Backdoor Hunt. The 10 Places to Look

The competition image arrives pre-compromised. Before the scoring engine even gets involved, you need to find and remove the planted backdoors. Ten locations cover 95% of persistence mechanisms used in past competitions.

Objectives

• Check for UID-0 accounts other than root
• Audit sudoers and sudoers.d for NOPASSWD
• Inspect every user's crontab + system cron directories
• Find and read all authorized_keys files
• List enabled systemd services and timers
• Read /etc/rc.local, /etc/profile.d, all shell rcfiles
• Enumerate SUID binaries and flag dangerous ones
• Find processes running from /tmp, /dev/shm, /var/tmp
• Watch current outbound TCP connections
• Identify listening ports you don't recognize

Quick reference

Common pitfalls

• Missing a script because you only checked user cron (not /etc/cron.d/)
• Wiping authorized_keys and losing the scoring engine's key
• Killing a suspicious process without identifying what started it. it respawns
• Disabling a systemd service without also disabling its `.timer`
• Removing a crontab entry but the same cron file exists under a different user

Skill drills

1. 1. Command to find all SUID binaries on the system?
   Reveal

   find / -perm -4000 -type f
2. 2. Where do pre-scheduled systemd tasks live?
   Reveal

   systemctl list-timers (or .timer unit files in /etc/systemd/system/)
3. 3. What UID does root have?
   Reveal

   0
4. 4. What's the signature of a reverse-shell bash idiom?
   Reveal

   /dev/tcp in the command, or bash -i with an fd redirect