Technique entry
L-SSH-AUTHKEYS (Persistence)
SSH authorized_keys Backdoor
Append attacker pubkey to ~/.ssh/authorized_keys (or root's) — classic stealth persistence.
§ Where this technique fits
L-SSH-AUTHKEYS is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 5 on average.
§ Dossiers chaining this technique
- step 5 / 5
SUID binary → root via GTFOBins
Find an unusual SUID binary (find / nmap / vim / awk / less), check GTFOBins for the privilege-escalation primitive, spawn a root shell.
- step 5 / 5
docker group membership → host root via container escape
User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo.
- step 5 / 5
polkit pwnkit (CVE-2021-4034) → instant root
Pre-2022 pkexec has a heap-overflow exploitable with no special permissions. Compile / drop the exploit, run as low-priv user, gain root.