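Step 3 above, dropping in an SSH key, as an added example (not the author's own commands): once the Lua script has given us a shell as the target user, the public half of a key pair generated on the attacker box is written into that user's authorized_keys with the permissions sshd insists on. The home directory, the user name and the key string below are constructed; the key is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Paths, user and key are
# constructed for illustration; the key is a dummy string, not a real key.

# install_authorized_key <home_dir> <public_key_line>
# Creates ~/.ssh with the modes sshd requires (with StrictModes, the default,
# group- or world-writable directories or key files are silently rejected)
# and appends the key exactly once, so re-running it is harmless.
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# On the attacker box:  ssh-keygen -t ed25519 -f lab_key -N ''
# then paste the contents of lab_key.pub into the shell on the target.
DUMMY_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyForIllustrationOnly attacker@kali'

# Demonstrate against a temporary directory standing in for /home/sysadmin.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$DUMMY_PUB"
install_authorized_key "$demo_home" "$DUMMY_PUB"   # second call must not duplicate

key_count=$(grep -c 'ssh-ed25519' "$demo_home/.ssh/authorized_keys")
dir_mode=$(stat -c '%a' "$demo_home/.ssh" 2>/dev/null || stat -f '%Lp' "$demo_home/.ssh")
echo "keys installed: $key_count, .ssh mode: $dir_mode"

# Back on the attacker box (assumed user and address):
#   ssh -i lab_key sysadmin@10.10.10.5
```

The reason to bother with a key instead of staying in the reverse shell is the one the write-up gives, convenience: a proper pty, scp for moving LinPEAS over, and a session that survives the web shell being cleaned up.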
1. We run LinPEAS with its base set of checks, and in the report we find interesting files that are writable by our user. (Screenshot 1 and Screenshot 2.)
3. Now we connect right away and see the reverse connection arrive at our host. (Screenshot 5.)
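The check behind the LinPEAS finding in step 1, as an added example (not the author's own commands): files that anyone can modify but that something privileged may later execute, such as a cron job or a service script, are the ones worth looking at, because a line appended to such a file runs with whatever privileges the scheduler has. The directory tree is constructed here so the script runs offline; the cron path and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up. The directory tree below is
# constructed to stand in for a target's filesystem; file names are assumptions.

# world_writable_files <root>: regular files under <root> that any user can
# write, skipping the pseudo-filesystems that only produce noise. This is the
# same question LinPEAS asks in its "writable files" section.
world_writable_files() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         -type f -perm -o+w -print 2>/dev/null | sort
}

# Build a small fake root: one misconfigured cron script, two healthy files.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/cron.hourly" "$demo_root/opt"
printf '#!/bin/sh\necho backup\n' > "$demo_root/etc/cron.hourly/backup.sh"
chmod 666 "$demo_root/etc/cron.hourly/backup.sh"   # the misconfiguration
printf 'secret=1\n' > "$demo_root/etc/config"
chmod 644 "$demo_root/etc/config"                  # readable, not writable
printf '#!/bin/sh\n' > "$demo_root/opt/run.sh"
chmod 755 "$demo_root/opt/run.sh"                  # executable, not writable

found=$(world_writable_files "$demo_root")
echo "world-writable files:"
echo "$found"

# On a real target, cross-check the hits against what actually gets run:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -v '^#'
#   systemctl list-timers --all
```

A writable file on its own is only a finding; it becomes a privilege escalation when you can show who executes it and as whom, which is why the crontab and timer listing belongs next to the find.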