Mastering Persistence: Using an Apache2 Rootkit for Stealth and Defense Evasion

HackerSploit · Intermediate ·🔐 Cybersecurity ·1y ago

Key Takeaways

The video demonstrates the process of establishing persistence and evading defenses on Linux using an Apache2 rootkit, with a focus on cybersecurity and intermediate level techniques.

Full Transcript

hey guys hack exploit here back again with another video and I know it's been a while but a lot of exciting stuff to go uh to get into now um in this video what we're going to be doing is uh taking a look at um how to leverage an Apache to root kit uh during your red team off specifically for persistence and uh defense evasion now uh the screen you currently seeing is um sort of an older version of this guide that I'd worked on previously if you remember and uh the problem with that if you remember um or if you can recall was that you sort of had to set up your own environment to do this now what I've been working on um doing as I mentioned you know a while back in a couple of other videos was um you know sort of revamping the way I thought of delivering uh this type of training because again in order for you to get the best or the most out of uh what I you know demonstrate or what I go through in videos you should be able to again get into an environment that's already ready for you to go and unfortunately some of the other platforms just weren't cutting it uh in that I couldn't you know create the advanced environments that I required however um as you remember a few videos back when I published the um the first pen testing diary series which will be continuing on um I I utilized the Cyber Rangers platform and was actually able to build uh this particular lab uh the Apache 2 rootkit uh lab and it's currently on the Cyber ranges platform so if you're not familiar with this platform um I'd mentioned it a few videos back in the first episode of pentesting Diaries it's uh again a cyber range as the name suggests you can access it via the URL app. cyber rangers.com uh link to this will be in the description section as well as a direct link to the lab the lab can be played uh absolutely for free um it's under the Community free section so red team tradecraft you can see that right over here so this is completely free to play um and I just added this one for now I'll be looking to Port some of uh pretty much all of the uh the previously um you know used uh Labs or setups or configurations that you know you had to set up locally onto the platform um so do stay tuned for that there's also quite a bit of other you know quite a bit of stuff um apart from this particular series that'll be on here um but yeah so you can just register for an account on app. Cyber rangers.com um if you haven't already uh it's free and uh these particular labs are free we also have the adversary emulation playlist of labs which we're actually going to be going through really excited about that um in December um and there's also some of the cve labs um actually this one was already ported a while back uh there's a video I had um a while back on the dirty pipe vulnerability where I actually you know developed um I would say a pretty good um exploit for this U you know you can check that video the GitHub repo is pretty much based on this anyway so the focus of this video is going to be again a continuation of the red team series but now taking uh moving into tradecraft and you know the actual operations um so this is a an update of this particular walkth through here that I have on the ha exploit blog and you'll actually see the improvements made where now it's sort of contextualized placed in a more realistic environment um so you again you can just start up the lab just takes a few seconds to start up um and you'll be provided with access to a you know preconfigured Cali Linux system pretty much everything you need um so the scenario or um yeah the the scenario in in question is uh again all based on what you're likely to find uh in the real world that's sort of the objective for the uh the r uh the red team tradecraft series and uh what we're going to be doing is uh you can go through the introduction but um the objective here is um you know why would you need to use this particular root kit and as you can see based on the title it's mainly on defense evasion and I'll explain why in addition to defense evasion you can also use this rootkit um for persistence uh specifically on Linux it goes without saying um and uh yeah so I'll just start it up here and uh we have the intro right over here so I'm just going to go through the intro really quickly because there's quite a bit of stuff that um I've sort of included now in the in the update here so um this scenario serves as a guide on how to set up and maintain uh upsc during red team operations in the case of this scenario we'll be exploring how this can be achieved in instances where initial access has been obtained on a public facing web server running Apache now as you may or may not know maintaining upsc during red team operations is extremely important and is something that needs to be factored into your decision making before and after initial access has been obtained you know compromising public facing a public facing web server does not Mark the end of your activity on the target system or host uh you must ensure that you've establish persistence and mask uh your activity which you know is inclusive of network traffic you know the commands you're executing Etc masking your activity uh will require an understanding of how the compromise system is utilized how it is managed and more importantly whether it is being monitored for the sake of authenticity and realism in this scenario you will commence um we will commence our operations by obtaining initial access um on the target web server or to the Target web server we will then perform some local enumeration on the compromised web server after which we'll leverage the legitimate Services running on the web server um or the server to establish persistence via an Apache 2 rootkit what about you know being stealthy in evading detection well well well the Apache 2 rootkit in question is built to be stealthy and can be configured to blend activity uh with legitimate traffic so with that being said we are ready to get started um or if you are ready to get started you can just navigate to the wiki section um where there's a walk through um that sort of breaks down um all of the phases that we'll be going through so initial access post compromise and then configuring and deploying the rootkit and then of course testing the rootkit right over here so if you're not familiar with the Cyber Rangers platform if you click on the servers tab you can see the systems that you can interact with uh you have the C2 server that's running Cali um this you you can access via your browser or in your browser via RDP so you also have SSH access so you don't need to connect uh via VPN and then we have the target web server that has the services exposed right over here so if I just click on the RDP uh the RDP button right over here you can see it's going to open up a new tab and uh uh there we go just going to load it up here just uh hopefully uh actually let me probably need to exit full screen just give me a second all right there we go and um you know the um the Apache rootkit has already been s uh been saved on your desktop don't worry we'll get to that shortly uh I'm not going to go through the walkthrough in the wiki that is for your perusal all uh but we know the target IP that's the target web server that's running on 182 168 125 100 so let's get cracking here and I'm just going to navigate onto my desktop and we'll start off with the basics you know the standard stuff so pseudo uh n map and uh if I can type correctly we're going to um actually hold on we're going to we're not going to Ping we're just going to run a sin scan and um you know we're also going to do a service version detection scan um you know T4 speed it up a little bit uh all ports TCP ports that is 125 100 and uh why not save the results here so we're just going to say Ox um and we're going to call this a web server um I just say nmap uh web server um and all TCP do XML all right so this will not really sure how much time this will take um we said don't ping uh it's going to do the out ping anyway um actually hold on we probably also want to disable DNS uh resolution we don't really need that taking too much of our time uh there we are much better much better actually that's a quick tip um if you want to save a you know quite a bit of time I should say and we're just I'm just going to wait for this to complete and then uh we can you know take a look at what we have running on uh the target web server and remember the objective as I've laid it out in the in the wiki section um is we're firstly going to establish or obtain initial access as clandestinely is possible and then we're going to move on to configuring the rootkit and hopefully this will make sense um you know given that uh this this particular updated uh guide um is built to sort of mimic what you're likely to find uh on you know a standard web server so there we are we can see that on the target we have SSH um we have Port 80 running a Apache web server that gives us uh you know we have a banner there for the dro and then on Port 10,000 we have a webmin server running um so why don't we open up um Firefox here trusty Firefox and um let's see what we have on the on Port 80 so 192 168 125 Point 100 that'll open up Port 80 and uh there we are this uh let's see what we get in this particular case h interesting uh this uh pretty much should give us the uh the public facing website uh but you know why not uh let's check what's running on Port 10,000 like so uh not 1,000 but 10,000 uh there we are we have webman and um this is still loading very interesting probably trying to fetch uh some libraries and stuff uh given yeah this is it's making quite a few lookups here um but that should uh should actually stop in a while um if I go in here uh any protection uh no anyway that's supposed to be the public facing website um it's not being displayed but there is just a standard boilerplate uh landing page the bottom line is we're not targeting the public facing website U you know it's running Apache web server which is what we're going to use um you know for uh to establish persistence uh I should say stealthy persistence with the Apache 2 rootkit our my our main initial access Vector is going to be webmin okay so if we take a look at the nend map scan we can see that it's running webmin 1920 okay now I'm going to switch over really quickly into the the wiki and uh there's a good reason for that so I've sort of outlined exactly what I did over here and you can see what the landing page looks like now um the augmentation or the Improvement that I made to the guide is to include initial access right so first things first and I've sort of outlined why this is important uh you can see it right over here before we get ahead of ourselves we must ask ourself the question or ourselves the question I should say what exactly is webman now this is a very important question to ask yourself why um the reason this is an important question to ask yourself is because it's always a good idea or a good um thing to do uh you know or a good step to take before you you know you actually move on to exploiting a particular service so always understand what a service or application or web application does how it works and what technologies and or libraries it uses before you start attacking or testing it so that begs the question what is webmin and what does it uh what does it do or what is it used for well webmin is a free open-source web-based control panel that allows system administrators to manage um Unix servers um Unix like servers um you know essentially configuring um operating systems um users can configure operating system internals such as users dis quoters Etc modifying and controlling open source app so users can modify and control open source apps such as bind um bind DNS that is Apache you know PHP my SQL actually starts to make sense why someone would be or why the target organization actually set up webmin um the bottom line is that webmin is a useful tool for system administrators because it simplifies the process of managing a Linux or Unix system it provides an intuitive user interface that's accessible through a web browser allowing users to manage a server from anywhere now that brings us to targeting webmin so we know what version of webmin we're running so let's go back in here into the Cali Linux system or our C2 server um has the web app here yeah there we are it's actually loaded took a while but you can see this is the target organization's website we're not going to Target this cuz again we want to be as clandestine as possible and not do anything foolish so no file or direct Brute Force Let's uh try and assess what we have running on the Target first so we'll you know just perform a quick search sploit query here for webmin and you know we can actually specify the exact version so webmin uh 1 19 um 1920 like so and there we are so um in this particular case it looks like we have two metlo modules uh there we are so we have um the second and the third one the first um you know also applies but that's a shell script um we'll get to that shortly uh we then have this one right over here which um you know 1920 unauthenticated uh remote uh code execution met exploit and RPC CGI remote code execution uh all affecting the same version this one the final one here affects any version prior to 1920 and um the best thing to do now is to sort of understand uh what these particular exploits are exploiting so firstly within the version of webman um you know 1920 what exactly is causing the vulnerability and what do these exploits do or how do they exploit the vulnerability now lucky for us have sort of uh shortened this uh this process and um I've sort of summarized it right of here in the wiki so the bottom line is from the preceding screenshot you know search exploit here which we just performed um we can also extrapolate um you know the two of the exploits are accessible in the form of Metasploit modules and one of the exploit is in the form of a shell script so hold your horses while you may be tempted to fire a medlo and give these modules a go to see if they work we still do not know much about what vulnerabilities these modules exploit as I just said so we must perform some additional rigorous research and due diligence to learn more about the vulnerability what causes it and more importantly how the exploit modules referenced above in this particular screenshot or in the search exploit scan exploit the vulnerability now um as said I've sort of summarized the research and I have a vulnerability analysis section here but what becomes apparent if you know if you perform a quick Google search is that this vulnerability actually had a cve code or identify assigned to it so cve 20191 15107 okay and you can see the description here um an issue was discovered in webmin versions lower um or older than 1920 the parameter old in password change. CGI contains a command injection vulnerability so let's move into the vulnerability analysis section so now that we're armed with a cve identifier you know or code we can narrow down um our research and locate any public advisories that could potentially shed some light on what causes the vulnerability and uh indeed we did so I've actually linked the ADI a link to the advisory right over here on vas.com great website by the way which pretty much provides us with all the key info that we need to understand in terms of you know what causes the vulnerability so this is extrapolated directly from vas.com hence the reference here but we can see the name um you know webman you know 1920 unauthenticated that's sort of the key thing here which is what we want remote command execution the severity is critical by the way all credits to the author um we can see this right over here a vulnerable to unauthenticated uh remote command uh execution and we can see that uh V this is via the parameter old in password change. CGI so something to do with resetting or changing passwords uh successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands with root privileges now nice so we get root privileges the remediation is obviously to upgrade and we can see the CVSs score 9.8 so pretty pretty good um or bad uh depending on what side uh of the fence you're on now you know as shown in the preceding analysis here or code block uh this one right over here or the whole thing I should say which was extrapolated from The Advisory referenced earlier we have identified the following information about the vulnerability so the description which I read out and what uh the impact so you know what this um gives us or what successful exploitation of the vulnerability provides us as an attacker and of course the Privileges required this is something very important so unauthenticated which means we pretty much don't need anything and the Privileges gained root so you know this should almost be uh rated or ranked 10 in terms of the C CVSs score so anyway we've got some key information now based on the info we have gathered we can deduce that successful exploitation of this vulnerability potentially allows for the execution of arbitary commands yes okay so before we actually run the exploit um it's always ideal to check if the web application or service is vulnerable and that's what the shell script um you know listed here in the search exploit scan does for us so why don't we go ahead and copy it so copy user sham um exploit DB exploits um Linux web apps and the uh this is 47293 47293 Dosh I'll just copy it to the desktop here and let's open it up here with Vim let's see what it does so uh we can see that um this script essentially checks if a Target webmin server is indeed vulnerable so the script sends a flag by an echo command then GPS it if if matches if there's a match the Target is vulnerable so in essence what this script does it makes a request um to the password chain CGI um script if you will and based on the response you know the server either going to be vulnerable or not vulnerable so we can see it's being made with curl uh where the target URI that's the variable there uh for/ password change CGI so it looks like one of the prerequisites for this um you know for this exploit to work or for vulnerability is the fact that webmin um needs to be configured to allow or needs to have the password change functionality enabled is what I'm guessing here um and we can see the parameter being injected is old uh that's why we have the ID command here which is a system command um and then of course we have the cookie and all of that good stuff here and then you can see that uh if uh the result equal zero vulnerable well actually not the result what is this referring to right over here um let's see so you one flag flag yeah um so if the where is that actually being reference that's very interesting uh but yeah the bottom line is the result is you know if the result I'm assuming equals zero um vulnerable not vulnerable okay quite interesting we can actually probably take this script and sort of see what it's doing or what the response looks like in fact before we actually run it I'm going to fire up wi shark here and um can I search for wire shock there we are we actually have it good stuff so um we'll get that running and we'll start a capture on ethernet zero quite a bit of traffic so CH mod um we'll say 472 93 and then um let's I think we need to specify some parameters obviously wait a minute it's h checking do we need to modify that that's weird is uh Target is not vulnerable I didn't specify a Target so where do we need to specify the UR ah so it's first parameter um so that means nothing else just specify the target there um so this right over here just copy that very nice uh hit enter wait a minute what on Earth am I doing here oh boy uh yeah save for and uh we'll just hit enter there there we go wait a minute Target is not vulnerable huh oh there we are vulnerable uh we can probably improve the script here uh to sort of Gator for escape characters but uh there we go it is indeed vulnerable now I wanted to see what the response was in y shock so I'm just going to stop the capture here and uh can I actually zoom in I can all right excellent let me just zoom out I went a bit crazy there um IP do destination is going to be um equal to 192 168 125 100 so uh might be yeah we sent some stuff there uh let's see what was actually uh there we are post uh we have it there let me just drag this here so that was the request there we can actually see this here and uh then we change this to us the IP of the Cali Linux system and uh we say um ip. source is equal to the web server to see what it sent back uh 125 100 let's see that there um we should see a response here uh let's see line based text wait a minute I think that's uh did we do that right now also change hyper text transfer protocol there we are um let's see let's see um okay status code yeah so it's just checking for the response anyway uh we can actually keep one shark running cuz we might need it in a few seconds so bottom the bottom line is we can pretty much just fire up Metasploit and uh then um you know exploit webman and keep it moving all right there we go all right so um I just going to search for webman here and uh the exploit in question is uh number 10 so we can actually say use 10 right over here here and uh we are going to uh we can keep the payload I don't think we need to change that at the moment and you say show options uh set Global our hosts to 192 168 125.00 the IP address of the uh web server and uh set Global lhost to the Cali Linux IP which is static so it'll be the same for you guys okay and we just hit enter let's show the options here um so there we are we have that we can leave it the standard 444 4444 Target URI nothing special we know it's running on the root of the web server so no under no directory so we don't uh you know this is unauthenticated and obviously we can show the info here um so this module exploits a back door actually this is the back door one but this should work as well I think uh actually let's try this module um yeah this was the back door exploit but this should work nonetheless cuz it's still the same version affects the same version uh we don't need to provide anything else um do we have to set the target uh do we have any other targets set Target ah Unix uh Linux it's automatic at the moment so let's trust the module so we'll just hit exploit Yep looks like it's working does it send the stage successfully hopefully let's see there we are we get a command shell session we can confirm that we have root indeed we do okay so um let's put this in the background and let's upgrade that really quickly to um interpreter session so we have some stable uh or assemblance of stable axis on the target so there we go um we should get a interpret session no problem indeed we do okay so sessions uh sessions two and uh CIS info all right so Bon to 1804 uh good stuff verify that there we go very nice what we're currently in the webmin directory okay confirm that so use a local webmin no okay excellent excellent uh so now what we are going to need to do is um you know there's a couple of requirements um or