Tags: forensics, free, medium

PersistenceIsFutile

HackTheBox

Task: compromised Linux server with 8 backdoors (remote access + privilege escalation) to find and remove, then run verification script. Solution: systematic enumeration of SSH keys, crontabs, SUID binaries, shell RC files, MOTD scripts, and system users to identify and remediate all 8 persistence mechanisms.

Techniques: backdoor enumeration and removal, SUID binary detection via MD5, cron persistence analysis, bashrc alias backdoor detection, MOTD script analysis, SSH key persistence removal, DNS TXT C2 detection, passwd/shadow modification detection


PersistenceIsFutile — HackTheBox

Description

Hackers made it onto one of our production servers. We've isolated it from the internet until we can clean the machine up. The IR team reported eight different backdoors on the server, but didn't say what they were and we can't get in touch with them. We need to get this server back into prod ASAP. Please find the eight backdoors (both remote access and privilege escalation) and remove them. Once done, run /root/solveme as root to check.

We are given SSH access to a compromised Linux server (credentials: user / hackthebox with sudo rights). The goal is to find and remove all 8 backdoors — both remote access and privilege escalation — then run /root/solveme as root to verify full remediation.

Analysis

Initial Reconnaissance

Connected via SSH and performed comprehensive enumeration across all common persistence locations:

Area checked        Command / path                                  Purpose
User accounts       /etc/passwd, /etc/shadow                        Detect modified/added users
Running processes   ps auxf                                         Find active backdoor processes
Listening ports     ss -tlnp                                        Detect bind shells
SSH keys            /root/.ssh/authorized_keys                      Unauthorized keys
Crontabs            crontab -l, /etc/cron.daily/, /etc/cron.d/      Scheduled persistence
SUID binaries       find / -perm -4000                              Privilege escalation
Systemd services    systemctl list-units                            Malicious services
Shell RC files      .bashrc, .profile                               Login-triggered backdoors
MOTD scripts        /etc/update-motd.d/                             SSH login triggers
PAM configs         /etc/pam.d/                                     Authentication backdoors

This systematic approach revealed all 8 backdoors spanning multiple persistence categories.
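The enumeration above is a checklist of manual commands. As an added example (not the write-up author's script and not part of the challenge), the POSIX shell below turns the file-based checks from that table into repeatable functions that take a root path, so the same triage can be run against the live box or against a mounted disk image and its output diffed against a clean build. The SUID baseline file, the `/var/lib/private` pattern (taken from the MOTD backdoor location named in this write-up) and the alias/socket regex are this example's own assumptions; process, port and systemd checks are left out because they need the running system.

```shell
#!/bin/sh
# Offline persistence triage for a Linux root tree (a live "/" or a mounted image).
# Every checker takes the root path as $1 and prints one finding per line, so the
# output can be diffed against a known-good build. Paths and patterns below are
# this example's assumptions, not the challenge author's script.

# Accounts: any UID 0 entry other than root (covers the passwd/shadow check).
uid0_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# SSH keys: every authorized_keys file found, with its key count.
ssh_keys() {
  for f in "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    n=$(grep -c -E '^(ssh-|ecdsa-)' "$f" || true)   # grep -c exits 1 on zero matches
    printf '%s %s\n' "$f" "$n"
  done
}

# Cron: active (non-comment, non-blank) lines from system and per-user crontabs.
cron_entries() {
  for f in "$1"/etc/crontab "$1"/etc/cron.d/* "$1"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -v -E '^[[:space:]]*#' "$f" | grep -v -E '^[[:space:]]*$' | sed "s|^|$f: |"
  done
}

# SUID binaries: every setuid file whose path is not listed in the baseline file
# ($2, one absolute path per line, taken from a clean install of the same image).
suid_unexpected() {
  root="${1%/}"                      # "/" becomes "" so the stripped path stays absolute
  baseline="${2:-/dev/null}"
  find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | while read -r p; do
    rel="${p#"$root"}"
    grep -qx "$rel" "$baseline" || echo "$rel"
  done
}

# Shell RC and MOTD scripts: lines that redefine privileged commands, open raw
# sockets, or call into /var/lib/private (the path used by this box's MOTD hook).
rc_suspicious() {
  pattern='alias (sudo|su|ls)=|/dev/tcp/|nc |bash -i|/var/lib/private'
  for f in "$1"/root/.bashrc "$1"/home/*/.bashrc "$1"/etc/update-motd.d/*; do
    [ -f "$f" ] || continue
    grep -n -E "$pattern" "$f" | sed "s|^|$f: |"
  done
}

# Runs every checker against one root and prints the findings under headings.
triage() {
  root="${1:-/}"
  echo "== UID 0 accounts other than root";      uid0_users "$root"
  echo "== authorized_keys files (path, keys)";  ssh_keys "$root"
  echo "== active cron entries";                 cron_entries "$root"
  echo "== SUID binaries missing from baseline"; suid_unexpected "$root" "$2"
  echo "== suspicious RC / MOTD lines";          rc_suspicious "$root"
}

# Runs only when TRIAGE_ROOT is set, e.g.
#   TRIAGE_ROOT=/mnt/image TRIAGE_BASELINE=suid-baseline.txt sh triage.sh
if [ -n "${TRIAGE_ROOT:-}" ]; then
  triage "$TRIAGE_ROOT" "${TRIAGE_BASELINE:-/dev/null}"
fi
```

Each line the script prints is a lead to open by hand, not a verdict: a second authorized key or an extra cron job may be legitimate, and the SUID check is only as good as the baseline it is given (generate that list from a clean image of the same distribution release, not from the compromised host). The pattern list in `rc_suspicious` is deliberately short; extend it with whatever the first confirmed backdoor on a given box turns out to reference.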

Solution

Backdoor 1 — Reverse Shell via MOTD (Remote Access)

Location: /etc/update-motd.d/30-connectivity-check → calls /var/lib/private/connectivity-check

...