Startup Apps
Last updated
Last updated
Each user can define apps that start when they log in, by placing shortcuts to them in a specific directory. Windows also has a startup directory for apps that should start for all users:
If we can create files in this directory, we can use our reverse shell executable and escalate privileges when an admin logs in.
Use accesschk.exe to check permissions on the StartUp directory:
Note that the BUILTIN\Users group has write access to this directory.
Create a file CreateShortcut.vbs with the VBScript provided in a previous slide. Change file paths if necessary.
Run the script using cscript:
no we wait for the admin to login: