Penetration Testing Techniques: Maintaining Persistence on a Linux-Based File Server

Question

A penetration tester has obtained root access to a Linux-based file server and would like to maintain persistence after reboot.

Which of the following techniques would BEST support this objective?

Answers

A. Creating a one-shot systemd service to establish a reverse shell
B. Obtaining /etc/shadow and brute-forcing the root password
C. Running the nc -e /bin/sh command
D. Moving laterally to create a user account on LDAP

Correct answer: C.

Explanations

Option A: Creating a one-shot systemd service to establish a reverse shell

This technique involves creating a one-time systemd service that will execute a reverse shell connection to the attacker's system upon server reboot. This will allow the attacker to regain access to the server without having to perform another attack. However, this technique can be easily detected by system administrators and is not a reliable method of maintaining persistence.

Option B: Obtaining /etc/shadow and brute-forcing the root password

Obtaining the /etc/shadow file is a common technique used by attackers to retrieve password hashes, which can be cracked using brute force attacks. While this technique can be effective in gaining access to a system, it does not provide a reliable method of maintaining persistence, as the password may be changed by the system administrator at any time.

Option C: Running the nc -e /bin/sh command

This technique involves using the netcat command to create a reverse shell connection to the attacker's system. This method can be effective in maintaining persistence, as the connection will be automatically established upon server reboot. However, this technique is also easily detected and can be blocked by firewalls.

Option D: Moving laterally to create a user account on LDAP

This technique involves moving laterally through the network to access an LDAP server and create a user account with administrative privileges. This method can be effective in maintaining persistence, as the attacker will have a backdoor into the network that can be used to gain access to other systems. However, this technique is also risky as it can be easily detected and blocked by system administrators.

Based on the above analysis, the BEST option for maintaining persistence after obtaining root access to a Linux-based file server is option C, running the nc -e /bin/sh command. While this technique is easily detected and can be blocked by firewalls, it provides a reliable method of maintaining persistence that does not require the attacker to perform additional attacks. However, it is important to note that any method of maintaining persistence carries inherent risks and should be used with caution.