Using Empire, I generated a bash launcher and saved it on the target (Whonix workstation 13). Added +x and ran it. This launcher runs a base64-encoded Python script.
The steps above require some convincing, aka social engineering (or just being naive about the security of this or that system). The rest doesn't.
Seconds after the script silently runs (and deletes itself), I have a shell into the Whonix Workstation.
I use a Ruby keylogger module, and hey, I'm lucky today: the user runs sudo apt-get update and I get his password with the keylogger.
The password is changeme. I probably could have skipped the last step.
I use the sudo_spawn module with the password and get a new agent with root permissions.
I use a persistence module (add a file under ~/.config/autostart, or alternatively a crontab), restart the workstation and voilà, I have persistent access.
Point #1: all the default payloads in Metasploit and Empire are detected and automatically removed by Windows 10 Defender.
Point #2: I didn't use more than the standard payloads of a system that was mostly written in 2015 / 2016 and is accessible to anyone with basic Linux knowledge.
Point #3: I don't imply Whonix workstation is less secure than Windows, but I do hope the above is food for thought. We can't discount human mistakes.
Point #4: I will try that on Tails too.
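The two persistence spots named in the post (~/.config/autostart and the user crontab) are also the first places to look when checking a workstation for exactly this kind of foothold. The audit script below is an added example, not part of the original post or of Empire; the suspicious-command pattern it uses is an assumption and should be tuned to the machine's own baseline.

```shell
#!/bin/sh
# Added example (not from the original post): flag autostart and crontab
# entries that launch an encoded or piped-in interpreter, the shape a
# base64 launcher persisted under ~/.config/autostart or cron would take.
# SUSPECT_RE is an assumption; extend it with what is abnormal for your hosts.
SUSPECT_RE='base64|python[0-9.]* -c|sh -c|curl |wget |/tmp/|/dev/shm/'

# audit_autostart DIR: print one report line per .desktop file in DIR whose
# Exec= command matches SUSPECT_RE. Prints nothing when the directory is clean.
audit_autostart() {
    dir=$1
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        exec_line=$(grep -m1 '^Exec=' "$f" | cut -d= -f2-)
        if printf '%s\n' "$exec_line" | grep -Eq "$SUSPECT_RE"; then
            printf 'autostart: %s -> %s\n' "$f" "$exec_line"
        fi
    done
}

# audit_crontab: read crontab text on stdin (e.g. from `crontab -l`) and print
# one report line per job whose command matches SUSPECT_RE. Blank lines,
# comments and NAME=value environment assignments are skipped.
audit_crontab() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*|[A-Za-z_]*=*) continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq "$SUSPECT_RE"; then
            printf 'crontab: %s\n' "$line"
        fi
    done
}

# Live run against the current user; both commands are silent on a clean host.
[ -d "${HOME:-/nonexistent}/.config/autostart" ] && audit_autostart "$HOME/.config/autostart"
crontab -l 2>/dev/null | audit_crontab
```

Run it as the user whose session you are checking; each printed line is a candidate to inspect by hand, not a verdict.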