environmental requirements for the rootkit to work we obviously need an Apache web server but more importantly uh we actually need uh the Apache to Dev uh package installed which is the development kid you know um which I think I mentioned in the wiki right over here so this is this deals with getting initial access if we go to post compromise I believe I mentioned uh what this package does so yeah there we are this package provides development headers and the apxs to Binary for the Apache 2 um web server um and the reason why we require it is because this particular rootkit the Apache uh rootkit uh pretty much is an Apache module and you'll actually see how it works um I think I mentioned it over here um let's see uh yeah so there we are so we can we can uh leverage the ability to load Apache 2 modules to load our own rootkit module that'll provide us with the ability to perform command injection attacks on the web server and consequently spawn a reverse shell whenever we require and the reason for this you know in terms of persistent is we never want to rely on an exploit uh to you know um as a form of uh access cuz um this vulnerability the webman vulnerability may be patched so we want something that is clandestine that uh sort of works with what is already on the server in this case the Apache server the Apache web server that's hosting the public facing website and we want it to be uh you know just blend in with stuff um so this this is the link to the rootkit now um I think this rootkit was removed from GitHub recently but the good thing is it is available within this lab so I I don't I'll try and see if there's a mirror that's hosting it if you want to you know try it out for yourself but you know I've used it for very long time um but yeah so you know in order for us to compile this uh we we're actually going to uh require um the apxs um utility which I also mentioned over here but the bottom line is there's a couple of important things I want to mention so on the C Linux system there's the Apache rootkit directory that's stored on the desktop that essentially contains the source files now we cannot perform the compilation on the C Linux system we need to do it on the target system um so why don't we check and see whether we have the Apache 2 um I'll just open up a shell session here bin uh bash I and we can then use dpkg and list out the packages and then just grap and uh match exactly for Apache to Dev and see whether we have that if we do then we're game and indeed we do have it obviously I would know about that but uh what we now need to do is I'm just going to go back into interpreter right over here and um I'll open up a new tab on the Cali system right over here and you you can see that on the desktop we have the Apache rootkit folder so there we go and uh we have the make file mod. uh mod o G.C this is the the actual um module um this is the source code for the module and in here the way it works is um as a module it essentially sets up a specific Handler or a Handler with a specific name uh and this this specific Handler works you know with Apache so that means when you access the Handler in this case the Handler name is just org you can actually change this before you compile it but this Handler allows us to utilize the uh let's see if we actually have it in here um yeah so if we take a look at the logic uh the logic you can see um right over here apog to table are uh get so org uh if you know string compare are hand offg return declined so um what happens here is uh apog to table or get so get request over here the set content type text HTML um right over here the bottom line is if we make a request to this and include a parameter and then you know we just need to include a parameter and then the value being the system command we want to execute it'll be executed uh you know um under the um under the context of the web server or the Privileges or the user that the web server is uh running um is running with so most likely it's going to be dubd dub data which means as a form of persistence we would uh lose our you know lose the root privileges but that's not really the objective for this particular video demonstration anyway what we need to do is uh we we need to actually transfer this onto the target so um my bad let me just uh take a step back here and we're going to say tar um uh we need to create one so uh let's say CV ZF and Apache we're just going to call it rootkit uhar do gzip and then uh the we want to compress Apache root kit like so there we go okay now we can leverage um MPR inbuilt upload functionality we're going to upload this in the temp folder um okay so we're just going to say upload it's stored on the desktop so you know Apache rootkit uh sorry not Apache root kit I'm losing my mind here it's root kit we called it there we go excellent so um we can actually open up a shell um and then of course we need some form of functional shell so we'll just get a bash session there we go and then tar xzvf uh rootkit just um forgot no job control there tar um t. gzip and just extract that there and in here now uh you know Apache rootkit uh let's see what we have in here yeah so mod of Jeep and now we can utilize the apxs um the apxs command or utility um which is Again part of the Apache 2 Dev toolkit so we can just say apxs compile IM mode of G.C um so we can do that right now so AP um AP XS um and uh mod o G.C and uh we can hit enter and what this is going to do by the way this needs um you do require root privileges but the bottom line is what this will do is it'll compile um the module um or the shared object I should say and it's going to save it in the default Apache 2 modules directory so you can see uh actually right over your libraries have been installed um shared library has been installed in the following directory and uh now we actually need to add uh a configuration to