My file keeps disappearing from machine

I’m working on a retired, easy, Windows-based machine. I have SSH access and upload a file (nc.exe, msfvenom, etc.) to the machine. Then, when I run my exploit that executes successfully, the file disappears.

My first thought was someone was deleting it, but I have VIP+ access, so it’s a personal machine, correct?

My second thought was there’s an AV deleting the file since it disappears right when I run the exploit. Soo… I tried nc.exe and various msfvenom .exes. Same thing. Then, I found an article on AV evasion and compiled an XOR msfvenom payload based on C++ code supplied by the author. It too disappeared (though the article was a few years old, so I’m sure the AVs can fingerprint the binary by now).

Not sure where to go from here. So far, the box has been straightforward. I’m at the final stretch, but my file keeps disappearing. Surely AV evasion wouldn’t be necessary on an “easy” box, right?

There are a lot of reasons this could be happening and it really depends on the box.

Some things to consider:

  • The creator has a “cleanup” script running.
  • Your AV bypass hasn’t worked.
  • Something in the payload is deleting itself when it runs.
  • Some form of application control is running.

etc.

However, I agree, AV bypass is unusual on easy boxes.

As it is a retired box, I’d check a walkthrough to see what might be causing it.