
#9 Added persist command.

Open usiegl00 opened this issue 3 years ago • 21 comments

Card

This PR adds persistence support for the 3 major operating systems (Windows, Darwin, Linux).

Details

I do not have a Linux machine to test on right now. Here are the screenshots for Windows and Darwin:

  • Windows

    • User: windows-user
    • Root: windows-root
  • Darwin

    • User: darwin-user
    • Root: darwin-root

usiegl00 avatar Oct 25 '20 08:10 usiegl00

How do I store the names of the files being persisted for later cleanup? (persist -u)

usiegl00 avatar Oct 27 '20 01:10 usiegl00

How do I store the names of the files being persisted for later cleanup? (persist -u)

I guess we'd need to use the database for that, and link the session with the file names.

rkervella avatar Oct 27 '20 08:10 rkervella

Could you share some example code on using the database? It would really help with custom file names / paths.

usiegl00 avatar Oct 28 '20 02:10 usiegl00

Could you share some example code on using the database? It would really help with custom file names / paths.

Sure, here's an example:

https://github.com/BishopFox/sliver/blob/7507cf0b201a4427f5e8ca61e50e6c4be404f999/server/generate/canaries.go#L113-L123

However, we'll need to add an RPC to update the session data (maybe there's already one, I don't remember), as the DB is stored on the server side.

Also, FYI, I just pushed a new PR to add a GetEnv RPC:

https://github.com/BishopFox/sliver/blob/a1635807ccae0e5793c2b7f7a2e796ad82edb2c9/protobuf/rpcpb/services.proto#L86

rkervella avatar Nov 03 '20 11:11 rkervella

I am going to implement a generic grpc db handler. That will allow the client to get and set bucket data.

usiegl00 avatar Nov 03 '20 11:11 usiegl00

Is there an update on this?

usiegl00 avatar Nov 15 '20 05:11 usiegl00

Sorry I've been quite busy lately, I started reviewing it but I'm not done, and I don't know when I'll get some time to continue.

rkervella avatar Nov 16 '20 08:11 rkervella

I have updated the code in accordance with the database changes.

usiegl00 avatar Feb 08 '21 09:02 usiegl00

Awesome we're going to be digging into this PR shortly.

moloch-- avatar Feb 20 '21 15:02 moloch--

@usiegl00 so I gave this PR another go, and so far, only the macOS persistence seems to work.

rkervella avatar Feb 23 '21 13:02 rkervella

If you could give me more info, that would be great. For Windows, check the scheduled tasks to see if the task was registered. For Linux, check crontab to see if the entry is there. I really appreciate you taking the time to review this. Also, if you have the debug log, that would be very useful.

usiegl00 avatar Feb 24 '21 00:02 usiegl00

On Windows, the task doesn't show in the task scheduler. On Linux, the crontab is empty for the user:

ubuntu@devbox:~$ crontab -l
no crontab for ubuntu

On Windows, the user is a local administrator, but the Sliver instance does not run in an elevated context. On Linux, I'm using a regular user.

rkervella avatar Feb 24 '21 08:02 rkervella

After adding some debug logging, a very interesting issue appeared. For Linux, the crontab command appears to be executing, but the entry is not added.

Sliver Debug Log:
Command: /bin/sh -c "echo \"@reboot /home/user/...\" | crontab -"
$ crontab -l
no crontab for user
$ /bin/sh -c "echo \"@reboot /home/user/...\" | crontab -"
$ crontab -l
@reboot /home/user/...

When executing the exact same command in the shell, the entry is added as expected.

usiegl00 avatar Feb 25 '21 01:02 usiegl00
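As an added defender-side illustration (not part of this PR or the Sliver code base): a small Python check that parses `crontab -l` output and flags the kind of entry discussed in the debug log above, i.e. `@reboot` or every-minute jobs and executables living under user-writable paths. The crontab sample and the path list are constructed assumptions.

```python
# Paths an unprivileged persistence entry would typically execute from.
# Assumption: tune this list to your environment.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample of `crontab -l` output: a benign nightly job, an
# @reboot entry like the one in the debug log, and an every-minute job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup.sh
@reboot /home/user/.cache/updater
* * * * * /tmp/.x/agent >/dev/null 2>&1
"""

def parse_crontab(text):
    """Yield (schedule, command) per job line; skip comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
            yield sched, cmd.strip()
            continue
        fields = line.split(None, 5)                  # 5 time fields + command
        if len(fields) < 6:                           # e.g. SHELL=/bin/sh
            continue
        yield " ".join(fields[:5]), fields[5]

def suspicious_entries(text):
    """Return [(reason, schedule, command)] for entries worth an analyst's attention."""
    hits = []
    for sched, cmd in parse_crontab(text):
        exe = cmd.split()[0] if cmd else ""
        reasons = []
        if sched == "@reboot":
            reasons.append("runs at boot")
        if sched.split() == ["*"] * 5:
            reasons.append("runs every minute")
        if exe.startswith(USER_WRITABLE):
            reasons.append("executable in user-writable path")
        if reasons:
            hits.append(("; ".join(reasons), sched, cmd))
    return hits

if __name__ == "__main__":
    for reason, sched, cmd in suspicious_entries(SAMPLE_CRONTAB):
        print(f"[{reason}] {sched} -> {cmd}")
```

To run it against a live host, feed the function the output of `crontab -l` (per user) instead of the constructed sample.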

It should work now.

usiegl00 avatar Mar 12 '21 00:03 usiegl00

Persistence on Linux seems to work now, but still nothing on Windows. I even tried to run it within an elevated context, but the task doesn't seem to be created at all:

Get-ScheduledTask -TaskName RUBBER_WEDDING
Get-ScheduledTask : No MSFT_ScheduledTask objects found with property 'TaskName' equal to 'RUBBER_WEDDING'.  Verify the value of the property and retry.
At line:1 char:1
+ Get-ScheduledTask -TaskName RUBBER_WEDDING
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (RUBBER_WEDDING:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CmdletizationQuery_NotFound_TaskName,Get-ScheduledTask

rkervella avatar May 04 '21 12:05 rkervella

Hmm, I will take another look.

usiegl00 avatar May 04 '21 23:05 usiegl00

In userland we cannot create schtasks with onstart or onlogon. I have switched to using minute, so there will be way too many slivers spawned. This can be fixed by using a semaphore detailed in #231.

If you want, I can also add an option to configure the schtask duration. Ex: 10 minutes.

usiegl00 avatar May 05 '21 11:05 usiegl00

I have updated this PR in accordance with the architecture changes.

@rkervella It is ready for review.

usiegl00 avatar Jul 25 '21 08:07 usiegl00

I know it's been a while. Is there anything you need from me to get this across the line?

usiegl00 avatar Nov 23 '21 03:11 usiegl00

I was just taking a look at this as well, I think we can probably fit it into v1.5.

moloch-- avatar Nov 23 '21 04:11 moloch--

Nice! Let me know if there is anything I can do to help.

usiegl00 avatar Nov 23 '21 04:11 usiegl00

Any chance that this will ever get implemented?

acheong08 avatar Nov 04 '22 11:11 acheong08

It would probably be better implemented as an extension/alias at this point. Back when this PR was open we did not have any of that in place. Since there are tons of ways to persist on different systems, it's probably more beneficial to implement these techniques as a Sliver script or an extension depending on the system you're targeting.

rkervella avatar Nov 04 '22 15:11 rkervella