the default Apache 2 configuration so uh given that we don't have any job control in this bash session we can actually uh utilize maters um I believe it's the edit command and we say um sorry edit Etsy Apache 2 um let's see Apache 2.on um yeah that should work very nice and we need to copy in a specific configuration we can just add it to the top of the file this configuration is specified right over here so we're essentially telling Apache uh within the default configuration to load this specific module because it's copied to the modules directory but we actually need to tell Apache to load it and to actually use it and then the location this is sort of the Handler or the endpoint through which we'll access it and this needs to match um what uh the uh the the name of the Handler I think I'm actually pretty sure it does the name of the Handler uh that was specified in the actual source code before you compile it so if you use something else make sure you change it here now the Handler obviously in terms of Defense evasion and persistence or continued persistence needs to be something that blends in with the traffic because if someone's monitoring the traffic and they're seeing a huge number of requests being made to org and org is so out of this world crazy and out of the ordinary uh they'll probably investigate it so you want to go for something like contact or um you know index or something like this something that blends into the standard or or normal traffic you know other resources or pages that individuals are accessing so we just need to copy this in here and um I'll just paste this in here unfortunately it doesn't look like I can uh can I actually um no probably not let me undo that uh do I need to paste it or let's see uh I'll just go open up this here no it's not that's very weird let me just copy it just give me a second all right there we go um copy that in there uh let me just uh make sure it's good yeah there we are and we write in quit and then we can say system um actually hold on we probably need a shell there um so bin bash I and uh there we are so we can now say system CTL restart Apache because we obviously need to do that and then we can check these status um status Apache Apache 2 right and we can see loaded active no issues okay so now the way to access the rootkit is again via the Handler name so org like so and then we can say um command is equal to ID uh now what am I doing this is the web server not the web Min um so we can say yeah or G like so we can see it's working so I believe it's c is the actual parameter name and then we say ID there we are and we can see we now have a command injection and the cool thing is is again this is not a webshell or there's not you know any PHP file that's processing this it's actually baked into Apache at this point so um you know I think we should be able to um with W shock if we start a new capture um actually hold on before I do that um I'll just change the destination IP here to the IP of the web server so we can actually see what we're sending now the web server is not running with an SSL set which means you know it'll be intercepted but I just want to show you what the traffic uh would look like um and you'll actually see the get request being made um and this is why you should probably change it but um if we go in here and I uh you know I list out for example you know who am I for example like so uh let's see what we have in y shock so we can actually see that in here um wait a minute uh that's the destination yeah um let's see where is this being sent um now we we probably also want the response which is actually no we can actually see that here there we are so that's pretty much um you know how it works and I said you you probably want to make this as clandestine as possible um actually is anything being displayed here um let's go ahead and try this one more time just want to see what this looks like um let URL in COD yeah it did work okay so it's working very very well um now there we go we can see that there um and uh we can actually see that very nice okay so um that's uh pretty much the gist of it now in the um in the wiki I also mention now how you can sort of you know instead of making continuous requests you probably want something approximate to a shell or a pseudo shell and that's where a tool Like Comics comes into play that automates command injection so the way this will work is you know if we say uh the IP of the Target and then we say or G um C is equal to you know ID for example um there way it's going to test uh there way it's going to say the parameter C is indeed vulnerable do you want to prompt for a pseudo terminal shell yes I do thank you very much and now we have a pseudo terminal shell that you know is not perfect but it gives us what we want um and uh there we are you can actually see uh if I say who am I it still be dub dub dub data so you know we lose the root privileges but this is the best way of establishing you know um very stealthy um form of persistence you know I know this video is pretty much uh titled defensive asion and it is because again this is uh leveraging you know from the perspective of red team operations this is um living off the land you're using what the system already has you're not downloading anything new apart from the rootkit of course um you're not transferring anything M um uh you you're not making too many changes you're not installing much obviously if the web server did uh does not have um you know the the Apache 2 development kit then you'd need to install it um the reason it was pre-installed in the lab environment is because the lab environment is not connected to the internet um anyway um in the original guide on my blog um hack expo.org um at the end here which um you know this one is much shorter not not really as detailed uh but uh you I also listed out a way you know you