Add git persistence techniques

Adds information about backdooring git configs and git hooks.
vitaliyhan · Oct 30, 2022 · 11fbcec · 11fbcec
1 parent 0381fd3
commit 11fbcec
Showing 1 changed file with 56 additions and 1 deletion.
diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md
@@ -12,7 +12,7 @@
 * [Backdooring a driver](#backdooring-a-driver)
 * [Backdooring the APT](#backdooring-the-apt)
 * [Backdooring the SSH](#backdooring-the-ssh)
-* [Tips](#tips)
+* [Backdooring Git](#backdooring-git)
 * [Additional Linux Persistence Options](#additional-persistence-options)
 * [References](#references)
 
@@ -134,6 +134,61 @@ Add an ssh key into the `~/.ssh` folder.
 2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
 3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
 
+## Backdooring Git
+
+Backdooring git can be a useful way to obtain persistence without the need for root access.  
+Special care must be taken to ensure that the backdoor commands create no output, otherwise the persistence is trivial to notice.
+
+### Git Configs
+
+There are multiple [git config variables](https://git-scm.com/docs/git-config) that execute arbitrary commands when certain actions are taken.  
+As an added bonus, git configs can be specified multiple ways leading to additional backdoor opportunities.  
+Configs can be set at the user level (`~/.gitconfig`), at the repository level (`path/to/repo/.git/config`), and sometimes via environment variables.
+
+`core.editor` is executed whenever git needs to provide the user with an editor (e.g. `git rebase -i`, `git commit --amend`).  
+The equivalent environment variable is `GIT_EDITOR`.
+
+```properties
+[core]
+editor = nohup BACKDOOR >/dev/null 2>&1 & ${VISUAL:-${EDITOR:-emacs}}
+```
+
+`core.pager` is executed whenever git needs to potentially large amounts of data (e.g. `git diff`, `git log`, `git show`).  
+The equivalent environment variable is `GIT_PAGER`.
+
+```properties
+[core]
+pager = nohup BACKDOOR >/dev/null 2>&1 & ${PAGER:-less}
+```
+
+`core.sshCommand` is executed whenever git needs to interact with a remote *ssh* repository (e.g. `git fetch`, `git pull`, `git push`).  
+The equivalent environment variable is `GIT_SSH` or `GIT_SSH_COMMAND`.
+
+```properties
+[core]
+sshCommand = nohup BACKDOOR >/dev/null 2>&1 & ssh
+[ssh]
+variant = ssh
+```
+
+Note that `ssh.variant` (`GIT_SSH_VARIANT`) is technically optional, but without it git will run `sshCommand` _twice_ in rapid succession.  (The first run is to determine the SSH variant and the second to pass it the correct parameters.)
+
+### Git Hooks
+
+[Git hooks](https://git-scm.com/docs/githooks) are programs you can place in a hooks directory to trigger actions at certain points during git's execution.  
+By default, hooks are stored in a repository's `.git/hooks` directory and are run when their name matches the current git action and the hook is marked as executable (i.e. `chmod +x`).  
+Potentially useful hook scripts to backdoor:
+
+- `pre-commit` is run just before `git commit` is executed.
+- `pre-push` is run just before `git push` is executed.
+- `post-checkout` is run just after `git checkout` is executed.
+- `post-merge` is run after `git merge` or after `git pull` applies new changes.
+
+In addition to spawning a backdoor, some of the above hooks can be used to sneak malicious changes into a repo without the user noticing.
+
+Lastly, it is possible to globally backdoor _all_ of a user's git hooks by setting the `core.hooksPath` git config variable to a common directory in the user-level git config file (`~/.gitconfig`).  Note that this approach will break any existing repository-specific git hooks.
+
+
 ## Additional Persistence Options
 
 * [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)