Forum Thread: Install Payload with Only Hard Drive Access

Hello,

What is the best way to install a persistent Metasploit (or any) payload on a PC when you only have access to its hard drive? For example, you have physical access to the PC, but you don't have the username and password, and you do not want to remove the password; however, you can boot using a live CD and access the hard drive.

What I have done so far is put a payload (bat) under the Windows directory or System32 and add an entry in the registry: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

So each time any user logs in, the bat is executed.
However, the payload requires admin rights, so you'll get that UAC prompt each time.

I know you can wait for the victim to log in, get into the PC, then install a persistent exploit with meterpreter (persistence.rb), but is there any other more efficient and better way?

(PS: the target I am testing on is Windows 10 x64)


3 Responses

Have you tried putting it in HKEY_CURRENT_USER?

Yes, same thing. I'm not saying it does not work; I'm saying, is there any other and better alternative?

You were saying UAC would pop up so I thought it might not if you try current user with less privs. I thought that was what you were asking.

An alternative might be to use PowerShell in the registry. Create a registry key that will open the command prompt, which would then run the PowerShell script.

Look into the Metasploit exploit Exploit/Windows/Local/registry-persistence
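
From the defender's side, the Run-key autostart entries discussed in this thread are straightforward to audit. The following is an added example, not code from any poster in the thread: it parses `reg query` text output and flags autostart values that launch a script file or a command interpreter. The sample input is constructed, and the rule set and function name are assumptions made for illustration.

```python
import re

# Constructed sample of `reg query` output (not taken from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\Windows\System32\updater.bat
    Sync    REG_SZ    cmd.exe /c powershell -File C:\Users\Public\sync.ps1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
"""

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# Illustrative heuristics (assumptions, tune for your environment).
RULES = [
    ("script file autostart", re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.I)),
    ("command interpreter launch",
     re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)),
    ("script under Windows directory",
     re.compile(r"(%windir%|%systemroot%|[a-z]:\\windows)\\.*\.(bat|cmd|ps1)\b", re.I)),
]

def audit_run_keys(text):
    """Return (key, value name, data, reasons) for each suspicious Run/RunOnce value."""
    findings, key = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            key = line.strip()          # unindented line = registry key path
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not RUN_KEY_RE.search(key):
            continue
        data = m.group("data")
        reasons = [label for label, rx in RULES if rx.search(data)]
        if reasons:
            findings.append((key, m.group("name"), data, reasons))
    return findings

if __name__ == "__main__":
    for key, name, data, reasons in audit_run_keys(SAMPLE):
        print(f"[!] {key}\\{name}: {data}  ({', '.join(reasons)})")
```

Because an entry written from a live CD never passes through the running OS, comparing these results against a known-good baseline of Run values is more reliable than relying on registry-write telemetry alone.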