can actually upload a PHP back door which I don't recommend really um because again you're transferring stuff in that uh is quite easy to detect but uh for example you can generate a PHP shell with not a web shell sorry just a you know another PHP back door you can generate a PHP shell um and then uh you just in this case The Listener would be through Metasploit you can actually upload a shell with um with comic so you can utilize the file right command uh or you know the the yeah the the file right Command right over here and uh in essence you know if I just copy this here uh you can actually see how this will work um so I'll open up a new tab here uh one second let me just uh for um we can actually um I'll just open up a new terminal here um uh by the way do we have any web shells user share web shells uh let's see which PHP ones cuz this is an web server sorry my bad there we are reverse shell back door PHP back door I think we'll we'll upload this so I'll just um there we are just copy this um to the desktop here the Cali Linux system and uh we'll just uh rename this to just uh um bd. PHP um very nice okay so we can now say Comics uh use there we are and uh sorry not use a URL um we can say file uh right and um that'll be equal to we need to specify the absolute path so home range uh range admin uh desktop um and uh we just bd. PHP I believe it's called and then we would need to specify the file destination so where we want it saved on the web server which would just be the web root for Apache VAR um HTML um and we'll save it as backd door. PHP um yeah I think that pretty much should work yeah let's go ahead and H enter trying to write huh did that work who knows um only way to find out is to find out so we saved on the root of the web server so bd. PHP huh did not work very interesting um I make a mistake with my uh file right home range admin uh desktop and that's where we are bd. PHP file destination VAR dbdbdb HTML uh bd. PHP is that actually the um if I just check the Linux server cuz u i did add SSH access so you can actually access the the Target web server um if required uh so I sa our dubdub dub HTML yes indeed that's that is the web rout um not sure why that did not upload uh but that should have uploaded uh let's see uh what have we I'm not really sure whether that is uh Final Destination yeah that looks like the correct command there uh file right um let's change this to maybe shell not really really sure what's causing the issue here no interesting that's that's very strange it should have actually saved it no it doesn't interesting this is very interesting I have to say unless I'm making a mistake here um let's see yeah file right H yeah file destination that's what I did and I'm assuming there's no difference yeah all HTML and we do have permission data is the owner there this is very interesting what if we just say yeah it doesn't seem to work anyway um that was part of the older guide uh but uh you can sort of extend access if required um yeah so definitely give this lab a uh a tryy out um as I said I'll put a link to the to this specific lab uh on the Cyber Rangers platform in the description section let me know what you think uh there'll be others following of course there's uh you can try out the cve labs uh the dirty pipe being one of the primary ones uh and then we'll be we'll also be uh leveraging this one right over here this playlist of lives for the adversary emulation series again coming um this month um but uh yeah uh registration is free um if I just uh log out here um you know just uh need to very easily register the link is app. cyber rangers.com anyway thank you guys very much for watching and apologies for for the long sabatical from my end uh but now I think we're you know pretty much geared and good to go uh content wise and uh with that being said thank you very much uh for watching let me know what you guys think in the comments I'd love to hear your feedback and with that being said that's going to be it from my end uh everyone take care and I'll see you in the next video

Original Description

In this video, I demonstrate the process of establishing persistence and evading defenses on Linux through the use of an Apache2 rootkit. The lab used in this video can be accessed for free on the CYBER RANGES platform. The links to the platform and lab are listed below: // CYBER RANGES CYBER RANGES: https://app.cyberranges.com SQL Injection Lab: https://app.cyberranges.com/scenario/67474e64a3907f65136f1a6d //LINKS Apache2 Rootkit: https://github.com/ChristianPapathanasiou/apache-rootkit //PLATFORMS BLOG ►► https://bit.ly/3qjvSjK FORUM ►► https://bit.ly/39r2kcY ACADEMY ►► https://bit.ly/39CuORr //SOCIAL NETWORKS TWITTER ►► https://bit.ly/3sNKXfq DISCORD ►► https://bit.ly/3hkIDsK INSTAGRAM ►► https://bit.ly/3sP1Syh LINKEDIN ►► https://bit.ly/360qwlN PATREON ►► https://bit.ly/365iDLK MERCHANDISE ►► https://bit.ly/3c2jDEn //BOOKS Privilege Escalation Techniques ►► https://amzn.to/3ylCl33 Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA //SUPPORT THE CHANNEL NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5 Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix //CYBERTALK PODCAST Spotify ►► https://spoti.fi/3lP65jv Apple Podcasts ►► https://apple.co/3GsIPQo //WE VALUE YOUR FEEDBACK We hope you enjoyed the video and found value in the content. We value your feedback, If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms. //THANK YOU! Thanks for watching! Благодарю за просмотр! Kiitos katsomisesta Danke fürs Zuschauen! 感谢您观看 Merci d'avoir regardé Obrigado por assistir دیکھنے کے لیے شکریہ देखने के लिए धन्यवाद Grazie per la visione Gracias por ver شكرا للمشاهدة ----------------------------------------------------------------------------------- #Pentesting#Cybersecurity
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from HackerSploit · HackerSploit · 0 of 60

