Recently, carnal0wnage and mubix blogged about sticky keys. I have implemented this in Kautilya and found it useful during many internal penetration tests.
I thought of playing more with this and using it as something more useful and powerful. I started using powershell as the debugger for sethc.exe and, no points for guessing, this is what I get when I press Shift five times (or Left Alt + Left Shift + PrntScr, for that matter).
So powershell is getting executed, but there is no interactive prompt (I have not looked into the reason for this). I tried executing a simple script (which calls calc.exe) by setting it as the debugger for sethc.exe. I had to call powershell from cmd, as without cmd powershell was throwing some errors.
and the result was
Wow, the legendary calc is here!! Keep in mind that if you use any environment variable in the path of your powershell script, it will not be the same for different user profiles. For example, in the above, if you use %temp%\calc.ps1 as the path of the script, on an unlocked system that would be the Temp directory of the currently logged in user, "C:\Users\\AppData\Local\Temp\calc.ps1". But when the machine is locked, %temp% would be "C:\Windows\Temp", because the SYSTEM profile will access it. Keep that in mind while testing.
So, I was able to call the powershell script. This means that if you are able to drop a script on the victim and set powershell with the proper arguments as the debugger for sethc.exe (or utilman.exe), you can execute the script with SYSTEM privileges.
What if I can somehow download and execute a meterpreter executable on the victim? Yes, it is quite easy using this powershell one-liner.
This looks good: a meterpreter executable downloaded and executed on a locked machine! But pulling a meterpreter executable onto a machine is not a good idea, for obvious reasons. Why not pull a powershell script which can execute code in memory? Yes, I am talking about Matt's work from his blog Exploit Monday.
So what do we have now? A powershell command which executes meterpreter from memory, set as the debugger for sethc.exe, which gets executed with SYSTEM level privileges. Wow!!
But is this over yet? Let's play more :) How to maintain access to the machine? Using persistence and other methods available with meterpreter is one option. I would like to use a little more powershell here.
Let's do this. Our powershell one-liner will download another script (let's say payload.ps1). Payload.ps1 will keep polling a tinypaste id at an interval of one hour (or less) and will download and execute whatever powershell script is present there. So let's set our sethc.exe or Utilman.exe Debugger to the below.
using this
and now the result is
So what we have now is a payload which uses tinypaste as its C&C thingy and executes powershell scripts there with SYSTEM privilege :D
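The persistence above lives entirely in one registry value, so it is also cheap to find. As an added defensive example (not code from the original post or from Kautilya), this PowerShell snippet audits the Image File Execution Options keys for Debugger values and flags the pattern described here: an accessibility binary debugged by an interpreter such as powershell.exe or cmd.exe, optionally with an environment variable in the path, which resolves under the SYSTEM profile at the lock screen. The list of binaries and the interpreter pattern are my assumptions about what is worth flagging.

```powershell
# Added example, not from the original post: audit IFEO Debugger values for the
# accessibility-binary backdoor pattern. Run in an elevated PowerShell prompt.

# Assumed list of accessibility binaries reachable from the lock screen.
$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

# Both the native and the WOW64 IFEO hives are checked.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerFinding {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            $image = $key.PSChildName
            # -contains and -match are case-insensitive by default in PowerShell.
            $isAccessibility = $accessibilityBinaries -contains $image
            $usesInterpreter = $debugger -match '\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b'
            # %temp% and friends expand differently for SYSTEM than for a logged-in user.
            $usesEnvVar      = $debugger -match '%[^%]+%'

            [pscustomobject]@{
                Hive          = $root
                Image         = $image
                Debugger      = $debugger
                Accessibility = $isAccessibility
                Interpreter   = $usesInterpreter
                EnvVarInPath  = $usesEnvVar
                Suspicious    = ($isAccessibility -or $usesInterpreter)
            }
        }
    }
}

# Print only the findings worth a second look; drop the filter to see every Debugger value.
Get-IfeoDebuggerFinding | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

A legitimate debugger value on an accessibility binary is rare, so any hit is worth confirming against change records; removing the value with `Remove-ItemProperty -Path <key> -Name Debugger` restores the normal behaviour of the binary.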
This is quite similar to my unpublished work called Maareech which is a sort of automated domain takeover tool in powershell.
payload.ps1 is the following powershell script. I know it's ugly; I am still learning to write clean powershell scripts.
The payload, which polls tinypaste after a given interval, is very similar to the "Time based execution" payload of Kautilya (just one line is different), but still, for the sake of usability, it will be added as an "Externally controlled payload" in some upcoming version of Kautilya.
Hope you enjoyed this. Feedback and suggestions are welcome.