← Previous Next →
1 How To Install Kali Linux 2.0 On Virtual Box
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
2 100 Subscriber Q&A! - How I Learned Ethical Hacking
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
3 BlackArch Linux Review - Better Than Kali Linux?
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
4 How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
5 Wireshark Tutorial for Beginners - Installation
Wireshark Tutorial for Beginners - Installation
HackerSploit
6 Wireshark Tutorial for Beginners - Overview of the environment
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
7 Wireshark Tutorial for Beginners - Capture options
Wireshark Tutorial for Beginners - Capture options
HackerSploit
8 Wireshark Tutorial for Beginners - Filters
Wireshark Tutorial for Beginners - Filters
HackerSploit
9 Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
10 Complete Ethical Hacking Course #2 - Installing Kali Linux
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
11 Parrot OS 3.5 Review | The Best Kali Linux Alternative
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
12 Nmap Tutorial For Beginners - 1 - What is Nmap?
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
13 Katoolin | How To Install Pentesting Tools On Any Linux Distro
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
14 Nmap Tutorial For Beginners - 2 - Advanced Scanning
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
15 Nmap Tutorial For Beginners - 3 - Aggressive Scanning
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
16 Zenmap Tutorial For Beginners
Zenmap Tutorial For Beginners
HackerSploit
17 How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
18 How To Setup Proxychains In Kali Linux - #2 - Change Your IP
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
19 How To Change Mac Address In Kali Linux | Macchanger
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
20 How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
21 Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
22 VPN And DNS For Beginners | Kali Linux
VPN And DNS For Beginners | Kali Linux
HackerSploit
23 Tails OS Installation And Review - Access The Deep Web/Dark Net
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
24 Steganography Tutorial - Hide Messages In Images
Steganography Tutorial - Hide Messages In Images
HackerSploit
25 The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
26 Best Linux Distributions For Penetration Testing
Best Linux Distributions For Penetration Testing
HackerSploit
27 Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
28 Gaining Access - Web Server Hacking - Metasploitable - #1
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
29 Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
30 How To Install Kali Linux On VMware  - Complete Guide 2018
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
31 Q&A #1 - Best Cyber-security Certifications?
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
32 Terminator - Kali Linux - Multiple Terminals
Terminator - Kali Linux - Multiple Terminals
HackerSploit
33 Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
34 Q&A #2 - Mr Robot?
Q&A #2 - Mr Robot?
HackerSploit
35 Metasploit Community Web GUI  - Installation And Overview
Metasploit Community Web GUI - Installation And Overview
HackerSploit
36 Linux Expl0rer - Forensics Toolbox - Installation & Configuration
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
37 QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
38 Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
39 Metasploit For Beginners - #2 - Understanding Metasploit Modules
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
40 Kali Linux Quick Tips - #1 - Adding a non-root user
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
41 Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
42 Spectre Meltdown Vulnerability  - How To Check Your System
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
43 Metasploit For Beginners - #4 - Basic Exploitation
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
44 ARP Spoofing With arpspoof - MITM
ARP Spoofing With arpspoof - MITM
HackerSploit
45 WordPress Vulnerability Scanning With WPScan
WordPress Vulnerability Scanning With WPScan
HackerSploit
46 Generating A PHP Backdoor with weevely
Generating A PHP Backdoor with weevely
HackerSploit
47 Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
48 How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
49 Stacer - System Optimizer And Monitoring Tool For Linux
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
50 Kali Linux 2018.1 - Kernel Updates & Patches
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
51 MITM With Ettercap - ARP Poisoning
MITM With Ettercap - ARP Poisoning
HackerSploit
52 Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
53 How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
54 Channel Updates - How To Post Questions & Video Suggestions
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
55 Web App Penetration Testing - #1 - Setting Up Burp Suite
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
56 Web App Penetration Testing - #2 - Spidering & DVWA
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
57 Cl0neMast3r - GitHub Repository Cloning Tool
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
58 Kali Linux On Windows 10 Official - WSL - Installation & Configuration
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
59 DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
60 Web App Penetration Testing - #3 - Brute Force With Burp Suite
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit

This video teaches viewers how to use an Apache2 rootkit to establish persistence and evade defenses on Linux, with a focus on intermediate level cybersecurity techniques. The lab used in the video is available for free on the CYBER RANGES platform.

Key Takeaways
  1. Access the CYBER RANGES platform and lab
  2. Download and install the Apache2 rootkit
  3. Configure the rootkit for persistence and defense evasion
  4. Test the rootkit on a Linux system
  5. Analyze the results and improve the rootkit configuration
💡 The use of an Apache2 rootkit can provide a stealthy and effective way to establish persistence and evade defenses on Linux systems.

Related Reads

📰
Stop Using 'password123': A Developer's Guide to Strong Passwords
Learn how to create strong passwords and avoid common pitfalls to protect your online accounts and applications
Dev.to · zhihu wu
📰
Zero-Day Market: Why Developer Due Diligence Matters
Learn why developer due diligence is crucial in preventing cybersecurity breaches, especially in the context of zero-day exploits.
Dev.to · Frank
📰
XSS— TryHackMe
Learn about Cross-Site Scripting (XSS) and its significance in cybersecurity through a TryHackMe challenge
Medium · Cybersecurity
📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Social Discovery Group's announcement raises questions about transparency and cybersecurity, highlighting the importance of critical analysis in the industry
Medium · Cybersecurity
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →